CN120675769A - Anti-replay attack method for complex underground fortification PNT system based on multi-mechanism fusion - Google Patents
Anti-replay attack method for complex underground fortification PNT system based on multi-mechanism fusionInfo
- Publication number
- CN120675769A CN120675769A CN202510834708.5A CN202510834708A CN120675769A CN 120675769 A CN120675769 A CN 120675769A CN 202510834708 A CN202510834708 A CN 202510834708A CN 120675769 A CN120675769 A CN 120675769A
- Authority
- CN
- China
- Prior art keywords
- data packet
- data
- pnt system
- pnt
- fusion
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a multi-mechanism fusion-based method for resisting replay attack of a PNT system of a complex underground work, which comprises the steps of carrying out date filtering and serial number detection on the PNT system, verifying a detected data packet by utilizing a random number mechanism, transmitting the data packet after random number verification by utilizing a session mechanism, and carrying out encryption and signature processing on the data packet in the transmission process. The invention adopts the technical means of multi-mechanism fusion, effectively prevents replay attack, can identify and filter abnormal or repeated data packets, and ensures the safety of the PNT system.
Description
Technical Field
The invention relates to the technical field of PNT system matching, in particular to a method for resisting replay attack of a complex underground work PNT system based on multi-mechanism fusion.
Background
Replay attack is a common network attack means, and an attacker can achieve the purposes of spoofing a system, acquiring illegal interests or interfering with normal communication by intercepting legal data packets and then resending the legal data packets to a receiver at a later time. In a PNT system of a complex underground work, replay attack may cause a receiver to receive outdated or false navigation positioning information, so as to cause problems of positioning errors, navigation deviation and the like, and even may cause serious consequences such as failure of military operations or casualties and the like in serious cases.
The common replay attack resisting method comprises a time stamping scheme, wherein the time stamping scheme is relatively simple to realize and can intuitively reflect the freshness of data, but has higher requirement on time synchronization. In complex underground work, due to the factors of complex environment, signal shielding and the like, it is difficult to ensure accurate time synchronization among different devices, which may lead to misjudging a legal request as a legal request for playback or that a playback request is mistakenly regarded as a legal request, and a random number scheme is adopted, wherein the scheme does not need to depend on strict time synchronization, and the uniqueness of random numbers increases the difficulty of playback attack. However, as the amount of requests increases, the server needs to store a large number of used random numbers, which places high demands on storage and query performance. Moreover, the generation of the random number requires a certain amount of calculation resources and algorithm support, and the security is affected if the generated random number is not random enough or is easily guessed, and the serial number-based method does not need time synchronization, but an attacker can bypass a protection mechanism by increasing a deception authentication end once acquiring the serial number.
In summary, in view of the limitation of the single replay attack resisting method in the complex underground work PNT system, the adoption of the multi-mechanism fusion method is particularly important.
Disclosure of Invention
The invention aims to provide a replay attack resisting method for a complex underground work PNT system based on multi-mechanism fusion, so as to solve the problems in the prior art, effectively prevent replay attack by adopting a multi-mechanism fusion technical means, and ensure the safety of the PNT system by identifying and filtering abnormal or repeated data packets by a block.
In order to achieve the above object, the present invention provides the following solutions:
a method for resisting replay attack of a complex underground work PNT system based on multi-mechanism fusion comprises the following steps:
performing date filtering and serial number detection on the PNT system;
verifying the detected data packet by utilizing a random number mechanism;
and transmitting the data packet after random number verification by using a session mechanism, and encrypting and signing the data packet in the transmission process.
Optionally, date filtering the PNT system includes:
a time stamp is added to each data packet, and the receiving side detects out-of-date data packets by comparing the time stamps and filters.
Optionally, performing the sequence number detection includes:
allocating a unique serial number for each data packet, and carrying the corresponding serial number in the data packet;
the receiving side detects the repeated data packets according to the sequence of the sequence numbers and refuses to process the repeated data packets.
Optionally, verifying the detected data packet using a random number mechanism includes:
Adding random numbers to each data packet, and verifying the uniqueness of the random numbers at the receiving party, if the random numbers are repeated or invalid, refusing to process the data packet.
Optionally, transmitting the random number authenticated data packet using a session mechanism includes:
and carrying out identity authentication and integrity verification on each data packet.
Optionally, performing the identity authentication includes:
by comparing the pre-stored digital signatures, it is confirmed whether the data is from a trusted source.
Optionally, performing the integrity verification includes:
operating on the data packet by using a hash function to generate a unique check value;
the receiver verifies the integrity of the data packet based on the same hash function and check value.
The beneficial effects of the invention are as follows:
In the aspect of safety, the invention forms a strong safety protection net by fusing various mechanisms such as time stamps, serial numbers, random numbers, encryption and the like, can effectively identify and resist replay attacks, ensures the authenticity, the integrity and the freshness of navigation positioning data of data packets, greatly reduces the probability of safety risks such as positioning errors, navigation deviations and the like caused by replay attacks on a system, provides reliable space-time information service for military operations, personnel and equipment scheduling and the like in underground work, and powerfully ensures the accurate execution of combat tasks and personnel safety. From the aspect of system stability, the cooperative work of multiple mechanisms enables the system to have stronger adaptability and fault tolerance capability in complex and changeable underground work environments, even if part of mechanisms are influenced by environmental interference or attack, other mechanisms can still play a role, maintain the stable operation of the system, reduce system faults or interruption caused by replay attack, improve the overall availability and stability of the system, ensure the continuity of PNT service and meet the requirement of uninterrupted operation of underground works for 24 hours. In terms of data reliability and accuracy, the method can effectively prevent outdated or tampered navigation data from entering a subsequent processing flow of the system, ensure accurate navigation positioning information provided for users, improve the accuracy of operation of each item based on the PNT system in underground work, realize efficient and accurate execution according to accurate space-time data no matter automatic driving of vehicles, accurate transportation of materials, positioning rescue of personnel and the like, and enhance the intelligent level of underground work operation management and emergency response capability to emergency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a replay attack resisting method of a complex underground work PNT system based on multi-mechanism fusion according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
The complex underground work PNT system refers to a system capable of providing high-precision, reliable and continuous positioning, navigation and time service under an underground complex environment. The key point is to comprehensively utilize various technical means and information sources, solve the problems of shielding, interference and the like of the underground environment on the traditional PNT signals (such as satellite signals), provide accurate space-time information for personnel, vehicles, equipment and the like in underground works, and support efficient command, scheduling and management of the underground works.
A data packet refers to a data unit carrying positioning, navigation and timing information. These packets typically contain data that is used to determine critical information such as position, direction, speed, and time.
As shown in fig. 1, the embodiment proposes a replay attack resisting method of a complex underground work PNT system based on multi-mechanism fusion, which is used for preventing replay attack, wherein replay attack is a common network attack means, and an attacker achieves the purpose of spoofing a system by intercepting legal data packets and repeatedly sending the data packets in the future. The specific content of the embodiment includes the following aspects:
performing date filtering and serial number detection on the PNT system;
verifying the detected data packet by utilizing a random number mechanism;
and transmitting the data packet after random number verification by using a session mechanism, and encrypting and signing the data packet in the transmission process.
In a complex underground work environment, PNT systems face a serious replay attack threat. The replay attack resisting method based on multi-mechanism fusion constructs a firm safety defense line by comprehensively applying various strategies such as date filtering, serial number detection, random number verification, session mechanism and the like, and effectively ensures the safety and reliability of the PNT system.
Further, date filtering the PNT system includes:
The timeliness of the data packets is verified by adding a time stamp to each data packet. The receiving party can detect the expired data packet by comparing the time stamps, thereby rejecting the processing.
Specifically, in the date filtering step in this embodiment, it is critical to accurately add a high-precision timestamp to each data packet. The time stamp contains not only the usual year, month, day, time, minute, second, etc., but also to the millisecond level. When the receiving party verifies the data packet, the validity of the data packet can be judged strictly according to a preset time delay threshold. For example, in a personnel location system for underground work, if the delay threshold is set to 100 milliseconds, once the difference between the received data packet timestamp and the current system time exceeds the threshold, the system will determine that it is a replay attack data packet and reject it without delay. The strict time delay control not only can effectively filter out the expiration data, but also can prevent an attacker from interfering the normal operation of the system by using the delay data
Further, performing the sequence number detection includes:
allocating a unique serial number for each data packet, and carrying the corresponding serial number in the data packet;
the receiving side detects the repeated data packets according to the sequence of the sequence numbers and refuses to process the repeated data packets.
Specifically, in this embodiment, each data packet is assigned a unique incremental sequence number. The sequence number adopts a 64-bit unsigned integer, the initial value is 1, and the sequence number of each data packet sent is incremented by 1. The receiver maintains a list of received sequence numbers and, when a new packet is received, checks whether the sequence number is already present and in compliance with the incrementing logic. If the sequence numbers are repeated or do not accord with the increasing order, the attack data packet is judged to be replayed. For efficient sequence number management, a sliding window algorithm is used, and the window size is dynamically adjusted according to the number of concurrent data packets expected in underground work, for example, the window size is set to 1000 in a high concurrency scene, so as to balance security and system performance.
In terms of sequence number detection, assigning a unique sequence number to each data packet is a key measure to ensure the order and uniqueness of the data packets. The sequence number adopts a 64-bit unsigned integer, the initial value is set to be 1, and the sequence number of each data packet transmitted is automatically increased by 1. The receiver maintains a list of received sequence numbers and, upon receipt of a new packet, carefully checks whether the sequence number is already present and in compliance with the incrementing logic. In an automatic driving system of a vehicle for underground work, if the serial numbers are repeated or do not accord with the increasing sequence, the system judges that the data packet is replayed and refuses to process if the serial numbers are broken. In order to efficiently manage sequence numbers, the system adopts a sliding window algorithm, and the window size can be dynamically adjusted according to the number of expected concurrent data packets in underground work. In a high concurrency scene, the window size can be set to 1000, so that the safety can be ensured, the system performance can be balanced sufficiently, and data congestion or transmission delay caused by sequence number detection can be avoided.
Further, verifying the detected data packet by using a random number mechanism includes:
Adding random numbers to each data packet, and verifying the uniqueness of the random numbers at the receiving party, if the random numbers are repeated or invalid, refusing to process the data packet.
Specifically, in this embodiment, a random number is embedded in each data packet, and the random number is generated by a high-security random number generation algorithm, such as a hardware random number generator. The receiver performs a unique verification on the received random number, and if the random number is repeated or does not conform to the security policy (e.g., the entropy of the random number is below a threshold value), the data packet is rejected. The random number is 128 bits in length, ensuring that it is sufficiently random and unpredictable.
Further, transmitting the random number verified data packet by using a session mechanism includes:
and carrying out identity authentication and integrity verification on each data packet.
In this embodiment, the transmission of data packets is managed by establishing a session. During the session, identity authentication and integrity verification are performed on each data packet to ensure validity and correctness of the data packet.
Further, performing the identity authentication includes:
by comparing the pre-stored digital signatures, it is confirmed whether the data is from a trusted source.
Performing the integrity verification includes:
operating on the data packet by using a hash function to generate a unique check value;
the receiver verifies the integrity of the data packet based on the same hash function and check value.
Specifically, in this embodiment, the identity authentication is performed by verifying whether the source of the data packet is authentic. The authentication flow is as follows:
The data source provider (Alice) generates a signature- > sends data + signature- > verifies that the transmission is successful and retransmits or alerts if the failure.
The data receiver (Bob) verifies the signature- > compares the data source information- > confirms the data source identity.
The data source provider encrypts the data using its own private key to generate a signature. For identity authentication and data integrity verification, a signature is generated following the following steps.
1) The first step, splicing parameters;
The parameters are ordered according to ASCII dictionary, and the parameter names are ordered according to the key=value format and the character string coding format UTF-8.
2) Splicing the API key;
stringSign = stringA + "&key=*"
the signing key is distributed by the aggregation party and takes a value of 32-bit UUID.
3) Thirdly, generating a signature;
sign=hex (SM 3 (STRINGSIGN)) (signature value hexadecimal form lowercase string);
HEX, representing converting STRINGSIGN encrypted strings into 16-system lower case strings;
The data source provider sends the data to the data receiver along with the signature. The data receiver decrypts the signature using the public key of the data source provider and verifies the decryption result against the original data. If the verification passes, the data source is considered trusted.
Among these, mature signature algorithms such as RSA, ECDSA or SHA-256 are selected. Encryption libraries such as OpenSSL or crypto++ are used to process keys and signatures.
A pair of public and private keys is generated for each data packet. The private key is used to generate the signature and the public key is used to verify the signature. Secure storage and transmission of the private key is ensured. Key management is an important component for ensuring information security, and development content of the key management comprises the following key components:
1) Key generation, which is the first step in key management, involves the generation of public and private keys. Typically, the public key and the private key are a pair of matching keys used to encrypt and decrypt data. In generating the key, advanced algorithms such as RSA, ECC, etc. are required to be used, and security and uniqueness of the key are ensured.
2) Key storage-after key generation, they need to be stored securely. For an individual user, the private key may be stored in a local computer or mobile device, while for an enterprise user, it is often desirable to store the private key in a secure key management system.
3) Key transfer-when data needs to be encrypted or decrypted, the public and private keys need to be matched together for use. Typically, the key may be delivered over a secure channel or an encrypted channel.
4) Key usage-when encrypting or decrypting data, a corresponding key needs to be used. For encryption, the public key is used for encryption, while the private key may be used for decryption.
5) Key updating and rotation-key updating or rotation is required as time goes by and security requirements change. This involves generating a new key pair, updating the stored key, and informing the interested party of the new key.
6) Key backup and recovery in order to prevent the data from being decrypted due to the loss of the key, the key needs to be periodically backed up. At the same time, it is also desirable to provide a reliable recovery mechanism to recover the key when necessary.
7) Key life cycle management, including the security management of the whole processes of key generation, storage, transmission, use, update, rotation, backup, recovery and the like. Corresponding policies and procedures need to be formulated to ensure that the keys are properly managed throughout the life cycle.
After receiving the data and the signature, the signature is decrypted by using the public key and compared with the original data. If so, the data is considered to be from a real data source.
Signature verification is part of the signing process for verifying the validity and correctness of digital signatures. Signature verification mainly comprises the following steps of receiving data and a signature, wherein a receiving party receives the original data and the signature. The date and time of the signature is verified, and it is confirmed whether the date and time of the signature meets the expectations, in order to prevent replay attacks. Verifying that the signature has not been tampered with, confirming whether the signature has been tampered with, in order to ensure the integrity and authenticity of the signature.
Verifying the certificate, verifying whether the public key certificate of the signer is valid, and whether the certificate is issued by a trusted certificate authority. And decrypting the signature by using the public key, and decrypting the signature by using the public key of the signer to obtain a decrypted hash value.
And calculating the hash value of the original data, namely carrying out hash operation on the received original data to obtain the hash value of the original data. Comparing the decrypted hash value with the hash value of the original data, and if the decrypted hash value is consistent with the hash value of the original data, considering the signature to be valid, and if the decrypted hash value is inconsistent with the hash value of the original data, considering the signature to be invalid.
Specifically, in this embodiment, the data is also operated on by using a hash function or a checksum or other algorithm to generate a unique check value. The recipient may use the same algorithm and check value to verify the integrity of the data. If the data is tampered with during transmission, the check value will change, thereby detecting data inconsistencies.
In this embodiment, there is provided an electronic device including a memory in which a computer program is stored, and a processor configured to run the computer program to perform the method in the above embodiment.
The above-described programs may be run on a processor or may also be stored in memory (or referred to as computer-readable media), including both permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technique. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks, and corresponding steps may be implemented in different modules.
Such an apparatus or system is provided in this embodiment. The system is called a complex underground work PNT system replay attack resisting system based on multi-mechanism fusion, and comprises a filtering detection module, a random number verification module and an encryption transmission module, wherein the filtering detection module is used for carrying out date filtering and serial number detection on the PNT system, the random number verification module is used for verifying detected data packets by utilizing a random number mechanism, and the encryption transmission module is used for transmitting the data packets after random number verification by utilizing a session mechanism and carrying out encryption and signature processing on the data packets in the transmission process.
The system or the device is used for realizing the functions of the method in the above embodiment, and each module in the system or the device corresponds to each step in the method, which has been described in the method, and will not be described herein.
For example, in the filtering detection module, the receiver is used for adding a time stamp into each data packet, detecting out-of-date data packets by comparing the time stamps and filtering, and is also used for allocating a unique serial number to each data packet and carrying a corresponding serial number in the data packet, detecting repeated data packets according to the sequence of the serial numbers by the receiver, and refusing to process the repeated data packets.
The above embodiments are merely illustrative of the preferred embodiments of the present invention, and the scope of the present invention is not limited thereto, but various modifications and improvements made by those skilled in the art to which the present invention pertains are made without departing from the spirit of the present invention, and all modifications and improvements fall within the scope of the present invention as defined in the appended claims.
Claims (7)
1. The method for resisting replay attack of the complex underground work PNT system based on multi-mechanism fusion is characterized by comprising the following steps:
performing date filtering and serial number detection on the PNT system;
verifying the detected data packet by utilizing a random number mechanism;
and transmitting the data packet after random number verification by using a session mechanism, and encrypting and signing the data packet in the transmission process.
2. The multi-mechanism fusion-based playback attack resistant method for a complex underground work PNT system according to claim 1, wherein performing date filtering on the PNT system comprises:
a time stamp is added to each data packet, and the receiving side detects out-of-date data packets by comparing the time stamps and filters.
3. The multi-mechanism fusion-based playback attack resistant method for a complex underground work PNT system according to claim 1, wherein performing the sequence number detection comprises:
allocating a unique serial number for each data packet, and carrying the corresponding serial number in the data packet;
the receiving side detects the repeated data packets according to the sequence of the sequence numbers and refuses to process the repeated data packets.
4. The multi-mechanism fusion-based playback attack resistant method for a complex underground work PNT system according to claim 1, wherein verifying the detected data packet using a random number mechanism comprises:
Adding random numbers to each data packet, and verifying the uniqueness of the random numbers at the receiving party, if the random numbers are repeated or invalid, refusing to process the data packet.
5. The playback attack resistance method for a complex underground work PNT system based on multi-mechanism fusion according to claim 1, wherein transmitting the random number verified data packet by using the session mechanism comprises:
and carrying out identity authentication and integrity verification on each data packet.
6. The multi-mechanism fusion-based playback attack resistant method for a complex underground work PNT system according to claim 5, wherein performing the identity authentication comprises:
by comparing the pre-stored digital signatures, it is confirmed whether the data is from a trusted source.
7. The multi-mechanism fusion-based playback attack resistant method for a complex underground utility PNT system according to claim 5, wherein performing said integrity verification comprises:
operating on the data packet by using a hash function to generate a unique check value;
the receiver verifies the integrity of the data packet based on the same hash function and check value.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510834708.5A CN120675769A (en) | 2025-06-20 | 2025-06-20 | Anti-replay attack method for complex underground fortification PNT system based on multi-mechanism fusion |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510834708.5A CN120675769A (en) | 2025-06-20 | 2025-06-20 | Anti-replay attack method for complex underground fortification PNT system based on multi-mechanism fusion |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN120675769A true CN120675769A (en) | 2025-09-19 |
Family
ID=97052738
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202510834708.5A Pending CN120675769A (en) | 2025-06-20 | 2025-06-20 | Anti-replay attack method for complex underground fortification PNT system based on multi-mechanism fusion |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120675769A (en) |
-
2025
- 2025-06-20 CN CN202510834708.5A patent/CN120675769A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10516662B2 (en) | System and method for authenticating the legitimacy of a request for a resource by a user | |
| KR102366684B1 (en) | Method for validating messages | |
| EP1969762B1 (en) | Certify and split system and method for replacing cryptographic keys | |
| US8578170B2 (en) | Bundle verification | |
| CN112968910B (en) | Replay attack prevention method and device | |
| CN119397600B (en) | Information management method and system for access control card chip | |
| CN113242235A (en) | System and method for encrypting and authenticating railway signal secure communication protocol RSSP-I | |
| CN119484028A (en) | A method and system for realizing security authentication of Internet of Things devices based on blockchain technology | |
| JP2002542722A (en) | Monitoring the integrity of transmitted data | |
| CN112202773B (en) | Computer network information security monitoring and protection system based on internet | |
| CN120090874A (en) | A blockchain-based method for cross-border circulation of personal data | |
| CN112564985A (en) | Safe operation and maintenance management method based on block chain | |
| CN117061127A (en) | Digital signature generation method and system, device, electronic equipment and storage medium | |
| Benton et al. | Signaturecheck: a protocol to detect man-in-the-middle attack in ssl | |
| CN120675769A (en) | Anti-replay attack method for complex underground fortification PNT system based on multi-mechanism fusion | |
| JP2016531477A (en) | Selective revocation of certificates | |
| EP2116953A1 (en) | Modified bundle signature verification | |
| CN120639508B (en) | A trusted time source device and its implementation method and application | |
| CA2665445C (en) | Bundle verification | |
| CN116744298A (en) | Identity recognition method, identification system and related equipment of card equipment of Internet of things | |
| CN120474793A (en) | Number authentication method and system based on blockchain | |
| CN119892373A (en) | Trusted proving method and device based on distributed scene | |
| CN118573391A (en) | Data cross-network transmission method, device and medium based on MQ message queue | |
| CN119995945A (en) | A method and system for secure transmission of electric power data based on hybrid encryption | |
| CN120090860A (en) | Dynamic identity authentication method, system and medium based on HMAC-SHA256 algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |