
CN114844716B - Digital signature message processing method, device, equipment and computer medium - Google Patents


Info

Publication number: CN114844716B
Application number: CN202210576995.0A
Authority: CN (China)
Prior art keywords: digital signature, host, message, signature message, access device
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114844716A (en)
Inventors: 刘思聪, 杨立辉, 蔡超
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Events: application filed by China United Network Communications Group Co Ltd; priority to CN202210576995.0A; publication of CN114844716A; application granted; publication of CN114844716B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a digital signature message processing method, a device, equipment and a computer medium, wherein the method comprises the following steps: receiving a digital signature message forwarded by access equipment and a destination address thereof; storing the digital signature message, the equipment information of the access equipment and the user identification information of the first host connected with the access equipment, and transmitting the digital signature message to a second host based on the destination address; if a digital signature message negotiation verification request sent by a second host is received, the digital signature message and the user identification information are sent to the access equipment based on the equipment information, so that the access equipment carries out fake message detection on the first host sending the digital signature message based on the user identification information. The method and the device can efficiently identify the forged digital signature message without introducing an authoritative Certification Authority (CA) mechanism, effectively improve the safety and reliability of a network system and reduce the operation cost of overall business.

Description

Digital signature message processing method, device, equipment and computer medium

Technical field

The present application relates to the field of computer information transmission and security, and in particular to a digital signature message processing method, device, equipment and computer medium.

Background

A digital signature is an encryption mechanism and a proof mechanism for network information transmission. It is a digital string that only the sender of the information or message can produce and that others cannot forge; the string is also an effective proof of the authenticity of the information sent by the sender.

The difficulty of digital signature algorithms, however, is that it is hard to ensure that a message was signed by sender A: although a digital signature is produced by the owner of the private key, only the owner knows what the private key is. If some third party uses sender A's private key to produce a digital signature and sends it to receiver B over the Internet, B cannot judge whether the digital signature was made by A. In other words, a digital signature cannot guard against a third party generating a signature with the genuine sender's private key, which leaves the message receiver unable to identify a forged digitally signed message.

Summary of the invention

In view of the above problems, the present application provides a digital signature message processing method, device, equipment and computer medium, to solve the problem that a third party generates a digital signature with the genuine sender's private key, leaving the message receiver unable to identify the forged digitally signed message.

To achieve the above object, the present application provides the following technical solutions:

In a first aspect, the present application provides a digital signature message processing method, applied to a forwarding device, the method including:

receiving a digitally signed message and its destination address forwarded by an access device, where the digitally signed message and its destination address were received by the access device from a first host connected to it and forwarded to the forwarding device, and the digitally signed message carries a public key, a file and a digital signature;

storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, and sending the digitally signed message to a second host based on the destination address;

if a digital signature message negotiation verification request sent by the second host is received, sending the digitally signed message and the user identification information to the access device based on the device information, so that the access device performs forged message detection on the first host that sent the digitally signed message, based on the user identification information.

In one embodiment, the digital signature message negotiation verification request is sent by the second host to the forwarding device when the second host recognises differing digital signatures.

In one embodiment, after receiving the digitally signed message forwarded by the access device and before storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, the method further includes:

identifying, based on the destination address, whether the second host that is to receive the digitally signed message is a host connected to the forwarding device itself, and if so, performing the step of storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it.

In one embodiment, the digitally signed message is forwarded by the access device after it receives the digital signature from the first host connected to it and writes the access device's first tag into a first specific field of the digitally signed message.

In one embodiment, after receiving the digitally signed message forwarded by the access device and before storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, the method further includes:

if the digitally signed message does not carry the forwarding device's own second tag, writing the forwarding device's second tag into a second specific field of the digitally signed message.

In a second aspect, the present application provides another digital signature message processing method, applied to an access device, the method including:

receiving a digitally signed message and its destination address sent by a first host connected to the access device itself, where the digitally signed message carries a public key, a file and a digital signature;

forwarding the digitally signed message to a forwarding device based on the destination address, so that the forwarding device stores the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, sends the digitally signed message to a second host based on the destination address, and, when it receives a digital signature message negotiation verification request sent by the second host, sends the digitally signed message to the access device based on the device information and the user identification information;

performing forged message detection on the first host that sent the digitally signed message, based on the user identification information.

In one embodiment, the digital signature message negotiation verification request is sent by the second host to the forwarding device when the second host recognises differing digital signatures.

In one embodiment, after receiving the digitally signed message sent by the first host connected to the access device itself and before forwarding the digitally signed message to the forwarding device based on the destination address, the method further includes:

writing the access device's own first tag into a first specific field of the digitally signed message.

In one embodiment, performing forged message detection on the first host that sent the digitally signed message based on the user identification information includes:

judging whether a session between the first host and the second host exists in the first host's historical session records, and if so, determining that the first host that sent the digitally signed message is a valid host and that the digitally signed message is a valid message.

In one embodiment, performing forged message detection on the first host that sent the digitally signed message based on the user identification information includes:

sending counterfeit messages of other services to the first host, judging whether the first host, after receiving the counterfeit messages, uses other user identification information to process them, and if so, determining that the first host that sent the digitally signed message is a valid host and that the digitally signed message is a valid message.
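The forwarding-device flow of the first aspect and the access-device flow of the second aspect, modelled together as an added example (not the patent's own code): the access device writes its first tag, the forwarding device checks that the destination is its own host, writes its second tag, stores the record and delivers, the second host requests negotiation when it sees a differing signature for the same claimed sender, and the recording access device applies the session-history check. Host names X, Y, Z, A, B, C follow the figure 3 layout; the tag field names, record layout and session history are constructed.

```python
"""Toy in-memory model of the negotiated forged-message check (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignedMessage:
    claimed_sender: str          # user identification the message claims to come from
    public_key: str
    file: bytes
    signature: str
    tag1: Optional[str] = None   # first specific field, written by the access device
    tag2: Optional[str] = None   # second specific field, written by the forwarding device


class AccessDevice:
    def __init__(self, name, forwarder, session_history):
        self.name = name
        self.forwarder = forwarder
        # constructed history: first host -> set of hosts it has had sessions with
        self.session_history = session_history

    def receive_from_host(self, host, msg, dst):
        """Second aspect: write the first tag, then forward with the destination address."""
        msg.tag1 = self.name
        return self.forwarder.receive(self, host, msg, dst)

    def detect_forgery(self, host, dst):
        """Session-history embodiment: valid only if host and dst have a recorded session."""
        return dst in self.session_history.get(host, set())


class ForwardingDevice:
    def __init__(self, name, connected_hosts):
        self.name = name
        self.connected_hosts = set(connected_hosts)
        self.records = {}   # record id -> (msg, access device, user id, destination)
        self.inbox = {}     # second host -> delivered (record id, msg) pairs

    def receive(self, access_dev, host, msg, dst):
        """S401/S402 with both embodiments: own-host check, second tag, store, deliver."""
        if dst not in self.connected_hosts:
            return None                      # destination is not our host: store nothing
        if msg.tag2 is None:
            msg.tag2 = self.name
        record_id = len(self.records)
        self.records[record_id] = (msg, access_dev, host, dst)
        self.inbox.setdefault(dst, []).append((record_id, msg))
        return record_id

    def negotiate(self, record_id):
        """S403: on the second host's request, hand message and user id back to the
        recording access device, which runs forged-message detection on the first host."""
        msg, access_dev, host, dst = self.records[record_id]
        return access_dev.detect_forgery(host, dst)


def second_host_review(forwarder, me):
    """Second host: request negotiation whenever a claimed sender shows up with a
    signature different from the one already seen. Returns record id -> verdict."""
    seen = {}
    verdicts = {}
    for record_id, msg in forwarder.inbox.get(me, []):
        prior = seen.setdefault(msg.claimed_sender, msg.signature)
        if msg.signature != prior:
            verdicts[record_id] = forwarder.negotiate(record_id)
    return verdicts


def run_scenario():
    """Host A behind access device X, host C behind Z, receiver B behind forwarder Y."""
    y = ForwardingDevice("Y", connected_hosts={"B"})
    x = AccessDevice("X", y, session_history={"A": {"B"}})   # A has talked to B before
    z = AccessDevice("Z", y, session_history={"C": set()})   # C never has
    file = b"constructed file content"
    genuine = SignedMessage("A", "pubkey-A", file, "sig-A-1")
    forged = SignedMessage("A", "pubkey-C", file, "sig-C-1")  # C claims to be A
    rid_a = x.receive_from_host("A", genuine, dst="B")
    rid_c = z.receive_from_host("C", forged, dst="B")
    verdicts = second_host_review(y, "B")
    other = y.receive(x, "A", SignedMessage("A", "k", b"", "s"), dst="D")  # not Y's host
    return {
        "record_ids": (rid_a, rid_c),
        "tags": (genuine.tag1, genuine.tag2, forged.tag1, forged.tag2),
        "verdicts": verdicts,           # only the second, differing message is negotiated
        "ignored_for_other_host": other,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The verdict for the forged record is False because access device Z finds no session between C and B; the genuine record is never negotiated, since B saw no differing signature before it.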

In a third aspect, the present application provides a digital signature message processing device, applied to a forwarding device, including:

a first receiving module, configured to receive a digitally signed message and its destination address forwarded by an access device, where the digitally signed message and its destination address were received by the access device from a first host connected to it and forwarded to the forwarding device, and the digitally signed message carries a public key, a file and a digital signature;

a storage module, configured to store the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, and to send the digitally signed message to a second host based on the destination address;

a sending and detection module, configured to, if a digital signature message negotiation verification request sent by the second host is received, send the digitally signed message and the user identification information to the access device based on the device information, so that the access device performs forged message detection on the first host that sent the digitally signed message, based on the user identification information.

In a fourth aspect, the present application provides a digital signature message processing device, applied to an access device, the device including:

a second receiving module, configured to receive a digitally signed message and its destination address sent by a first host connected to the access device itself, where the digitally signed message carries a public key, a file and a digital signature;

a forwarding module, configured to forward the digitally signed message to a forwarding device based on the destination address, so that the forwarding device stores the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, sends the digitally signed message to a second host based on the destination address, and, when it receives a digital signature message negotiation verification request sent by the second host, sends the digitally signed message to the access device based on the device information and the user identification information;

a detection module, configured to perform forged message detection on the first host that sent the digitally signed message, based on the user identification information.

In a fifth aspect, a forwarding device is provided, including a processor and a memory;

the memory stores computer-executable instructions;

the processor executes the computer-executable instructions stored in the memory, causing the forwarding device to perform the digital signature message processing method described above.

In a sixth aspect, an access device is provided, including a processor and a memory;

the memory stores computer-executable instructions;

the processor executes the computer-executable instructions stored in the memory, causing the access device to perform the other digital signature message processing method described above.

In a seventh aspect, a computer-readable storage medium is provided, which stores computer-executable instructions that, when executed by a processor, implement the digital signature message processing method described above or the other digital signature message processing method described above.

According to the digital signature message processing method, device, equipment and computer medium provided by the present application, a negotiation and decision mechanism between intermediate devices (the access device and the forwarding device) is used: when a digitally signed message is transmitted between sender and receiver, the access device and the forwarding device admit and forward it, record and store the digitally signed message together with the device information of the corresponding access device and the user identification information of the first host connected to it, and use the detection function of the intermediate devices to detect messages with forged digital signatures. Forged digitally signed messages can thus be identified efficiently without introducing an authoritative certification authority (CA), which effectively improves the security and reliability of the network system and reduces the operating cost of the overall service.

Description of the drawings

FIG. 1 is a schematic diagram of a network architecture for digitally signed message transmission in the related art;

FIG. 2 is a schematic diagram of a network architecture for digitally signed message transmission in the related art in which forged messages are present;

FIG. 3 is a schematic diagram of a possible network architecture according to an embodiment of the present application;

FIG. 4 is a schematic flowchart of a digital signature message processing method provided by an embodiment of the present application;

FIG. 5 is a schematic flowchart of another digital signature message processing method provided by an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a digital signature message processing device provided by an embodiment of the present application;

FIG. 7 is a schematic structural diagram of another digital signature message processing device provided by an embodiment of the present application;

FIG. 8 is a schematic structural diagram of a forwarding device provided by an embodiment of the present application;

FIG. 9 is a schematic structural diagram of an access device provided by an embodiment of the present application;

FIG. 10 is a schematic structural diagram of a digital signature message processing system provided by an embodiment of the present application.

Detailed description of the embodiments

To ease understanding of the embodiments of the present application, the digital signature mechanism is explained first. It can be compared to a person signing their own name on a document: when they sign on paper, we can verify (for example, by the handwriting) that the signature indeed came from that person. When a person signs a document digitally, how can it be verified that the digital signature came from that person? The digital signature mechanism exists to solve this problem. With reference to FIG. 1, the mechanism is as follows:

1) Suppose communication takes place between A (the sender) and B (the receiver).

2) A generates a public key and a private key according to the RSA encryption algorithm;

3) a hash operation is performed on the file to be transmitted, giving the file hash value H;

4) the file hash value is encrypted with the private key, giving the digital signature S;

5) A sends the public key, the file and the digital signature to B over the Internet;

6) after receiving the above, B begins to verify whether the digital signature was made by A, in the following steps;

7) B decrypts S with the public key, obtaining the file hash value G (this is a property of the RSA encryption algorithm: decryption can be completed with the public key);

8) B performs the hash operation on the received file, obtaining G';

9) B compares G and G'; if G = G', the signature is concluded to hold, otherwise a negative conclusion is drawn.

These are the overall steps of a digital signature. The process guarantees that the file was not tampered with while in transit over the Internet; otherwise G = G' cannot be obtained, because the hash value changes once the file is tampered with.

The above process involves two important concepts, the RSA encryption algorithm and the hash algorithm. RSA is a symmetric encryption algorithm in which encryption and decryption can proceed in both directions. Specifically, the encrypting party produces a pair of public and private keys, encrypts the file with the private key and publishes the public key at the same time. By the nature of RSA, the decrypting party only needs to obtain the public key to decrypt the encrypted file, without obtaining the encrypting party's private key. A hash is a one-way encryption algorithm (an open algorithm); the common Message-Digest Algorithm (MD5) is a hash algorithm. A hash algorithm can encrypt any type of file and yields a fixed-length digit string. That string corresponds to the encrypted file, but the source file cannot be recovered from it.

The difficulty of digital signature algorithms, however, is that it is hard to ensure that the file was signed by A, because a digital signature can only be produced by the owner of the private key, yet only the owner knows what the private key is. If some third party produces a digital signature with its own private key and sends it to B over the Internet, B cannot judge whether the digital signature was made by A, as shown in FIG. 2.
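Steps 2) to 9) above, together with the FIG. 2 case of a third party signing with its own key pair, as an added example in textbook RSA (not code from the patent). RSA is used here as a public-key scheme: the signature is the file's SHA-256 hash raised to the private exponent, and the hash is reduced modulo n only so that the constructed toy primes (far too small for real use) can carry it.

```python
"""Toy RSA sign/verify following the page's steps 2) to 9) (added example)."""
import hashlib

# Constructed toy parameters: two Mersenne primes, so n is about 150 bits.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Step 2): return (public key (e, n), private key (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def file_hash(file_bytes, n):
    """Step 3): hash the file; reduced mod n only so the toy modulus can carry it."""
    h = int.from_bytes(hashlib.sha256(file_bytes).digest(), "big")
    return h % n


def sign(private_key, file_bytes):
    """Step 4): S = H^d mod n, i.e. the hash 'encrypted' with the private key."""
    d, n = private_key
    return pow(file_hash(file_bytes, n), d, n)


def verify(public_key, file_bytes, signature):
    """Steps 7) to 9): G = S^e mod n, G' = hash(file); the signature holds iff G == G'."""
    e, n = public_key
    g = pow(signature, e, n)
    g_prime = file_hash(file_bytes, n)
    return g == g_prime


def receiver_b_checks(bundle):
    """Step 5)/6): B only sees the (public key, file, signature) bundle that arrived."""
    public_key, file_bytes, signature = bundle
    return verify(public_key, file_bytes, signature)


def demo():
    file_a = b"contract v1: pay 100 units to account 42"   # constructed file content
    pub_a, priv_a = generate_keypair()
    bundle_a = (pub_a, file_a, sign(priv_a, file_a))

    # Tampering in transit changes the hash, so G != G' and the check fails.
    tampered = (pub_a, b"contract v1: pay 900 units to account 42", bundle_a[2])

    # FIG. 2: a third party signs the same file with its OWN key pair and ships its
    # own public key. B's check succeeds, so B cannot tell this bundle from A's.
    pub_c, priv_c = generate_keypair(p=2**107 - 1, q=2**127 - 1)
    bundle_c = (pub_c, file_a, sign(priv_c, file_a))

    return {
        "genuine": receiver_b_checks(bundle_a),
        "tampered": receiver_b_checks(tampered),
        "third_party_key": receiver_b_checks(bundle_c),
        "same_public_key": pub_a == pub_c,
    }


if __name__ == "__main__":
    print(demo())
```

The third bundle verifies even though A never signed it, which is exactly the gap the page attributes to digital signatures without a trust anchor for the public key.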

由于公钥和私钥总是配对生产的,因此,某一私钥的拥有者也是对应公钥的生成者,而由于公钥是不可欺骗的(因为它时刻公开在互联网上),因此只需要证明公钥是由A生成的即可。针对上述问题,相关技术中为了保证数字签名的真实性,普遍采用的方法是数字证书的形式,利用数字证书颁发机构(Certificate Authority,CA)向A颁发数字证书,具体地,A将个人信息和公钥信息发给CA,CA为其颁发一个证书。该证书里记录了A的个人信息与其公钥,之后,A将该证书也放到互联网上。这样,B就可以确定,该公钥是否属于A了。Since the public key and the private key are always produced in pairs, the owner of a certain private key is also the generator of the corresponding public key, and since the public key is unspoofable (because it is always published on the Internet), it is only necessary to prove that the public key was generated by A. In view of the above problems, in order to ensure the authenticity of digital signatures in related technologies, the commonly used method is in the form of digital certificates, using a digital certificate authority (Certificate Authority, CA) to issue digital certificates to A. Specifically, A sends personal information and public key information to CA, and CA issues a certificate for it. The certificate records A's personal information and its public key, and then A also puts the certificate on the Internet. In this way, B can determine whether the public key belongs to A.

但该机制的缺点在于,1)严重依赖的数字认证机构。如果CA出错,那么会带来严重的后果;2)该机制会带来很高的运营成本,而且通信各方都要为得到签名证书而支付很高的服务费,即便网络通信一切正常。随着用户数的增长,该机制的运营成本会变得越来越高。But the shortcoming of this mechanism is, 1) the digital certificate authority that relies heavily on. If the CA makes a mistake, it will bring serious consequences; 2) This mechanism will bring high operating costs, and all parties to the communication must pay a high service fee for obtaining the signed certificate, even if the network communication is normal. As the number of users grows, the operating cost of this mechanism will become higher and higher.

有鉴于此,本申请实施例提供了一种数字签名报文处理方案,采用转发设备协商决策的机制,在发送者和接收者之间传输数字签名报文时,利用接入设备、转发设备对数字签名报文进行接入和转发,并记录转发过程,利用接入设备和转发设备之间的协商和判断的功能,对伪造数字签名的报文进行检测。其可在不引入权威认证CA机构的基础下,帮助通信网络有效的利用数字签名,降低数字签名伪造报文的成功率,有效提高网络系统的安全可靠性,降低整体业务的运营成本。In view of this, the embodiment of the present application provides a digitally signed message processing solution, which adopts the forwarding device negotiation decision-making mechanism, and uses the access device and the forwarding device to access and forward the digitally signed message when transmitting the digitally signed message between the sender and the receiver, and records the forwarding process, and uses the negotiation and judgment functions between the access device and the forwarding device to detect forged digitally signed messages. It can help the communication network to effectively use digital signatures without introducing an authoritative certification CA organization, reduce the success rate of digital signature forged messages, effectively improve the security and reliability of the network system, and reduce the operating costs of the overall business.

为使本申请的目的、技术方案和优点更加清楚,下面将结合本申请的实施例中的附图,对本申请实施例中的技术方案进行更加详细的描述。在附图中,自始至终相同或类似的标号表示相同或类似的部件或具有相同或类似功能的部件。所描述的实施例是本申请一部分实施例,而不是全部的实施例。下面通过参考附图描述的实施例是示例性的,旨在用于解释本申请,而不能理解为对本申请的限制。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be described in more detail below in conjunction with the drawings in the embodiments of the present application. In the drawings, the same or similar reference numerals denote the same or similar components or components having the same or similar functions throughout. The described embodiments are some, but not all, embodiments of the application. The embodiments described below by referring to the figures are exemplary, and are intended to explain the present application, and should not be construed as limiting the present application. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the scope of protection of this application.

图3为本申请实施例提供的一种可能的网络架构图,如图3所示,包括第一接入设备X、第二接入设备Z,转发设备Y,其中第一接入设备X、第二接入设备Z与转发设备Y之间可通过有线或者无线网络相互连接。示例性的,第一接入设备X、第二接入设备Z与转发设备Y的数据传输链路上还可以包括其他通信设备,其中第一接入设备X连接主机A,第二接入设备Z连接主机C,转发设备连接主机B,主机A和主机C分别对应报文发送者,主机B对应报文接收者。FIG. 3 is a possible network architecture diagram provided by the embodiment of the present application. As shown in FIG. 3 , it includes a first access device X, a second access device Z, and a forwarding device Y, wherein the first access device X, the second access device Z, and the forwarding device Y can be connected to each other through a wired or wireless network. Exemplarily, the data transmission link between the first access device X, the second access device Z, and the forwarding device Y may also include other communication devices, wherein the first access device X is connected to host A, the second access device Z is connected to host C, and the forwarding device is connected to host B. Host A and host C correspond to the sender of the message, and host B corresponds to the receiver of the message.

其中,第一接入设备X、第二接入设备Z,转发设备Y是能够接收和转发数字签名报文的终端设备,可以包括但不限于,电脑、智能手机、平板电脑、电子书阅读器、动态影像专家压缩标准音频层面3(Moving Picture experts group audio layer III,简称MP3)播放器、动态影像专家压缩标准音频层面4(Moving Picture experts group audio layer IV,简称MP4)播放器、便携计算机、车载电脑、可穿戴设备、台式计算机、机顶盒、智能电视等等。Among them, the first access device X, the second access device Z, and the forwarding device Y are terminal devices capable of receiving and forwarding digitally signed messages, which may include, but are not limited to, computers, smart phones, tablet computers, e-book readers, Moving Picture experts group audio layer III (MP3 for short) players, and Moving Picture experts group audio layer IV (MP4 for short) players , portable computers, car computers, wearable devices, desktop computers, set-top boxes, smart TVs, and more.

可选地,在其他示例中接入设备的数量可以更多或更少,本申请实施例对此不加以限定。Optionally, in other examples, the number of access devices may be more or less, which is not limited in this embodiment of the present application.

主机是指计算机除去输入输出设备以外的主要机体部分,也是用于放置主板及其他主要部件的控制箱体(容器Mainframe)。通常包括CPU、内存、主板、硬盘、光驱、电源、机箱、散热系统以及其他输入输出控制器和接口。在本实施例中是关于发送与接收信息的终端设备。The mainframe refers to the main body part of the computer except the input and output devices, and it is also the control box (container Mainframe) for placing the motherboard and other main components. Usually includes CPU, memory, motherboard, hard disk, optical drive, power supply, chassis, cooling system, and other input and output controllers and interfaces. In this embodiment it is about terminal equipment that sends and receives information.

上面对本申请的场景示意图进行了简单说明,下面以应用于图1中的接入设备X、转发设备Y为例,来详细说明本申请实施例提供的数字签名报文处理方法。The above is a brief description of the schematic diagram of the scenario of this application. The following uses the access device X and forwarding device Y in FIG. 1 as examples to describe the digital signature message processing method provided by the embodiment of this application in detail.

Referring to FIG. 4, FIG. 4 is a schematic flowchart of a digitally signed message processing method provided by an embodiment of the present application, applied to the forwarding device Y; the method includes steps S401 to S403.

Step S401: receive a digitally signed message and its destination address forwarded by an access device, where the digitally signed message and its destination address were received by the access device from the first host connected to it and forwarded to the forwarding device, and the digitally signed message carries a public key, a file and a digital signature.

It can be understood that a digitally signed message is a message that verifies the identity of the transmitting party by means of a digital signature; this does not specifically limit the type or content of the message.

In this embodiment the first host is host A and the second host is host B. In place of the direct message transmission between host A and host B in the prior art, when host A needs to transmit a digitally signed message to host B it uses intermediate devices, namely access device X and forwarding device Y, to forward the digitally signed message. Specifically, host A first sends the digitally signed message containing the public key, the file and the digital signature to access device X, and sets the destination address of the message to the address of B. After receiving the message, access device X recognises it as a digitally signed message and enters the subsequent message forwarding steps.

Step S402: store the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, and send the digitally signed message to the second host based on the destination address.

In this embodiment, after receiving the digitally signed message the forwarding device records and stores the digitally signed message information, the device information of access device X and the user identification (ID) information of host A, and forwards the digitally signed message to host B. By storing this information, when host B recognises different digital signatures, the access device and host corresponding to the possibly forged digitally signed message can be quickly located from the stored information, and the possibly forged digitally signed message can then be verified.

It should be noted that the forwarding device Y of this embodiment is the last hop of the digitally signed message in the network. In some embodiments, if the receiver host B is not a host connected to forwarding device Y, forwarding device Y continues to forward the digitally signed message to the next-hop forwarding device until it reaches the forwarding device connected to host B. In that case the digitally signed message, the device information of the access device and the user identification information of the first host connected to it may be stored only by the forwarding device of the last hop or of any other hop, or by the forwarding device of every hop; this embodiment does not limit this.

Step S403: if a digitally signed message negotiation verification request sent by the second host is received, send the digitally signed message and the user identification information to the access device based on the device information, so that the access device performs forged-message detection on the first host that sent the digitally signed message, based on the user identification information.

The digitally signed message negotiation verification request is sent by the second host to the forwarding device when it recognises different digital signatures.

Specifically, if host B receives only one kind of digital signature information within a specific time range, the message is taken to be the digital signature sent by host A (assuming host A is the genuine identity) and the digital signature sending process ends; if host B receives more than one kind of digital signature information within the specific time range, it determines that a forger targeting this digital signature exists in the network. At this point host B sends a digitally signed message negotiation verification request message to forwarding device Y. It can be understood that the specific time range may be set according to the actual application, for example the time period in which messages are transmitted between A and B.

After receiving the digitally signed message negotiation verification request from host B, forwarding device Y sends, based on the stored device information, the digitally signed message and the user identification information to the corresponding access device X (and also to access device Z, if the device information of access device Z has been stored), so that access device X (and access device Z) perform forged-message detection on the first host that sent the digitally signed message, based on the user identification information.

Further, the forged-message detection process may be as follows: after access device X (and access device Z) receives the message, each initiates a check of host A (and of host C, which is connected to access device Z), and may at the same time start a negotiation process with the other party (between access device X and access device Z). Exemplarily, taking the check performed by X as an example: in example one, access device X examines the previous session records of host A, and if it determines that a session took place between A and B, it determines that A is a valid host; in example two, access device X sends host A a counterfeit message of another service, and if host A uses a different user ID (usually its real user ID), it determines that host A is a valid host. Through the above methods, access device X and access device Z can each identify the genuine user, namely A. As an optimisation, access device X and access device Z initiate negotiation interaction messages, and access device Z places the address of host C on a blacklist, thereby ruling out subsequent forged-message operations by host C.

In the above process, authenticity verification of the digitally signed message is achieved using only the negotiation and interaction between the access device and the forwarding device, without introducing an authoritative CA institution as in the related art. This helps the communication network make effective use of digital signatures, reduces the success rate of forged digitally signed messages, improves the security and reliability of the network system, and lowers the operating cost of the overall service.

In one implementation, after receiving the digitally signed message forwarded by the access device (step S401) and before storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it (step S402), the method further includes the following step:

identifying, based on the destination address, whether the second host that is to receive the digitally signed message is a host connected to the device itself, and if so, performing the step of storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it.

In this embodiment, considering that forwarding device Y may act as an intermediate router in the transmission network, or that the host connected to it may not be the receiver device, forwarding device Y stores and sends the above information only when it recognises that the receiver device is a host connected to forwarding device Y, so as to avoid storing and forwarding useless information. In other words, the subsequent steps are performed only when the receiver device is a host connected to forwarding device Y, that is, when forwarding device Y is the last hop of the digitally signed message transmission.

In one implementation, in order to record information such as the network devices traversed during transmission of the digitally signed message and thereby facilitate detection of forged messages, the digitally signed message of this embodiment is forwarded by the access device after it receives the digital signature from the first host connected to it and writes the first label of the access device into a first specific field of the digitally signed message.

It should be noted that the terms first label and second label are used only to distinguish different label information and have no other meaning. The first label of the access device may be the egress IP address and MAC address of the access device; correspondingly, the second label of the forwarding device may be the egress IP address and MAC address of the forwarding device.

Further, forwarding device Y also writes its own label information into the digitally signed message to record the network devices traversed during transmission. Specifically, after receiving the digitally signed message forwarded by the access device (step S401) and before storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it (step S402), the method further includes the following step:

if the digitally signed message does not carry the second label of the device itself, writing the second label of the device itself into a second specific field of the digitally signed message.

In some embodiments forwarding device Y, access device X or another forwarding device may already have stamped the label information of forwarding device Y into the digitally signed message; in that case forwarding device Y does not need to stamp its label information again.

Referring to FIG. 5, FIG. 5 is a schematic flowchart of another digitally signed message processing method provided by an embodiment of the present application, applied to the access device X; the method includes steps S501 to S503.

Step S501: receive a digitally signed message and its destination address sent by the first host connected to the device itself, the digitally signed message carrying a public key, a file and a digital signature;

Step S502: forward the digitally signed message to a forwarding device based on the destination address, so that the forwarding device stores the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, sends the digitally signed message to the second host based on the destination address, and, on receiving a digitally signed message negotiation verification request sent by the second host, sends the digitally signed message to the access device based on the device information and the user identification information;

Step S503: perform forged-message detection on the first host that sent the digitally signed message, based on the user identification information.

In one implementation, the digitally signed message negotiation verification request is sent by the second host to the forwarding device when it recognises different digital signatures.

In one implementation, after receiving the digitally signed message sent by the first host connected to the device itself and before forwarding the digitally signed message to the forwarding device based on the destination address, the method further includes:

writing the first label of the device itself into a first specific field of the digitally signed message.

In one implementation, counterfeit messages are judged by examining historical sessions. Specifically, performing forged-message detection on the first host that sent the digitally signed message based on the user identification information (step S503) includes the following step:

judging whether a session between the first host and the second host exists in the historical session records of the first host, and if so, determining that the first host that sent the digitally signed message is a valid host and that the digitally signed message is a valid message.

In one implementation, the identity of the host is identified by sending a counterfeit message. Performing forged-message detection on the first host that sent the digitally signed message based on the user identification information (step S503) includes the following step:

sending a counterfeit message of another service to the first host, and judging whether, after receiving the counterfeit message, the first host uses other user identification information to process it; if so, determining that the first host that sent the digitally signed message is a valid host and that the digitally signed message is a valid message.

It should be noted that the principles of the above steps have been described in detail in the foregoing embodiments and are not repeated here.

In an exemplary embodiment, with reference to the network architecture diagram provided by the present application as shown in FIG. 3, the flow of the digitally signed message processing method provided by the present application is as follows:

1) A sends the public key, the file and the digital signature to access device X, and sets the destination address of the message to the address of B;

2) X recognises the digitally signed message, stamps the message with the label of its own device, the content of the label being the egress IP address and MAC address of the device, and forwards the message;

3) the forwarding devices on the forwarding path recognise the message, and when they see that a forwarding device's label information is already present in the specific field, they do not fill in their own device's label;

4) when forwarding device Y recognises that the destination address of the message is a host device connected to itself, it can determine that it is the last hop of the message in the network;

5) forwarding device Y records the digitally signed message information and the address information of access device X and of sender A's user ID, and forwards the message to B;

6) if B receives only one kind of digital signature information within a specific time range, it judges the message to be the digital signature sent by A, and the digital signature sending process ends;

7) if B receives more than one kind of digital signature information within the specific time range, it judges that a forger targeting this digital signature exists in the network. At this point B sends a digitally signed message negotiation request message to Y;

8) at this point Y has recorded different public key information and access device information for the same user ID (namely A's user ID), that is, A_ID:X and A_ID:Z. Y sends the relevant messages and the address information of X and Z to X and Z respectively;

9) after receiving the messages, X and Z initiate checks of hosts A and C respectively, and start a negotiation process with each other (between X and Z). The specific check can be of two kinds; taking X's check as an example: the first is that access device X examines the previous session records of host A, and if it determines that a session took place between A and B, it determines that A is a valid host; the second is that access device X sends host A a counterfeit message of another service, and if host A uses a different user ID (usually its real user ID), it determines that host A is a valid host. Through the above methods X and Z can each identify the genuine user, namely A;

10) X and Z initiate negotiation interaction messages, and Z places the address of host C on a blacklist, thereby ruling out subsequent forged-message operations by C.

Through the above flow, the success rate of forged digitally signed messages can be effectively reduced without resorting to an authoritative certification authority, the reliability of the network system is effectively improved, and the operating cost of the overall service is reduced.
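The store-and-negotiate flow of steps 1) to 10) above, together with the stamping of the first and second specific fields described earlier, as an added Python simulation that is not the patent's own code: it models a forwarding device Y that records (message, access device, user ID) only when it is the last hop and stamps its own label only if none is present, a receiver host B that raises the negotiation request when it sees more than one public key for the same user ID within its time window, and access devices X and Z that apply the session-history check (example one) and blacklist the host that fails it. The message field layout, the label strings (egress IP/MAC), the keying of Y's records by user ID and the 60-second window are constructed assumptions; the counterfeit-message check (example two) is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SignedMessage:
    """Digitally signed message of step S401 (constructed layout; the patent fixes no wire format)."""
    user_id: str            # sender's user identification, e.g. "A_ID"
    public_key: str         # public key carried in the message
    payload: bytes          # the signed file
    signature: str          # the digital signature over the file
    dst: str                # destination host name
    ts: float               # send time, used for host B's time window (assumed)
    first_tag: Optional[str] = None    # first specific field: access device egress IP/MAC
    second_tag: Optional[str] = None   # second specific field: forwarding device egress IP/MAC


class AccessDevice:
    """Access device X or Z: stamps the message, later checks its own host (S501 to S503)."""

    def __init__(self, name: str, tag: str) -> None:
        self.name, self.tag = name, tag
        self.session_history: Dict[str, Set[Tuple[str, str]]] = {}  # host -> {(src, dst)}
        self.blacklist: Set[str] = set()

    def send(self, host: str, msg: SignedMessage, fwd: "ForwardingDevice") -> None:
        msg.first_tag = self.tag            # step 2): write the first label
        fwd.receive(self, host, msg)

    def check_host(self, host: str, dst: str) -> bool:
        # Example one: a prior session between host and dst means a valid host
        return (host, dst) in self.session_history.get(host, set())


class Host:
    """Receiver host B: counts distinct public keys per user ID inside a time window."""

    def __init__(self, name: str, window: float) -> None:
        self.name, self.window, self.inbox = name, window, []

    def receive(self, msg: SignedMessage) -> None:
        self.inbox.append(msg)

    def conflicting_user_ids(self, now: float) -> Set[str]:
        # Steps 6) and 7): more than one signature for the same user ID within the window
        keys: Dict[str, Set[str]] = {}
        for m in self.inbox:
            if now - m.ts <= self.window:
                keys.setdefault(m.user_id, set()).add(m.public_key)
        return {uid for uid, ks in keys.items() if len(ks) > 1}


class ForwardingDevice:
    """Forwarding device Y, the last hop: records (access device, host, message) per user ID."""

    def __init__(self, tag: str) -> None:
        self.tag = tag
        self.hosts: Dict[str, Host] = {}
        self.records: Dict[str, List[Tuple[AccessDevice, str, SignedMessage]]] = {}

    def receive(self, access: AccessDevice, src_host: str, msg: SignedMessage) -> bool:
        if msg.dst not in self.hosts:
            return False                 # not the last hop: would forward onward, store nothing
        if msg.second_tag is None:       # step 3): stamp only if no forwarding label is present
            msg.second_tag = self.tag
        self.records.setdefault(msg.user_id, []).append((access, src_host, msg))  # S402
        self.hosts[msg.dst].receive(msg)
        return True

    def negotiate(self, user_id: str) -> Dict[str, bool]:
        # S403 and steps 8) to 10): hand each stored record back to its access device
        verdicts: Dict[str, bool] = {}
        for access, src_host, msg in self.records.get(user_id, []):
            valid = access.check_host(src_host, msg.dst)
            verdicts[src_host] = valid
            if not valid:
                access.blacklist.add(src_host)   # step 10): the peer blacklists its forger
        return verdicts


def run_scenario() -> Dict[str, object]:
    """Constructed run of FIG. 3: A (via X) is genuine, C (via Z) reuses A's user ID."""
    y = ForwardingDevice(tag="Y:10.0.0.1/aa:bb:cc:00:00:03")
    b = Host("B", window=60.0)
    y.hosts["B"] = b
    x = AccessDevice("X", "X:10.0.0.2/aa:bb:cc:00:00:01")
    z = AccessDevice("Z", "Z:10.0.0.3/aa:bb:cc:00:00:02")
    x.session_history["A"] = {("A", "B")}        # A has talked to B before; C has not
    x.send("A", SignedMessage("A_ID", "pk_A", b"contract", "sig_A", "B", ts=10.0), y)
    z.send("C", SignedMessage("A_ID", "pk_C", b"contract", "sig_C", "B", ts=12.0), y)
    conflicts = b.conflicting_user_ids(now=20.0)
    verdicts = {uid: y.negotiate(uid) for uid in conflicts}
    return {"conflicts": conflicts, "verdicts": verdicts, "blacklist_Z": z.blacklist,
            "tags": [(m.first_tag, m.second_tag) for _, _, m in y.records["A_ID"]]}


if __name__ == "__main__":
    print(run_scenario())
```

Calling `run_scenario()` yields one conflict for `A_ID`, the verdicts `A: valid, C: invalid`, `C` on Z's blacklist, and both records stamped with X's or Z's first label and Y's second label. Note that the detection only fires when both senders reach B inside the same window; a forger who waits until the window has passed is not caught by this step alone.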

Correspondingly, an embodiment of the present application further provides a digitally signed message processing apparatus, as shown in FIG. 6, applied to a forwarding device and including a first receiving module 61, a storage module 62 and a sending-and-detection module, where:

the first receiving module 61 is configured to receive a digitally signed message and its destination address forwarded by an access device, where the digitally signed message and its destination address were received by the access device from the first host connected to it and forwarded to the forwarding device, and the digitally signed message carries a public key, a file and a digital signature;

the storage module 62 is configured to store the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, and to send the digitally signed message to a second host based on the destination address;

the sending-and-detection module 63 is configured to, if a digitally signed message negotiation verification request sent by the second host is received, send the digitally signed message and the user identification information to the access device based on the device information, so that the access device performs forged-message detection on the first host that sent the digitally signed message, based on the user identification information.

In one implementation, the digitally signed message negotiation verification request is sent by the second host to the forwarding device when it recognises different digital signatures.

In one implementation, the apparatus further includes:

an identification module, configured to identify, based on the destination address, whether the second host that is to receive the digitally signed message is a host connected to the device itself;

the storage module 62 is further configured to perform the step of storing the digitally signed message, the device information of the access device and the user identification information of the first host connected to it when the identification module identifies that the second host is a host connected to the device itself.

In one implementation, the digitally signed message is forwarded by the access device after it receives the digital signature from the first host connected to it and writes the first label of the access device into a first specific field of the digitally signed message.

In one implementation, the apparatus further includes:

a first writing module, configured to write the second label of the device itself into a second specific field of the digitally signed message if the digitally signed message does not carry the second label of the device itself.

Correspondingly, an embodiment of the present application provides a digitally signed message processing apparatus applied to an access device. As shown in FIG. 7, the apparatus includes a second receiving module 71, a forwarding module 72 and a detection module 73, where:

the second receiving module 71 is configured to receive a digitally signed message and its destination address sent by the first host connected to the device itself, the digitally signed message carrying a public key, a file and a digital signature;

the forwarding module 72 is configured to forward the digitally signed message to a forwarding device based on the destination address, so that the forwarding device stores the digitally signed message, the device information of the access device and the user identification information of the first host connected to it, sends the digitally signed message to the second host based on the destination address, and, on receiving a digitally signed message negotiation verification request sent by the second host, sends the digitally signed message to the access device based on the device information and the user identification information;

the detection module 73 is configured to perform forged-message detection on the first host that sent the digitally signed message, based on the user identification information.

In one implementation, the digitally signed message negotiation verification request is sent by the second host to the forwarding device when it recognises different digital signatures.

In one implementation, the apparatus further includes:

a second writing module, configured to write the first label of the device itself into a first specific field of the digitally signed message.

In one implementation, the detection module 73 is specifically configured to judge whether a session between the first host and the second host exists in the historical session records of the first host, and if so, to determine that the first host that sent the digitally signed message is a valid host and that the digitally signed message is a valid message.

In one implementation, the detection module 73 is specifically configured to send a counterfeit message of another service to the first host and to judge whether, after receiving the counterfeit message, the first host uses other user identification information to process it, and if so, to determine that the first host that sent the digitally signed message is a valid host and that the digitally signed message is a valid message.

Correspondingly, an embodiment of the present application further provides a forwarding device, as shown in FIG. 8, including a processor 81 and a memory 82;

the memory 82 stores computer-executable instructions;

the processor 81 executes the computer-executable instructions stored in the memory 82, so that the forwarding device performs the digitally signed message processing method described above.

Correspondingly, an embodiment of the present application further provides an access device, as shown in FIG. 9, including a processor 91 and a memory 92;

the memory 92 stores computer-executable instructions;

the processor 91 executes the computer-executable instructions stored in the memory 92, so that the access device performs the other digitally signed message processing method described above.

Correspondingly, the present application further provides a digitally signed message processing system. As shown in FIG. 10, the system includes an access device 100, a first host 200, a forwarding device 300 and a second host 400, where the access device is electrically connected to the first host and to the forwarding device, and the forwarding device is electrically connected to the access device and to the second host.

Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the digitally signed message processing method described above or the other digitally signed message processing method described above.

本申请实施例提供一种本领域普通技术人员可以理解,上文中所公开方法中的全部或某些步骤、系统、装置中的功能模块/单元可以被实施为软件、固件、硬件及其适当的组合。在硬件实施方式中,在以上描述中提及的功能模块/单元之间的划分不一定对应于物理组件的划分;例如,一个物理组件可以具有多个功能,或者一个功能或步骤可以由若干物理组件合作执行。某些物理组件或所有物理组件可以被实施为由处理器,如中央处理器、数字信号处理器或微处理器执行的软件,或者被实施为硬件,或者被实施为集成电路,如专用集成电路。这样的软件可以分布在计算机可读介质上,计算机可读介质可以包括计算机存储介质(或非暂时性介质)和通信介质(或暂时性介质)。The embodiment of the present application provides a person of ordinary skill in the art who can understand that all or some of the steps in the method disclosed above, the functional modules/units in the system, and the device can be implemented as software, firmware, hardware, and an appropriate combination thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).

如本领域普通技术人员公知的,术语计算机存储介质包括在用于存储信息(诸如计算机可读指令、数据结构、程序模块或其他数据)的任何方法或技术中实施的易失性和非易失性、可移除和不可移除介质。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字多功能盘(DVD)或其他光盘存储、磁盒、磁带、磁盘存储或其他磁存储装置、或者可以用于存储期望的信息并且可以被计算机访问的任何其他的介质。As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired information and that can be accessed by a computer.

此外,本领域普通技术人员公知的是,通信介质通常包含计算机可读指令、数据结构、程序模块或者诸如载波或其他传输机制之类的调制数据信号中的其他数据,并且可包括任何信息递送介质。In addition, communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and can include any information delivery media, as is known to those of ordinary skill in the art.

在本申请实施例的描述中,术语“和/或”仅仅表示一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,术语“至少一种”表示多种中的任一种或多种中的至少两种的任意组合,例如,包括A、B、中的至少一种,可以表示包括A、B和C沟通的集合中选择的任意一个或多个元素。In the description of the embodiment of the present application, the term "and/or" only means an association relationship describing associated objects, and means that there may be three kinds of relationships, for example, A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the term "at least one" means any combination of any one or more of at least two of the plurality, for example, including at least one of A, B, and may mean any one or more elements selected from the set consisting of A, B, and C.

在本申请实施例的描述中,术语“第一”、“第二”、“第三”、“第四”等(如果存在)是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的本申请的实施例能够以除了在这里图示或描述的那些以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元的过程、方法、系统、产品或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或单元。In the description of the embodiments of the present application, the terms "first", "second", "third", "fourth" and so on (if any) are used to distinguish similar objects, and not necessarily used to describe a specific sequence or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances such that the embodiments of the application described herein can be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover non-exclusive inclusion, for example, a process, method, system, product or device comprising a series of steps or elements is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not expressly listed or inherent to the process, method, product or device.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (13)

1. A method for processing a digitally signed message, the method being applied to a forwarding device, the method comprising:
receiving a digital signature message and a destination address thereof forwarded by an access device, wherein the digital signature message and the destination address thereof are received by the access device from a first host connected with the access device and forwarded to the forwarding device, and the digital signature message carries a public key, a file and a digital signature;
storing the digital signature message, the device information of the access device and the user identification information of the first host connected with the access device, and sending the digital signature message to a second host based on the destination address;
if a digital signature message negotiation verification request sent by the second host is received, sending the digital signature message and the user identification information to the access device based on the device information, so that the access device performs fake message detection on the first host that sent the digital signature message based on the user identification information;
wherein the access device performing fake message detection on the first host that sent the digital signature message based on the user identification information includes:
the access device judging whether a session between the first host and the second host exists in a history session record of the first host, and if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message;
or,
the access device sending imitation messages of other services to the first host, judging whether the first host, after receiving the imitation messages, uses other user identification information to process them, and if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message.
2. The method of claim 1, wherein the digital signature message negotiation verification request is issued by the second host to the forwarding device upon identification of a different digital signature.
3. The method of claim 1, further comprising, after receiving the digital signature message forwarded by the access device and before storing the digital signature message, the device information of the access device and the user identification information of the first host connected with the access device:
identifying, based on the destination address, whether the second host that is to receive the digital signature message is a host connected with the forwarding device, and if so, executing the step of storing the digital signature message, the device information of the access device and the user identification information of the connected first host.
4. The method of claim 1, wherein the digital signature message is forwarded after the access device receives the digital signature message from the first host connected with it and writes a first tag of the access device in a first specific field of the digital signature message.
5. The method according to claim 1 or 4, further comprising, after receiving the digital signature message forwarded by the access device and before storing the digital signature message, the device information of the access device and the user identification information of the first host connected with the access device:
if the digital signature message does not carry a second tag of the forwarding device, writing the second tag of the forwarding device in a second specific field of the digital signature message.
6. A method for processing a digitally signed message, the method being applied to an access device, the method comprising:
receiving a digital signature message and a destination address thereof sent by a first host connected with the access device, wherein the digital signature message carries a public key, a file and a digital signature;
forwarding the digital signature message to a forwarding device based on the destination address, so that the forwarding device stores the digital signature message, device information of the access device and user identification information of the first host connected with the access device, sends the digital signature message to a second host based on the destination address, and sends the digital signature message to the access device based on the device information and the user identification information when receiving a digital signature message negotiation verification request sent by the second host;
performing fake message detection on the first host that sent the digital signature message based on the user identification information;
wherein performing fake message detection on the first host that sent the digital signature message based on the user identification information includes:
judging whether a session between the first host and the second host exists in a history session record of the first host, and if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message;
or,
sending imitation messages of other services to the first host, judging whether the first host, after receiving the imitation messages, uses other user identification information to process them, and if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message.
7. The method of claim 6, wherein the digital signature message negotiation verification request is issued by the second host to the forwarding device upon identification of a different digital signature.
8. The method of claim 6, further comprising, after receiving the digitally signed message sent by the first host to which the access device is connected and before forwarding the digitally signed message to a forwarding device based on the destination address:
writing a first tag of the access device in a first specific field of the digital signature message.
9. A digitally signed message processing device, for use with a forwarding device, comprising:
a first receiving module, configured to receive a digital signature message and a destination address thereof forwarded by an access device, wherein the digital signature message and the destination address thereof are received by the access device from a first host connected with the access device and forwarded to the forwarding device, and the digital signature message carries a public key, a file and a digital signature;
a storage module, configured to store the digital signature message, device information of the access device and user identification information of the first host connected with the access device, and to send the digital signature message to a second host based on the destination address;
a sending detection module, configured to send the digital signature message and the user identification information to the access device based on the device information if a digital signature message negotiation verification request sent by the second host is received, so that the access device performs fake message detection on the first host that sent the digital signature message based on the user identification information;
wherein the access device performing fake message detection on the first host that sent the digital signature message based on the user identification information includes:
the access device judging whether a session between the first host and the second host exists in a history session record of the first host, and if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message;
or,
the access device sending imitation messages of other services to the first host, judging whether the first host, after receiving the imitation messages, uses other user identification information to process them, and if so, judging that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message.
10. A digitally signed message processing device for use with an access device, said device comprising:
a second receiving module, configured to receive a digital signature message and a destination address thereof sent by a first host connected with the access device, wherein the digital signature message carries a public key, a file and a digital signature;
a forwarding module, configured to forward the digital signature message to a forwarding device based on the destination address, so that the forwarding device stores the digital signature message, device information of the access device and user identification information of the first host connected with the access device, sends the digital signature message to a second host based on the destination address, and sends the digital signature message to the access device based on the device information and the user identification information when receiving a digital signature message negotiation verification request sent by the second host;
a detection module, configured to perform fake message detection on the first host that sent the digital signature message based on the user identification information;
wherein the detection module is specifically configured to judge whether a session between the first host and the second host exists in a history session record of the first host, and if so, to judge that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message;
or,
to send imitation messages of other services to the first host, judge whether the first host, after receiving the imitation messages, uses other user identification information to process them, and if so, judge that the first host that sent the digital signature message is a valid host and that the digital signature message is a valid message.
11. A forwarding device, comprising: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to cause the forwarding device to perform the digital signature message processing method of any one of claims 1-5.
12. An access device, comprising: a processor and a memory;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to cause the access device to perform the digital signature message processing method of any one of claims 6-8.
13. A computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, implement the digital signature message processing method of any one of claims 1-5 or the digital signature message processing method of any one of claims 6-8.
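The exchange claimed above, as an added simulation that is not part of the patent or of the applicant's code: the forwarding device stores the message together with the access device's identity and the sending host's user identification, hands it to the second host, and, on a negotiation verification request, routes the check back to the access device, which applies the two alternatives of claims 1 and 6 (a prior session in the history session record, or an imitation message of another service that the host processes under other user identification). The message layout, the tag field names `tag1` and `tag2`, the hash-based stand-in for a real signature, the host names and key labels, and the shape of the `probe` callback are all assumptions made for this illustration; the claims say nothing about how the imitation message is delivered or answered.

```python
# Added simulation of the exchange in claims 1 and 6 (not the patent's own
# code). Message layout, tag field names, the hash stand-in for a signature,
# host names, key labels and the probe callback are assumptions.
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Callable, Optional


def stand_in_signature(public_key: str, file: bytes) -> str:
    """Stand-in for a real signature check. A forger using its own key pair
    passes this, which is why the second host also compares the carried key
    with the key it knows for that user."""
    return sha256(public_key.encode() + file).hexdigest()


@dataclass
class SignedMessage:
    public_key: str
    file: bytes
    signature: str
    user_id: str                 # user identification information of the first host
    tag1: Optional[str] = None   # first specific field, written by the access device
    tag2: Optional[str] = None   # second specific field, written by the forwarding device


@dataclass
class AccessDevice:
    device_id: str
    # history session record: first host -> peers it has had sessions with
    sessions: dict = field(default_factory=dict)
    # delivers an imitation message of another service to a host and returns
    # the user identification the host used to process it (None = no reply)
    probe: Callable[[str, str], Optional[str]] = lambda host, service: None

    def forward(self, fwd: "ForwardingDevice", host: str, msg: SignedMessage, dest: str):
        msg.tag1 = self.device_id                        # claim 8: first tag
        return fwd.receive(self, host, msg, dest)

    def detect_fake(self, host: str, msg: SignedMessage, peer: str) -> bool:
        """True if the first host is judged a valid host (claim 1, last part)."""
        if peer in self.sessions.get(host, set()):       # alternative 1
            return True
        used = self.probe(host, "other-service")         # alternative 2
        return used is not None and used != msg.user_id


@dataclass
class ForwardingDevice:
    device_id: str
    hosts: set                   # second hosts connected to this forwarding device
    records: dict = field(default_factory=dict)

    def receive(self, access: AccessDevice, host: str, msg: SignedMessage, dest: str):
        if dest not in self.hosts:                       # claim 3: not our host
            return None
        if msg.tag2 is None:                             # claim 5: second tag
            msg.tag2 = self.device_id
        mid = len(self.records) + 1
        # store message, device information and user identification information
        self.records[mid] = (msg, access, host, msg.user_id)
        return mid                                       # id handed to the second host

    def negotiate(self, mid: int, second_host: str) -> bool:
        msg, access, host, _uid = self.records[mid]
        return access.detect_fake(host, msg, second_host)


def second_host_verify(fwd: ForwardingDevice, mid: int, msg: SignedMessage,
                       known_keys: dict, me: str) -> str:
    """Second host: verify the signature, then compare the carried key with the
    one known for that user; on a different key, issue the negotiation
    verification request (claim 2) and take the forwarding device's verdict."""
    if stand_in_signature(msg.public_key, msg.file) != msg.signature:
        return "bad-signature"
    if known_keys.get(msg.user_id) == msg.public_key:
        return "accepted"
    return "valid" if fwd.negotiate(mid, second_host=me) else "fake"


def run_scenario(prior_session: bool, probe_reply: Optional[str]) -> tuple:
    """Constructed scenario: host-a (user 'alice') sends host-b a message under
    a key host-b does not know; the verdict depends only on the access device."""
    access = AccessDevice("ad-1", {"host-a": {"host-b"} if prior_session else set()},
                          probe=lambda host, service: probe_reply)
    fwd = ForwardingDevice("fd-1", hosts={"host-b"})
    fil = b"contract.pdf bytes (constructed)"
    msg = SignedMessage("key-new", fil, stand_in_signature("key-new", fil), "alice")
    mid = access.forward(fwd, "host-a", msg, "host-b")
    verdict = second_host_verify(fwd, mid, msg, {"alice": "key-old"}, "host-b")
    return verdict, msg.tag1, msg.tag2
```

`run_scenario` models the case the claims target: a message whose signature verifies under the key it carries, but a key the second host does not know for that user. The stand-in signature is deliberately not where the decision is made; the outcome comes from the access device's session record or its probe, which is the point of routing the request back through the stored device information.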

CN202210576995.0A 2022-05-25 2022-05-25 Digital signature message processing method, device, equipment and computer medium Active CN114844716B (en)

Publications (2)

Publication Number Publication Date
CN114844716A CN114844716A (en) 2022-08-02
CN114844716B true CN114844716B (en) 2023-07-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant