CN102281139B - Authentication system and method based on a key management protocol - Google Patents

Authentication system and method based on a key management protocol

Info

Publication number: CN102281139B
Authority: CN (China)
Prior art keywords: module, key, authentication, session key, long term
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN201010200007.XA
Other languages: Chinese (zh)
Other versions: CN102281139A (en)
Inventors: 端时立, 王鸿彦, 韦银星, 陈浩然, 周晨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Global Innovation Polymerization LLC
Original Assignee: ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Timeline
Application filed by ZTE Corp
Priority to CN201010200007.XA (patent CN102281139B)
Priority to PCT/CN2010/079246 (patent WO2011153794A1)
Publication of CN102281139A
Application granted
Publication of CN102281139B
Current legal status: Expired - Fee Related
Anticipated expiration


Abstract

The invention discloses an authentication system and method based on a key management protocol (KMP). The authentication system comprises an identity module, a key management module, an authentication module, a key storage module and a routing protocol module, where the authentication module is connected to the key storage module, obtains authentication information from the key storage module, and authenticates the communication entity according to that authentication information. The invention solves the problem in the prior art that the two communicating parties cannot authenticate each other, and so ensures the security of the communication.

Description

Authentication system and method based on a key management protocol
Technical field
The present invention relates to the technical field of communication security, and in particular to an authentication system and method based on a key management protocol (Key Management Protocol, KMP for short).
Background technology
The security of routing protocols is a key technology; many working groups in the IETF study and standardize it, and authentication techniques for routing, together with the key management that authentication requires, are studied mainly by the KARP working group. The KARP working group proposed the concept of a KMP, which operates between two communication entities running a routing protocol, provides authentication for those two entities, and generates and updates session keys. KMP matters because manual key management schemes depend on the administrator's work: once the network grows large, the administrator can no longer cope with the complexity of key management.
As shown in Fig. 1, the current KMP-based system comprises: an identification module (Identifier) 102, a key management module 104, an authentication module (IdentityProof) 106, a key storage module (Keystore) 108 and a routing protocol module 110.
In operation, the identification module 102 provides the key management module 104 with the ID value of the peer with which communication is required; the key management module 104 obtains the root key from the key storage module 108, uses it to generate a session key, and delivers the required key to the routing protocol module 110. The key storage module 108 stores the root key and the session keys.
However, in the above architecture the root key, which is used for authentication and for generating session keys, is not kept separate from the session keys, so every key access made by the KMP has to interact with the key storage module 108 of Fig. 1, which may place considerable load on that module. At the same time, because the same database stores both the root key and the session keys, any module that accesses the database may obtain or destroy the root key, which leaves an opening for attackers.
In addition, the above scheme may cause another problem: because the authentication module 106 does not interact with the key storage module 108, it cannot obtain the root key held by the key storage module 108, so the authentication module cannot produce authentication information; as a result the two communicating parties cannot authenticate each other, which reduces the security of the communication.
Summary of the invention
The main object of the present invention is to provide an authentication system and method based on a key management protocol, so as at least to solve the problem in the prior art that the communicating parties cannot authenticate each other, which reduces the security of the communication.
According to one aspect of the present invention, an authentication system based on a key management protocol is provided, comprising an identity module, a key management module, an authentication module, a key storage module and a routing protocol module, where the authentication module is connected to the key storage module, obtains authentication information from the key storage module, and authenticates the communication entity according to that authentication information.
Further, the key storage module stores the long-term keys associated with user identities, and generates the authentication information used for authentication from the long-term key corresponding to a user's identification information.
Further, the key management module sends the session key, either produced by itself according to the authentication information or received from the authentication module, to the key storage module, and the key storage module sends the session key to the routing protocol module, where the authentication module produces the session key according to the authentication information.
Further, the key management module sends the session key, either produced by itself according to the authentication information or received from the authentication module, to the routing protocol module, where the authentication module produces the session key according to the authentication information.
Further, the key storage module also stores long-term key material and ephemeral key material, where the long-term key material comprises at least one of the user's root key and a certificate, and the ephemeral key material is generated from the long-term keys.
According to another aspect of the present invention, an authentication system based on a key management protocol is provided, comprising a key management module, an authentication module, a routing protocol module, an identity module, a long-term key storage module and an ephemeral key storage module, where the authentication module receives the identification information of a communication entity sent by the key management module, sends an authentication message carrying that identification information to the long-term key storage module, receives from the long-term key storage module the authentication information corresponding to that identification information, and uses that authentication information to perform authentication.
Further, the authentication module also generates the session key used for communication and sends it to the key management module, which sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, and the key management module sends the session key to the routing protocol module; and the ephemeral key storage module receives and stores the session key from the authentication module or from the key management module.
According to yet another aspect of the present invention, an authentication method based on a key management protocol is provided, comprising: the authentication module obtains authentication information from the key storage module, and authenticates the communication entity according to that authentication information.
Further, the authentication module obtaining authentication information from the key storage module comprises: the key storage module obtains the long-term key corresponding to the identification information of the communication entity; the key storage module generates the authentication information from that long-term key; and the key storage module sends the authentication information to the authentication module.
Further, after authentication has passed, the method also comprises: the authentication module produces the session key used for communication and sends it to the key management module, and the key management module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, and the key management module sends the session key to the routing protocol module.
Further, after authentication has passed, the method also comprises: the authentication module produces a session key and sends it to the key management module, the key management module sends the session key to the key storage module for storage, and the key storage module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, the key management module sends it to the key storage module for storage, and the key storage module sends it to the routing protocol module.
Further, after the routing protocol module obtains the session key used for communication, the method also comprises: the routing protocol module uses the session key to protect protocol messages.
According to yet another aspect of the present invention, an authentication method based on a key management protocol is provided, comprising: the authentication module receives the identification information of a communication entity sent by the key management module; the authentication module sends an authentication request message carrying that identification information to the long-term key storage module; the authentication module receives from the long-term key storage module the authentication information corresponding to that identification information; and the authentication module uses that authentication information to perform authentication.
Further, before the authentication module receives the authentication information corresponding to the identification information from the long-term key storage module, the method also comprises: the long-term key storage module obtains the long-term key corresponding to that identification information; the long-term key storage module generates the authentication information from that long-term key; and the long-term key storage module sends the authentication information to the authentication module.
Further, the long-term key is a root key.
Further, after authentication has passed, the method also comprises: the authentication module produces the session key used for communication and sends it to the key management module, and the key management module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, and the key management module sends the session key to the routing protocol module.
Further, after authentication has passed, the method also comprises: the authentication module produces a session key and sends it to the key management module, the key management module sends the session key to the ephemeral key storage module for storage, and the ephemeral key storage module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, the key management module sends it to the ephemeral key storage module for storage, and the ephemeral key storage module sends it to the routing protocol module.
Further, after the routing protocol module obtains the session key used for communication, the method also comprises: the routing protocol module uses the session key to protect protocol messages.
The present invention has the following beneficial effects:
1) Because the authentication module can obtain authentication information from the key storage module, the two communicating parties can authenticate each other according to the other side's authentication information, and a session key is generated only once authentication has passed, which ensures the security of the communication.
2) Because the database holding long-term keys (for example root keys) is separated from the database holding ephemeral keys (for example session keys), the long-term key database is accessed only when necessary (for example when generating a session key), and during data transfer only the ephemeral key database needs to be accessed to obtain the session key. In this way only specific modules (for example the authentication module) can access the long-term key database and obtain the root key, whose security level is higher, while the other modules cannot access the long-term key database at all, which improves security.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the present invention and form part of this application; the schematic embodiments of the present invention and their description serve to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of the KMP architecture according to the related art;
Fig. 2 is a flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 3 is a preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 4 is another preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 5 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 6 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 7 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 8 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 9 is another flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of the authentication system based on a key management protocol according to an embodiment of the present invention;
Fig. 11 is a preferred schematic diagram of the authentication system based on a key management protocol according to an embodiment of the present invention;
Fig. 12 is another preferred schematic diagram of the authentication system based on a key management protocol according to an embodiment of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to the drawings and in combination with embodiments. It should be noted that, where they do not conflict, the embodiments in this application and the features within them may be combined with each other.
Fig. 2 is a flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
S202: the authentication module receives the identification information of a communication entity sent by the key management module;
S204: the authentication module sends an authentication request message to the long-term key storage module, where the authentication request message carries that identification information;
S206: the authentication module receives from the long-term key storage module the authentication information corresponding to that identification information;
S208: the authentication module uses that authentication information to perform authentication.
In the prior art the authentication module does not interact with the key storage module and therefore cannot obtain the root key held by it, so the two communicating parties cannot authenticate each other, which reduces the security of the communication. In the embodiment of the present invention, by contrast, the authentication module can obtain authentication information from the long-term key storage module, so the two communicating parties can authenticate each other according to the other side's authentication information, and a session key is generated only once authentication has passed, which ensures the security of the communication.
Preferably, before the authentication module receives the authentication information corresponding to the identification information from the long-term key storage module, the method also comprises: the long-term key storage module obtains the long-term key corresponding to that identification information; the long-term key storage module generates the authentication information from that long-term key; and the long-term key storage module sends the authentication information to the authentication module.
Preferably, the long-term key is a root key.
Preferably, after authentication has passed, the method also comprises: the authentication module produces the session key used for communication and sends it to the key management module, and the key management module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, and the key management module sends the session key to the routing protocol module.
Preferably, after authentication has passed, the method also comprises: the authentication module produces a session key and sends it to the key management module, the key management module sends the session key to the ephemeral key storage module for storage, and the ephemeral key storage module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, the key management module sends it to the ephemeral key storage module for storage, and the ephemeral key storage module sends it to the routing protocol module.
According to the above preferred embodiments, different databases are used to hold long-term keys (for example root keys) and ephemeral keys (for example session keys). Because the security level of long-term keys differs from that of ephemeral keys, under this separated-database design the long-term key database is accessed only when necessary, which improves security.
In both of the preferred embodiments above, after the routing protocol module obtains the session key used for communication, it uses that session key to protect protocol messages.
The authentication procedure in the scenario shown in Fig. 2 is described in detail below with reference to the drawings.
Embodiment 1
Fig. 3 is a preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
Step S302: the key management module receives identity information (ID information).
Step S304: the key management module sends an authentication request to the authentication module.
Step S306: the authentication module interacts with the long-term key storage module to obtain authentication information.
Step S308: the authentication module sends an authentication response to the key management module.
Step S310: the key management module produces a session key.
Step S312: the key management module sends the session key to the ephemeral key storage module.
Step S314: the ephemeral key storage module sends the session key to the routing protocol module.
Step S316: the routing protocol module uses the session key to protect routing protocol packets.
Embodiment 2
Fig. 4 is another preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
Step S402: the routing protocol module sends a session key request message to the ephemeral key storage module.
Step S404: the ephemeral key storage module sends the session key request message to the key management module.
Step S406: the key management module interacts with the identity module to obtain identity information.
Step S408: the key management module interacts with the long-term key storage module to obtain authentication information.
Step S410: the key management module carries out the authentication procedure.
Step S412: the key management module produces a session key.
Step S414: the key management module sends the session key to the ephemeral key storage module.
Step S416: the ephemeral key storage module sends the session key to the routing protocol module.
Step S418: the routing protocol module uses the session key to protect routing protocol packets.
Embodiment 3
Fig. 5 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
Step S502: the routing protocol module sends a session key request message to the key management module.
Step S504: the key management module interacts with the identity module to obtain identity information.
Step S506: the key management module interacts with the long-term key storage module to obtain authentication information.
Step S508: the key management module carries out the authentication procedure.
Step S510: the key management module produces a session key.
Step S512: the key management module sends the session key to the ephemeral key management module.
Step S514: the ephemeral key management module sends the session key to the routing protocol module.
Step S516: the routing protocol module uses the session key to protect routing protocol packets.
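The Fig. 3 flow of Embodiment 1, with long-term and ephemeral keys held in separate storage modules as in the Fig. 2 method, as an added Python model that is not part of the patent: the authentication module is the only component holding a handle to the long-term store, the root key never leaves that store (only HMAC-derived authentication information does), the key management module derives a session key only after the authentication response is positive, and the routing protocol module reads only the ephemeral store when protecting packets. Pairwise pre-shared root keys, HMAC-SHA256 for the authentication information, the identity proof, the session-key derivation and the packet tag, the two nonces, and all class and method names are assumptions of this example; the patent does not fix these primitives.

```python
import hmac


def _mac(key, data):
    return hmac.new(key, data, "sha256").digest()


class LongTermKeyStore:
    """Pairwise root keys by peer identity; only derived authentication information leaves (S204-S206)."""

    def __init__(self, root_keys):
        self._root_keys = dict(root_keys)

    def authentication_info(self, peer_id, nonce_a, nonce_b):
        root = self._root_keys.get(peer_id)
        if root is None:
            return None  # no long-term key for this identity, so no authentication information
        return _mac(root, b"auth|" + nonce_a + nonce_b)


class EphemeralKeyStore:
    """Ephemeral key storage module: session keys only (S312-S314)."""

    def __init__(self):
        self._session_keys = {}

    def store(self, peer_id, key):
        self._session_keys[peer_id] = key

    def session_key(self, peer_id):
        return self._session_keys[peer_id]


class AuthenticationModule:
    """The only module holding a handle to the long-term store (S306)."""

    def __init__(self, long_term_store):
        self._long_term = long_term_store

    def proof(self, own_id, peer_id, nonce_a, nonce_b):
        # Proof of our own identity, bound to both nonces, for the peer to check.
        info = self._long_term.authentication_info(peer_id, nonce_a, nonce_b)
        if info is None:
            raise ValueError("no long-term key for " + peer_id)
        return _mac(info, b"proof|" + own_id.encode())

    def verify(self, peer_id, nonce_a, nonce_b, peer_proof):
        # Authentication response (S308): the authentication information on success, None otherwise.
        info = self._long_term.authentication_info(peer_id, nonce_a, nonce_b)
        if info is None:
            return None
        expected = _mac(info, b"proof|" + peer_id.encode())
        return info if hmac.compare_digest(expected, peer_proof) else None


class KeyManagementModule:
    """Requests authentication (S304); produces the session key only once it passes (S310, S312)."""

    def __init__(self, auth, ephemeral):
        self._auth, self._ephemeral = auth, ephemeral

    def authenticate_peer(self, peer_id, nonce_a, nonce_b, peer_proof):
        info = self._auth.verify(peer_id, nonce_a, nonce_b, peer_proof)
        if info is None:
            return False
        self._ephemeral.store(peer_id, _mac(info, b"session"))
        return True


class RoutingProtocolModule:
    """Reads the session key from the ephemeral store (S314) and tags packets with it (S316)."""

    def __init__(self, ephemeral):
        self._ephemeral = ephemeral

    def protect(self, peer_id, payload):
        return payload + _mac(self._ephemeral.session_key(peer_id), payload)

    def verify(self, peer_id, packet):
        payload, tag = packet[:-32], packet[-32:]
        expected = _mac(self._ephemeral.session_key(peer_id), payload)
        return payload if hmac.compare_digest(expected, tag) else None


class Router:
    def __init__(self, own_id, root_keys):  # one communication entity wired up as in Fig. 12
        self.id = own_id
        self.ephemeral = EphemeralKeyStore()
        self.auth = AuthenticationModule(LongTermKeyStore(root_keys))
        self.kmm = KeyManagementModule(self.auth, self.ephemeral)
        self.routing = RoutingProtocolModule(self.ephemeral)


def mutual_authenticate(a, b, nonce_a, nonce_b):
    """Run the Fig. 3 flow in both directions with fresh nonces; True only if both peers pass."""
    proof_a = a.auth.proof(a.id, b.id, nonce_a, nonce_b)
    proof_b = b.auth.proof(b.id, a.id, nonce_a, nonce_b)
    ok_b = b.kmm.authenticate_peer(a.id, nonce_a, nonce_b, proof_a)
    ok_a = a.kmm.authenticate_peer(b.id, nonce_a, nonce_b, proof_b)
    return ok_a and ok_b
```

A peer presenting a proof computed under a different root key fails at S308, so its key management module never produces a session key and the ephemeral store stays empty for that peer.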
The present invention also provides another authentication method based on a key management protocol; as shown in Fig. 9, it comprises the following steps:
S902: the authentication module obtains authentication information from the key storage module;
S904: the authentication module authenticates the communication entity according to that authentication information.
In the above embodiment, because the authentication module can obtain authentication information from the key storage module, the two communicating parties can authenticate each other according to the other side's authentication information, and a session key is generated only once authentication has passed, which ensures the security of the communication.
Preferably, the authentication module obtaining authentication information from the key storage module comprises: the key storage module obtains the long-term key corresponding to the identification information; the key storage module generates the authentication information from that long-term key; and the key storage module sends the authentication information to the authentication module.
Preferably, after authentication has passed, the method also comprises: the authentication module produces the session key used for communication and sends it to the key management module, and the key management module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, and the key management module sends the session key to the routing protocol module.
Preferably, after authentication has passed, the method also comprises: the authentication module produces a session key and sends it to the key management module, the key management module sends the session key to the key storage module for storage, and the key storage module sends the session key to the routing protocol module; or the authentication module notifies the key management module to produce the session key, the key management module sends it to the key storage module for storage, and the key storage module sends it to the routing protocol module.
Preferably, after the routing protocol module obtains the session key used for communication, the method also comprises: the routing protocol module uses the session key to protect protocol messages.
The authentication procedure in the scenario shown in Fig. 9 is described in detail below with reference to the drawings.
Embodiment 4
Fig. 6 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
Step S602: the key management module receives identity information (ID information).
Step S604: the key management module sends an authentication request to the authentication module.
Step S606: the authentication module interacts with the key storage module to obtain authentication information.
Step S608: the authentication module sends an authentication response.
Step S610: the key management module produces a session key.
Step S612: the key management module sends the session key to the key storage module.
Step S614: the key storage module sends the session key to the routing protocol module.
Step S616: the routing protocol module uses the session key to protect routing protocol packets.
Embodiment 5
Fig. 7 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
Step S702: the routing protocol module sends a session key request message to the key storage module.
Step S704: the key storage module sends the session key request message to the key management module.
Step S706: the key management module interacts with the identity module to obtain identity information.
Step S708: the key management module interacts with the key storage module to obtain authentication information.
Step S710: the key management module carries out the authentication procedure.
Step S712: the key management module produces a session key.
Step S714: the key management module sends the session key to the key storage module.
Step S716: the key storage module sends the session key to the routing protocol module.
Step S718: the routing protocol module uses the session key to protect routing protocol packets.
Embodiment 6
Fig. 8 is a further preferred flow chart of the authentication method based on a key management protocol according to an embodiment of the present invention; it comprises the following steps:
Step S802: the routing protocol module sends a session key request message to the key management module.
Step S804: the key management module interacts with the identity module to obtain identity information.
Step S806: the key management module interacts with the key storage module to obtain authentication information.
Step S808: the key management module carries out the authentication procedure.
Step S810: the key management module produces a session key.
Step S812: the key management module sends the session key to the key storage module.
Step S814: the key storage module sends the session key to the routing protocol module.
Step S816: the routing protocol module uses the session key to protect routing protocol packets.
Present invention also offers a kind of Verification System based on KMP, it can be suitable for above-mentioned authentication method.
Figure 10 shows above-mentioned Verification System, and it comprises: the first identity module 1002, first key management module 1006, first authentication module 1010, first cipher key storage block 1014, first routing module 1018, second identity module 1004, second key management module 1008, second authentication module 1012, second cipher key storage block 1016, secondary route module 1020.
First identity module 1002, first key management module 1006, first authentication module 1010, first cipher key storage block 1014, first routing module 1018 communication process each other with reference to accompanying drawing 6-8, can not repeat them here.Equally, the second identity module 1004, second key management module 1008, second authentication module 1012, second cipher key storage block 1016, secondary route module 1020 communication process each other with reference to accompanying drawing 6-8, can not repeat them here yet.
According to the embodiment of the present invention, because authentication module can obtain certified Information in calm key memory module, thus make communicating pair can carry out mutual certification according to the authentication information of the other side, the ability session key generation when certification is passed through, thus ensure that the fail safe of communication.
Figure 11 is a schematic diagram of an authentication system based on a key management protocol according to an embodiment of the present invention. It comprises: an identity module 1102, a key management module 1104, an authentication module 1106, a key storage module 1110 and a routing protocol module 1112, wherein the authentication module 1106 is connected to the key storage module 1110, obtains authentication information from the key storage module 1110, and authenticates a communication entity according to that authentication information.
Preferably, in the embodiment of Figure 11, the identity module 1102, key management module 1104, authentication module 1106, key storage module 1110 and routing protocol module 1112 are connected to one another as shown in Figure 11, and their communication with one another can proceed as described with reference to Figures 6 to 8.
Preferably, the key storage module 1110 stores the long-term keys associated with user identities, and the long-term key corresponding to a user's identification information is used to generate the authentication information used for authentication.
Preferably, the key management module 1104 sends the session key, which it either generates itself from the authentication information or receives from the authentication module 1106, to the key storage module 1110, and the key storage module 1110 forwards the session key to the routing protocol module 1112; where the authentication module 1106 generates the session key, it does so from the authentication information.
Preferably, the key management module 1104 sends the session key, which it either generates itself from the authentication information or receives from the authentication module 1106, directly to the routing protocol module 1112; where the authentication module 1106 generates the session key, it does so from the authentication information.
Preferably, the key storage module 1110 also stores long-term key material and ephemeral key material, where the long-term key material comprises at least one of the user's root key and a certificate, and the ephemeral key material is generated from the long-term keys.
Figure 12 is a schematic diagram of an authentication system based on a key management protocol according to an embodiment of the present invention. It comprises: an identity module 1202, a key management module 1204, an authentication module (authentication server) 1206, a long-term key storage module 1208, an ephemeral key storage module 1210 and a routing protocol module 1212. The authentication module 1206 receives the identification information of a communication entity sent by the key management module 1204, sends an authentication message carrying that identification information to the long-term key storage module 1208, receives from the long-term key storage module 1208 the authentication information corresponding to that identification information, and uses the authentication information to perform authentication.
Preferably, the authentication module 1206 also generates the session key used for communication and sends it to the key management module 1204, which sends it on to the routing protocol module 1212; or the authentication module 1206 instead notifies the key management module 1204 to generate the session key, and the key management module 1204 sends the session key to the routing protocol module 1212. The ephemeral key storage module 1210 receives and stores the session key from the authentication module 1206 or the key management module 1204.
This embodiment of the present invention keeps the database holding long-term master keys separate from the database holding short-term session keys, which has the following benefits:
1) Separation of security levels. A long-term key has a far higher security level than a short-term session key: compromise of a short-term session key affects only the security of that one session, whereas compromise of a long-term key means that every subsequent authentication can be forged. Keeping the two key stores separate is therefore necessary, and it follows the principle of protecting keys according to their security classification.
2) Because the two databases are separate, their interface APIs can be designed separately. This guarantees that, when keys are accessed, only the identity authenticator and the KMP module, which genuinely need the key material, can reach the database holding long-term master keys, while the routing protocol module can reach only the database holding short-term session keys. This further improves the security of the communication.
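The following is an added illustration of the architecture described for Figures 11 and 12 and of the store-separation rationale just given; it is example code written for this page, not code from the patent or from ZTE. It assumes a pre-shared root key per user identity, an HMAC-SHA256 challenge-response as the authentication mechanism (the patent does not fix one), and that each module identifies itself to a store by a role string; module and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class AccessDenied(PermissionError):
    """Raised when a module outside a store's allowed set tries to use it."""


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label and a length-prefixed transcript (constructed KDF)."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class LongTermKeyStore:
    """Database of root keys indexed by user identity (hypothetical interface).

    Only the authentication and key management modules may call it, and even they
    never receive a root key: the store returns authentication information derived
    from the root key for one specific transcript.
    """
    ALLOWED_CALLERS = frozenset({"authentication", "key_management"})

    def __init__(self, root_keys: Dict[str, bytes]):
        self._root_keys = dict(root_keys)

    def authentication_info(self, caller: str, identity: str,
                            transcript: Tuple[bytes, ...]) -> Optional[bytes]:
        if caller not in self.ALLOWED_CALLERS:
            raise AccessDenied(f"{caller} module may not access the long-term key store")
        root = self._root_keys.get(identity)
        if root is None:
            return None  # unknown identity: authentication must fail
        return _prf(root, b"auth-info", identity.encode(), *transcript)


class EphemeralKeyStore:
    """Database of short-term session keys; this is all the routing module can reach."""
    ALLOWED_CALLERS = frozenset({"authentication", "key_management", "routing"})

    def __init__(self) -> None:
        self._sessions: Dict[str, bytes] = {}

    def _check(self, caller: str) -> None:
        if caller not in self.ALLOWED_CALLERS:
            raise AccessDenied(f"{caller} module may not access the ephemeral key store")

    def put(self, caller: str, peer: str, session_key: bytes) -> None:
        self._check(caller)
        self._sessions[peer] = session_key

    def get(self, caller: str, peer: str) -> Optional[bytes]:
        self._check(caller)
        return self._sessions.get(peer)


@dataclass
class Node:
    """One communication entity with its own long-term and ephemeral key stores."""
    identity: str
    long_term: LongTermKeyStore
    ephemeral: EphemeralKeyStore = field(default_factory=EphemeralKeyStore)
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))


def mutual_authenticate(user: Node, server: Node) -> bool:
    """Challenge-response over the user's root key; both sides prove knowledge of it.

    Matching session keys are installed in both ephemeral stores only when both
    tags verify; on any failure no session key is produced.
    """
    # Transcript both sides bind their tags to: the identities and nonces that the
    # identity modules exchange in the first two messages.
    user_id = user.identity
    transcript = (user_id.encode(), server.identity.encode(), user.nonce, server.nonce)
    # Server's authentication module asks its long-term store for the authentication
    # information belonging to the claimed identity and answers with its own tag.
    server_info = server.long_term.authentication_info("authentication", user_id, transcript)
    if server_info is None:
        return False
    server_tag = _prf(server_info, b"server-tag")
    # User's authentication module checks the server's tag against its own copy of
    # the authentication information, then proves itself with a tag of its own.
    user_info = user.long_term.authentication_info("authentication", user_id, transcript)
    if user_info is None or not hmac.compare_digest(server_tag, _prf(user_info, b"server-tag")):
        return False
    user_tag = _prf(user_info, b"user-tag")
    if not hmac.compare_digest(user_tag, _prf(server_info, b"user-tag")):
        return False
    # Authentication passed: each side derives the session key from the authentication
    # information, and the key management module places it in the ephemeral store.
    for node, info, peer in ((user, user_info, server.identity), (server, server_info, user_id)):
        node.ephemeral.put("key_management", peer, _prf(info, b"session-key"))
    return True


def routing_session_key(node: Node, peer: str) -> Optional[bytes]:
    """Routing protocol module: read the session key for `peer` from the ephemeral store."""
    return node.ephemeral.get("routing", peer)


def routing_can_reach_root_keys(node: Node) -> bool:
    """Routing protocol module trying the long-term store; the separate API refuses it."""
    try:
        node.long_term.authentication_info("routing", node.identity, ())
    except AccessDenied:
        return False
    return True
```

The two stores expose different interfaces with different caller sets, so a bug or compromise in the routing protocol module cannot reach a root key, and a failed exchange (unknown identity or wrong root key) leaves both ephemeral stores empty.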
Obviously, a person skilled in the art will understand that each of the modules or steps of the present invention described above can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be performed in an order different from that given here; or they can be made into separate integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The foregoing describes only preferred embodiments of the present invention and does not limit it; for a person skilled in the art, the present invention may have various modifications and variations. Any amendment, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (9)

Wherein, after authentication passes, the method further comprises: the authentication module generating a session key for communication and sending the session key to the key management module, and the key management module sending the session key to the routing protocol module; or the authentication module notifying the key management module to generate the session key, and the key management module sending the session key to the routing protocol module; or the key management module sending the session key to the key storage module, and the key storage module sending the session key to the routing protocol module, wherein the authentication module generates the session key according to the authentication information.
Wherein, after authentication passes, the method further comprises: the authentication module generating a session key for communication and sending the session key to the key management module, and the key management module sending the session key to the routing protocol module; or the authentication module notifying the key management module to generate the session key, and the key management module sending the session key to the routing protocol module; or the key management module sending the session key to the key storage module, the key storage module sending the session key to the ephemeral key storage module for storage, and the ephemeral key storage module sending the session key to the routing protocol module, wherein the authentication module generates the session key according to the authentication information.

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN201010200007.XA (CN102281139B, en) | 2010-06-10 | 2010-06-10 | Based on Verification System and the method for IKMP
PCT/CN2010/079246 (WO2011153794A1, en) | 2010-06-10 | 2010-11-29 | Authentication system and method based on key management protocol

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201010200007.XA (CN102281139B, en) | 2010-06-10 | 2010-06-10 | Based on Verification System and the method for IKMP

Publications (2)

Publication Number | Publication Date
CN102281139A (en) | 2011-12-14
CN102281139B (en) | 2016-02-10

Family

ID=45097488

Family Applications (1)

Application Number | Status | Title | Priority Date | Filing Date
CN201010200007.XA (CN102281139B, en) | Expired - Fee Related | Based on Verification System and the method for IKMP | 2010-06-10 | 2010-06-10

Country Status (2)

Country | Link
CN (1) | CN102281139B (en)
WO (1) | WO2011153794A1 (en)



Also Published As

Publication Number | Publication Date
CN102281139A (en) | 2011-12-14
WO2011153794A1 (en) | 2011-12-15


Legal Events

Date | Code | Title | Description
 | C06 | Publication |
 | PB01 | Publication |
 | C10 | Entry into substantive examination |
 | SE01 | Entry into force of request for substantive examination |
 | C14 | Grant of patent or utility model |
 | GR01 | Patent grant |
 | TR01 | Transfer of patent right | Effective date of registration: 20180425; Address after: California, USA; Patentee after: Global innovation polymerization LLC; Address before: No. 55, Nanshan District science and technology road, Nanshan District, Shenzhen, Guangdong; Patentee before: ZTE Corp.
 | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160210

