Method for checking application information, message processing method and device

Document No.: 409952 | Publication date: 2021-12-17 | Language: Chinese

Note: this technology, 一种校验应用信息的方法、报文处理方法及装置 (Method for checking application information, message processing method and device), was created by 彭书萍 (Peng Shuping), 毛健炜 (Mao Jianwei), 夏靓 (Xia Liang) and 李振斌 (Li Zhenbin) on 2020-07-13. Its main content is as follows: the embodiments of this application disclose a method for verifying application information, which may be performed by a first communication device. After receiving a first packet that includes application information, the first communication device may verify the integrity of that application information. In these embodiments, the first packet includes the application information and first verification information, where the first verification information is used to verify the integrity of the application information; after receiving the first packet, the first communication device can therefore verify the integrity of the application information based on the first verification information. With this scheme, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided and, accordingly, the improper use of network resources that such misuse would cause is avoided as well.

1. A method of verifying application information, performed by a first communications device, the method comprising:

acquiring application information and at least one piece of verification information, wherein the at least one piece of verification information is used for carrying out integrity verification on the application information; and

performing integrity verification on the application information according to the at least one piece of verification information.

2. The method of claim 1, wherein acquiring the application information and the at least one piece of verification information comprises:

receiving a first message, wherein the first message comprises the application information and the at least one piece of verification information.

3. The method of claim 2, wherein the at least one piece of verification information comprises first verification information.

4. The method of claim 3, wherein performing integrity verification on the application information according to the at least one piece of verification information comprises:

acquiring third verification information according to a first target field in the first message, wherein the first target field comprises the application information; and

performing a matching check on the third verification information and the first verification information.

5. The method according to claim 3 or 4, wherein performing integrity verification on the application information according to the at least one piece of verification information comprises:

verifying the integrity of the application information based on a first verification method and the first verification information.

6. The method of claim 5, wherein the first verification method is keyed-hash message authentication code (HMAC) verification.

7. The method according to claim 6, wherein the first verification information comprises first HMAC verification information, and wherein verifying the integrity of the application information based on the first verification method and the first verification information comprises:

performing an HMAC calculation on the first target field to obtain second HMAC verification information; and

performing matching verification on the first HMAC verification information and the second HMAC verification information.

8. The method of claim 5, wherein the first verification method is digital signature verification.

9. The method of claim 8, wherein the first verification information is a digital signature obtained by signing the first target field with a first private key and a first hash calculation, and wherein verifying the integrity of the application information based on the first verification method and the first verification information comprises:

decrypting the digital signature with a first public key to obtain a first plaintext;

performing a second hash calculation on the first target field to obtain a second plaintext, wherein the first hash calculation and the second hash calculation use the same hash algorithm; and

performing matching verification on the first plaintext and the second plaintext.

10. The method of claim 9, wherein the first message comprises a digital certificate, and wherein the first public key is carried in the digital certificate.

11. The method according to claim 10, wherein the digital certificate further comprises a decryption algorithm for decrypting the digital signature, and/or the hash algorithm.

12. The method according to claim 10 or 11, wherein the method further comprises:

verifying the legality of the digital certificate.

13. The method according to claim 5, wherein the first verification method is integrity verification based on Internet Protocol Security (IPsec).

14. The method according to claim 13, wherein the first verification information is first Authentication Header (AH) verification information, and verifying the integrity of the application information based on the first verification method and the first verification information comprises:

calculating the first target field by using an AH verification algorithm to obtain second AH verification information; and

performing matching verification on the first AH verification information and the second AH verification information.

15. The method according to claim 13, wherein the first verification information is first Encapsulating Security Payload (ESP) verification information, and verifying the integrity of the application information based on the first verification method and the first verification information comprises:

calculating the first target field by using an ESP verification algorithm to obtain second ESP verification information; and

performing matching verification on the first ESP verification information and the second ESP verification information.

16. The method according to claim 5, wherein the first packet includes a digital certificate, the application information and the at least one piece of verification information are carried in the digital certificate, and verifying the integrity of the application information based on the first verification method and the first verification information comprises:

carrying out validity verification on the digital certificate.

17. The method of any of claims 2-16, wherein the at least one piece of verification information further comprises second verification information.

18. The method of claim 17, wherein performing integrity verification on the application information according to the at least one piece of verification information comprises:

acquiring fourth verification information according to a second target field in the first message, wherein the second target field comprises the application information; and

performing a matching check on the fourth verification information and the second verification information.

19. The method according to claim 17 or 18, wherein performing integrity verification on the application information according to the at least one piece of verification information comprises:

verifying the integrity of the application information based on a second verification method and the second verification information.

20. The method of claim 19, wherein the first verification method and the second verification method are different verification algorithms.

21. The method of any of claims 1-20, wherein the first communication device is a network device.

22. The method of any of claims 1-21, wherein the first communication device comprises:

an access (ACC) device, a customer premises equipment (CPE) device, a residential gateway (RG), a data center server access leaf device, a data center egress gateway (DC GW), an autonomous system border router (ASBR), a broadband network gateway (BNG), or a provider edge (PE) device.

23. The method according to any one of claims 2-22, further comprising:

forwarding the first message when the application information is determined to pass the verification.

24. The method according to any one of claims 2-22, further comprising:

discarding the first message when the application information is determined not to pass the verification.

25. A method of message processing, performed by a second communications device, the method comprising:

acquiring application information and at least one piece of verification information, wherein the at least one piece of verification information is used for carrying out integrity verification on the application information; and

sending the application information and the at least one piece of verification information to a first communication device.

26. The method of claim 25, wherein acquiring the application information and the at least one piece of verification information comprises:

acquiring a first message, wherein the first message comprises the application information and the at least one piece of verification information;

and wherein sending the application information and the at least one piece of verification information to the first communication device comprises:

sending the first message to the first communication device.

27. The method of claim 26, wherein the at least one piece of verification information comprises first verification information.

28. The method of claim 27, wherein the first verification information is obtained according to a first target field in the first message, and wherein the first target field comprises the application information.

29. The method according to claim 27 or 28, wherein the first verification information is calculated by using a first verification method on a first target field in the first message, and the first target field comprises the application information.

30. The method of claim 29, wherein the first verification method is keyed-hash message authentication code (HMAC) verification.

31. The method of claim 30, wherein the first verification information comprises first HMAC verification information.

32. The method of claim 29, wherein the first verification method is digital signature verification.

33. The method of claim 32, wherein the first verification information is a digital signature obtained by signing the first target field using a first private key and a first hash calculation.

34. The method of claim 25, wherein the first verification information is an encrypted digest in a digital certificate, the digital certificate further comprising the application information.

35. The method according to any of claims 30-34, wherein the first verification information is sent to the second communication device by a control management device.

36. The method of claim 29, wherein the first verification method is integrity verification based on Internet Protocol Security (IPsec).

37. The method of claim 36, wherein the first verification information is first Authentication Header (AH) verification information.

38. The method according to claim 36, wherein the first verification information is first Encapsulating Security Payload (ESP) verification information.

39. The method of any of claims 26-38, wherein the at least one piece of verification information further comprises second verification information.

40. The method of claim 39, wherein the second verification information is obtained according to a second target field in the first message, wherein the second target field comprises the application information.

41. The method according to claim 39 or 40, wherein the second verification information is calculated by using a second verification method for a second target field in the first message, and the second target field includes the application information.

42. The method of claim 41, wherein the first verification method and the second verification method are different verification algorithms.

43. The method according to any of claims 2-20 or 26-42, wherein the application information and the at least one piece of verification information are carried in a header of the first packet.

44. The method according to any of claims 2-20 or 26-43, wherein the first message is an Internet Protocol version 6 (IPv6) message.

45. The method of claim 44, wherein the application information is carried in an IPv6 extension header.

46. The method of claim 44, wherein the application information is carried in a destination address.

47. The method of claim 44, wherein the application information is carried in a source address.

48. The method according to any of claims 44-47, wherein the at least one piece of verification information is carried in an IPv6 extension header.

49. The method of any of claims 44-47, wherein the at least one piece of verification information is carried in a destination address.

50. The method of any of claims 44-47, wherein the at least one piece of verification information is carried in a source address.

51. The method according to any of claims 2-20 or 26-43, wherein the first packet is a Multiprotocol Label Switching (MPLS) packet.

52. The method of claim 51, wherein the application information is carried in a label value field.

53. The method of claim 51, wherein the application information is carried in an extended Type Length Value (TLV) field.

54. The method of any of claims 51-53, wherein the at least one piece of verification information is carried in a label value field.

55. The method according to any of claims 51-53, wherein the at least one piece of verification information is carried in an extended TLV field.

56. The method of any of claims 2-21 or 26-43, wherein the first packet is a Segment Routing over Internet Protocol version 6 (SRv6) packet.

57. The method according to claim 56, wherein the application information is carried in a Segment Routing Header (SRH).

58. The method according to claim 56 or 57, wherein the at least one piece of verification information is carried in the SRH.

59. The method according to any of claims 2-20 or 26-43, wherein the first message is an Internet Protocol version 4 (IPv4) message.

60. The method of claim 59, wherein the application information is carried in an option field.

61. The method according to claim 59 or 60, wherein the at least one piece of verification information is carried in an option field.

62. The method according to any of claims 2-20 or 26-43, wherein the first packet is a Generic Routing Encapsulation (GRE) packet.

63. The method of claim 62, wherein the application information is carried in a key field.

64. The method according to claim 62 or 63, wherein the at least one piece of verification information is carried in a key field.

65. The method according to any of claims 2-20 or 26-43, wherein the first message is a Virtual Extensible Local Area Network (VXLAN) message.

66. The method of claim 65, wherein the application information is carried in a virtual network identifier field.

67. The method of claim 65, wherein the application information is carried in a reserved field.

68. The method according to any of claims 65-67, wherein the at least one piece of verification information is carried in a virtual network identifier field.

69. The method according to any of claims 65-67, wherein the at least one piece of verification information is carried in a reserved field.

70. The method according to any of claims 2-20 or 26-43, wherein the first packet is a Network Virtualization using Generic Routing Encapsulation (NVGRE) packet.

71. The method of claim 70, wherein the application information is carried in a flow identification field.

72. The method of claim 70, wherein the application information is carried in a virtual network identification field.

73. The method of claim 70, wherein the application information is carried in a reserved field.

74. The method of any of claims 70-73, wherein the at least one piece of verification information is carried in a flow identification field.

75. The method according to any of claims 70-73, wherein the at least one piece of verification information is carried in a virtual network identification field.

76. The method of any of claims 70-73, wherein the at least one piece of verification information is carried in a reserved field.

77. The method of any of claims 2-20 or 26-43, wherein the first packet is a Generic Network Virtualization Encapsulation (GENEVE) packet.

78. The method of claim 77, wherein the application information is carried in a reserved field.

79. The method of claim 77, wherein the application information is carried in a variable length options field.

80. The method of any one of claims 77-79, wherein the at least one piece of verification information is carried in a reserved field.

81. The method of any one of claims 77-79, wherein the at least one piece of verification information is carried in a variable length options field.

82. A first communications device, wherein said first communications device comprises at least one memory and at least one processor;

the at least one memory for storing program code;

the at least one processor configured to execute instructions in the program code to cause the first communication device to perform the method of any of claims 1-24 above.

83. A second communications device, wherein the second communications device comprises at least one memory and at least one processor;

the at least one memory for storing program code;

the at least one processor configured to execute instructions in the program code to cause the second communication device to perform the method of any of claims 25-81.

84. A computer-readable storage medium having stored therein instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1-24 above or cause the computer to perform the method of any one of claims 25-81 above.

85. A communication system comprising the first communication device of claim 82 and the second communication device of claim 83.

Technical Field

The present application relates to the field of communications, and in particular, to a method for verifying application information, a method and an apparatus for processing a packet.

Background

In some networks, for example an Application-aware IPv6 Networking (APN6) network, application information may be carried in a service packet, so that after the service packet enters the network, a network device in the network can determine the application's requirements from the application information and allocate the corresponding network resources to the application.

At present, improper use of application information can result in improper use of network resources.

Disclosure of Invention

The embodiment of the application provides a method for verifying application information, a message processing method and a message processing device, which can avoid the problem of improper use of network resources caused by improper use of application information.

In a first aspect, an embodiment of the present application provides a method for verifying application information, where the method may be performed by a first communication device. The first communication device may verify integrity of the application information in the first message after receiving the first message including the application information. In this embodiment of the present application, the first packet includes application information and first verification information, where the first verification information is used to verify integrity of the application information. Therefore, after the first communication device receives the first message, the integrity of the application information can be verified based on the first verification information. Therefore, by using the scheme of the embodiment of the application, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided, and accordingly, the problem of improper use of network resources caused by improper use of the application information can be avoided.

In one implementation, when the first communication device verifies the integrity of the application information based on the first verification information, it may obtain second verification information according to a target field in the first message, where the target field includes the application information. After obtaining the second verification information, the first communication device performs a matching check on the second verification information and the first verification information: if the first verification information and the second verification information are the same, the matching check passes; if they differ, the matching check fails. In this way, integrity verification of the application information is achieved.

In one implementation, when the first communication device verifies the integrity of the application information based on the first verification information, the first communication device may verify the integrity of the application information based on a first verification method and the first verification information, for example.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, when the first verification method is HMAC verification, the first verification information included in the first packet may be first HMAC verification information, obtained by performing an HMAC calculation on the target field in the first message. In this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information as follows: it performs an HMAC calculation on the target field in the first message to obtain second HMAC verification information, and then performs matching verification on the first HMAC verification information and the second HMAC verification information, thereby verifying the integrity of the application information.
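As an added example in Go (not the patent's own code), the HMAC flow described above end to end: BuildFirstMessage plays the second communication device and encapsulates the application information together with the first HMAC verification information, and VerifyAppInfo plays the first communication device, recomputing the second HMAC verification information over the target field and performing the matching check before deciding to forward or discard. The TLV encoding, the shared key and the application-information string are constructed assumptions; the patent fixes neither an encoding nor a key-distribution mechanism here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed TLV types for this example; the patent does not fix an encoding.
const (
	tlvAppInfo  byte = 0x01 // application information (the target field)
	tlvHMACInfo byte = 0x02 // first verification information: HMAC over the target field
)

// appendTLV appends a Type(1) | Length(2, big-endian) | Value TLV to buf.
func appendTLV(buf []byte, typ byte, val []byte) []byte {
	var length [2]byte
	binary.BigEndian.PutUint16(length[:], uint16(len(val)))
	buf = append(buf, typ)
	buf = append(buf, length[:]...)
	return append(buf, val...)
}

// parseTLVs splits an extension-header-like byte string into type -> value,
// rejecting truncated encodings instead of reading past the buffer.
func parseTLVs(b []byte) (map[byte][]byte, error) {
	out := make(map[byte][]byte)
	for len(b) > 0 {
		if len(b) < 3 {
			return nil, errors.New("truncated TLV header")
		}
		typ := b[0]
		length := int(binary.BigEndian.Uint16(b[1:3]))
		if len(b) < 3+length {
			return nil, errors.New("truncated TLV value")
		}
		out[typ] = b[3 : 3+length]
		b = b[3+length:]
	}
	return out, nil
}

// computeHMAC is the HMAC calculation both devices run over the target field.
func computeHMAC(key, targetField []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(targetField)
	return mac.Sum(nil)
}

// BuildFirstMessage is the second communication device's side: it computes
// the first HMAC verification information over the target field (the
// application information) and encapsulates both into the first message.
func BuildFirstMessage(key, appInfo []byte) []byte {
	msg := appendTLV(nil, tlvAppInfo, appInfo)
	return appendTLV(msg, tlvHMACInfo, computeHMAC(key, appInfo))
}

// VerifyAppInfo is the first communication device's side: it recomputes the
// HMAC over the received target field (second HMAC verification information)
// and performs the matching check against the carried first HMAC verification
// information. On success it returns the application information, which the
// device may then use to select network resources and forward the message;
// on failure the message is to be discarded.
func VerifyAppInfo(key, msg []byte) ([]byte, error) {
	tlvs, err := parseTLVs(msg)
	if err != nil {
		return nil, err
	}
	appInfo, haveApp := tlvs[tlvAppInfo]
	first, haveMAC := tlvs[tlvHMACInfo]
	if !haveApp || !haveMAC {
		return nil, errors.New("application information or verification information missing")
	}
	second := computeHMAC(key, appInfo)
	// hmac.Equal compares in constant time, so the matching check does not
	// leak how many leading bytes of a forged tag were correct.
	if !hmac.Equal(first, second) {
		return nil, errors.New("integrity verification failed: discard message")
	}
	return appInfo, nil
}

func main() {
	key := []byte("constructed-shared-key")        // assumed to be shared by both devices
	appInfo := []byte("app-id=42;sla=low-latency") // constructed application information
	msg := BuildFirstMessage(key, appInfo)
	if info, err := VerifyAppInfo(key, msg); err == nil {
		fmt.Printf("pass: forward using application information %q\n", info)
	}
	// Simulate application information rewritten in transit: flip one bit of
	// the application identifier inside the message (offset 3 skips the TLV header).
	tampered := append([]byte(nil), msg...)
	tampered[3+len("app-id=")] ^= 0x01
	if _, err := VerifyAppInfo(key, tampered); err != nil {
		fmt.Println("fail:", err)
	}
}
```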

In one implementation, the first verification method is digital signature verification.

In one implementation, when the first verification method is digital signature verification, the first verification information is a digital signature obtained by signing a target field in the first message using a first private key and a first hash calculation. In this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information as follows: it decrypts the digital signature with the first public key to obtain a first plaintext; performs a second hash calculation on the target field to obtain a second plaintext, where the first hash calculation and the second hash calculation use the same hash algorithm; and then performs matching verification on the first plaintext and the second plaintext.
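As an added example in Go (not the patent's own code), the signature flow of the paragraph above carried out step by step: the first plaintext is recovered from the signature with the first public key, the second plaintext is obtained by hashing the target field with the same algorithm, and the two are matched. SHA-256 with PKCS#1 v1.5 encoding, the RSA key pair and the application-information string are constructed assumptions; obtaining the first public key from the sender's digital certificate and checking that certificate are outside this block.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// DER prefix of the PKCS#1 v1.5 DigestInfo structure for SHA-256
// (RFC 8017, section 9.2, note 1). DigestInfo = prefix || 32-byte digest.
var sha256DigestInfoPrefix = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// SignTargetField is the second communication device's side: the first
// verification information is a digital signature over the target field made
// with the first private key and the first hash calculation (SHA-256).
func SignTargetField(priv *rsa.PrivateKey, targetField []byte) ([]byte, error) {
	digest := sha256.Sum256(targetField)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// recoverFirstPlaintext "decrypts" the signature with the first public key
// (s^e mod n), checks and strips the PKCS#1 v1.5 padding 00 01 FF..FF 00, and
// returns the embedded DigestInfo: the first plaintext of the patent text.
func recoverFirstPlaintext(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := (pub.N.BitLen() + 7) / 8
	if len(sig) != k {
		return nil, errors.New("signature length does not match the modulus")
	}
	s := new(big.Int).SetBytes(sig)
	if s.Cmp(pub.N) >= 0 {
		return nil, errors.New("signature value out of range")
	}
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	if em[0] != 0x00 || em[1] != 0x01 {
		return nil, errors.New("bad PKCS#1 v1.5 block type")
	}
	i := 2
	for i < k && em[i] == 0xff {
		i++
	}
	// PKCS#1 v1.5 requires at least eight 0xFF padding bytes and a 0x00 separator.
	if i < 10 || i >= k || em[i] != 0x00 {
		return nil, errors.New("bad PKCS#1 v1.5 padding")
	}
	return em[i+1:], nil
}

// VerifyTargetField is the first communication device's side. It recovers the
// first plaintext from the signature, computes the second plaintext by hashing
// the received target field with the same algorithm, and performs the matching
// check. Any error means the first message is to be discarded.
func VerifyTargetField(pub *rsa.PublicKey, targetField, sig []byte) error {
	first, err := recoverFirstPlaintext(pub, sig)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(targetField)
	second := append(append([]byte(nil), sha256DigestInfoPrefix...), digest[:]...)
	// Matching the whole DigestInfo (not just the digest bytes) also rejects a
	// signature that was made with a different hash algorithm.
	if !bytes.Equal(first, second) {
		return errors.New("first and second plaintext differ: discard message")
	}
	return nil
}

func main() {
	// Constructed key pair for the example. In the deployed scheme the first
	// public key is taken from the sender's digital certificate.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	appInfo := []byte("app-id=42;sla=low-latency") // constructed application information
	sig, err := SignTargetField(priv, appInfo)
	if err != nil {
		panic(err)
	}
	fmt.Println("original field:", VerifyTargetField(&priv.PublicKey, appInfo, sig))
	forged := []byte("app-id=42;sla=premium") // application information rewritten in transit
	fmt.Println("rewritten field:", VerifyTargetField(&priv.PublicKey, forged, sig))
}
```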

In one implementation, the first message further includes a digital certificate, and the digital certificate includes the first public key. In this embodiment, the digital certificate may be a digital certificate of the sending device of the first message, and the digital certificate may be regarded as an identification of the sending device of the first message. When the first public key is carried in the digital certificate, the validity of the first public key can be ensured.

In one implementation, the digital certificate further includes a decryption algorithm for decrypting the digital signature, and/or the hash algorithm. When the decryption algorithm for decrypting the digital signature is carried in the digital certificate, the legality of the decryption algorithm can be ensured; when the hash algorithm is carried in the digital certificate, the validity of the hash algorithm can be ensured.

In one implementation, the method further comprises verifying the legality of the digital certificate. It can be understood that verifying the validity of the digital certificate verifies the validity of the sending device of the first message. Correspondingly, if the digital certificate also carries other information, for example the first public key, the decryption algorithm for decrypting the digital signature, and/or the hash algorithm, the validity of that other information may also be verified.

In an implementation manner, the first packet includes a digital certificate, and the application information and the first verification information are carried in the digital certificate.

In one implementation, when the application information and the first verification information are carried in a digital certificate, the first communication device verifies the integrity of the application information based on the first verification information, and in a specific implementation, the first communication device may verify the validity of the digital certificate.

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec). IPsec-based integrity verification includes integrity verification based on the Authentication Header (AH) and integrity verification based on the Encapsulating Security Payload (ESP); in this embodiment, AH-based integrity verification may also be referred to as AH verification, and ESP-based integrity verification may also be referred to as ESP verification.

In one implementation, when the first verification method is AH verification, the first verification information is first AH verification information, which may be obtained by calculating a target field in the first message using an AH verification algorithm. In this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information as follows: it calculates the target field in the first message using the AH verification algorithm to obtain second AH verification information, and performs matching verification on the first AH verification information and the second AH verification information.

In one implementation, when the first verification method is ESP verification, the first verification information is first ESP verification information, which may be obtained by calculating a target field in the first message using an ESP verification algorithm. In this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information as follows: it calculates the target field in the first message using the ESP verification algorithm to obtain second ESP verification information, and performs matching verification on the first ESP verification information and the second ESP verification information.

In one implementation, the first communication device is a network device. By performing the integrity check on the application information, the network device can determine whether the application information has been stolen, thereby ensuring that the network resources corresponding to the application information are not stolen.

In one implementation, the first communication device includes: an access (ACC) device, a customer premises equipment (CPE) device, a residential gateway (RG), a data center server access leaf device, a data center egress gateway (DC GW), an autonomous system border router (ASBR), a base station, a user plane function (UPF) device, a broadband network gateway (BNG), or a provider edge (PE) device.

In one implementation, after the integrity of the application information is verified by the first communication device, if the application information passes the verification, the application information in the first message is legal, so that the first communication device can forward the first message. As an example, the first communication device may determine a corresponding network resource according to the application information, and forward the first packet using the determined network resource.

In one implementation, after the first communication device verifies the integrity of the application information, if the application information fails the verification, this indicates that the application information in the first message is illegal, so the first communication device may discard the first message, thereby preventing the network resource corresponding to the application information from being stolen.

In a second aspect, an embodiment of the present application provides a method for message processing, where the method may be executed by a second communication device. The second communication device may generate a first packet, where the first packet includes, in addition to the application information, first verification information for performing integrity verification on the application information. After the second communication device generates the first message, the first message can be sent to the first communication device, so that the first communication device can conveniently carry out integrity verification on the application information based on the first verification information. In this way, after receiving the first message, the first communication device may verify the integrity of the application information based on the first verification information. Therefore, by using the scheme of the embodiment of the application, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided, and accordingly, the problem of improper use of network resources caused by improper use of the application information can be avoided.

In one implementation, the first verification information is obtained according to a target field in the first message, and the target field includes the application information. As an example, the second communication device may obtain the target field, obtain the first verification information according to the target field, and then encapsulate the first verification information into the first message, so as to obtain a first message including the application information and the first verification information.

In an implementation manner, the first verification information is obtained by calculating a target field in the first message by using a first verification method, where the target field includes the application information. As an example, the second communication device may obtain a target field, and then calculate the target field in the first message by using a first verification method, so as to obtain first verification information, and further encapsulate the first verification information into the first message, so as to obtain a first message including the application information and the first verification information.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the first authentication information includes first HMAC check information.

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by signing the target field with a first private key.

In one implementation, the first authentication information is an encrypted digest in a digital certificate, and the digital certificate further includes the application information.

In one implementation, when the first authentication method is HMAC, or the first authentication method is digital signature authentication, or the first authentication information is an encrypted digest in a digital certificate, the first authentication information is sent to the second communication apparatus by the control management device. As an example, the second communication apparatus may transmit the application information to the control management device, the control management device may perform calculation on the application information to obtain the first authentication information, and the control management device may further transmit the calculated first authentication information to the second communication apparatus.

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec).

In one implementation, the first verification information is first authentication header (AH) verification information. For this case, the first AH verification information may be calculated by the second communication device by applying an AH verification algorithm to the target field in the first message.

In one implementation, the first verification information is first encapsulating security payload (ESP) verification information. For this case, the first ESP verification information may be calculated by the second communication device by applying an ESP verification algorithm to the target field in the first message.

In one implementation, the second communication device is a server or a user equipment.

In one implementation, the user equipment includes: an internet of things (IoT) device or a terminal device.

In the above first and second aspects:

the application information and the first verification information may be carried in a header of the first packet.

In one implementation, the first message is an internet protocol version 6 IPv6 message.

In one implementation, when the first packet is an IPv6 packet, the application information is carried in an IPv6 extension header.

In one implementation, when the first packet is an IPv6 packet, the application information is carried in the destination address.

In one implementation, when the first packet is an IPv6 packet, the application information is carried in the source address.

In one implementation, when the first packet is an IPv6 packet, the first authentication information is carried in an IPv6 extension header.

In one implementation, when the first packet is an IPv6 packet, the first authentication information is carried in the destination address.

In one implementation, when the first packet is an IPv6 packet, the first authentication information is carried in the source address.

In one implementation, the first packet is a multi-protocol label switching MPLS packet.

In one implementation, when the first packet is an MPLS packet, the application information is carried in the label value field.

In an implementation manner, when the first packet is an MPLS packet, the application information is carried in an extended type length value, TLV, field.

In one implementation, when the first packet is an MPLS packet, the first verification information is carried in the label value field.

In an implementation manner, when the first packet is an MPLS packet, the first verification information is carried in the extended TLV field.

In one implementation, the first packet is an IPv6 segment routing (SRv6) packet.

In one implementation, when the first packet is an SRv6 packet, the application information is carried in the segment routing header SRH.

In one implementation, when the first packet is the SRv6 packet, the first authentication information is carried in the SRH.

In one implementation, the first message is an internet protocol version 4 IPv4 message.

In one implementation, when the first packet is an IPv4 packet, the application information is carried in the option field.

In one implementation, when the first packet is an IPv4 packet, the first authentication information is carried in an option field.

In one implementation, the first packet is a Generic Routing Encapsulation (GRE) packet.

In one implementation, when the first packet is a GRE packet, the application information is carried in a key field.

In one implementation, when the first packet is a GRE packet, the first authentication information is carried in a key field.

In an implementation manner, the first message is a virtual extensible local area network VXLAN message.

In one implementation, when the first packet is a VXLAN packet, the application information is carried in a virtual network identifier field.

In one implementation, when the first message is a VXLAN message, the application information is carried in a reserved field.

In one implementation, when the first packet is a VXLAN packet, the first authentication information is carried in a virtual network identifier field.

In one implementation, when the first packet is a VXLAN packet, the first authentication information is carried in a reserved field.

In an implementation manner, the first packet is a network virtualization generic routing encapsulation NVGRE packet.

In one implementation, when the first packet is an NVGRE packet, the application information is carried in a flow identifier field.

In an implementation manner, when the first packet is an NVGRE packet, the application information is carried in a virtual network identification field.

In one implementation, when the first packet is an NVGRE packet, the application information is carried in a reserved field.

In one implementation, when the first packet is an NVGRE packet, the first authentication information is carried in a flow identifier field.

In an implementation manner, when the first packet is an NVGRE packet, the first verification information is carried in a virtual network identification field.

In one implementation, when the first packet is an NVGRE packet, the first authentication information is carried in a reserved field.

In one implementation, the first packet is a Generic Network Virtualization Encapsulation (Geneve) packet.

In one implementation, when the first packet is a Geneve packet, the application information is carried in a reserved field.

In one implementation, when the first packet is a Geneve packet, the application information is carried in a variable-length option field.

In one implementation, when the first packet is a Geneve packet, the first verification information is carried in a reserved field.

In one implementation, when the first packet is a Geneve packet, the first verification information is carried in a variable-length option field.

In a third aspect, embodiments of the present application provide a method for verifying application information, where the method may be performed by a first communication device. The first communication device may obtain a first message, where the first message includes a digital certificate, and the digital certificate includes application information and first verification information for performing integrity verification on the application information. Because the digital certificate includes both the application information and the first verification information, if the digital certificate is valid then the first verification information is valid and the application information it covers passes integrity verification; the first communication device can therefore verify the validity of the digital certificate after receiving the first message, and thereby verify the integrity of the application information. Therefore, by using the scheme of the embodiment of the application, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided, and accordingly, the problem of improper use of network resources caused by improper use of the application information can be avoided.

In one implementation, the first message further includes second verification information, where the second verification information is used to perform integrity verification on the application information, and the method further includes: and carrying out integrity verification on the application information by utilizing the second verification information. Therefore, the first message comprises a plurality of verification information used for verifying the integrity of the application information, so that multiple verification of the application information can be realized, and network resources corresponding to the application information are better prevented from being stolen.

In one implementation, the first authentication information is a cryptographic digest in the digital certificate.

In an implementation manner, a specific implementation manner of the first communication device performing integrity verification on the application information by using the second verification information is similar to the method of the first communication device performing integrity verification on the application information by using the first verification information described above in the first aspect. As an example: the first communication device may obtain third authentication information according to a target field in the first message, where the target field includes the application information; and performing matching check on the third verification information and the second verification information.

In one implementation, integrity verification of the application information using the second verification information includes: verifying the integrity of the application information based on a digital signature algorithm and the second verification information.

In one implementation, the second verification information is a digital signature obtained by signing a target field in the first message by using a first private key and a first hash calculation, and verifying the integrity of the application information based on a digital signature algorithm and the second verification information includes: decrypting the digital signature through a first public key to obtain a first plaintext; performing second hash calculation on the target field to obtain a second plaintext, wherein the first hash calculation and the second hash calculation adopt the same hash algorithm; and performing matching verification on the first plaintext and the second plaintext.

In one implementation, the first public key is carried in the digital certificate. In this way, a double verification of the application information can be achieved using the digital certificate. One of the methods is to verify the digital certificate to verify the integrity of the application information included in the digital certificate, and the other method is to verify the integrity of the application information by using a digital signature algorithm and a public key carried in the digital certificate.

In one implementation, a decryption algorithm that decrypts the digital signature is carried in the digital certificate, and/or the hash algorithm is carried in the digital certificate.

In a fourth aspect, an embodiment of the present application provides a message processing method, which is executed by a second communication device, and the method includes: the second communication device obtains a first message, where the first message includes a digital certificate, the digital certificate includes application information and first verification information, and the first verification information is used for verifying the integrity of the application information. After obtaining the first message, the second communication device sends the first message to the first communication device. Because the digital certificate includes both the application information and the first verification information, if the digital certificate is valid then the first verification information is valid and the application information it covers passes integrity verification; the first communication device can therefore verify the validity of the digital certificate after receiving the first message, and thereby verify the integrity of the application information. Therefore, by using the scheme of the embodiment of the application, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided, and accordingly, the problem of improper use of network resources caused by improper use of the application information can be avoided.

In one implementation, the first authentication information is a cryptographic digest in the digital certificate.

In an implementation manner, the first message further includes second verification information, and the second verification information is used to perform integrity verification on the application information.

In one implementation, the second authentication information is obtained according to a target field in the first message, and the target field includes the application information.

In an implementation manner, the second verification information is obtained by calculating a target field in the first message by using a first verification method, where the target field includes the application information.

In one implementation, the first verification method is digital signature verification.

In one implementation, the second verification information is a digital signature obtained by signing the target field with a first private key.

In one implementation manner, a first public key corresponding to the first private key is carried in the digital certificate, and the first public key is used for verifying the second verification information.

In one implementation, a decryption algorithm for decrypting the digital signature is carried in the digital certificate, and/or a hash algorithm for verifying the second verification information is carried in the digital certificate.

In the above third and fourth aspects:

in one implementation, the digital certificate is carried in a header of the first message.

In one implementation, the first message is an internet protocol version 6 IPv6 message.

In one implementation, when the first message is an IPv6 message, the digital certificate is carried in an IPv6 extension header.

In one implementation, when the first message is an IPv6 message, the digital certificate is carried in the destination address.

In one implementation, when the first message is an IPv6 message, the digital certificate is carried in the source address.

In one implementation, the first packet is a multi-protocol label switching MPLS packet.

In one implementation, when the first packet is an MPLS packet, the digital certificate is carried in the label value field.

In one implementation, when the first packet is an MPLS packet, the digital certificate is carried in an extended type length value, TLV, field.

In one implementation, the first packet is an IPv6 segment routing (SRv6) packet.

In one implementation, when the first message is the SRv6 message, the digital certificate is carried in the segment routing header SRH.

In one implementation, the first message is an internet protocol version 4 IPv4 message.

In one implementation, when the first message is an IPv4 message, the digital certificate is carried in the option field.

In one implementation, the first packet is a Generic Routing Encapsulation (GRE) packet.

In one implementation, when the first message is a GRE message, the digital certificate is carried in a key field.

In an implementation manner, the first message is a virtual extensible local area network VXLAN message.

In one implementation, when the first message is a VXLAN message, the digital certificate is carried in a virtual network identifier field.

In one implementation, when the first message is a VXLAN message, the digital certificate is carried in a reserved field.

In an implementation manner, the first packet is a network virtualization generic routing encapsulation NVGRE packet.

In one implementation, when the first packet is an NVGRE packet, the digital certificate is carried in the flow identification field.

In one implementation, when the first packet is an NVGRE packet, the digital certificate is carried in the virtual network identification field.

In one implementation, when the first message is an NVGRE message, the digital certificate is carried in a reserved field.

In one implementation, the first packet is a Generic Network Virtualization Encapsulation (Geneve) packet.

In one implementation, when the first message is a Geneve message, the digital certificate is carried in a reserved field.

In one implementation, when the first message is a Geneve message, the digital certificate is carried in a variable-length option field.

In a fifth aspect, an embodiment of the present application provides a method for processing application information, where the method may be performed by a control management device, and the control management device may obtain the application information and obtain first verification information according to the application information, where the first verification information is used to verify integrity of the application information. After the control management apparatus obtains the first authentication information, the first authentication information may be transmitted to the second communication device. After receiving the first verification information, the second communication device may perform a corresponding operation according to the first verification information, for example, generate a first message including the application information and the first verification information, and send the first message to the first communication device, so that the first communication device performs integrity verification on the application information. Therefore, by using the scheme of the embodiment of the application, the control management device can obtain the first verification information for performing integrity verification on the application information, and send the first verification information to the network device which forwards the message carrying the application information, so that the network device which forwards the message carrying the application information can perform integrity verification on the application information. 
Therefore, by using the scheme of the embodiment of the application, the network device forwarding the message carrying the application information can verify the integrity of the application information based on the first verification information, thereby avoiding improper use of the application information and correspondingly avoiding the problem of improper use of network resources caused by improper use of the application information.

In one implementation, the obtaining first verification information according to the application information includes: and calculating the application information based on a first verification method to obtain the first verification information.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, when the first verification method is HMAC verification, the first verification information includes first HMAC check information. The first HMAC check information may be obtained by the control management device by applying an HMAC algorithm to the application information.

In one implementation, the first verification method is digital signature verification.

In one implementation, when the first verification method is digital signature verification, the first verification information is a digital signature obtained by signing the application information by using a first private key and first hash calculation.

In one implementation, the obtaining first verification information according to the application information includes: and obtaining a digital certificate according to the application information, wherein the digital certificate comprises the first verification information. In one implementation, the first authentication information is a cryptographic digest in a digital certificate.

In one implementation, when the first verification information is carried in a digital certificate, the control management device sending the first verification information to the second communication device may be implemented, for example, as sending the digital certificate to the second communication device.

In one implementation, the method further comprises: obtaining second verification information according to the application information, wherein the second verification information is used for verifying the integrity of the application information; and sending the second verification information to a second communication device. By adopting the mode, the control management equipment can generate a plurality of verification information for verifying the integrity of the application information, thereby realizing multiple verification of the application information and more effectively avoiding the stealing of network resources corresponding to the application information.

In one implementation, the obtaining second verification information according to the application information includes: and calculating the application information based on a second verification method to obtain the second verification information.

In one implementation, the second verification method is HMAC verification.

In one implementation, the second authentication information includes second HMAC check information.

In one implementation, the second verification method is digital signature verification.

In one implementation, the second verification information is a digital signature obtained by signing the application information by using a second private key and a second hash calculation.

In one implementation, the first verification method and the second verification method are different verification methods. For example, the first verification method is HMAC verification, and the second verification method is digital signature verification; as another example, the first verification method is digital signature verification, and the second verification method is HMAC verification.

In a sixth aspect, embodiments of the present application provide a method for verifying application information, where the method may be performed by a first communication device. The first communication device may acquire application information and at least one piece of authentication information for integrity-verifying the application information. After the first communication device acquires the application information and the at least one verification information, integrity verification may be performed on the application information based on the at least one verification information. Therefore, by using the scheme of the embodiment of the application, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided, and accordingly, the problem of improper use of network resources caused by improper use of the application information can be avoided.

In one implementation, the first communication device may obtain the application information and the at least one piece of verification information by, for example, receiving from another device a first message that includes the application information and the at least one piece of verification information.

In one implementation, the first message may carry one or more pieces of verification information for performing integrity verification on the application information; as an example, the first message may include the first verification information.

In one implementation, when the first communication device verifies the integrity of the application information based on the first verification information, in a specific implementation, the first communication device may obtain third verification information according to a first target field in the first message, where the first target field includes the application information. After obtaining the third authentication information, the first communication device performs matching verification on the third authentication information and the first authentication information. For example, the third verification information and the first verification information may be compared, and if the third verification information and the first verification information are the same, the matching verification is passed, and if the third verification information and the first verification information are not the same, the matching verification is not passed. In this way, integrity verification of the application information can be achieved.

In one implementation, when the first communication device verifies the integrity of the application information based on the first verification information, the first communication device may verify the integrity of the application information based on a first verification method and the first verification information, for example.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In an implementation manner, when the first verification method is HMAC verification, the first verification information included in the first packet may be first HMAC verification information. The first HMAC check information may be obtained by performing HMAC calculation on the first target field in the first message. For this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information, and in particular implementation: the first communication device may perform HMAC calculation on the first target field in the first message to obtain second HMAC check information; and then, performing matching verification on the first HMAC verification information and the second HMAC verification information to realize integrity verification on the application information.
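As an added example that is not part of the present application, the following Go program shows both sides of the HMAC implementation described in the second aspect (generation by the second communication device) and in this sixth aspect (verification by the first communication device). The second communication device encapsulates the application information together with the HMAC computed over it (the target field) into an IPv6 Destination Options extension header, and the first communication device recomputes the HMAC over the received target field and compares it with the carried value in constant time. Because the target field here is the application information alone, the same HMAC is what a control management device would compute and hand to the sender in the variant of the fifth aspect. The option type values, the 128-bit truncation, the shared key and the sample application information are assumptions of this example, not values given in the text.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// IPv6 Destination Options header (RFC 8200): Next Header, Hdr Ext Len, then options,
// each a Type/Length/Value. The option types below are placeholders chosen for this
// example; they are not values assigned by IANA or named in the original text.
const (
	optPad1    = 0x00
	optPadN    = 0x01
	optAppInfo = 0x1E // carries the application information (the target field)
	optHMAC    = 0x5E // carries the first verification information
	hmacLen    = 16   // HMAC-SHA-256 truncated to 128 bits (an assumption of this example)
)

// computeMAC is the first verification method: HMAC over the target field with a shared key.
func computeMAC(key, target []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(target)
	return m.Sum(nil)[:hmacLen]
}

// buildDestOpts is the second communication device's side: it encapsulates the
// application information (at most 255 bytes here) and the HMAC computed over it into
// one extension header, padded to the multiple of 8 octets that IPv6 requires.
func buildDestOpts(nextHeader byte, appInfo, key []byte) []byte {
	var opts bytes.Buffer
	opts.WriteByte(optAppInfo)
	opts.WriteByte(byte(len(appInfo)))
	opts.Write(appInfo)
	opts.WriteByte(optHMAC)
	opts.WriteByte(hmacLen)
	opts.Write(computeMAC(key, appInfo))
	pad := (8 - (2+opts.Len())%8) % 8
	if pad == 1 {
		opts.WriteByte(optPad1)
	} else if pad > 1 {
		opts.WriteByte(optPadN)
		opts.WriteByte(byte(pad - 2))
		opts.Write(make([]byte, pad-2))
	}
	total := 2 + opts.Len()
	return append([]byte{nextHeader, byte(total/8 - 1)}, opts.Bytes()...)
}

// parseDestOpts walks the TLVs and returns the application information and the carried HMAC.
func parseDestOpts(hdr []byte) (appInfo, mac []byte, err error) {
	if len(hdr) < 2 {
		return nil, nil, errors.New("short extension header")
	}
	total := (int(hdr[1]) + 1) * 8
	if len(hdr) < total {
		return nil, nil, errors.New("truncated extension header")
	}
	for i := 2; i < total; {
		if hdr[i] == optPad1 {
			i++
			continue
		}
		if i+2 > total || i+2+int(hdr[i+1]) > total {
			return nil, nil, errors.New("option overruns header")
		}
		val := hdr[i+2 : i+2+int(hdr[i+1])]
		switch hdr[i] {
		case optAppInfo:
			appInfo = val
		case optHMAC:
			mac = val
		}
		i += 2 + len(val)
	}
	if appInfo == nil || mac == nil {
		return nil, nil, errors.New("application or verification information missing")
	}
	return appInfo, mac, nil
}

// verifyDestOpts is the first communication device's side: recompute the HMAC over the
// received target field and compare it with the carried value in constant time.
func verifyDestOpts(hdr, key []byte) ([]byte, bool) {
	appInfo, carried, err := parseDestOpts(hdr)
	if err != nil {
		return nil, false
	}
	return appInfo, hmac.Equal(carried, computeMAC(key, appInfo))
}

func main() {
	key := []byte("constructed-shared-key") // shared between sender and verifier (constructed)
	app := []byte("app-id=video;prio=5")    // constructed application information
	hdr := buildDestOpts(59, app, key)      // 59 = No Next Header
	_, ok := verifyDestOpts(hdr, key)
	fmt.Printf("untouched header verifies: %v\n", ok)
	tampered := bytes.Replace(hdr, []byte("prio=5"), []byte("prio=7"), 1)
	_, ok = verifyDestOpts(tampered, key)
	fmt.Printf("tampered header verifies:  %v\n", ok)
}
```

A node that changes the application information in flight (for instance to raise its own priority) fails the check because the carried HMAC no longer matches; a node without the key cannot produce a matching one.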

In one implementation, the first verification method is digital signature verification.

In an implementation manner, when the first verification method is digital signature authentication, the first verification information is a digital signature obtained by signing a first target field in the first message by using a first private key and first hash calculation. For this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information, and in a specific implementation: the first communication device can decrypt the digital signature through the first public key to obtain a first plaintext; performing second hash calculation on the first target field to obtain a second plaintext, wherein the first hash calculation and the second hash calculation adopt the same hash algorithm; and then, the first communication device carries out matching verification on the first plaintext and the second plaintext.

In one implementation, the first message further includes a digital certificate, and the digital certificate includes the first public key. In this embodiment, the digital certificate may be a digital certificate of the sending device of the first message, and the digital certificate may be regarded as an identification of the sending device of the first message. When the first public key is carried in the digital certificate, the validity of the first public key can be ensured.

In one implementation, the digital certificate further includes a decryption algorithm for decrypting the digital signature, and/or the hash algorithm. When the decryption algorithm for decrypting the digital signature is carried in the digital certificate, the validity of the decryption algorithm can be ensured; when the hash algorithm is carried in the digital certificate, the validity of the hash algorithm can be ensured.

In one implementation, the method further comprises: verifying the validity of the digital certificate. It can be understood that the validity of the sending device of the first message can be verified by verifying the validity of the digital certificate. Correspondingly, if the digital certificate also carries other information, for example the first public key, or a decryption algorithm for decrypting the digital signature and/or the hash algorithm, the validity of that other information carried in the digital certificate is verified as well.
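As an added example that is not part of the present application, the following Go program shows the double verification described in the third aspect and in this sixth aspect: the control management device acts as a CA and issues the second communication device a certificate whose extension carries the application information, so the CA's signature over the certificate (its encrypted digest) is the first verification information; the device then signs the target field with its private key, and the first communication device first verifies the certificate against the trusted CA and then verifies the signature with the public key taken from that certificate. The example uses ECDSA over P-256 with SHA-256 instead of the unspecified signature and hash algorithms in the text, and the extension OID, certificate names and sample application information are its own assumptions. It also adds one check the text does not state: that the signed target field equals the application information the CA certified.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// oidAppInfo names the certificate extension carrying the application information;
// a placeholder under the private-enterprise arc, assumed for this example.
var oidAppInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA models the control management device as a self-signed CA trusted by the verifier.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(1, "control management CA (example)")
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert binds appInfo into the device certificate as a non-critical extension; the
// CA signature over the certificate (its encrypted digest) is the first verification information.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, appInfo []byte) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	extVal, err := asn1.Marshal(appInfo) // DER OCTET STRING
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(2, "second communication device (example)")
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtraExtensions = []pkix.Extension{{Id: oidAppInfo, Value: extVal}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// signTarget produces the second verification information: an ECDSA signature over the target field.
func signTarget(key *ecdsa.PrivateKey, target []byte) ([]byte, error) {
	h := sha256.Sum256(target)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyTarget is the first communication device's double verification of the application information.
func verifyTarget(root *x509.Certificate, certDER, target, sig []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	// Step 1: chain to the trusted CA, which checks the encrypted digest and therefore
	// both the application information in the extension and the public key used in step 2.
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, err
	}
	var bound []byte
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidAppInfo) {
			if _, err := asn1.Unmarshal(e.Value, &bound); err != nil {
				return nil, err
			}
		}
	}
	// Step 2: check the signature over the target field with the public key from the certificate.
	h := sha256.Sum256(target)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, errors.New("signature does not match target field")
	}
	// Added check: a valid certificate plus a valid signature would otherwise let the
	// device assert any value, so the signed target field must be the certified one.
	if bound == nil || !bytes.Equal(bound, target) {
		return nil, errors.New("target field is not the certified application information")
	}
	return bound, nil
}
```

The public key is read from the verified certificate rather than from the packet, so a sender cannot substitute a key of its own; the extension is left non-critical so that verifiers unaware of it still build the chain.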

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec). IPsec-based integrity verification includes AH verification and ESP verification.

In one implementation, when the first verification method is AH verification, the first verification information is first AH verification information, where the first AH verification information may be obtained by calculating a first target field in the first message by using an AH verification algorithm. For this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information, and in a specific implementation: the first communication device may calculate a first target field in the first message by using an AH check algorithm to obtain second AH verification information; and performs matching verification on the first AH verification information and the second AH verification information.

In one implementation, when the first verification method is ESP verification, the first verification information is first ESP verification information, where the first ESP verification information may be obtained by applying an ESP verification algorithm to the first target field in the first message. For this case, the first communication device verifies the integrity of the application information based on the first verification method and the first verification information, and in a specific implementation: the first communication device may apply the ESP verification algorithm to the first target field in the first message to obtain second ESP verification information, and perform matching verification on the first ESP verification information and the second ESP verification information.
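As an added example that is not part of the present application, the following Go program shows the AH variant of the IPsec-based verification from the second aspect and this sixth aspect: the second communication device places the application information in the payload behind an authentication header whose integrity check value (ICV) is the first verification information, and the first communication device recomputes the ICV and compares it. The point the text leaves implicit, and the one a practitioner has to get right, is that the ICV covers the whole packet with the mutable IPv6 fields (traffic class, flow label, hop limit) and the ICV field itself set to zero, so that forwarding hops do not break the check while any change to the payload does. The algorithm HMAC-SHA-256-128 (RFC 4868), the key, the addresses and the sample application information are assumptions of this example; replay protection by the sequence number is not implemented.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout used here: IPv6 base header (40 bytes) | AH | payload. The AH fields follow
// RFC 4302: Next Header (1), Payload Len (1), Reserved (2), SPI (4), Sequence (4), ICV.
// With HMAC-SHA-256-128 the ICV is 16 bytes, which makes AH 28 bytes; IPv6 requires a
// multiple of 8, so 4 bytes of zero padding follow the ICV (32 bytes in total).
const (
	ipv6Len   = 40
	ahFixed   = 12
	icvLen    = 16
	ahLen     = 32
	protoAH   = 51
	noNextHdr = 59
)

// zeroMutable returns a copy of pkt with the fields that change in transit set to zero:
// IPv6 traffic class, flow label and hop limit, plus the ICV field and its padding.
// Both sides compute the ICV over this form.
func zeroMutable(pkt []byte) []byte {
	c := append([]byte(nil), pkt...)
	c[0] &= 0xF0               // keep the version nibble, clear the top of traffic class
	c[1], c[2], c[3] = 0, 0, 0 // rest of traffic class and the flow label
	c[7] = 0                   // hop limit
	for i := ipv6Len + ahFixed; i < ipv6Len+ahLen; i++ {
		c[i] = 0
	}
	return c
}

func computeICV(key, pkt []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(zeroMutable(pkt))
	return m.Sum(nil)[:icvLen]
}

// buildAHPacket is the second communication device's side. The application information
// travels in the payload; the ICV is the first AH verification information.
func buildAHPacket(src, dst [16]byte, spi, seq uint32, payload, key []byte) []byte {
	pkt := make([]byte, ipv6Len+ahLen+len(payload))
	pkt[0] = 0x60 // version 6, traffic class 0, flow label 0
	binary.BigEndian.PutUint16(pkt[4:6], uint16(ahLen+len(payload)))
	pkt[6] = protoAH
	pkt[7] = 64 // hop limit
	copy(pkt[8:24], src[:])
	copy(pkt[24:40], dst[:])
	ah := pkt[ipv6Len : ipv6Len+ahLen]
	ah[0] = noNextHdr
	ah[1] = byte(ahLen/4 - 2) // Payload Len: AH length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:8], spi)
	binary.BigEndian.PutUint32(ah[8:12], seq)
	copy(pkt[ipv6Len+ahLen:], payload)
	copy(ah[ahFixed:ahFixed+icvLen], computeICV(key, pkt))
	return pkt
}

// verifyAH is the first communication device's side: recompute the ICV over the received
// packet with mutable fields zeroed, compare in constant time, and return the payload.
func verifyAH(pkt, key []byte) ([]byte, error) {
	if len(pkt) < ipv6Len+ahLen || pkt[0]>>4 != 6 || pkt[6] != protoAH {
		return nil, errors.New("not an IPv6 packet carrying AH")
	}
	ah := pkt[ipv6Len : ipv6Len+ahLen]
	if int(ah[1]) != ahLen/4-2 {
		return nil, errors.New("unexpected AH length for HMAC-SHA-256-128")
	}
	if !hmac.Equal(ah[ahFixed:ahFixed+icvLen], computeICV(key, pkt)) {
		return nil, errors.New("ICV mismatch")
	}
	return pkt[ipv6Len+ahLen:], nil
}

func main() {
	key := []byte("constructed-AH-key") // constructed shared key
	var src, dst [16]byte
	src[15], dst[15] = 1, 2 // ::1 and ::2, constructed addresses
	pkt := buildAHPacket(src, dst, 0x100, 1, []byte("app-id=video;prio=5"), key)
	_, err := verifyAH(pkt, key)
	fmt.Println("as sent:", err)
	pkt[7]-- // a forwarding hop decrements the hop limit
	_, err = verifyAH(pkt, key)
	fmt.Println("after one hop:", err)
	pkt[len(pkt)-1] ^= 1 // payload changed in flight
	_, err = verifyAH(pkt, key)
	fmt.Println("payload tampered:", err)
}
```

ESP verification differs only in scope: its ICV covers the ESP header and the encrypted payload but not the outer IP header, so no mutable-field zeroing is needed there.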

In an implementation manner, the first packet includes a digital certificate, and the application information and the at least one piece of verification information are carried in the digital certificate.

In one implementation, when the application information and the at least one piece of verification information are carried in a digital certificate, the first communication device may verify the validity of the digital certificate to verify the integrity of the application information.

In an implementation manner, the verification information carried in the first packet may include second verification information in addition to the first verification information. Accordingly, the first communication apparatus can authenticate the application information based on the second authentication information in addition to the first authentication information, so as to realize multiple authentications of the application information.

In one implementation, when the first communication device verifies the integrity of the application information based on the second verification information, in a specific implementation, the first communication device may obtain fourth verification information according to a second target field in the first message, where the second target field includes the application information. After the fourth authentication information is obtained, the first communication device performs matching verification on the second authentication information and the fourth authentication information.

In one implementation, when the first communication device verifies the integrity of the application information based on the second verification information, the first communication device may verify the integrity of the application information based on a second verification method and the second verification information, for example.

In one implementation, the second verification method is keyed-hash message authentication code (HMAC) verification.

In an implementation manner, when the second verification method is HMAC verification, the second verification information included in the first packet may be third HMAC check information. The third HMAC check information may be obtained by performing an HMAC calculation on the second target field in the first message. For this case, the first communication device verifies the integrity of the application information based on the second verification method and the second verification information, and in a specific implementation: the first communication device may perform an HMAC calculation on the second target field in the first message to obtain fourth HMAC check information; and then perform matching verification on the third HMAC check information and the fourth HMAC check information, thereby verifying the integrity of the application information.

In one implementation, the second verification method is digital signature verification.

In an implementation manner, when the second verification method is digital signature verification, the second verification information is a digital signature obtained by signing a second target field in the first message by using a second private key and a third hash calculation. For this case, the first communication device verifies the integrity of the application information based on the second verification method and the second verification information, and in a specific implementation: the first communication device can decrypt the digital signature with the second public key to obtain a third plaintext; perform a fourth hash calculation on the second target field to obtain a fourth plaintext, where the third hash calculation and the fourth hash calculation use the same hash algorithm; and then perform matching verification on the third plaintext and the fourth plaintext.

In one implementation, similar to the first public key, the second public key may also be carried in a digital certificate to ensure the validity of the second public key. Wherein the digital certificate may be carried in the first message.

In an implementation manner, a decryption algorithm for decrypting the second verification information, and/or a hash algorithm used in the third hash calculation and the fourth hash calculation may also be carried in the digital certificate.

In one implementation, the second verification method is an integrity verification based on internet protocol security, IPSEC. The integrity verification based on IPSEC comprises AH verification and ESP verification.

In one implementation, when the second verification method is AH verification, the second verification information is third AH verification information, where the third AH verification information may be obtained by calculating a second target field in the first message by using an AH verification algorithm. For this case, the first communication device verifies the integrity of the application information based on the second verification method and the second verification information, and in a specific implementation: the first communication device may calculate the second target field in the first message by using an AH check algorithm, to obtain fourth AH verification information; and performs matching verification on the third AH verification information and the fourth AH verification information.

In one implementation, when the second verification method is ESP verification, the second verification information is third ESP verification information, where the third ESP verification information may be obtained by calculating a second target field in the first message by using an ESP verification algorithm. For this case, the first communication device verifies the integrity of the application information based on the second verification method and the second verification information, and in a specific implementation: the first communication device can calculate the second target field in the first message by using an Encapsulating Security Payload (ESP) verification algorithm to obtain fourth ESP verification information; and then performs matching verification on the third ESP verification information and the fourth ESP verification information.

In one implementation, the first communication device is a network device. By checking the integrity of the application information, the network device can determine whether the application information has been misappropriated, thereby ensuring that the network resource corresponding to the application information is not stolen.

In one implementation, the first communication device is one of: an access (ACC) device, a customer premises equipment (CPE) device, a home gateway (RG), a data center server access leaf device, a data center egress gateway (DC GW), an autonomous system border router (ASBR), a broadband network gateway (BNG), or a provider edge (PE) device.

In one implementation, after the integrity of the application information is verified by the first communication device, if the application information passes the verification, the application information in the first message is legal, so that the first communication device can forward the first message. As an example, the first communication device may determine a corresponding network resource according to the application information, and forward the first packet using the determined network resource.

In one implementation, after the first communication device verifies the integrity of the application information, if the application information fails the verification, this indicates that the application information in the first message is illegal, so the first communication device may discard the first message, thereby preventing the network resource corresponding to the application information from being stolen.

In a seventh aspect, an embodiment of the present application provides a method for processing application information, where the method may be performed by a second communication device, and the second communication device may obtain the application information and at least one piece of verification information, where the at least one piece of verification information is used to perform integrity verification on the application information. After the second communication device obtains the application information and the at least one verification information, the application information and the at least one verification information may be transmitted to the first communication device, so that the first communication device verifies the integrity of the application information based on the at least one verification information. Therefore, by using the scheme of the embodiment of the application, the first communication device can verify the integrity of the application information, so that improper use of the application information is avoided, and accordingly, the problem of improper use of network resources caused by improper use of the application information can be avoided.

In one implementation, the second communication device may obtain a first message including the application information and the at least one piece of verification information, and send the application information and the at least one piece of verification information to the first communication device by sending the first message to the first communication device. In one example, the second communication device may encapsulate a service packet with the application information and the at least one piece of verification information, thereby obtaining the first packet.

In one implementation, the first message may carry one or more pieces of verification information for performing integrity verification on the application information; as an example, the first message may include the first verification information.

In one implementation, the first authentication information is obtained according to a first target field in the first message, and the first target field includes the application information. As an example, the second communication device may obtain a first target field, and then obtain the first verification information according to the first target field, and further, the second communication device encapsulates the first verification information into the first message, so as to obtain the first message including the application information and the first verification information.

In an implementation manner, the first verification information is obtained by calculating a first target field in the first message by using a first verification method, where the first target field includes the application information. As an example, the second communication device may obtain a first target field, and then calculate the first target field in the first message by using a first verification method, so as to obtain first verification information, and further encapsulate the first verification information into the first message, so as to obtain a first message including the application information and the first verification information.
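The sender-side procedure above (obtain the target field, compute the first verification information over it, encapsulate both into the first message) and the matching verification performed by the first communication device, as an added example that is not code from the patent. It assumes HMAC-SHA256 as the first verification method, a shared key held by both devices, and an IPv6 Destination Options header as the carrier; the option type numbers, key, sample application information and resource table are constructed for the example.

```python
import hmac
import hashlib
import struct
from typing import Dict, Optional, Tuple

# All constants below are constructed for this example; they are not values
# from the patent or from any assigned option-type registry.
SHARED_KEY = b"example-shared-key-do-not-reuse"   # held by both communication devices
OPT_APP_INFO = 0x3E    # option carrying the application information (the target field)
OPT_HMAC = 0x3F        # option carrying the first verification information
NEXT_HEADER_UDP = 17   # next header value following the extension header
HMAC_LEN = 32          # HMAC-SHA256 output length
# Constructed mapping from application information to a network resource.
RESOURCE_BY_APP = {b"app=video;prio=high": "high-bandwidth-link"}


def compute_hmac(target_field: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the target field; yields the first HMAC check information
    on the sender and the second HMAC check information on the verifier."""
    return hmac.new(key, target_field, hashlib.sha256).digest()


def build_dest_options(app_info: bytes, key: bytes) -> bytes:
    """Second communication device: compute the first verification information
    over the target field and encapsulate both as TLVs in an IPv6 Destination
    Options extension header (next header, hdr ext len, options)."""
    options = struct.pack("!BB", OPT_APP_INFO, len(app_info)) + app_info
    options += struct.pack("!BB", OPT_HMAC, HMAC_LEN) + compute_hmac(app_info, key)
    # The extension header must be a multiple of 8 octets: pad with Pad1/PadN.
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                          # Pad1
    elif pad > 1:
        options += struct.pack("!BB", 1, pad - 2) + bytes(pad - 2)  # PadN
    hdr_ext_len = (2 + len(options)) // 8 - 1
    return struct.pack("!BB", NEXT_HEADER_UDP, hdr_ext_len) + options


def parse_dest_options(header: bytes) -> Dict[int, bytes]:
    """Return {option type: value} for the options in the header, skipping
    padding. Raises ValueError on a truncated or malformed header."""
    if len(header) < 2:
        raise ValueError("header too short")
    total = (header[1] + 1) * 8
    if len(header) < total:
        raise ValueError("truncated extension header")
    options, i = {}, 2
    while i < total:
        opt_type = header[i]
        if opt_type == 0:                 # Pad1 has no length byte
            i += 1
            continue
        if i + 2 > total:
            raise ValueError("option header runs past the extension header")
        length = header[i + 1]
        if i + 2 + length > total:
            raise ValueError("option value runs past the extension header")
        if opt_type != 1:                 # PadN carries no information
            options[opt_type] = header[i + 2:i + 2 + length]
        i += 2 + length
    return options


def verify_application_info(header: bytes, key: bytes) -> Tuple[bool, Optional[bytes]]:
    """First communication device: recompute the HMAC over the target field
    (second HMAC check information) and match it against the first HMAC check
    information carried in the packet. A malformed header fails verification."""
    try:
        options = parse_dest_options(header)
    except ValueError:
        return False, None
    app_info = options.get(OPT_APP_INFO)
    first_check = options.get(OPT_HMAC)
    if app_info is None or first_check is None:
        return False, None
    second_check = compute_hmac(app_info, key)
    # Constant-time comparison so the matching step leaks nothing about the tag.
    if not hmac.compare_digest(first_check, second_check):
        return False, None
    return True, app_info


def handle_first_packet(header: bytes, key: bytes) -> str:
    """Forward using the resource selected by the application information when
    the verification passes; discard the packet otherwise."""
    passed, app_info = verify_application_info(header, key)
    if not passed:
        return "discard"
    return "forward:" + RESOURCE_BY_APP.get(app_info, "default-resource")


if __name__ == "__main__":
    hdr = build_dest_options(b"app=video;prio=high", SHARED_KEY)
    print(handle_first_packet(hdr, SHARED_KEY))               # forward:high-bandwidth-link
    tampered = bytearray(hdr)
    tampered[4] ^= 0x01   # alter the application information, keep the old HMAC
    print(handle_first_packet(bytes(tampered), SHARED_KEY))   # discard
```

The digital signature, AH and ESP variants described on this page differ only in how the check value over the target field is produced and matched; the encapsulation, parsing and forward-or-discard decision are the same.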

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the first authentication information includes first HMAC check information.

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by signing the first target field with a first private key.

In one implementation, the first authentication information is an encrypted digest in a digital certificate, and the digital certificate further includes the application information.

In one implementation, when the first authentication method is HMAC, or the first authentication method is digital signature authentication, or the first authentication information is an encrypted digest in a digital certificate, the first authentication information is sent to the second communication apparatus by the control management device. As an example, the second communication apparatus may transmit the application information to the control management device, the control management device may perform calculation on the application information to obtain the first authentication information, and the control management device may further transmit the calculated first authentication information to the second communication apparatus.

In one implementation, the first verification method is integrity verification based on internet protocol security, IPSEC.

In one implementation, the first verification information is first authentication header (AH) verification information. For this case, the first AH verification information may be calculated by the second communication device using an AH verification algorithm on the first target field in the first message.

In one implementation, the first verification information is first Encapsulating Security Payload (ESP) verification information. For this case, the first ESP verification information may be calculated by the second communication device using an ESP verification algorithm on the first target field in the first message.

In an implementation manner, the verification information carried in the first packet may include second verification information in addition to the first verification information. Accordingly, after the first packet is sent to the first communication device, the first communication device may verify the application information based on the first verification information, and may also verify the application information based on the second verification information, so as to implement multiple verifications of the application information.

In one implementation, the second authentication information is obtained according to a second target field in the first message, and the second target field includes the application information. As an example, the second communication device may obtain the second target field, and then obtain the second verification information according to the second target field, and further, the second communication device encapsulates the second verification information into the first message, so as to obtain the first message including the application information and the second verification information.

In an implementation manner, the second verification information is obtained by calculating a second target field in the first message by using a second verification method, where the second target field includes the application information. As an example, the second communication device may obtain the second target field, and then calculate the second target field in the first message by using the second verification method, so as to obtain the second verification information, and further encapsulate the second verification information into the first message by the second communication device, so as to obtain the first message including the application information and the second verification information.

In one implementation, the second verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the second authentication information includes third HMAC check information.

In one implementation, the second verification method is digital signature verification.

In one implementation, the second verification information is a digital signature obtained by signing the second target field with a second private key.

In one implementation, the second authentication information is an encrypted digest in a digital certificate, and the digital certificate further includes the application information.

In one implementation, when the second verification method is HMAC, or the second verification method is digital signature verification, or the second verification information is an encrypted digest in a digital certificate, the second verification information is sent to the second communication apparatus by the control management device. As an example, the second communication apparatus may transmit the application information to the control management device, the control management device may perform calculation on the application information to obtain the second authentication information, and the control management device may further transmit the calculated second authentication information to the second communication apparatus.

In one implementation, the second verification method is an integrity verification based on internet protocol security, IPSEC.

In one implementation, the second verification information is third authentication header (AH) verification information. For this case, the third AH verification information may be calculated by the second communication device using an AH verification algorithm on the second target field in the first message.

In one implementation, the second verification information is third Encapsulating Security Payload (ESP) verification information. For this case, the third ESP verification information may be calculated by the second communication device using an ESP verification algorithm on the second target field in the first message.

In the above seventh and eighth aspects:

In one implementation, the first verification method and the second verification method are different verification algorithms. For example, if the first verification method is HMAC verification, the second verification method may be one of digital signature verification, AH verification, and ESP verification; if the first verification method is digital signature verification, the second verification method may be one of HMAC verification, AH verification, and ESP verification; if the first verification method is AH verification, the second verification method may be one of HMAC verification, digital signature verification, and ESP verification; and if the first verification method is ESP verification, the second verification method may be one of HMAC verification, digital signature verification, and AH verification.

In an implementation manner, the application information and the at least one piece of verification information are carried in a header of the first packet.

In one implementation, the first message is an internet protocol version 6 IPv6 message.

In one implementation, when the first packet is an IPv6 packet, the application information is carried in an IPv6 extension header.

In one implementation, when the first packet is an IPv6 packet, the application information is carried in the destination address.

In one implementation, when the first packet is an IPv6 packet, the application information is carried in the source address.

In one implementation, when the first packet is an IPv6 packet, the at least one piece of authentication information is carried in an IPv6 extension header.

In one implementation, when the first packet is an IPv6 packet, the at least one piece of authentication information is carried in the destination address.

In one implementation, when the first packet is an IPv6 packet, the at least one piece of authentication information is carried in the source address.

In one implementation, the first packet is a multi-protocol label switching MPLS packet.

In one implementation, when the first packet is an MPLS packet, the application information is carried in a label value field.

In an implementation manner, when the first packet is an MPLS packet, the application information is carried in an extended type length value, TLV, field.

In one implementation, when the first packet is an MPLS packet, the at least one piece of authentication information is carried in a label value field.

In one implementation, when the first packet is an MPLS packet, the at least one piece of authentication information is carried in an extended TLV field.

In one implementation, the first packet is a Segment Routing over Internet Protocol version 6 (SRv6) packet.

In one implementation, when the first packet is an SRv6 packet, the application information is carried in the segment routing header (SRH).

In one implementation, when the first packet is an SRv6 packet, the at least one piece of authentication information is carried in the SRH.

In one implementation, the first message is an internet protocol version 4 IPv4 message.

In one implementation, when the first packet is an IPv4 packet, the application information is carried in the option field.

In one implementation, when the first packet is an IPv4 packet, the at least one piece of authentication information is carried in an option field.

In one implementation, the first packet is a Generic Routing Encapsulation (GRE) packet.

In one implementation, when the first packet is a GRE packet, the application information is carried in a key field.

In one implementation, when the first packet is a GRE packet, the at least one piece of authentication information is carried in a key field.

In an implementation manner, the first message is a virtual extensible local area network VXLAN message.

In one implementation, when the first packet is a VXLAN packet, the application information is carried in a virtual network identifier field.

In one implementation, when the first message is a VXLAN message, the application information is carried in a reserved field.

In one implementation, when the first message is a VXLAN message, the at least one authentication information is carried in a virtual network identifier field.

In one implementation, when the first message is a VXLAN message, the at least one authentication information is carried in a reserved field.

In an implementation manner, the first packet is a network virtualization generic routing encapsulation NVGRE packet.

In one implementation, when the first packet is an NVGRE packet, the application information is carried in a flow identifier field.

In an implementation manner, when the first packet is an NVGRE packet, the application information is carried in a virtual network identification field.

In one implementation, when the first packet is an NVGRE packet, the application information is carried in a reserved field.

In one implementation, when the first packet is an NVGRE packet, the at least one piece of authentication information is carried in the flow identification field.

In one implementation manner, when the first packet is an NVGRE packet, the at least one piece of authentication information is carried in the virtual network identification field.

In one implementation, when the first packet is an NVGRE packet, the at least one piece of authentication information is carried in a reserved field.

In one implementation, the first packet is a Generic Network Virtualization Encapsulation (GENEVE) packet.

In one implementation, when the first packet is a GENEVE packet, the application information is carried in a reserved field.

In one implementation, when the first packet is a GENEVE packet, the application information is carried in a variable length option field.

In one implementation, when the first packet is a GENEVE packet, the at least one piece of authentication information is carried in a reserved field.

In one implementation, when the first packet is a GENEVE packet, the at least one piece of authentication information is carried in a variable length option field.

In an eighth aspect, an embodiment of the present application provides a first communication apparatus, including a communication interface and a processor coupled to the communication interface. By means of the communication interface and the processor, the first communication apparatus is configured to perform the method of the first aspect or any implementation of the first aspect; alternatively, the first communication apparatus is configured to perform the method of any one of the third and fourth aspects; alternatively, the first communication apparatus is configured to perform the method of the sixth aspect or any implementation of the sixth aspect.

In a ninth aspect, an embodiment of the present application provides a second communication apparatus, including a communication interface and a processor coupled to the communication interface. By means of the communication interface and the processor, the second communication apparatus is configured to perform the method of the second aspect or any implementation of the second aspect; alternatively, the second communication apparatus is configured to perform the method of the fourth aspect or any implementation of the fourth aspect; alternatively, the second communication apparatus is configured to perform the method of the seventh aspect or any implementation of the seventh aspect.

In a tenth aspect, an embodiment of the present application provides a control management device, including a communication interface and a processor coupled to the communication interface. By means of the communication interface and the processor, the control management device is configured to perform the method of the fifth aspect or any implementation of the fifth aspect.

In an eleventh aspect, an embodiment of the present application provides a first communication device, where the first communication device includes a memory and a processor; the memory is configured to store program code; and the processor is configured to execute instructions in the program code to cause the first communication device to perform the method of the first aspect or any implementation of the first aspect; or to cause the first communication device to perform the method of any one of the third and fourth aspects; or to cause the first communication device to perform the method of the sixth aspect or any implementation of the sixth aspect.

In a twelfth aspect, an embodiment of the present application provides a second communication device, where the second communication device includes a memory and a processor; the memory is configured to store program code; and the processor is configured to execute instructions in the program code to cause the second communication device to perform the method of the second aspect or any implementation of the second aspect; or to cause the second communication device to perform the method of the fourth aspect or any implementation of the fourth aspect; or to cause the second communication device to perform the method of the seventh aspect or any implementation of the seventh aspect.

In a thirteenth aspect, an embodiment of the present application provides a control management device, where the control management device includes a memory and a processor; the memory is configured to store program code; and the processor is configured to execute instructions in the program code to cause the control management device to perform the method of the fifth aspect or any implementation of the fifth aspect.

In a fourteenth aspect, an embodiment of the present application provides a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method of the first aspect or any implementation of the first aspect, or the method of the second aspect or any implementation of the second aspect, or the method of the third aspect or any implementation of the third aspect, or the method of the fourth aspect or any implementation of the fourth aspect, or the method of the fifth aspect or any implementation of the fifth aspect, or the method of the sixth aspect or any implementation of the sixth aspect, or the method of the seventh aspect or any implementation of the seventh aspect.

In a fifteenth aspect, an embodiment of the present application provides a communication system, including the first communication apparatus according to the above eighth aspect or eleventh aspect and the second communication apparatus according to the above ninth aspect or twelfth aspect.

In a sixteenth aspect, an embodiment of the present application provides a communication system, which is characterized by comprising the second communication apparatus according to the above ninth aspect or twelfth aspect, and the control management device according to the above tenth aspect or thirteenth aspect.

Drawings

To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.

Fig. 1 is a schematic diagram of an exemplary application scenario provided in an embodiment of the present application;

fig. 2 is a schematic diagram of another exemplary network scenario provided by an embodiment of the present application;

fig. 3 is a signaling interaction diagram of a method for verifying application information according to an embodiment of the present application;

fig. 4a is a structural diagram of a message 1 according to an embodiment of the present application;

fig. 4b is a structural diagram of a message 1 according to an embodiment of the present application;

fig. 4c is a structural diagram of a message 1 according to an embodiment of the present application;

fig. 4d is a structural diagram of a message 1 according to an embodiment of the present application;

fig. 5 is a signaling interaction diagram of a method for verifying application information according to an embodiment of the present application;

fig. 6 is a schematic flowchart of a method for verifying application information according to an embodiment of the present disclosure;

fig. 7 is a schematic flowchart of a message processing method according to an embodiment of the present application;

fig. 8 is a schematic flowchart of a method for verifying application information according to an embodiment of the present disclosure;

fig. 9 is a schematic flowchart of a message processing method according to an embodiment of the present application;

fig. 10 is a schematic flowchart of a method for processing application information according to an embodiment of the present application;

fig. 11 is a schematic flowchart of a method for verifying application information according to an embodiment of the present application;

fig. 12 is a schematic flowchart of a message processing method according to an embodiment of the present application;

fig. 13 is a schematic structural diagram of a communication device according to an embodiment of the present application;

fig. 14 is a schematic structural diagram of a communication device according to an embodiment of the present application;

fig. 15 is a schematic structural diagram of a communication device according to an embodiment of the present application.

Detailed Description

The embodiment of the application provides a method for verifying application information, which can avoid the problem of improper use of network resources caused by improper use of the application information.

An application (APP), which may also be referred to as an application program or application software in the present application, is software that provides the functions required by a service; it includes a computer program that performs one or more specific tasks and generally needs to interact with a user. An application may belong to multiple services and may run on one or more servers or on user equipment. In the embodiment of the present application, the application program may be, for example, an APP for games, video, mail, instant messaging, traffic information, weather forecasts, and the like. The application is typically installed on the terminal device. For ease of understanding, a possible application scenario of the embodiment of the present application is first described.

Referring to fig. 1, the figure is a schematic diagram of an exemplary application scenario provided in the embodiment of the present application.

In the application scenario shown in fig. 1, a user equipment 101 installed with an Application (APP) may send a service packet a to a server 102 of the APP through a network 100, where the service packet a may include application information of the APP. The network 100 at least includes a device 103 and a device 104, and the device 103 that receives the service packet a may allocate a corresponding network resource to the service packet a according to application information carried in the service packet a, so as to forward the service packet a to the server 102 by using the network resource. The traffic packet a is forwarded to the server 102, for example, using a high bandwidth link. Of course, the server 102 may also send the service packet B to the user equipment 101 through the network 100, and similarly, the service packet B may also carry the application information of the APP. The device 104 receiving the service packet B may allocate a network resource to the service packet B according to the application information carried in the service packet B, so as to forward the service packet B to the user equipment 101 by using the network resource. Devices 103 and 104, referred to herein, may be edge devices of network 100.

The application scenario shown in fig. 1 may be used in network scenarios such as a government and enterprise private line, home broadband and a mobile network. The user equipment 101 may be an Internet of Things (IoT) device or a terminal device. The terminal device mentioned here may be a mobile phone or a personal computer (PC), such as a tablet PC, a notebook computer, an ultra-mobile PC or a personal digital assistant; the embodiments of this application are not particularly limited in this respect.

If the application scenario shown in fig. 1 is applied to a government and enterprise private line, the device 103 may be customer premises equipment (CPE) or an access network (ACC) device, and the device 104 may be a data center egress gateway (DC GW), a data center server access device (leaf), or an autonomous system boundary router (ASBR).

If the application scenario shown in fig. 1 is applied to home broadband, the device 103 may be a residential gateway (RG) or an ACC device of the access network, and the device 104 may be a DC GW, a data center server access device (leaf), or an ASBR.

If the application scenario shown in fig. 1 is applied to a mobile network, the device 103 may be a mobile network base station, a user plane function (UPF) device of the core network, or an ACC device of the access network, and the device 104 may be a DC GW, a data center server access device (leaf), or an ASBR.

In some embodiments, the network 100 may include an access network, an aggregation network and a data center network. Fig. 2 is a schematic diagram of another exemplary network scenario provided in an embodiment of this application. The network scenario shown in fig. 2 may be applied to home broadband or a government and enterprise private line; the corresponding network scenario for a mobile network is not described in detail here.

In the scenario shown in fig. 2, a user equipment 101 on which an APP is installed may generate a service packet A carrying application information, which passes in turn through a device 105, an access device ACC 106 of the access network, an aggregation (AGG) device 107 of the aggregation network, an ASBR 108, a DC GW 109, a data center spine device 110 and a data center server access device leaf 111 to reach the server 102 of the application. In the home broadband scenario the device 105 may be an RG; in the government and enterprise private line scenario the device 105 may be a CPE.

As the description above shows, the network device 103 provides the quality of service that service packet A is entitled to on the basis of the application information it carries, and the network device 104 does the same for service packet B. If the application information is used improperly, for example stolen, the network resource is therefore used improperly as well.

Example 1: the paid APP on the device 101 uses application information AAAA, which corresponds to a high-bandwidth, low-latency network resource. A free APP on the device 101 steals application information AAAA and thereby steals the high-bandwidth, low-latency network resource.

Example 2: the APP on the device 101 logs in to paid user account 1 and is authorized to use application information AAAA. Another device installs a cracked version of the APP and logs in to free user account B. The cracked APP steals application information AAAA and thereby steals the network resource of paid user account 1.

Example 3: the paid APP on the device 101 uses application information AAAA; a free APP on another device steals application information AAAA and thereby steals the network resource of the paid APP.

Example 4: the APP on the device 101 logs in to a paid user account and is authorized to use application information AAAA. The same APP on another device logs in to a free user account and is authorized to use application information BBBB. To steal the network resource of the paid user account, the free user account changes application information BBBB to AAAA.

To address this, the embodiments of this application provide a method for verifying application information that prevents improper use of network resources caused by improper use of application information. The method is described next with reference to the drawings.

It should be noted that, unless otherwise specified, in the following description of the embodiments of the present application, descriptions of "object + serial number" such as hash algorithm n, public key n, private key n, etc. are used to distinguish similar objects, and are not used to limit a specific order or sequence order. Moreover, for the same object, the content and the serial number are not directly related, and the content may be the same or different between objects with different serial numbers, and the embodiment of the present application is not particularly limited. For example, the hash algorithm 1 and the hash algorithm 2 may be the same algorithm or different algorithms.

It should be noted that the communication apparatus mentioned in the embodiments of this application may be a network device such as a switch or a router, a component of a network device such as a board or a line card, or a functional module on a network device. The communication apparatus may also be a user equipment or a server, or a component of a user equipment or a server. The embodiments of this application are not particularly limited in this respect.

Referring to fig. 3, fig. 3 is a signaling interaction diagram of a method for verifying application information according to an embodiment of the present application.

The method 100 for verifying application information shown in fig. 3 may be performed by the communication apparatus 1 and the communication apparatus 2.

As an example, when the communication apparatus 1 corresponds to the user equipment 101, the communication apparatus 2 corresponds to the device 103 and the communication apparatus 3 corresponds to the server 102; when the communication apparatus 1 corresponds to the server 102, the communication apparatus 2 corresponds to the device 104 and the communication apparatus 3 corresponds to the user equipment 101. The method 100 may be implemented, for example, by S101 to S105a or by S101 to S105b, as follows.

S101: the communication device 1 generates a message 1, and the message 1 includes application information 1 and verification information 1.

For the communication apparatus 1, reference may be made to the description of the user equipment 101 or the server 102 above; it is not repeated here.

In this application, application information means the application information corresponding to an APP installed on the communication apparatus 1. In one implementation the application information may include one or more of a service-level agreement (SLA) level, an application identifier, a user identifier, a flow identifier (flow ID) and a reservation parameter. The application identifier identifies an application; the user identifier identifies the user of the application and may be, for example, the identifier of the account logged in to the application; the flow identifier identifies the service packets belonging to the application.

In this embodiment, verification information 1 is used to perform integrity verification on application information 1, that is, to check whether application information 1 has been lost, corrupted in transit, tampered with or forged. A keyed check of this kind detects any modification made by a party that does not hold the key, whether accidental or deliberate.

In this embodiment, the communication apparatus 1 may obtain application information 1 and derive verification information 1 from it. Having both, the communication apparatus 1 encapsulates the service packet of APP 1 and adds application information 1 and verification information 1 to it, thereby obtaining message 1.

In one implementation of this embodiment, verification information 1 may be derived by the communication apparatus 1 from a field of message 1. As an example, the communication apparatus 1 may compute verification information 1 over that field with verification algorithm 1. The field of message 1 in question includes application information 1.

In one implementation of this embodiment, verification algorithm 1 may be a keyed hash-based message authentication code (HMAC) check.

When verification algorithm 1 is an HMAC check, in one implementation the communication apparatus 1 may attach key 1 to field 1 and use the result as the input to hash algorithm 1, thereby obtaining verification information 1. Attaching key 1 to field 1 may mean appending key 1 to the tail of field 1, prepending it to the head of field 1, inserting it in the middle of field 1, and so on. In one example field 1 includes only application information 1; in another example field 1 includes other fields of message 1 in addition to application information 1. Note that a single hash over key and data is a keyed hash rather than HMAC as standardised in RFC 2104: with iterated hash functions such as MD5, SHA-1 and SHA-256, placing key 1 at the head of field 1 allows anyone who observes one valid tag to append data to field 1 and compute a valid tag for the extended field without knowing key 1 (length extension). The two-pass construction described next avoids this.

When verification algorithm 1 is an HMAC check, in yet another implementation (the HMAC construction of RFC 2104) the communication apparatus 1 obtains parameter 1 and parameter 2, which have the same number of bits: each is as long as the block size of hash algorithm 2, for example 64 bytes (512 bits) for MD5, SHA-1 and SHA-256, and in RFC 2104 they are the constants ipad (the byte 0x36 repeated) and opad (the byte 0x5c repeated). The communication apparatus 1 pads key 2 with a fixed value, for example 0, at its tail (as RFC 2104 does) or at its head, so that the padded key 2 has the same number of bits as parameter 1. It combines the padded key 2 with parameter 1, for example by exclusive OR, to obtain key 2'. It then attaches key 2' to field 1 (RFC 2104 prepends it) and feeds the result to hash algorithm 2, obtaining HMAC 1. It combines the padded key 2 with parameter 2, again for example by exclusive OR, to obtain key 2'', attaches key 2'' to HMAC 1 and feeds the result to hash algorithm 2, obtaining HMAC 2, which is verification information 1. For the meaning of "attach key 2' to field 1" and "attach key 2'' to HMAC 1", see the description of "attach key 1 to field 1" above.

In one implementation of this embodiment, when field 1 includes only application information 1, verification information 1 may instead be computed from application information 1 by the control management device. For example, the communication apparatus 1 sends application information 1 to the control management device, which computes verification information 1 over it with the HMAC algorithm and returns verification information 1 to the communication apparatus 1. In that case key 2 never has to be present on the user equipment, which is what keeps it out of the reach of other APPs installed there.

In one implementation of this embodiment, verification algorithm 1 may be digital signature verification.

When verification algorithm 1 is digital signature verification, in one implementation the communication apparatus 1 may hash field 2 of message 1 with hash algorithm 3 to obtain hash digest 1, and then sign hash digest 1 with private key 1 using signature algorithm 1 (in the text's wording, encrypt the digest with the private key using encryption algorithm 1) to obtain digital signature 1, which is verification information 1. In one example field 2 includes only application information 1; in another example field 2 includes other fields of message 1 in addition to application information 1.

In one implementation of this embodiment, when field 2 includes only application information 1, verification information 1 may instead be computed from application information 1 by the control management device. For example, the communication apparatus 1 sends application information 1 to the control management device, which signs it with the digital signature algorithm to obtain verification information 1 and returns verification information 1 to the communication apparatus 1.

In one implementation of this embodiment, when verification algorithm 1 is digital signature verification, message 1 may carry, in addition to application information 1 and verification information 1, a digital certificate 1 of the communication apparatus 1. Digital certificate 1 includes public key 1, and public key 1 and the private key 1 mentioned above form an asymmetric key pair; that is, public key 1 can be used to verify digital signature 1 (in the text's wording, to decrypt it). In some embodiments digital certificate 1 also names hash algorithm 3 and decryption algorithm 1, the verification algorithm that corresponds to encryption algorithm 1 and is used to check digital signature 1.

In this embodiment, digital certificate 1 of the communication apparatus 1 may be issued to it by a certificate authority (CA) device, which may be, for example, the control management device or a CA server. The procedure by which the communication apparatus 1 obtains digital certificate 1 is briefly as follows. First, the communication apparatus 1 sends its own identity information and other information, which together form an untrusted digital certificate, to the CA device. The CA device hashes the untrusted digital certificate with hash algorithm 4 to obtain hash digest 2, and then signs hash digest 2 with its own private key 2 (in the text's wording, encrypts the digest) to obtain encrypted digest 1. The CA device then sends its identity information, encrypted digest 1 and the untrusted digital certificate, which together constitute the trusted digital certificate 1 of the communication apparatus 1, to the communication apparatus 1. For this to protect anything, the device that later verifies message 1 must already hold the CA's public key and must reject any certificate whose encrypted digest 1 does not verify under it; otherwise an APP could issue itself a certificate for stolen application information.

It should be noted that the other information sent by the communication apparatus 1 to the CA device may include one or more of public key 1, decryption algorithm 1 and hash algorithm 3. The identity information of the communication apparatus 1 may include, for example, a device identifier of the communication apparatus 1, and may also include application information 1; this embodiment is not particularly limited in this respect. When the identity information includes application information 1, application information 1 in message 1 may, for example, be carried inside digital certificate 1.
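The signature variant and the certificate procedure above, written out as an added example in Go (this is not code from the patent; its structure of digital certificate 1, its choice of ECDSA P-256 with SHA-256 for hash algorithm 3, hash algorithm 4 and the signature algorithm, and the sample application information are all assumptions of the example). The CA issues certificate 1 by signing the hash of the untrusted part, communication apparatus 1 signs the hash of field 2 with private key 1, and communication device 2, which trusts only the CA's public key, checks the CA signature on the certificate before using public key 1 from it. The two attacks from examples 2 and 4 in the text are tried and rejected:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Certificate is a simplified stand-in for digital certificate 1 (layout
// assumed): the untrusted part submitted by communication apparatus 1 plus
// the CA's identity and its signature over SHA-256 of that part.
type Certificate struct {
	DeviceID   string // identity information of communication apparatus 1
	PublicKey  []byte // public key 1 as PKIX DER (the OID inside names the algorithm)
	CAIdentity string
	CASig      []byte // encrypted digest 1 in the text's wording
}

// untrustedBytes is the part of the certificate the CA signs.
func (c *Certificate) untrustedBytes() []byte {
	return append(append([]byte(c.DeviceID), 0), c.PublicKey...)
}

// issue is the CA side: hash the untrusted certificate (hash algorithm 4 is
// SHA-256 here) and sign hash digest 2 with the CA's private key 2.
func issue(caPriv *ecdsa.PrivateKey, caID, deviceID string, pub1 *ecdsa.PublicKey) (*Certificate, error) {
	der, err := x509.MarshalPKIXPublicKey(pub1)
	if err != nil {
		return nil, err
	}
	c := &Certificate{DeviceID: deviceID, PublicKey: der, CAIdentity: caID}
	digest2 := sha256.Sum256(c.untrustedBytes())
	c.CASig, err = ecdsa.SignASN1(rand.Reader, caPriv, digest2[:])
	return c, err
}

// sign produces verification information 1 at communication apparatus 1:
// hash field 2 with hash algorithm 3 (SHA-256 here), sign with private key 1.
func sign(priv1 *ecdsa.PrivateKey, field2 []byte) ([]byte, error) {
	digest1 := sha256.Sum256(field2)
	return ecdsa.SignASN1(rand.Reader, priv1, digest1[:])
}

// verifyMessage is S104 at communication device 2, which trusts only caPub:
// it checks the CA's signature on certificate 1 first, and only then uses
// public key 1 from the certificate to check digital signature 1 over field 2.
func verifyMessage(caPub *ecdsa.PublicKey, cert *Certificate, field2, sig1 []byte) bool {
	digest2 := sha256.Sum256(cert.untrustedBytes())
	if !ecdsa.VerifyASN1(caPub, digest2[:], cert.CASig) {
		return false // not issued by the trusted CA
	}
	key, err := x509.ParsePKIXPublicKey(cert.PublicKey)
	pub1, ok := key.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest1 := sha256.Sum256(field2)
	return ecdsa.VerifyASN1(pub1, digest1[:], sig1)
}

// Outcome records whether each message in scenario passed verification.
type Outcome struct{ Genuine, Tampered, RogueCert bool }

// scenario runs the whole flow with fresh P-256 keys for the CA (private
// key 2), communication apparatus 1 (private key 1) and a rogue APP.
func scenario() (Outcome, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return Outcome{}, err
		}
		keys[i] = k
	}
	caPriv, priv1, rogue := keys[0], keys[1], keys[2]
	cert1, err := issue(caPriv, "ca-1", "ue-101", &priv1.PublicKey)
	if err != nil {
		return Outcome{}, err
	}
	field2 := []byte("sla=1 app=AAAA user=1") // constructed application information 1
	sig1, err := sign(priv1, field2)
	if err != nil {
		return Outcome{}, err
	}
	// Example 2: a cracked APP signs AAAA with its own key and presents a
	// certificate it issued itself in the CA's name.
	rogueCert, err := issue(rogue, "ca-1", "ue-101", &rogue.PublicKey)
	if err != nil {
		return Outcome{}, err
	}
	rogueSig, err := sign(rogue, field2)
	if err != nil {
		return Outcome{}, err
	}
	caPub := &caPriv.PublicKey
	return Outcome{
		Genuine:   verifyMessage(caPub, cert1, field2, sig1),
		Tampered:  verifyMessage(caPub, cert1, []byte("sla=1 app=AAAA user=2"), sig1), // example 4: rewritten after signing
		RogueCert: verifyMessage(caPub, rogueCert, field2, rogueSig),
	}, nil
}

func main() {
	out, err := scenario()
	fmt.Printf("genuine=%v tampered=%v rogue=%v err=%v\n", out.Genuine, out.Tampered, out.RogueCert, err)
}
```

The order of the two checks in verifyMessage is the point: a receiver that parsed public key 1 out of the certificate and used it before checking the CA signature would accept the rogue certificate, since the rogue signature is valid under the rogue key.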

In one implementation of this embodiment, verification algorithm 1 may be integrity verification based on Internet Protocol security (IPsec).

In this embodiment, IPsec-based integrity verification includes verification based on the Authentication Header (AH) and verification based on the Encapsulating Security Payload (ESP). When verification algorithm 1 is IPsec-based integrity verification, message 1 may be encapsulated in either tunnel mode or transport mode. This is explained with reference to figs. 4a to 4d, which show four structures of message 1: fig. 4a, transport mode with AH; fig. 4b, tunnel mode with AH; fig. 4c, transport mode with ESP; fig. 4d, tunnel mode with ESP.

When verification algorithm 1 is AH-based integrity verification and message 1 is encapsulated in transport mode, in one implementation the communication apparatus 1 may compute AH verification information 1, that is, verification information 1 (the AH integrity check value, ICV), over field 3 of message 1 with AH verification algorithm 1. As fig. 4a shows, field 3 includes the IP header, the IP extension header, the AH, the Transmission Control Protocol (TCP) header and the data. Application information 1 may be carried in the IP extension header, for example an IPv6 extension header. Note that AH computes the ICV with the mutable fields zeroed (for IPv6: Traffic Class, Flow Label, Hop Limit, the ICV field itself, and any option whose "change en route" bit is set), so application information 1 is covered by the ICV only if the option that carries it is marked as not changing en route. AH verification algorithm 1 may be, for example, HMAC-MD5 or HMAC-SHA-1; current IPsec algorithm requirements (RFC 8221) forbid HMAC-MD5 and require HMAC-SHA-256-128, which a new deployment should use.

When verification algorithm 1 is AH-based integrity verification and message 1 is encapsulated in tunnel mode, in one implementation the communication apparatus 1 may compute AH verification information 2, that is, verification information 1, over field 4 of message 1 with AH verification algorithm 2. As fig. 4b shows, field 4 includes the new IP header, the AH, the IP header, the IP extension header, the TCP header and the data; the same mutable-field rule applies to both IP headers. Application information 1 may be carried in the IP extension header, for example an IPv6 extension header. AH verification algorithm 2 may be, for example, HMAC-MD5 or HMAC-SHA-1, with the same preference for HMAC-SHA-256-128 as above.

When verification algorithm 1 is ESP-based integrity verification, message 1 may be encapsulated in tunnel mode, and in one implementation the communication apparatus 1 may compute ESP verification information 1, that is, verification information 1 (the ESP ICV), over field 5 of message 1 with ESP verification algorithm 1. As fig. 4d shows, field 5 includes the ESP header, the IP extension header, the TCP header, the data and the ESP trailer. Unlike AH, ESP does not cover the outer IP header, so application information 1 must lie inside the ESP-protected payload; here it may be carried in the IP extension header, for example an IPv6 extension header. ESP verification algorithm 1 may be, for example, HMAC-MD5 or HMAC-SHA-1, with the same preference for HMAC-SHA-256-128 as above.

In one implementation, the message 1 mentioned herein may be an Internet Protocol Version 6 (IPv 6) message.

When message 1 is an IPv6 message, in some embodiments application information 1 may be carried in an extension header of the IPv6 message: a Hop-by-Hop Options extension header, a Destination Options extension header, or a Routing extension header. In other embodiments application information 1 may be carried in the source address field or the destination address field of message 1. The 128-bit source and destination addresses of an IPv6 message may be structured, as an SRv6 segment identifier is (RFC 8986), into three parts: a locator, a function and arguments. The locator carries the network segment and subnet address; the function identifies the behaviour bound to that locator and the arguments carry parameters for that behaviour. In some embodiments application information 1 may be carried in the function or arguments part of the source address; in other embodiments in the function or arguments part of the destination address.

Similarly, when message 1 is an IPv6 message, in some embodiments verification information 1 may be carried in an extension header of the IPv6 message, and in other embodiments in the source address field or the destination address field. Application information 1 and verification information 1 may be carried in the same field of the IPv6 message or in different fields; this embodiment is not particularly limited in this respect. For example, both may be carried in the source address field, with application information 1 in the function part and verification information 1 in the arguments part. As another example, application information 1 may be carried in the source address field and verification information 1 in the destination address field.

Regarding the structure of the IPv6 message and the meaning of each field, reference may be made to the relevant description part of request for comments (RFC) 8200, which is not described in detail herein.
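The extension-header carriage described above, as an added Go example that is not part of the patent: application information 1 and verification information 1 are packed into a single option of a Hop-by-Hop Options header (RFC 8200 section 4.3), built on the sending side and parsed and checked on the receiving side. The option type 0x1E is one of the experimental option types that RFC 4727 reserves for experiments; choosing it, the field widths of the application information, HMAC-SHA-256 truncated to 128 bits as the verification information, and the sample key and values are all assumptions of the example. Its high bits matter for the IPsec variants above: act bits 00 make an unaware node skip it, and chg bit 0 marks it immutable, so an AH ICV covers it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	appInfoOptType = 0x1E // RFC 4727 experimental option type: act=00, chg=0 (assumed use)
	nextHeaderTCP  = 6
	infoLen        = 13 // serialised application information 1 (widths assumed)
	tagLen         = 16 // verification information 1: HMAC-SHA-256 truncated to 128 bits
)

// AppInfo holds the application-information fields named in the text.
type AppInfo struct {
	SLALevel uint8
	AppID    uint32
	UserID   uint32
	FlowID   uint32
}

func (a AppInfo) marshal() []byte {
	b := make([]byte, infoLen)
	b[0] = a.SLALevel
	binary.BigEndian.PutUint32(b[1:], a.AppID)
	binary.BigEndian.PutUint32(b[5:], a.UserID)
	binary.BigEndian.PutUint32(b[9:], a.FlowID)
	return b
}

// tag computes verification information over application information 1.
func tag(key, info []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(info)
	return m.Sum(nil)[:tagLen]
}

// buildHopByHop is the sending side of S101: Next Header, Hdr Ext Len, one
// option (type, length, data) and PadN so the header is a multiple of 8 octets.
func buildHopByHop(key []byte, info AppInfo, nextHeader uint8) []byte {
	data := append(info.marshal(), tag(key, info.marshal())...)
	hdr := append([]byte{nextHeader, 0, appInfoOptType, byte(len(data))}, data...)
	if pad := (8 - len(hdr)%8) % 8; pad == 1 {
		hdr = append(hdr, 0) // Pad1
	} else if pad > 1 {
		hdr = append(hdr, 1, byte(pad-2)) // PadN
		hdr = append(hdr, make([]byte, pad-2)...)
	}
	hdr[1] = byte(len(hdr)/8 - 1) // Hdr Ext Len excludes the first 8 octets
	return hdr
}

var ErrIntegrity = errors.New("application information failed integrity verification")

// parseHopByHop is the receiving side of S103/S104: walk the options,
// skip padding and unknown skippable options, and return the application
// information only if its tag verifies.
func parseHopByHop(key, hdr []byte) (AppInfo, error) {
	if len(hdr) < 8 || (int(hdr[1])+1)*8 > len(hdr) {
		return AppInfo{}, errors.New("truncated Hop-by-Hop header")
	}
	end := (int(hdr[1]) + 1) * 8
	for i := 2; i < end; {
		if hdr[i] == 0 { // Pad1 has no length octet
			i++
			continue
		}
		if i+1 >= end || i+2+int(hdr[i+1]) > end {
			return AppInfo{}, errors.New("option overruns header")
		}
		t, data := hdr[i], hdr[i+2:i+2+int(hdr[i+1])]
		i += 2 + len(data)
		if t == appInfoOptType {
			return checkOption(key, data)
		}
		if t>>6 != 0 { // act bits other than 00: the packet must be discarded
			return AppInfo{}, fmt.Errorf("unknown option %#x, packet discarded", t)
		}
		// PadN or an unknown option with act bits 00: skip it
	}
	return AppInfo{}, errors.New("no application information option")
}

// checkOption recomputes the tag and decodes the fields only on a match.
func checkOption(key, data []byte) (AppInfo, error) {
	if len(data) != infoLen+tagLen {
		return AppInfo{}, errors.New("bad option length")
	}
	if !hmac.Equal(tag(key, data[:infoLen]), data[infoLen:]) {
		return AppInfo{}, ErrIntegrity
	}
	return AppInfo{
		SLALevel: data[0],
		AppID:    binary.BigEndian.Uint32(data[1:]),
		UserID:   binary.BigEndian.Uint32(data[5:]),
		FlowID:   binary.BigEndian.Uint32(data[9:]),
	}, nil
}

func main() {
	key := []byte("constructed example key 1")
	hdr := buildHopByHop(key, AppInfo{SLALevel: 1, AppID: 0xAAAA, UserID: 1, FlowID: 7}, nextHeaderTCP)
	fmt.Printf("hop-by-hop header (%d bytes): %x\n", len(hdr), hdr)
	info, err := parseHopByHop(key, hdr)
	fmt.Println("received:", info, err)
	hdr[4] = 0 // a free account rewrites the SLA level in transit (example 4)
	_, err = parseHopByHop(key, hdr)
	fmt.Println("after tampering:", err)
}
```

The parser rejects before it decodes: a bad length, an ICV mismatch or a malformed option all return an error, and the caller never sees application information that has not been verified. With the values above the header is 40 bytes (Hdr Ext Len 4) and the option occupies 31 of them, so seven octets of PadN follow.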

In one implementation, the packet 1 may be a Multi-Protocol Label Switching (MPLS) packet.

When message 1 is an MPLS packet, application information 1 may be carried in the header of the MPLS packet, for example in the label stack (in a label value field) or in an extended Type-Length-Value (TLV) field of the MPLS packet.

Similarly, when message 1 is an MPLS packet, verification information 1 may be carried in the header of the MPLS packet, for example in the label stack (in a label value field) or in an extended TLV field of the MPLS packet.

For the structure of the MPLS packet and the meaning of each field, refer to draft-song-mpls-extension-header-02 and RFC 3031; they are not described in detail here.

In one implementation, message 1 may be a Segment Routing over IPv6 (SRv6) packet.

When message 1 is an SRv6 packet, application information 1 may be carried in the header of the SRv6 packet, for example in its Segment Routing Header (SRH). In some embodiments application information 1 is carried in the source address field of the SRv6 packet, in others in its destination address field (both in the IPv6 header that precedes the SRH), and in still others in the segment identifier list (SID list) of the SRH.

Similarly, when message 1 is an SRv6 packet, verification information 1 may be carried in the header of the SRv6 packet, for example in the SRH. In some embodiments verification information 1 is carried in the source address field, in others in the destination address field, and in still others in the SID list.

For the structure of the SRv6 packet and the meaning of each field, refer to RFC 8200 (IPv6 header) and RFC 8754 (SRH); they are not described in detail here.

In one implementation, message 1 may be an Internet Protocol version 4 (IPv4) packet.

When message 1 is an IPv4 packet, application information 1 may be carried, for example, in an option field of the IPv4 header; verification information 1 may likewise be carried in an option field of the IPv4 header.

For the structure of the IPv4 packet and the meaning of each field, refer to RFC 791; they are not described in detail here.

In one implementation, the packet 1 may be a Generic Routing Encapsulation (GRE) packet.

When message 1 is a GRE packet, application information 1 may be carried in the GRE header, for example in the key field; verification information 1 may likewise be carried in the key field of the GRE header.

For the structure of the GRE message and the meaning of each field, refer to the related description part of RFC 2890, which is not detailed here.

In one implementation, the message 1 may be a virtual extensible local area network (VXLAN) message.

When message 1 is a VXLAN packet, application information 1 may be carried in the VXLAN header, for example in a reserved field or in the Virtual Network Identifier (VNI) field. When application information 1 is carried in the VNI field, the field may be split into parts, one carrying the VNI and one carrying application information 1.

Similarly, when message 1 is a VXLAN packet, verification information 1 may be carried in the VXLAN header, for example in a reserved field or in the VNI field. When verification information 1 is carried in the VNI field, the field may be split into parts, one carrying the VNI and one carrying verification information 1.

For the structure of the VXLAN message and the meaning of each field, refer to the related description part of RFC 7348, which is not detailed here.

In one implementation, message 1 may be a Network Virtualization using Generic Routing Encapsulation (NVGRE) packet.

When message 1 is an NVGRE packet, application information 1 may be carried in the NVGRE header, for example in a reserved field, in the virtual subnet identifier (VSID) field that plays the role of a VNI, or in the flow ID field. When application information 1 is carried in the VSID field or the flow ID field, that field may be split into parts, one carrying the VSID or flow ID and one carrying application information 1.

Similarly, when message 1 is an NVGRE packet, verification information 1 may be carried in the NVGRE header, for example in a reserved field, in the VSID field or in the flow ID field. When verification information 1 is carried in the VSID field or the flow ID field, that field may be split into parts, one carrying the VSID or flow ID and one carrying verification information 1.

For the structure of NVGRE message and the meaning of each field, refer to the related description part of RFC 7637, which is not detailed here.

In one implementation, message 1 may be a Generic Network Virtualization Encapsulation (Geneve) packet.

When message 1 is a Geneve packet, application information 1 may be carried in the Geneve header, for example in a reserved field or in a variable-length option.

Similarly, when message 1 is a Geneve packet, verification information 1 may be carried in the Geneve header, for example in a reserved field or in a variable-length option.

For the structure of the Geneve packet and the meaning of each field, refer to draft-ietf-nvo3-geneve-16 (since published as RFC 8926); they are not described in detail here.

S102: the communication device 1 transmits the message 1 to the communication device 2.

S103: the communication device 2 receives the message 1.

S104: the communication device 2 performs integrity verification on the application information 1 based on the verification information 1.

When the communication device 2 receives message 1, which carries application information 1, it is expected to select the network resource for message 1 according to application information 1. In this embodiment, to prevent improper use of application information 1, the communication device 2 first performs integrity verification on application information 1 on the basis of verification information 1, and only allocates the resource if that verification passes.

In one specific implementation of S104, the communication device 2 computes verification information 2 over a field of message 1 and performs a matching check between verification information 1 and verification information 2. In one example the matching check compares the two values: if they are identical the check succeeds, otherwise it fails. The comparison should be done in constant time, so that response timing does not reveal how many leading bytes of a guessed verification information 1 were correct. In one implementation the communication device 2 computes over the field of message 1 with verification algorithm 1, and the field includes application information 1.

As before, the verification algorithm 1 may be an HMAC check.

When the verification algorithm 1 is HMAC verification, one implementation of S104 is: the communication device 2 appends the key 1 to the field 1 and uses the result as the input of the hash algorithm 1, obtaining the verification information 2. Then the verification information 1 and the verification information 2 are subjected to the matching check. Here, the key 1 may be pre-negotiated between the communication apparatus 2 and the communication apparatus 1, and so may the hash algorithm 1. Regarding the field 1, reference may be made to the relevant description in S101, which is not repeated here.

In the embodiment of the present application, since the key 1 and the hash algorithm 1 are obtained in advance by the communication apparatus 1 and the communication apparatus 2 (or by the APP 1 on the communication apparatus 1 and the communication apparatus 2), other APPs on the communication apparatus 1 and APPs installed on other devices cannot obtain the key 1 and the hash algorithm 1. Therefore, even if another APP on the communication apparatus 1, or an APP on another device, steals the application information 1, it cannot generate the verification information 1, because it does not have the key 1 and the hash algorithm 1. Correspondingly, a message a generated by the APP that stole the application information 1 cannot carry a valid verification information 1, so when the communication device 2 receives the message a the integrity verification of the application information 1 fails, and the theft of network resources through the stolen application information 1 is avoided.

When the verification algorithm 1 is HMAC verification, another implementation of S104 is: the communication apparatus 2 obtains the parameter 1 and the parameter 2. The communication device 2 pads the key 2 with an agreed value, for example 0, at the head or the tail of the key 2, in the padding manner agreed with the communication device 1, so that the padded key 2 has the same number of bits as the parameter 1. The communication device 2 combines the padded key 2 with the parameter 1 using the operation agreed with the communication device 1, for example an exclusive or, to obtain the key 2'. Then the communication device 2 concatenates the key 2' with the field 1 and uses the result as the input of the hash algorithm 2, obtaining HMAC 1'. The communication device 2 combines the padded key 2 with the parameter 2 using the agreed operation, again for example an exclusive or, to obtain the key 2'', and then concatenates the key 2'' with HMAC 1' and uses the result as the input of the hash algorithm 2, obtaining HMAC 2', which is the verification information 2. After the verification information 2 is calculated, the communication apparatus 2 may perform the matching check between the verification information 1 and the verification information 2. The parameter 1, the parameter 2, the key 2, and the hash algorithm 2 may be pre-negotiated between the communication device 1 and the communication device 2. This two-stage computation is the HMAC construction of RFC 2104, in which the parameter 1 and the parameter 2 correspond to the ipad and opad block constants; the order in which key and data are concatenated before hashing is part of what the two devices must agree on.

In the embodiment of the present application, since the parameter 1, the parameter 2, the key 2, and the hash algorithm 2 are negotiated in advance by the communication apparatus 1 and the communication apparatus 2, or by the APP 1 on the communication apparatus 1 and the communication apparatus 2, other APPs on the communication apparatus 1 and APPs installed on other devices cannot obtain the parameter 1, the parameter 2, the key 2, and the hash algorithm 2. Therefore, even if another APP on the communication apparatus 1, or an APP on another device, steals the application information 1, it cannot generate the verification information 1, because it does not have the parameter 1, the parameter 2, the key 2, and the hash algorithm 2. Correspondingly, a message b generated by the APP that stole the application information 1 cannot carry a valid verification information 1, so when the communication device 2 receives the message b the integrity verification of the application information 1 fails, and the theft of network resources through the stolen application information 1 is avoided.
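The two HMAC implementations of S104 described above, as an added example that is not part of the patent's own embodiments: hmac_two_stage() performs the key 2 / parameter 1 / parameter 2 computation of the preceding paragraph with SHA-256 as the hash algorithm 2, zero padding of the key 2 at the tail, and the RFC 2104 block constants 0x36 and 0x5c standing in for the parameter 1 and the parameter 2. It is cross-checked against Python's hmac module, then used for the matching check of S104 on a constructed message 1, on a tampered copy, and on a message built by an APP that stole the application information 1 but not the key 2. The key, the application information and the message layout are assumptions for this example.

```python
"""Added example: HMAC-based verification information (method 100, S101 and S104).

hmac_two_stage() follows the key 2 / parameter 1 / parameter 2 construction of the
text; with SHA-256 as hash algorithm 2 and the RFC 2104 constants 0x36.. (ipad) and
0x5c.. (opad) as parameter 1 and parameter 2 it is exactly HMAC-SHA256.
Keys and application information below are constructed for this example.
"""
import hashlib
import hmac

BLOCK_SIZE = 64                        # SHA-256 block size; length of parameter 1 / parameter 2
PARAM_1 = bytes([0x36]) * BLOCK_SIZE   # inner pad, standing in for "parameter 1"
PARAM_2 = bytes([0x5C]) * BLOCK_SIZE   # outer pad, standing in for "parameter 2"


def hmac_two_stage(key_2: bytes, field_1: bytes) -> bytes:
    """HMAC 2' = H(key_2'' || H(key_2' || field_1)) with key_2' = key_2 ^ PARAM_1, key_2'' = key_2 ^ PARAM_2."""
    if len(key_2) > BLOCK_SIZE:                     # RFC 2104: over-long keys are hashed first
        key_2 = hashlib.sha256(key_2).digest()
    padded = key_2.ljust(BLOCK_SIZE, b"\x00")       # pad key 2 with zeros to the length of parameter 1
    key_2_inner = bytes(a ^ b for a, b in zip(padded, PARAM_1))    # key 2'
    hmac_1 = hashlib.sha256(key_2_inner + field_1).digest()         # HMAC 1'
    key_2_outer = bytes(a ^ b for a, b in zip(padded, PARAM_2))    # key 2''
    return hashlib.sha256(key_2_outer + hmac_1).digest()            # HMAC 2' (verification information)


def matches_standard_library(key: bytes, field: bytes) -> bool:
    """Cross-check: the two-stage construction equals hmac.new(key, field, sha256)."""
    return hmac_two_stage(key, field) == hmac.new(key, field, hashlib.sha256).digest()


def build_message_1(app_info_1: bytes, key_2: bytes) -> dict:
    """Communication device 1 (S101): field 1 is the application information; attach verification information 1."""
    return {"app_info_1": app_info_1, "verification_info_1": hmac_two_stage(key_2, app_info_1)}


def verify_message_1(message: dict, key_2: bytes) -> bool:
    """Communication device 2 (S104): recompute verification information 2 and match it against verification information 1.

    compare_digest() runs in constant time, so the check does not leak how many leading
    bytes of a forged tag happened to be right.
    """
    verification_info_2 = hmac_two_stage(key_2, message["app_info_1"])
    return hmac.compare_digest(verification_info_2, message["verification_info_1"])


def run_scenarios() -> dict:
    """Legitimate APP 1, a message modified in transit, and an APP that stole application information 1 but not key 2."""
    key_2 = b"key-2-negotiated-by-APP-1-and-device-2"          # constructed; real keys come from key management
    app_info_1 = b"app-id=APP1;flow=video;bandwidth=10Mbps"  # constructed application information 1

    genuine = build_message_1(app_info_1, key_2)

    tampered = dict(genuine)
    tampered["app_info_1"] = app_info_1.replace(b"10Mbps", b"100Mbps")   # application information rewritten

    # The thief knows the application information and the algorithm but not key 2, so it must guess.
    stolen = build_message_1(app_info_1, b"guessed-key")

    return {
        "genuine_accepted": verify_message_1(genuine, key_2),
        "tampered_accepted": verify_message_1(tampered, key_2),
        "stolen_accepted": verify_message_1(stolen, key_2),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The first variant of S104, hashing the field 1 with the key 1 appended, is a secret-suffix MAC rather than HMAC as standardized; the two-stage construction is what standard libraries implement and what should be deployed. The matching check uses hmac.compare_digest() so that its running time does not depend on how many bytes of a forged verification information 1 match.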

As before, the verification algorithm 1 may be a digital signature verification.

When the verification algorithm 1 is digital signature verification, one implementation of S104 is: the communication device 2 hashes the field 2 of the message 1 using the hash algorithm 3 to obtain the hash digest 1'. The communication device 2 decrypts the digital signature 1 using the public key 1 and the decryption algorithm 1 to obtain the hash digest 1''. Then the communication apparatus 2 performs a matching check between the hash digest 1' and the hash digest 1''.

In some embodiments, the aforementioned public key 1 may be pre-negotiated between the communication device 2 and the communication device 1, and the aforementioned decryption algorithm 1 and the hash algorithm 3 may be pre-negotiated between the communication device 2 and the communication device 1. In still other embodiments, the public key 1 may be carried in the message 1, for example, as described above, the message 1 includes the digital certificate 1, and the digital certificate 1 carries the public key 1. In addition, the aforementioned decryption algorithm 1 and hash algorithm 3 may be carried in the message 1, for example, in the digital certificate 1.

In the embodiment of the present application, the public key 1, the decryption algorithm 1 and the hash algorithm 3 may be negotiated in advance between the communication apparatus 1 and the communication apparatus 2, or between the APP 1 on the communication apparatus 1 and the communication apparatus 2. What other APPs on the communication apparatus 1, and APPs installed on other devices, cannot obtain is the private key corresponding to the public key 1, with which the digital signature 1 is generated; knowledge of the public key 1, the decryption algorithm 1 and the hash algorithm 3 alone does not allow a valid signature to be produced. Therefore, even if another APP on the communication apparatus 1, or an APP on another device, steals the application information 1, it cannot generate the verification information 1. Correspondingly, a message c generated by the APP that stole the application information 1 cannot carry a valid verification information 1, so when the communication device 2 receives the message c the integrity verification of the application information 1 fails, and the theft of network resources through the stolen application information 1 is avoided.

In an implementation manner of the embodiment of the present application, the message 1 includes the digital certificate 1 of the communication device 1, and the communication device 2 may also verify the validity of the digital certificate 1. Once the digital certificate 1 passes verification, this indicates that the message 1 comes from a trusted sender. Moreover, if the public key 1 is carried in the digital certificate 1, a digital certificate 1 that passes verification also guarantees the validity of the public key 1. Similarly, if the decryption algorithm 1 and the hash algorithm 3 are carried in the digital certificate 1, a digital certificate 1 that passes verification also guarantees the legitimacy of the decryption algorithm 1 and the hash algorithm 3.

Also, as described above, the digital certificate 1 includes the identity information of the communication apparatus 1. When that identity information includes the application information 1, the application information 1 in the message 1 may be carried in the digital certificate 1. In this case, if the digital certificate 1 passes verification, the validity of the application information 1 carried in the digital certificate 1 is also guaranteed, thereby implementing multiple verifications of the application information 1.

In another implementation manner of the embodiment of the present application, if the message 1 includes the digital certificate 1 and the digital certificate 1 includes the application information 1 and the verification information 1, S104 may in a specific implementation directly verify the validity of the digital certificate 1; as long as the digital certificate 1 is legitimate, the verification information 1 and the application information 1 are legitimate. Regarding the validity verification of the digital certificate, for example, the hash algorithm 4 may be applied to the certificate content to be signed (the "untrusted digital certificate" mentioned in S101) to obtain the hash digest 2', and the public key 2 of the CA is used to decrypt the encrypted digest 1 in the digital certificate to obtain the hash digest 2''. The hash digest 2' and the hash digest 2'' are then subjected to the matching check: if the two are the same, the digital certificate 1 is determined to be valid, otherwise it is determined to be invalid. Of course, when verifying the digital certificate 1, the identity of the CA itself may additionally be authenticated, for example by validating the CA's own certificate chain; this follows conventional certificate validation and is not described in detail here.

As before, the verification algorithm 1 may be IPsec-based integrity verification.

When the verification algorithm 1 is AH-based integrity verification and the message 1 is encapsulated in transport mode, an implementation manner of S104 is as follows: the communication device 2 computes over the field 3 of the message 1 using the AH (Authentication Header) verification algorithm 1 to obtain the AH verification information 3, i.e. the verification information 2. Then the communication device 2 performs the matching check between the verification information 1 and the verification information 2; in this case the matching check is between the AH verification information 1 mentioned in S101 and the AH verification information 3. It should be noted that the AH verification algorithm 1 mentioned here may be agreed in advance between the communication apparatus 1 and the communication apparatus 2. Regarding the field 3, reference may be made to the description of the field 3 in S101, which is not repeated here.

In the embodiment of the present application, since the AH verification algorithm 1 (in particular the key of the security association that it uses) is agreed in advance by the communication apparatus 1 and the communication apparatus 2, or by the APP 1 on the communication apparatus 1 and the communication apparatus 2, other APPs on the communication apparatus 1 and APPs installed on other devices cannot obtain it. Therefore, even if another APP on the communication apparatus 1, or an APP on another device, steals the application information 1, it cannot generate the verification information 1, because it does not have the AH verification algorithm 1. Correspondingly, a message d generated by the APP that stole the application information 1 cannot carry a valid verification information 1, so when the communication device 2 receives the message d the integrity verification of the application information 1 fails, and the theft of network resources through the stolen application information 1 is avoided.

When the verification algorithm 1 is AH-based integrity verification and the message 1 is encapsulated in tunnel mode, an implementation manner of S104 is: the communication device 2 computes over the field 4 of the message 1 using the AH (Authentication Header) verification algorithm 2 to obtain the AH verification information 4, i.e. the verification information 2. Then the communication device 2 performs the matching check between the verification information 1 and the verification information 2; in this case the matching check is between the AH verification information 2 mentioned in S101 and the AH verification information 4. It should be noted that the AH verification algorithm 2 mentioned here may be agreed in advance between the communication apparatus 1 and the communication apparatus 2. Regarding the field 4, reference may be made to the description of the field 4 in S101, which is not repeated here.

In the embodiment of the present application, since the AH verification algorithm 2 is agreed in advance by the communication apparatus 1 and the communication apparatus 2, or by the APP 1 on the communication apparatus 1 and the communication apparatus 2, other APPs on the communication apparatus 1 and APPs installed on other devices cannot obtain the AH verification algorithm 2. Therefore, even if another APP on the communication apparatus 1, or an APP on another device, steals the application information 1, it cannot generate the verification information 1, because it does not have the AH verification algorithm 2. Correspondingly, a message e generated by the APP that stole the application information 1 cannot carry a valid verification information 1, so when the communication device 2 receives the message e the integrity verification of the application information 1 fails, and the theft of network resources through the stolen application information 1 is avoided.
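An AH integrity check in transport mode, as an added example that is not from the patent: build_ah_packet() encapsulates a constructed IPv4 packet in an Authentication Header and fills in the ICV, here HMAC-SHA-256-128 (RFC 4868), computed over the field 3, that is, the packet with the mutable IPv4 fields and the ICV itself zeroed as RFC 4302 prescribes; verify_ah_packet() redoes the computation at the communication device 2. A simulated router hop (TTL decrement and checksum update) still passes, while rewriting the payload that carries the application information 1 does not. In tunnel mode the payload is a complete inner IP packet and the same zeroing applies to the outer header. Addresses, SPI, key and payload are constructed for this example.

```python
"""Added example: IPsec AH integrity check value (ICV) over an IPv4 transport-mode packet.
Field 3 is the packet as the ICV algorithm sees it: the IPv4 header with its mutable fields
zeroed (DSCP/ECN, flags, fragment offset, TTL, checksum; RFC 4302 section 3.3.3.1.1.1), the
AH header with the ICV zeroed, and the payload. ICV algorithm: HMAC-SHA-256-128 (RFC 4868).
Addresses, SPI, key and payload are constructed."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51
UDP_PROTOCOL = 17
ICV_LEN = 16        # HMAC-SHA-256 output truncated to 128 bits
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number


def _ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; the checksum field must be zero in the input."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int, protocol: int) -> bytes:
    """Minimal 20-byte IPv4 header without options, DF set."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, protocol, 0, src, dst)
    return fields[:10] + struct.pack("!H", _ipv4_checksum(fields)) + fields[12:]


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Payload len is the AH length in 32-bit words minus 2 (RFC 4302 section 2.2)."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def field_3(packet: bytes) -> bytes:
    """The bytes covered by the ICV: mutable IPv4 fields and the ICV itself replaced by zeros."""
    ihl = (packet[0] & 0x0F) * 4
    ip = bytearray(packet[:ihl])
    ip[1] = 0                  # DSCP / ECN may be rewritten in transit
    ip[6:8] = b"\x00\x00"      # flags + fragment offset (routers may set DF or fragment)
    ip[8] = 0                  # TTL is decremented per hop
    ip[10:12] = b"\x00\x00"    # header checksum changes with TTL
    ah_len = (packet[ihl + 1] + 2) * 4
    ah = bytearray(packet[ihl:ihl + ah_len])
    ah[AH_FIXED_LEN:] = bytes(ah_len - AH_FIXED_LEN)   # ICV field zeroed
    return bytes(ip) + bytes(ah) + packet[ihl + ah_len:]


def compute_icv(key: bytes, packet: bytes) -> bytes:
    return hmac.new(key, field_3(packet), hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Communication device 1: IPv4 | AH | payload with the ICV (AH verification information 1) filled in."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip = ipv4_header(src, dst, total_len, ttl=64, protocol=AH_PROTOCOL)
    skeleton = ip + ah_header(UDP_PROTOCOL, spi, seq, bytes(ICV_LEN)) + payload
    return skeleton[:20 + AH_FIXED_LEN] + compute_icv(key, skeleton) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Communication device 2 (S104): recompute AH verification information 3 and match it against the received ICV."""
    ihl = (packet[0] & 0x0F) * 4
    ah_len = (packet[ihl + 1] + 2) * 4
    received_icv = packet[ihl + AH_FIXED_LEN:ihl + ah_len]
    return hmac.compare_digest(compute_icv(key, packet), received_icv)


def router_hop(packet: bytes) -> bytes:
    """What a transit router does to the outer header: decrement TTL, recompute the checksum."""
    ip = bytearray(packet[:20])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _ipv4_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def run_scenarios() -> dict:
    key = b"AH-SA-key-agreed-between-device-1-and-device-2"   # constructed SA key
    app_info_1 = b"app-id=APP1;flow=video"                      # constructed application information 1
    payload = struct.pack("!HHHH", 1234, 53, 8 + len(app_info_1), 0) + app_info_1   # constructed UDP header + data
    packet = build_ah_packet(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), spi=0x1000, seq=1, payload=payload)
    forged = packet[:-len(app_info_1)] + app_info_1.replace(b"APP1", b"APPX")   # stolen and rewritten in transit
    return {
        "fresh_accepted": verify_ah_packet(key, packet),
        "after_router_hop_accepted": verify_ah_packet(key, router_hop(packet)),
        "tampered_payload_accepted": verify_ah_packet(key, forged),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The reason the TTL, checksum and DSCP bytes are zeroed rather than included is visible in the router_hop case: those fields legitimately change between the communication device 1 and the communication device 2, so an ICV that covered them would fail on every hop. An ICV that is computed over the field 3 still covers the addresses, the SPI, the sequence number and the entire payload, which is where the application information 1 lives.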

When the verification algorithm 1 is ESP-based integrity verification, one implementation of S104 is: the communication device 2 computes over the field 5 of the message 1 using the ESP verification algorithm 1 to obtain the ESP verification information 2, i.e. the verification information 2. Then the communication device 2 performs the matching check between the verification information 1 and the verification information 2; in this case the matching check is between the ESP verification information 1 mentioned in S101 and the ESP verification information 2. It should be noted that the ESP verification algorithm 1 mentioned here may be agreed in advance between the communication device 1 and the communication device 2. Regarding the field 5, reference may be made to the description of the field 5 in S101, which is not repeated here.

In the embodiment of the present application, since the ESP verification algorithm 1 is agreed in advance by the communication device 1 and the communication device 2, or by the APP 1 on the communication device 1 and the communication device 2, other APPs on the communication device 1 and APPs installed on other devices cannot obtain the ESP verification algorithm 1. Therefore, even if another APP on the communication apparatus 1, or an APP on another device, steals the application information 1, it cannot generate the verification information 1, because it does not have the ESP verification algorithm 1. Correspondingly, a message f generated by the APP that stole the application information 1 cannot carry a valid verification information 1, so when the communication device 2 receives the message f the integrity verification of the application information 1 fails, and the theft of network resources through the stolen application information 1 is avoided.

S105 a: if the application information 1 is verified, the communication device 2 transmits the message 1 to the communication device 3.

S105 b: if the application information 1 is not verified, the communication device 2 discards the message 1.

In the embodiment of the present application, after the communication device 2 performs integrity verification on the application information 1, if the application information 1 passes the verification, the application information in the message 1 is legitimate, and the communication device 2 can therefore forward the message 1 to the server 102. In some embodiments, the communication device 2 may determine the network resource corresponding to the message 1 according to the application information 1, and forward the message 1 to the server 102 using the determined network resource.

In an implementation manner of the embodiment of the present application, if the application information 1 fails the verification, the application information in the message 1 may have been obtained by illegitimate means, so the communication device 2 may discard the message 1, thereby preventing the network resource corresponding to the application information 1 from being stolen.

In an implementation manner of the embodiment of the present application, the verification information used to verify the integrity of the application information 1 in the message 1 may consist of one or more pieces. Accordingly, in addition to verifying the integrity of the application information 1 based on the verification information 1, the communication apparatus 2 may verify it based on other verification information. In other words, in the embodiment of the present application, the message 1 may include verification information 3 in addition to the verification information 1. The verification information 3 may be calculated by the communication device 1 from a field of the message 1, for example by applying the verification algorithm 2 to that field.

The verification algorithm 2 is a verification algorithm different from the verification algorithm 1, but, like the verification algorithm 1, it may be one of an HMAC algorithm, a digital signature algorithm, and IPsec-based integrity verification. For the verification algorithm 2, reference may be made to the above description of the verification algorithm 1. For the specific manner in which the communication apparatus 1 obtains the verification information 3 using the verification algorithm 2, reference may be made to the above description of how the communication apparatus 1 obtains the verification information 1 according to the verification algorithm 1. Accordingly, for the specific manner in which the communication apparatus 2 verifies the integrity of the application information 1 using the verification information 3, reference may be made to the above description of S104; none of these is repeated here.

Referring to fig. 5, fig. 5 is a signaling interaction diagram of a method for verifying application information according to an embodiment of the present application.

The method 200 for verifying application information shown in fig. 5 may be performed by the communication apparatus 1 and the communication apparatus 2 shown in fig. 1. For the communication apparatus 1, the communication apparatus 2, and the communication apparatus 3 in the method 200, reference may be made to the corresponding description in the method 100, which is not repeated here. The method 200 may be implemented, for example, by the following S201-S205.

S201: the communication device 1 acquires a message 1, wherein the message 1 comprises a digital certificate 1, and the digital certificate 1 comprises application information 1 and verification information 1.

In the embodiment of the present application, the communication apparatus 1 may first send the application information 1 to the control management device, and then obtain from the control management device the digital certificate 1 including the application information 1 and the verification information 1. In an embodiment, the control management device hashes the application information 1 with the hash algorithm 1 to obtain the hash digest 1, and then encrypts the hash digest 1 with the private key 1 of the control management device to obtain the verification information 1; that is, the verification information 1 is the encrypted digest of the hash digest 1. Besides the application information 1 and the verification information 1, the digital certificate 1 mentioned here may include identity information of the control management device and the public key 1 corresponding to the private key 1; the identity information of the control management device is not limited here.

After the communication apparatus 1 obtains the digital certificate 1 from the control management device, a message 1 including the digital certificate 1 may be generated.

In this embodiment of the present application, in an implementation manner, the message 1 mentioned here may be an IPv6 message.

When the message 1 is an IPv6 message, in some embodiments, the aforementioned digital certificate 1 may be carried in an extension header of an IPv6 message. In other embodiments, digital certificate 1 may be carried in either the source address field or the destination address field of an IPv6 message.

In one implementation, message 1 may be an MPLS message.

When the message 1 is an MPLS message, the digital certificate 1 may be carried in a header of the MPLS message, for example. As an example, the digital certificate 1 may be carried in a label stack in a header, e.g. in a certain label value field. As yet another example, digital certificate 1 may be carried in an extended TLV field of the MPLS message.

In one implementation, message 1 may be an SRv6 message.

When message 1 is an SRv6 message, the digital certificate 1 may be carried in the header of the SRv6 message, for example. As an example, the digital certificate 1 may be carried in the SRH of the SRv6 message. In some embodiments, the digital certificate 1 may be carried in the source address field of the SRH; in other embodiments, the digital certificate 1 may be carried in the destination address field of the SRH. In still other embodiments, the digital certificate 1 may also be carried in a SID list.

In one implementation, message 1 may be an IPv4 message.

When the message 1 is an IPv4 message, the digital certificate 1 may be carried in the option field of the IPv4 message, for example.

In one implementation, message 1 may be a GRE message.

When message 1 is a GRE message, the digital certificate 1 may be carried in the header of the GRE message. As an example, the digital certificate 1 may be carried in a key field in a header of the message.

In one implementation, message 1 may be a VXLAN message.

When message 1 is a VXLAN message, the digital certificate 1 may be carried in the header of the VXLAN message. As an example, the digital certificate 1 may be carried in a reserved field in the header of the message. As yet another example, the digital certificate 1 may be carried in a VNI field in a header of the message.

In one implementation, message 1 may be an NVGRE message.

When message 1 is an NVGRE message, digital certificate 1 may be carried in a header of the NVGRE message. As an example, the digital certificate 1 may be carried in a reserved field in the header of the message. As yet another example, the digital certificate 1 may be carried in a VNI field in a header of the message. As another example, digital certificate 1 may be carried in a flow ID field in the header of the message.

In one implementation, message 1 may be a Geneve message.

When message 1 is a Geneve message, the digital certificate 1 may be carried in the header of the Geneve message. As an example, the digital certificate 1 may be carried in a reserved field in the header of the message. As yet another example, the digital certificate 1 may be carried in a variable length options field in the header of the message.

S202: the communication device 1 transmits the message 1 to the communication device 2.

S203: the communication device 2 receives the message 1.

S204: the communication device 2 performs validity verification on the digital certificate 1.

After receiving the message 1, the communication device 2 can verify the validity of the digital certificate 1. Since the digital certificate 1 includes the application information 1 and the verification information 1, a legitimate digital certificate 1 indicates that the legitimacy of the verification information 1 and the application information 1 is authenticated. For the specific manner in which the communication apparatus 2 verifies the digital certificate 1, reference may be made to the above description of how the communication apparatus 2 verifies the validity of the digital certificate 1, which is not repeated here.

S205 a: the communication means 2 forwards the message 1 to the communication means 3 if said digital certificate 1 is verified.

S205 b: the communication device 2 discards the message 1 if the digital certificate 1 is not verified.

In the embodiment of the present application, after the communication device 2 verifies the validity of the digital certificate 1, if the digital certificate 1 passes the verification, the application information 1 in the message 1 is valid, so the communication device 2 can send the message 1 to the communication device 3. In some embodiments, the communication device 2 may determine the network resource corresponding to the message 1 according to the application information 1, and forward the message 1 to the communication device 3 using the determined network resource.

In an implementation manner of the embodiment of the present application, if the digital certificate 1 is not verified, it indicates that the application information 1 in the message 1 may be obtained by an illegal means, so that the communication device 2 may discard the message 1, thereby preventing the network resource corresponding to the application information 1 from being illegally stolen.

In an implementation manner of the embodiment of the present application, the message 1 may further include, in addition to the verification information 1, verification information 2 for performing integrity verification on the application information 1. As for the verification information 2, it is similar to the verification information 1 in the method 100, and therefore will not be described in detail here.

Accordingly, the communication apparatus 2 can perform integrity verification on the application information 1 using the verification information 2 in addition to performing validity verification on the digital certificate 1. As to a specific implementation of the communication apparatus 2 for verifying the application information 1 by using the verification information 2, reference may be made to the specific implementation part of the above S104, which is not described in detail here.

As can be seen from the description of the verification information 1 in the method 100, the verification information 1 may be calculated from a field of the message 1 using a digital signature algorithm; thus, in one implementation, the verification information 2 in the method 200 may likewise be calculated from a field of the message 1 using a digital signature algorithm, where the field includes the application information 1. In this case, the communication apparatus 1 digitally signs the field of the message 1 using the private key 2 and the hash algorithm 2, and uses the resulting digital signature 1 as the verification information 2. In one example, the communication device 1 hashes the application information 1 in the message 1 using the hash algorithm 2 to obtain the hash digest 1, and encrypts the hash digest 1 using the private key 2 and the encryption algorithm 1 to obtain the digital signature 1. Accordingly, the communication device 2 decrypts the verification information 2 using the decryption algorithm 1 and the public key 2 corresponding to the private key 2 to obtain the hash digest 1'. The communication device 2 further hashes the application information 1 in the message 1 using the hash algorithm 2 to obtain the hash digest 1'', and performs the matching check between the hash digest 1' and the hash digest 1''. The decryption algorithm 1 is the inverse operation of the encryption algorithm 1 and is used to decrypt data encrypted by the encryption algorithm 1.

In an implementation manner of the embodiment of the present application, if the verification information 2 may be obtained by calculating a field in the message 1 by using a digital signature algorithm, the aforementioned public key 2 may be carried in the digital certificate 1 mentioned in S201. The aforementioned decryption algorithm 1 and hash algorithm 2 may also be carried in the digital certificate 1 mentioned in S201.
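The digital-signature path of S104 in the method 100 (hash the field 2, recover the digest from the digital signature 1 with the public key 1, match the two digests, and validate the digital certificate 1 under the CA's public key 2) and the certificate-borne variant of the method 200 just described (the control management device signs the application information 1 into the digital certificate 1; the communication device 1 signs the field with the private key 2 whose public key 2 is in the certificate), as one added example that is not the patent's own code. It uses textbook RSA over a SHA-256 digest with no padding purely to mirror the "encrypt the digest with the private key, decrypt with the public key" description in the text; real deployments use RSA-PSS, ECDSA or Ed25519 from a vetted library. The issuer name, the application information and the key sizes are assumptions for this example.

```python
"""Added example: digital signatures and certificates over application information.
Textbook RSA (digest^d mod n) mirrors the text's "encrypt the digest with the private key";
raw RSA without padding is illustration only, not a deployable signature scheme."""
import hashlib
import json
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test, sufficient for a demonstration key."""
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512) -> tuple:
    """Returns ((n, e), (n, d)); a 512-bit n always exceeds the 256-bit digest that is signed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(private_key: tuple, field: bytes) -> int:
    """Hash digest 1 = SHA-256(field); digital signature 1 = digest^d mod n."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(field).digest(), "big"), d, n)

def verify(public_key: tuple, field: bytes, signature: int) -> bool:
    """Hash digest 1'' = signature^e mod n; hash digest 1' = SHA-256(field); matching check."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(field).digest(), "big")

def _canonical(body: dict) -> bytes:
    """Deterministic encoding so that issuer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(ca_private: tuple, app_info_1: bytes, subject_public: tuple) -> dict:
    """Control management device (S201): the certificate binds application information 1 to the subject's public key."""
    body = {"issuer": "control-management-device", "app_info_1": app_info_1.hex(), "public_key": list(subject_public)}
    return {"body": body, "encrypted_digest": sign(ca_private, _canonical(body))}   # verification information 1

def verify_certificate(ca_public: tuple, cert: dict) -> bool:
    """S204: hash the certificate body, recover the digest with the CA's public key, matching check."""
    return verify(ca_public, _canonical(cert["body"]), cert["encrypted_digest"])

def build_message_1(cert: dict, device_private: tuple, app_info_1: bytes) -> dict:
    """Communication device 1: certificate plus a signature over the field carrying application information 1."""
    return {"cert": cert, "app_info_1": app_info_1, "signature": sign(device_private, app_info_1)}

def verify_message_1(ca_public: tuple, message: dict) -> bool:
    """Communication device 2: certificate validity, then application information binding, then packet signature."""
    cert = message["cert"]
    if not verify_certificate(ca_public, cert):
        return False
    if cert["body"]["app_info_1"] != message["app_info_1"].hex():   # certificate replayed for other application information
        return False
    return verify(tuple(cert["body"]["public_key"]), message["app_info_1"], message["signature"])

def run_scenarios() -> dict:
    ca_public, ca_private = generate_keypair()            # control management device / CA
    device_public, device_private = generate_keypair()    # communication device 1 (APP 1)
    app_info_1 = b"app-id=APP1;flow=video;bandwidth=10Mbps"   # constructed application information 1
    cert = issue_certificate(ca_private, app_info_1, device_public)
    genuine = build_message_1(cert, device_private, app_info_1)
    # An APP that stole application information 1 has no CA-issued certificate and mints its own.
    rogue_public, rogue_private = generate_keypair()
    rogue_cert = issue_certificate(rogue_private, app_info_1, rogue_public)
    self_issued = build_message_1(rogue_cert, rogue_private, app_info_1)
    # The genuine certificate replayed in front of different application information.
    replayed = build_message_1(cert, rogue_private, b"app-id=APPX;flow=video;bandwidth=10Mbps")
    return {
        "genuine_accepted": verify_message_1(ca_public, genuine),
        "self_issued_certificate_accepted": verify_message_1(ca_public, self_issued),
        "replayed_certificate_accepted": verify_message_1(ca_public, replayed),
    }
```

The binding check in verify_message_1() is what makes carrying the application information 1 inside the digital certificate 1 worthwhile: a valid certificate proves the CA vouched for that application information and that public key, so a valid certificate presented next to different application information, or next to a signature from a key the certificate does not name, is rejected even though each piece is individually well formed.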

The embodiment of the present application further provides a method 300 for verifying application information, referring to fig. 6, where fig. 6 is a schematic flow diagram of the method for verifying application information provided in the embodiment of the present application.

The method 300 shown in fig. 6 may be performed by a first communication device, which may be, for example, the communication device 2 mentioned in the above embodiments, since the method 300 receives and verifies the first message. The method 300 may be applied to the method 100 mentioned in the above embodiments for performing the steps performed by the communication device 2 in the method 100 (S103 and S104), and may for example include the following S301-S302.

S301: receiving a first message, wherein the first message comprises application information and first verification information, and the first verification information is used for verifying the integrity of the application information.

S302: verifying the integrity of the application information based on the first verification information.

The first packet in the method 300 may correspond to the packet 1 in the method 100; the application information in method 300 may correspond to application information 1 in method 100; the first authentication information in the method 300 may correspond to authentication information 1 in the method 100.

In one implementation, verifying the integrity of the application information based on the first verification information includes:

acquiring second verification information according to a target field in the first message, wherein the target field comprises the application information;

and performing matching check on the second verification information and the first verification information.

The target field in the method 300 may correspond to field 1, field 2, field 3, field 4, or field 5 in the method 100. The second authentication information in the method 300 may correspond to the authentication information 2 in the method 100.

In one implementation, verifying the integrity of the application information based on the first verification information includes:

and verifying the integrity of the application information based on a first verification method and the first verification information.

The first verification method in method 300 may correspond to verification algorithm 1 in method 100.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the verifying the integrity of the application information based on the first verification method and the first verification information includes:

performing HMAC calculation on a target field in the first message to obtain second HMAC check information;

and performing matching verification on the first HMAC verification information and the second HMAC verification information.

When the first verification method is HMAC verification, the target field in method 300 corresponds to field 1 in method 100.

In one implementation, the first HMAC check information in the method 300 may correspond to the authentication information 1 obtained by appending the key 1 to the field 1 as an input of the hash algorithm 1 in the method 100. Accordingly, the second HMAC check information may correspond to the authentication information 2 obtained by appending the key 1 to the field 1 as an input to the hash algorithm 1 in the method 100.

In one implementation, the first HMAC check information in the method 300 may correspond to the HMAC2 in the method 100, and the second HMAC check information may correspond to the HMAC 2' in the method 100.

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by signing a target field in the first message by using a first private key and a first hash calculation, and verifying the integrity of the application information based on a first verification method and the first verification information includes:

decrypting the digital signature through a first public key to obtain a first plaintext;

performing second hash calculation on the target field to obtain a second plaintext, wherein the first hash calculation and the second hash calculation adopt the same hash algorithm;

and performing matching verification on the first plaintext and the second plaintext.

When the first verification method is digital signature verification: the target field corresponds to field 2 in method 100; the first private key corresponds to private key 1 in method 100; the first hash calculation corresponds to hash algorithm 3 in method 100; the digital signature corresponds to digital signature 1 in method 100; the first public key corresponds to public key 1 in method 100; the first plaintext corresponds to hash digest 1'' in method 100; the second hash calculation corresponds to hash algorithm 3 in method 100; the second plaintext may correspond to hash digest 1' in method 100.

In one implementation, the first message further includes a digital certificate, and the digital certificate includes the first public key.

The digital certificate in method 300 corresponds to digital certificate 1 in method 100 and the first public key corresponds to public key 1 in method 100.

In one implementation, the digital certificate further includes a decryption algorithm for decrypting the digital signature, and/or the hash algorithm.

The decryption algorithm mentioned here may correspond to decryption algorithm 1 in method 100; the hash algorithm mentioned here may correspond to hash algorithm 3 in method 100.

In one implementation, the method further comprises:

and verifying the legality of the digital certificate.

In an implementation manner, the first packet includes a digital certificate, and the application information and the first verification information are carried in the digital certificate.

In one implementation, the verifying the integrity of the application information based on the first verification information includes:

and verifying the legality of the digital certificate.

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec).

When the first verification method is integrity verification based on IPsec, the first verification method may be AH verification or ESP verification.

In one implementation, the verifying the integrity of the application information based on the first verification method and the first verification information includes:

calculating a target field in the first message by using an authentication header (AH) verification algorithm to obtain second AH verification information;

performing match verification on the first AH verification information and the second AH verification information.

When the first verification method is AH verification, the first verification information is first AH verification information, and the second verification information is second AH verification information. The first AH verification information may correspond to AH verification information 1 or AH verification information 2 in the method 100, and the second AH verification information may correspond to AH verification information 3 or AH verification information 4 in the method 100.

In one example, when the first packet is encapsulated in the transmission mode, the first AH verification information corresponds to AH verification information 1 in method 100, the second AH verification information corresponds to AH verification information 3 in method 100, and the target field may correspond to field 3 in method 100; when the first packet is encapsulated in tunnel mode, the first AH verification information corresponds to AH verification information 2 in method 100, the second AH verification information corresponds to AH verification information 4 in method 100, and the target field may correspond to field 4 in method 100.

In one implementation, the first verification information is first Encapsulating Security Payload (ESP) verification information, and the verifying the integrity of the application information based on the first verification method and the first verification information includes:

calculating a target field in the first message by using an ESP verification algorithm to obtain second ESP verification information;

and performing matching verification on the first ESP verification information and the second ESP verification information.

When the first verification method is ESP verification, the first verification information is first ESP verification information, and the second verification information is second ESP verification information. The first ESP validation information may correspond to ESP validation information 1 in method 100, the second ESP validation information may correspond to ESP validation information 2 in method 100, and the target field may correspond to field 5 in method 100.

In one implementation, the first communication device is a network device.

In one implementation, the first communications device includes:

an access (ACC) device, a customer premises equipment (CPE) device, a residential gateway (RG), a data center server access leaf device, a data center egress gateway (DC GW), an autonomous system border router (ASBR), a base station, a user plane function (UPF) device, a broadband network gateway (BNG), or a provider edge (PE) device.

In one implementation, the method further comprises:

and forwarding the first message under the condition that the application information is determined to pass the verification.

In one implementation, the method further comprises:

and under the condition that the application information is determined not to pass the verification, discarding the first message.

Fig. 7 is a schematic flowchart of a message processing method 400 according to an embodiment of the present application.

The method 400 shown in fig. 7 may be performed by a second communication device, which may be, for example, the communication device 2 mentioned in the above embodiments. The method 400 shown in fig. 7 may be applied to the method 100 mentioned in the above embodiments for executing the steps performed by the communication device 2 in the above method 100, and the method 400 may include, for example, the following S401-S402.

S401: generating a first message, wherein the first message comprises application information and first verification information, and the first verification information is used for verifying the integrity of the application information.

S402: and sending the first message to a first communication device.

The first packet in the method 400 may correspond to the packet 1 in the method 100; the application information in method 400 may correspond to application information 1 in method 100; the first authentication information in the method 400 may correspond to authentication information 1 in the method 100.

In one implementation, the first authentication information is obtained according to a target field in the first message, and the target field includes the application information.

In method 400, the target field may correspond to field 1, field 2, field 3, field 4, or field 5 in method 100.

In an implementation manner, the first verification information is obtained by calculating a target field in the first message by using a first verification method, where the target field includes the application information.

The first verification method in method 400 may correspond to verification algorithm 1 in method 100.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the first authentication information includes first HMAC check information.

When the first verification method is HMAC verification, the target field in method 400 corresponds to field 1 in method 100.

In one implementation, the first HMAC check information in the method 400 may correspond to the authentication information 1 obtained by appending the key 1 to the field 1 as an input of the hash algorithm 1 in the method 100.

In one implementation, the first HMAC check information in the method 400 may correspond to the HMAC2 in the method 100.
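The HMAC branch of method 400 (sender, S401) and method 300 (receiver, S301-S302) carried through in working code, as an added example that is not part of the patent text: the sender places the application information in a target field and appends first verification information computed over that field with HMAC-SHA256; the receiver recomputes second verification information over the same field, matches the two in constant time, and forwards or discards the packet. The TLV layout, option types, key and application information are constructed assumptions for this example, not the patent's wire format.

```python
import hashlib
import hmac

# Constructed TLV layout (an assumption for this example, not the patent's wire format):
# each option is  type (1 byte) | length (1 byte) | value.  The target field is the whole
# application-information option, so the HMAC also covers the type and length bytes.
APP_INFO_OPT = 0x3E   # hypothetical option type carrying the application information
HMAC_OPT = 0x3F       # hypothetical option type carrying the first verification information
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_hmac(key: bytes, target_field: bytes) -> bytes:
    """Key-dependent verification information over the target field (HMAC-SHA256)."""
    return hmac.new(key, target_field, hashlib.sha256).digest()


def build_first_packet(app_info: bytes, key: bytes) -> bytes:
    """Second communication device (method 400, S401): put the application information in
    the target field and append the first verification information computed over it."""
    if len(app_info) > 255:
        raise ValueError("application information too long for a one-byte length")
    target_field = bytes([APP_INFO_OPT, len(app_info)]) + app_info
    first_verification_info = make_hmac(key, target_field)
    return target_field + bytes([HMAC_OPT, TAG_LEN]) + first_verification_info


def parse_options(packet: bytes) -> dict:
    """Walk the TLV options. Returns {type: (raw option bytes, value bytes)} and raises
    ValueError on a truncated option, so malformed input can never count as verified."""
    options = {}
    i = 0
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        otype, olen = packet[i], packet[i + 1]
        end = i + 2 + olen
        if end > len(packet):
            raise ValueError("option length exceeds packet")
        options[otype] = (packet[i:end], packet[i + 2:end])
        i = end
    return options


def verify_first_packet(packet: bytes, key: bytes) -> str:
    """First communication device (method 300, S301-S302): recompute the second
    verification information over the target field, match it against the carried first
    verification information, and return the forwarding decision ("forward"/"discard")."""
    try:
        options = parse_options(packet)
    except ValueError:
        return "discard"
    if APP_INFO_OPT not in options or HMAC_OPT not in options:
        return "discard"  # nothing to verify: treat as failing verification
    target_field, _app_info = options[APP_INFO_OPT]
    _raw, first_verification_info = options[HMAC_OPT]
    if len(first_verification_info) != TAG_LEN:
        return "discard"
    second_verification_info = make_hmac(key, target_field)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(first_verification_info, second_verification_info):
        return "discard"
    return "forward"


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (used to show that modification is detected)."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]


if __name__ == "__main__":
    key_1 = b"constructed-shared-key-1"       # key 1 shared by sender and receiver
    app_info_1 = b"app-id=0x1234;sla=gold"   # constructed application information
    packet_1 = build_first_packet(app_info_1, key_1)
    print("genuine packet:       ", verify_first_packet(packet_1, key_1))              # forward
    print("modified app info:    ", verify_first_packet(tamper(packet_1, 2), key_1))   # discard
    print("wrong key at receiver:", verify_first_packet(packet_1, b"other-key"))       # discard
    print("verification info cut:", verify_first_packet(packet_1[:-1], key_1))         # discard
```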

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by signing the target field with a first private key.

When the first verification method is digital signature: the target field corresponds to field 2 in method 100; the first private key corresponds to private key 1 in method 100 and the digital signature corresponds to digital signature 1 in method 100.

In one implementation, the first authentication information is an encrypted digest in a digital certificate, and the digital certificate further includes the application information.

The digital certificate referred to herein may correspond to digital certificate 1 in method 100 and, correspondingly, the encrypted digest in the digital certificate may correspond to encrypted digest 1 in method 100.

In one implementation, the first authentication information is sent to the second communication apparatus by the control management device.

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec).

When the first verification method is integrity verification based on IPsec, the first verification method may be AH verification or ESP verification.

In one implementation, the first verification information is first authentication header AH verification information.

The first AH verification information may correspond to AH verification information 1 or AH verification information 2 in the method 100. When the first packet is encapsulated in the transmission mode, the first AH verification information corresponds to AH verification information 1 in the method 100; when the first packet is encapsulated in tunnel mode, the first AH verification information corresponds to AH verification information 2 in method 100.

In one implementation, the first verification information is first Encapsulating Security Payload (ESP) verification information.

The first ESP verification information may correspond to ESP verification information 1 in method 100.

In one implementation, the second communication device is a server or a user equipment.

In one implementation, the user equipment includes:

an internet of things (IoT) device or a terminal device.

In the above method 300 and method 400:

in an implementation manner, the application information and the first verification information are carried in a header of the first packet.

In one implementation, the first message is an internet protocol version 6 IPv6 message.

In one implementation, the application information is carried in an IPv6 extension header.

In one implementation, the application information is carried in a destination address.

In one implementation, the application information is carried in a source address.

In one implementation, the first authentication information is carried in an IPv6 extension header.

In one implementation, the first authentication information is carried in a destination address.

In one implementation, the first authentication information is carried in a source address.

In one implementation, the first packet is a multi-protocol label switching MPLS packet.

In one implementation, the application information is carried in a label value field.

In one implementation, the application information is carried in an extended type length value, TLV, field.

In one implementation, the first authentication information is carried in a label value field.

In one implementation, the first authentication information is carried in an extended TLV field.

In one implementation, the first packet is a segment routing over internet protocol version 6 (SRv6) packet.

In one implementation, the application information is carried in a segment routing header SRH.

In one implementation, the first authentication information is carried in an SRH.

In one implementation, the first message is an internet protocol version 4 IPv4 message.

In one implementation, the application information is carried in an option field.

In one implementation, the first authentication information is carried in an option field.

In one implementation, the first packet is a Generic Routing Encapsulation (GRE) packet.

In one implementation, the application information is carried in a key field.

In one implementation, the first authentication information is carried in a key field.

In an implementation manner, the first message is a virtual extensible local area network VXLAN message.

In one implementation, the application information is carried in a virtual network identifier field.

In one implementation, the application information is carried in a reserved field.

In one implementation, the first authentication information is carried in a virtual network identifier field.

In one implementation, the first authentication information is carried in a reserved field.

In an implementation manner, the first packet is a network virtualization generic routing encapsulation NVGRE packet.

In one implementation, the application information is carried in a flow identification field.

In one implementation, the application information is carried in a virtual network identification field.

In one implementation, the application information is carried in a reserved field.

In one implementation, the first authentication information is carried in a flow identification field.

In one implementation, the first authentication information is carried in a virtual network identification field.

In one implementation, the first authentication information is carried in a reserved field.

In one implementation, the first packet is a generic network virtualization encapsulation (GENEVE) packet.

In one implementation, the application information is carried in a reserved field.

In one implementation, the application information is carried in a variable length options field.

In one implementation, the first authentication information is carried in a reserved field.

In one implementation, the first authentication information is carried in a variable length options field.

With respect to specific implementations of the method 300 and the method 400, reference may be made to the description above for the method 100, and the description is not repeated here.

The embodiment of the present application further provides a method 500 for verifying application information, referring to fig. 8, where fig. 8 is a schematic flowchart of the method for verifying application information provided in the embodiment of the present application.

The method 500 shown in fig. 8 may be performed by a first communication device, which may be, for example, the communication device 1 mentioned in the above embodiments. The method 500 shown in fig. 8 may be applied to the method 200 mentioned in the above embodiment for executing the steps performed by the communication device 1 in the above method 200, and the method 500 may include, for example, the following S501-S502.

S501: the method comprises the steps of obtaining a first message, wherein the first message comprises a digital certificate, the digital certificate comprises application information and first verification information, and the first verification information is used for carrying out integrity verification on the application information.

S502: and carrying out validity verification on the digital certificate.

In the method 500: the first packet may correspond to packet 1 in method 200; the digital certificate may correspond to digital certificate 1 in method 200; the application information may correspond to application information 1 in method 200; the first authentication information may correspond to authentication information 1 in the method 100.

In one implementation, the first message further includes second verification information, where the second verification information is used to perform integrity verification on the application information, and the method further includes:

and carrying out integrity verification on the application information by utilizing the second verification information.

The second authentication information in the method 500 may correspond to the authentication information 2 in the method 200.

In one implementation, integrity verification of the application information using the second verification information includes:

acquiring third verification information according to a target field in the first message, wherein the target field comprises the application information;

and performing matching check on the third verification information and the second verification information.

With respect to the verification of the application information by using the second verification information, reference may be made to the related description of the method 300 for verifying the application information by using the first verification information, and the description will not be repeated here.

In one implementation, integrity verification of the application information using the second verification information includes:

verifying the integrity of the application information based on a digital signature algorithm and the second verification information.

In one implementation, the second verification information is a digital signature obtained by signing a target field in the first message by using a first private key and a first hash calculation, and verifying the integrity of the application information based on a digital signature algorithm and the second verification information includes:

decrypting the digital signature through a first public key to obtain a first plaintext;

performing second hash calculation on the target field to obtain a second plaintext, wherein the first hash calculation and the second hash calculation adopt the same hash algorithm;

and performing matching verification on the first plaintext and the second plaintext.

In one implementation, the first public key is carried in the digital certificate.

In one implementation, a decryption algorithm that decrypts the digital signature is carried in the digital certificate, and/or the hash algorithm is carried in the digital certificate.

Fig. 9 shows a flowchart of a message processing method 600 according to an embodiment of the present application, where fig. 9 is a schematic flowchart of the message processing method according to the embodiment of the present application.

The method 600 shown in fig. 9 may be performed by a second communication device, which may be, for example, the communication device 2 mentioned in the above embodiments. The method 600 shown in fig. 9 may be applied to the method 200 mentioned in the above embodiments for executing the steps performed by the communication device 2 in the above method 200, and the method 600 may include, for example, the following S601-S602.

S601: the method comprises the steps of obtaining a first message, wherein the first message comprises a digital certificate, the digital certificate comprises application information and first verification information, and the first verification information is used for carrying out integrity verification on the application information.

S602: and sending the first message to a first communication device.

In the method 600: the first packet may correspond to packet 1 in method 200; the digital certificate may correspond to digital certificate 1 in method 200; the application information may correspond to application information 1 in method 200; the first authentication information may correspond to authentication information 1 in the method 100.

In an implementation manner, the first message further includes second verification information, and the second verification information is used to perform integrity verification on the application information.

The second authentication information in the method 600 may correspond to the authentication information 2 in the method 200.

In one implementation, the second authentication information is obtained according to a target field in the first message, and the target field includes the application information.

In an implementation manner, the second verification information is obtained by calculating a target field in the first message by using a first verification method, where the target field includes the application information.

In one implementation, the first verification method is digital signature verification.

In one implementation, the second verification information is a digital signature obtained by signing the target field with a first private key.

The first private key mentioned here may correspond to private key 2 in method 200 and the digital signature mentioned here may correspond to digital signature 1 in method 200.

In one implementation manner, a first public key corresponding to the first private key is carried in the digital certificate, and the first public key is used for verifying the second verification information.

The first public key mentioned here may correspond to public key 2 in method 200.

In one implementation, a decryption algorithm for decrypting the digital signature is carried in the digital certificate, and/or a hash algorithm for verifying the second verification information is carried in the digital certificate.

The decryption algorithm mentioned here may correspond to decryption algorithm 1 in method 200; the hash algorithm for verifying the second verification information may correspond to hash algorithm 2 in method 200.

In the above method 500 and method 600:

in one implementation, the digital certificate is carried in a header of the first packet.

In one implementation, the first message is an internet protocol version 6 IPv6 message.

In one implementation, the digital certificate is carried in an IPv6 extension header.

In one implementation, the digital certificate is carried in a destination address.

In one implementation, the digital certificate is carried in a source address.

In one implementation, the first packet is a multi-protocol label switching MPLS packet.

In one implementation, the digital certificate is carried in a label value field.

In one implementation, the digital certificate is carried in an extended type length value, TLV, field.

In one implementation, the first packet is a segment routing over internet protocol version 6 (SRv6) packet.

In one implementation, the digital certificate is carried in a segment routing header SRH.

In one implementation, the first message is an internet protocol version 4 IPv4 message.

In one implementation, the digital certificate is carried in an option field.

In one implementation, the first packet is a Generic Routing Encapsulation (GRE) packet.

In one implementation, the digital certificate is carried in a key field.

In an implementation manner, the first message is a virtual extensible local area network VXLAN message.

In one implementation, the digital certificate is carried in a virtual network identifier field.

In one implementation, the digital certificate is carried in a reserved field.

In an implementation manner, the first packet is a network virtualization generic routing encapsulation NVGRE packet.

In one implementation, the digital certificate is carried in a flow identification field.

In one implementation, the digital certificate is carried in a virtual network identification field.

In one implementation, the digital certificate is carried in a reserved field.

In one implementation, the first packet is a generic network virtualization encapsulation (GENEVE) packet.

In one implementation, the digital certificate is carried in a reserved field.

In one implementation, the digital certificate is carried in a variable length options field.

In one implementation, the first authentication information is a cryptographic digest in the digital certificate.

With respect to the specific implementation of the method 500 and the method 600, reference may be made to the above description of the method 200, which is not described in detail here.

An application information processing method 700 is further provided in the embodiment of the present application, and referring to fig. 10, fig. 10 is a schematic flowchart of an application information processing method provided in the embodiment of the present application.

The method 700 shown in fig. 10 may be performed by a control management device. The method 700 shown in fig. 10 may be applied to the method 100 or 200 mentioned in the above embodiments, for executing the steps performed by the control management device in the above method 100 or 200, and the method 700 may include, for example, the following S701-S703.

S701: and acquiring application information.

S702: and acquiring first verification information according to the application information, wherein the first verification information is used for verifying the integrity of the application information.

S703: and sending the first verification information to a second communication device.

In method 700: the application information may correspond to application information 1 in the method 100 or the method 200; the first authentication information may correspond to authentication information 1 in the method 100 or the method 200; the second communication device may correspond to communication device 2 in method 100 or method 200.

In one implementation, the obtaining first verification information according to the application information includes:

and calculating the application information based on a first verification method to obtain the first verification information.

The first verification method mentioned here may correspond to verification algorithm 1 in method 100.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the first authentication information includes first HMAC check information.

As an example, the first HMAC check information may correspond to the authentication information 1 obtained by appending the key 1 to the field 1 as an input of the hash algorithm 1 in the method 100. As yet another example, the first HMAC check information may correspond to HMAC2 in the method 100.

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by signing the application information by using a first private key and a first hash calculation.

The first private key corresponds to private key 1 in method 100; the first hash calculation corresponds to hash algorithm 3 in method 100; the digital signature corresponds to digital signature 1 in method 100.

In one implementation, the obtaining first verification information according to the application information includes:

and obtaining a digital certificate according to the application information, wherein the digital certificate comprises the first verification information.

The digital certificate referred to herein may correspond, for example, to digital certificate 1 in method 100.

In one implementation, sending the first authentication information to a second communications device includes:

and sending the digital certificate to the second communication device.

In one implementation, the method further comprises:

obtaining second verification information according to the application information, wherein the second verification information is used for verifying the integrity of the application information;

and sending the second verification information to a second communication device.

The second authentication information mentioned here may correspond to the authentication information 3 in the method 100, for example.

In one implementation, the obtaining second verification information according to the application information includes:

and calculating the application information based on a second verification method to obtain the second verification information.

In one implementation, the second verification method is HMAC verification.

In one implementation, the second authentication information includes second HMAC check information.

Regarding the second HMAC check information, reference may be made to the above description part of the first HMAC check information, which is not described in detail here.

In one implementation, the second verification method is digital signature verification.

In one implementation, the second verification information is a digital signature obtained by signing the application information by using a second private key and a second hash calculation.

In one implementation, the first verification method and the second verification method are different verification methods.

With respect to the specific implementation of the method 700, reference may be made to the above description of the method 100 and the method 200, which are not described in detail here.

An embodiment of the present application further provides a method 800 for verifying application information, referring to fig. 11, where fig. 11 is a schematic flowchart of the method for verifying application information provided in the embodiment of the present application.

The method 800 shown in fig. 11 may be performed by a first communication device, which may be, for example, the communication device 1 mentioned in the above embodiments. The method 800 shown in fig. 11 may be applied to the method 100 mentioned in the above embodiments for executing the steps performed by the communication device 1 in the above method 100, and the method 800 may include, for example, the following S801-S802.

S801: acquiring application information and at least one piece of verification information, where the at least one piece of verification information is used for performing integrity verification on the application information.

S802: performing integrity verification on the application information according to the at least one piece of verification information.

In the method 800, the at least one piece of verification information may correspond to the verification information 1 in the method 100, or to the verification information 1 together with the verification information 3 in the method 100.

In one implementation, the obtaining the application information and the at least one verification information includes:

receiving a first message, wherein the first message comprises the application information and the at least one piece of verification information.

The first packet may correspond to packet 1 in method 100.

In one implementation, the at least one piece of verification information includes first verification information.

The first verification information may correspond to the verification information 1 in the method 100.

In one implementation, the performing integrity verification on the application information according to the at least one piece of verification information includes:

acquiring third verification information according to a first target field in the first message, where the first target field includes the application information; and

performing a matching check of the third verification information against the first verification information.

The first target field in the method 800 may correspond to field 1, field 2, field 3, field 4, or field 5 in the method 100. The third verification information in the method 800 may correspond to the verification information 2 in the method 100.

In one implementation, the performing integrity verification on the application information according to the at least one piece of verification information includes:

verifying the integrity of the application information based on a first verification method and the first verification information.

The first verification method in the method 800 may correspond to verification algorithm 1 in the method 100.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the first verification information is first HMAC check information, and the verifying the integrity of the application information based on the first verification method and the first verification information includes:

performing an HMAC calculation on the first target field to obtain second HMAC check information; and

performing a matching check of the first HMAC check information against the second HMAC check information.

In one implementation, the first HMAC check information in the method 800 may correspond to the verification information 1 obtained in the method 100 by appending key 1 to field 1 and using the result as the input of hash algorithm 1. Accordingly, the second HMAC check information may correspond to the verification information 2 obtained in the method 100 by the same calculation on the receiving side.

In one implementation, the first HMAC check information in the method 800 may correspond to HMAC2 in the method 100, and the second HMAC check information may correspond to HMAC2' in the method 100.

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by performing a first hash calculation on the first target field and signing the result with a first private key, and the verifying the integrity of the application information based on the first verification method and the first verification information includes:

decrypting the digital signature with a first public key to obtain a first plaintext, namely the hash digest that was signed;

performing a second hash calculation on the first target field to obtain a second plaintext, where the first hash calculation and the second hash calculation use the same hash algorithm; and

performing a matching check of the first plaintext against the second plaintext.

When the first verification method is digital signature verification: the first target field corresponds to field 2 in the method 100; the first private key corresponds to private key 1 in the method 100; the first hash calculation corresponds to hash algorithm 3 in the method 100; the digital signature corresponds to digital signature 1 in the method 100; the first public key corresponds to public key 1 in the method 100; the first plaintext corresponds to hash digest 1'' in the method 100; the second hash calculation likewise corresponds to hash algorithm 3 in the method 100; and the second plaintext may correspond to hash digest 1' in the method 100.

In one implementation, the first packet includes a digital certificate, and the first public key is carried in the digital certificate.

The digital certificate in method 800 corresponds to digital certificate 1 in method 100 and the first public key corresponds to public key 1 in method 100.

In one implementation, the digital certificate further indicates the decryption algorithm used to decrypt the digital signature and/or the hash algorithm.

The decryption algorithm mentioned here may correspond to decryption algorithm 1 in method 100; the hash algorithm mentioned here may correspond to hash algorithm 3 in method 100.

In one implementation, the method further includes:

verifying the validity of the digital certificate, for example that it chains to an issuer the first communication device trusts and that it is within its validity period.
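The digital-signature path just described (first hash calculation, signature with the first private key, certificate carrying the first public key, validity check of the certificate, second hash calculation with the same algorithm, matching check), as an added Go example; it is not code from the patent or from any product. It assumes ECDSA P-256 with SHA-256 and a throwaway demo CA created in main. The page's "decrypt the signature with the public key" wording describes RSA; here ecdsa.VerifyASN1 performs that step, which combines the recovery of the signed digest and the matching check. The constructed target field, the common names and the 24-hour validity period are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedPacket is a constructed stand-in for the first message: the first target field
// (which contains the application information), the digital signature over it, and the
// DER-encoded digital certificate that carries the first public key.
type SignedPacket struct {
	TargetField []byte
	Signature   []byte
	CertDER     []byte
}

// SignTarget is the sender side: first hash calculation (SHA-256) over the first target
// field, then an ECDSA signature with the first private key (assumption: ECDSA, not RSA).
func SignTarget(priv *ecdsa.PrivateKey, certDER, target []byte) (*SignedPacket, error) {
	digest := sha256.Sum256(target)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedPacket{TargetField: target, Signature: sig, CertDER: certDER}, nil
}

// VerifySigned is the receiver side. It first checks the validity of the certificate
// (chain to a trusted root, validity period at time now), then performs the second hash
// calculation with the same algorithm and checks the signature with the carried public key.
func VerifySigned(roots *x509.CertPool, p *SignedPacket, now time.Time) error {
	cert, err := x509.ParseCertificate(p.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(p.TargetField)
	if !ecdsa.VerifyASN1(pub, digest[:], p.Signature) {
		return errors.New("application information failed integrity check: discard")
	}
	return nil
}

// NewCert issues a one-day certificate for pub signed by parent/parentKey, or self-signed
// when parent is nil. Demo PKI only; a deployment would use the operator's own CA.
func NewCert(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, []byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore, NotAfter: notBefore.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

func main() {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert, _, _ := NewCert(1, "demo operator CA", true, &caKey.PublicKey, nil, caKey, now)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, devDER, _ := NewCert(2, "cpe-1", false, &devKey.PublicKey, caCert, caKey, now)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	pkt, _ := SignTarget(devKey, devDER, []byte("app-id=7;user-id=1001;flow-id=42")) // constructed field 2
	fmt.Println("genuine:", VerifySigned(roots, pkt, now))
	pkt.TargetField[0] ^= 1 // an on-path node edits the application information
	fmt.Println("tampered:", VerifySigned(roots, pkt, now))
	fmt.Println("expired certificate:", VerifySigned(roots, pkt, now.Add(48*time.Hour)))
}
```

The certificate check runs before the signature check on purpose: a valid signature under a key the receiver has no reason to trust proves nothing, so an attacker who ships their own certificate with the packet is rejected at cert.Verify rather than after an expensive signature operation.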

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec).

When the first verification method is IPsec-based integrity verification, it may be Authentication Header (AH) verification or Encapsulating Security Payload (ESP) verification.

In one implementation, the first verification information is first AH verification information, and the verifying the integrity of the application information based on the first verification method and the first verification information includes:

calculating the first target field with an AH verification algorithm to obtain second AH verification information; and

performing a matching check of the first AH verification information against the second AH verification information.

When the first verification method is AH verification, the first verification information is the first AH verification information and the value recomputed by the first communication device is the second AH verification information. The first AH verification information may correspond to AH verification information 1 or AH verification information 2 in the method 100, and the second AH verification information may correspond to AH verification information 3 or AH verification information 4 in the method 100.

In one example, when the first packet is encapsulated in transport mode, the first AH verification information corresponds to AH verification information 1 in the method 100, the second AH verification information corresponds to AH verification information 3 in the method 100, and the first target field may correspond to field 3 in the method 100; when the first packet is encapsulated in tunnel mode, the first AH verification information corresponds to AH verification information 2 in the method 100, the second AH verification information corresponds to AH verification information 4 in the method 100, and the first target field may correspond to field 4 in the method 100.

In one implementation, the first verification information is first Encapsulating Security Payload (ESP) verification information, and the verifying the integrity of the application information based on the first verification method and the first verification information includes:

calculating the first target field with an ESP verification algorithm to obtain second ESP verification information; and

performing a matching check of the first ESP verification information against the second ESP verification information.

When the first verification method is ESP verification, the first verification information is the first ESP verification information and the value recomputed by the first communication device is the second ESP verification information. The first ESP verification information may correspond to ESP verification information 1 in the method 100, the second ESP verification information may correspond to ESP verification information 2 in the method 100, and the first target field may correspond to field 5 in the method 100.

In one implementation, the verifying the integrity of the application information based on the first verification method and the first verification information includes:

performing validity verification on the digital certificate.

In one implementation, the at least one piece of verification information further includes second verification information.

The second verification information mentioned here may correspond to the verification information 3 in the method 100.

In one implementation, the performing integrity verification on the application information according to the at least one piece of verification information includes:

acquiring fourth verification information according to a second target field in the first message, where the second target field includes the application information; and

performing a matching check of the fourth verification information against the second verification information.

In one implementation, the performing integrity verification on the application information according to the at least one piece of verification information includes:

verifying the integrity of the application information based on a second verification method and the second verification information.

In one implementation, the first verification method and the second verification method are different verification algorithms.

For the second verification information, reference may be made to the related description of the first verification information, which is not repeated here.

In one implementation, the first communication device is a network device.

In one implementation, the first communication device is:

an access (ACC) device, customer premises equipment (CPE), a residential gateway (RG), a data center server access leaf device, a data center gateway (DC GW), an autonomous system border router (ASBR), a broadband network gateway (BNG), or a provider edge (PE) device.

In one implementation, the method further includes:

forwarding the first message when the application information is determined to pass the verification.

In one implementation, the method further includes:

discarding the first message when the application information is determined not to pass the verification.
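The HMAC variant of the method 800 above (first HMAC check information carried alongside the application information, second HMAC check information recomputed over the first target field, matching check, then forward or discard), as an added Go example that is not code from the patent or from any product. It carries both values in an IPv6 Destination Options extension header, one of the carriers the page lists for the first packet; the sender side corresponds to the method 900 and the receiver side to S802. The option codepoints 0x3e and 0x3f, the 12-byte application-information layout (app ID, user ID, flow ID), the 128-bit truncated tag and the shared key are assumptions made for the example. RFC 2104 HMAC-SHA256 is used rather than the bare "hash of field 1 with key 1 appended" described for the method 100, since a keyed hash of that form is not an HMAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Option codepoints and tag length are assumptions for this example; the page assigns none.
const (
	optPad1    = 0x00 // IPv6 Pad1
	optPadN    = 0x01 // IPv6 PadN
	optAppInfo = 0x3e // hypothetical: application information (the first target field)
	optHMAC    = 0x3f // hypothetical: first HMAC check information
	tagLen     = 16   // HMAC-SHA256 truncated to 128 bits
)

// hmacTag is RFC 2104 HMAC-SHA256 over the target field under the shared key, truncated.
func hmacTag(key, target []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(target)
	return m.Sum(nil)[:tagLen]
}

// BuildDestOpts is the sender side (method 900): an IPv6 Destination Options header with
// Next Header, Hdr Ext Len (8-octet units, first 8 excluded), the two options, and padding.
func BuildDestOpts(key, info []byte, nextHeader byte) []byte {
	h := []byte{nextHeader, 0}
	h = append(h, optAppInfo, byte(len(info)))
	h = append(h, info...)
	h = append(h, optHMAC, tagLen)
	h = append(h, hmacTag(key, info)...)
	switch pad := (8 - len(h)%8) % 8; {
	case pad == 1:
		h = append(h, optPad1)
	case pad > 1:
		h = append(h, optPadN, byte(pad-2))
		h = append(h, make([]byte, pad-2)...)
	}
	h[1] = byte(len(h)/8 - 1)
	return h
}

// ParseDestOpts walks the option TLVs, bounds-checking each against Hdr Ext Len, and
// returns the application information and the carried tag.
func ParseDestOpts(hdr []byte) (info, tag []byte, err error) {
	if len(hdr) < 8 || len(hdr) < (int(hdr[1])+1)*8 {
		return nil, nil, errors.New("truncated extension header")
	}
	n := (int(hdr[1]) + 1) * 8
	for i := 2; i < n; {
		if hdr[i] == optPad1 {
			i++
			continue
		}
		if i+2 > n || i+2+int(hdr[i+1]) > n {
			return nil, nil, errors.New("option runs past header length")
		}
		val := hdr[i+2 : i+2+int(hdr[i+1])]
		switch hdr[i] {
		case optAppInfo:
			info = val
		case optHMAC:
			tag = val
		}
		i += 2 + len(val)
	}
	if info == nil || tag == nil {
		return nil, nil, errors.New("application information or HMAC option missing")
	}
	return info, tag, nil
}

// VerifyAppInfo is the receiver side (method 800, S802): recompute the second HMAC check
// information over the first target field, compare it with the carried first HMAC check
// information in constant time, and report whether the packet may be forwarded.
func VerifyAppInfo(key, hdr []byte) (bool, error) {
	info, tag, err := ParseDestOpts(hdr)
	if err != nil {
		return false, err
	}
	if len(tag) != tagLen || !hmac.Equal(tag, hmacTag(key, info)) {
		return false, errors.New("application information failed integrity check: discard")
	}
	return true, nil
}

func main() {
	key := []byte("constructed-demo-key")
	info := []byte{0, 0, 0, 7, 0, 0, 3, 0xe9, 0, 0, 0, 42} // constructed: app 7, user 1001, flow 42
	pkt := BuildDestOpts(key, info, 6)
	fmt.Println(VerifyAppInfo(key, pkt)) // genuine packet: forward
	pkt[7] = 99                           // rewrite the application ID in flight
	fmt.Println(VerifyAppInfo(key, pkt)) // modified packet: discard
}
```

hmac.Equal is the constant-time comparison a practitioner wants for the matching check; an early-exit byte compare would leak how many leading tag bytes a guess got right. Every option is bounds-checked against Hdr Ext Len before the tag is recomputed, so a malformed header is discarded instead of causing an out-of-range read, and a packet whose tag was minted under a different key (a node outside the trust domain) fails the same check as a modified one.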

The embodiment of the present application further provides a message processing method 900, refer to fig. 12, and fig. 12 is a schematic flow diagram of the message processing method provided in the embodiment of the present application.

The method 900 shown in fig. 12 may be performed by a second communication device, which may be, for example, the communication device 2 mentioned in the above embodiment. The method 900 shown in fig. 12 may be applied to the method 100 mentioned in the above embodiment for executing the steps executed by the communication device 2 in the above method 100, and the method 900 may include the following S901-S902, for example.

S901: acquiring application information and at least one piece of verification information, where the at least one piece of verification information is used for performing integrity verification on the application information.

S902: sending the application information and the at least one piece of verification information to the first communication device.

In the method 900, the at least one piece of verification information may correspond to the verification information 1 in the method 100, or to the verification information 1 together with the verification information 3 in the method 100.

In one implementation, the obtaining the application information and the at least one piece of verification information includes:

acquiring a first message, where the first message includes the application information and the at least one piece of verification information;

and the sending the application information and the at least one piece of verification information to the first communication device includes:

sending the first message to the first communication device.

The first message may correspond to message 1 in method 100 and the first communication device may correspond to communication device 1 in method 100.

In one implementation, the at least one piece of verification information includes first verification information.

The first verification information may correspond to the verification information 1 in the method 100.

In one implementation, the first authentication information is obtained according to a first target field in the first message, and the first target field includes the application information.

In method 900, the first target field may correspond to field 1, field 2, field 3, field 4, or field 5 in method 100.

In an implementation manner, the first verification information is obtained by calculating a first target field in the first message by using a first verification method, where the first target field includes the application information.

The first verification method in method 900 may correspond to verification algorithm 1 in method 100.

In one implementation, the first verification method is keyed-hash message authentication code (HMAC) verification.

In one implementation, the first verification information includes first HMAC check information.

When the first verification method is HMAC verification, the first target field in the method 900 corresponds to field 1 in the method 100.

In one implementation, the first HMAC check information in the method 900 may correspond to the verification information 1 obtained in the method 100 by appending key 1 to field 1 and using the result as the input of hash algorithm 1.

In one implementation, the first HMAC check information in the method 900 may correspond to HMAC2 in the method 100.

In one implementation, the first verification method is digital signature verification.

In one implementation, the first verification information is a digital signature obtained by signing the first target field with a first private key.

When the first verification method is digital signature: the first target field corresponds to field 2 in method 100; the first private key corresponds to private key 1 in method 100 and the digital signature corresponds to digital signature 1 in method 100.

In one implementation, the first verification information is an encrypted digest in a digital certificate, and the digital certificate further includes the application information.

The digital certificate referred to here may correspond to digital certificate 1 in the method 100 and, correspondingly, the encrypted digest in the digital certificate may correspond to encrypted digest 1 in the method 100.

In one implementation, the first verification information is sent to the second communication device by the control management device.

In one implementation, the first verification method is integrity verification based on Internet Protocol Security (IPsec).

When the first verification method is IPsec-based integrity verification, it may be AH verification or ESP verification.

In one implementation, the first verification information is first Authentication Header (AH) verification information.

The first AH verification information may correspond to AH verification information 1 or AH verification information 2 in the method 100. When the first packet is encapsulated in transport mode, the first AH verification information corresponds to AH verification information 1 in the method 100; when the first packet is encapsulated in tunnel mode, the first AH verification information corresponds to AH verification information 2 in the method 100.

In one implementation, the first verification information is first Encapsulating Security Payload (ESP) verification information.

The first ESP verification information may correspond to ESP verification information 1 in the method 100.

In one implementation, the at least one piece of verification information further includes second verification information.

The second verification information may correspond to the verification information 3 in the method 100.

In one implementation, the second verification information is obtained according to a second target field in the first message, and the second target field includes the application information.

Regarding the second target field, reference may be made to the description of the first target field, which is not repeated here.

In one implementation, the second verification information is obtained by calculating a second target field in the first message with a second verification method, where the second target field includes the application information.

Regarding the second verification method, reference may be made to the description of the first verification method, which is not repeated here.

In one implementation, the first verification method and the second verification method are different verification algorithms.

In the above method 800 and method 900:

In one implementation, the application information and the at least one piece of verification information are carried in a header of the first packet.

In one implementation, the first message is an Internet Protocol version 6 (IPv6) message.

In one implementation, the application information is carried in an IPv6 extension header.

In one implementation, the application information is carried in the destination address.

In one implementation, the application information is carried in the source address.

In one implementation, the at least one piece of verification information is carried in an IPv6 extension header.

In one implementation, the at least one piece of verification information is carried in the destination address.

In one implementation, the at least one piece of verification information is carried in the source address.

In one implementation, the first packet is a Multi-Protocol Label Switching (MPLS) packet.

In one implementation, the application information is carried in a label value field.

In one implementation, the application information is carried in an extended type-length-value (TLV) field.

In one implementation, the at least one piece of verification information is carried in a label value field.

In one implementation, the at least one piece of verification information is carried in an extended TLV field.

In one implementation, the first packet is a segment routing over IPv6 (SRv6) packet.

In one implementation, the application information is carried in a segment routing header (SRH).

In one implementation, the at least one piece of verification information is carried in an SRH.

In one implementation, the first message is an Internet Protocol version 4 (IPv4) message.

In one implementation, the application information is carried in an options field.

In one implementation, the at least one piece of verification information is carried in an options field.

In one implementation, the first packet is a Generic Routing Encapsulation (GRE) packet.

In one implementation, the application information is carried in the Key field.

In one implementation, the at least one piece of verification information is carried in the Key field. Since the GRE Key field is 32 bits wide, only a truncated tag fits in it.

In one implementation, the first message is a Virtual Extensible Local Area Network (VXLAN) message.

In one implementation, the application information is carried in the virtual network identifier (VNI) field.

In one implementation, the application information is carried in a reserved field.

In one implementation, the at least one piece of verification information is carried in the VNI field. Since the VNI field is 24 bits wide, only a truncated tag fits in it.

In one implementation, the at least one piece of verification information is carried in a reserved field.

In one implementation, the first packet is a Network Virtualization using Generic Routing Encapsulation (NVGRE) packet.

In one implementation, the application information is carried in the flow identifier field.

In one implementation, the application information is carried in the virtual subnet identifier field.

In one implementation, the application information is carried in a reserved field.

In one implementation, the at least one piece of verification information is carried in the flow identifier field.

In one implementation, the at least one piece of verification information is carried in the virtual subnet identifier field.

In one implementation, the at least one piece of verification information is carried in a reserved field.

In one implementation, the first packet is a Generic Network Virtualization Encapsulation (GENEVE) packet.

In one implementation, the application information is carried in a reserved field.

In one implementation, the application information is carried in the variable-length options field.

In one implementation, the at least one piece of verification information is carried in a reserved field.

In one implementation, the at least one piece of verification information is carried in the variable-length options field.

With respect to specific implementations of the method 800 and the method 900, reference may be made to the above description of the method 100, and a description thereof will not be repeated here.

In addition, an embodiment of the present application further provides a communication apparatus 1300, which is shown in fig. 13. Fig. 13 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication apparatus 1300 includes a transceiver unit 1301 and a processing unit 1302. The communications apparatus 1300 may be configured to perform the method 100, the method 200, the method 300, the method 400, the method 500, the method 600, the method 700, the method 800, or the method 900 in the above embodiments.

In one example, the communication device 1300 may perform the method 100 in the above embodiment, and when the communication device 1300 is used to perform the method 100 in the above embodiment, the communication device 1300 is equivalent to the communication device 1 in the method 100. The transceiving unit 1301 is configured to perform transceiving operations performed by the communication apparatus 1 in the method 100. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 100. For example: the processing unit 1302 is configured to generate a message 1, where the message 1 includes application information 1 and verification information 1; the transceiving unit 1301 is configured to send the message 1 to the communication apparatus 2.

In one example, the communication device 1300 may perform the method 100 in the above embodiment, and when the communication device 1300 is used to perform the method 100 in the above embodiment, the communication device 1300 is equivalent to the communication device 2 in the method 100. The transceiving unit 1301 is configured to perform transceiving operations performed by the communication apparatus 2 in the method 100. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the communication device 2 in the method 100. For example: the transceiving unit 1301 is configured to receive a message 1, where the message 1 includes application information 1 and verification information 1; the processing unit 1302 is configured to verify the integrity of the application information 1 in the packet 1 according to the verification information 1 in the packet 1.

In one example, the communication device 1300 may perform the method 200 in the above embodiment, and when the communication device 1300 is used to perform the method 200 in the above embodiment, the communication device 1300 is equivalent to the communication device 1 in the method 200. The transceiving unit 1301 is configured to perform transceiving operations performed by the communication apparatus 1 in the method 200. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 200. For example: the processing unit 1302 is configured to generate a message 1, where the message 1 includes a digital certificate 1, the digital certificate 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the transceiving unit 1301 is configured to send the message 1 to the communication apparatus 2.

In one example, the communication device 1300 may perform the method 200 in the above embodiment, and when the communication device 1300 is used to perform the method 200 in the above embodiment, the communication device 1300 is equivalent to the communication device 2 in the method 200. The transceiving unit 1301 is configured to perform transceiving operations performed by the communication apparatus 2 in the method 200. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the communication device 2 in the method 200. For example: the transceiving unit 1301 is configured to receive a message 1, where the message 1 includes a digital certificate 1, the digital certificate 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the processing unit 1302 is configured to perform validity verification on the digital certificate 1.

In one example, the communication device 1300 may perform the method 300 in the above embodiment, and when the communication device 1300 is used to perform the method 300 in the above embodiment, the communication device 1300 is equivalent to the first communication device in the method 300. The transceiving unit 1301 is configured to perform transceiving operations performed by the first communication apparatus in the method 300. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the first communication device in the method 300. For example: the transceiving unit 1301 is configured to receive a first message, where the first message includes application information and first verification information; the processing unit 1302 is configured to verify integrity of the application information in the first message according to the first verification information in the first message.

In one example, the communication device 1300 may perform the method 400 in the above embodiment, and when the communication device 1300 is used to perform the method 400 in the above embodiment, the communication device 1300 is equivalent to the second communication device in the method 400. The transceiving unit 1301 is configured to perform transceiving operations performed by the second communication apparatus in the method 400. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the second communication device in the method 400. For example: the processing unit 1302 is configured to generate a first packet, where the first packet includes application information and first verification information, and the first verification information is used to verify integrity of the application information; the transceiving unit 1301 is configured to send the first packet to a first communication apparatus.

In one example, the communication device 1300 may perform the method 500 in the above embodiment, and when the communication device 1300 is used to perform the method 500 in the above embodiment, the communication device 1300 is equivalent to the first communication device in the method 500. The transceiving unit 1301 is configured to perform transceiving operations performed by the first communication apparatus in the method 500. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the first communication device in the method 500. For example: the transceiving unit 1301 is configured to acquire a first packet, where the first packet includes a digital certificate, the digital certificate includes application information and first verification information, and the first verification information is used to perform integrity verification on the application information; the processing unit 1302 is configured to perform validity verification on the digital certificate.

In one example, the communication device 1300 can perform the method 600 in the above embodiment, and when the communication device 1300 is used for performing the method 600 in the above embodiment, the communication device 1300 is equivalent to the second communication device in the method 600. The transceiving unit 1301 is configured to perform transceiving operations performed by the second communication apparatus in the method 600. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the second communication device in the method 600. For example: the processing unit 1302 is configured to obtain a first packet, where the first packet includes a digital certificate, the digital certificate includes application information and first verification information, and the first verification information is used to perform integrity verification on the application information; the transceiving unit 1301 is configured to send the first packet to a first communication apparatus.

In one example, the communication apparatus 1300 may perform the method 700 in the above embodiment, and when the communication apparatus 1300 is used to perform the method 700 in the above embodiment, the communication apparatus 1300 corresponds to the control management device in the method 700. The transceiving unit 1301 is configured to perform transceiving operations performed by the control management apparatus in the method 700. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the control management device in the method 700. For example: the transceiving unit 1301 is configured to acquire application information, the processing unit 1302 is configured to acquire first verification information according to the application information, where the first verification information is used to verify the integrity of the application information, and the transceiving unit 1301 is further configured to send the first verification information to a second communication apparatus.

In one example, the communication device 1300 can perform the method 800 in the above embodiment, and when the communication device 1300 is used to perform the method 800 in the above embodiment, the communication device 1300 corresponds to the first communication device in the method 800. The transceiving unit 1301 is configured to perform transceiving operations performed by the first communication apparatus in the method 800. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the first communication device in the method 800. For example: the transceiving unit 1301 is configured to obtain application information and at least one piece of verification information, where the at least one piece of verification information is used to perform integrity verification on the application information; the processing unit 1302 is configured to perform integrity verification on the application information according to the at least one verification information.

In one example, the communications device 1300 can perform the method 900 in the above embodiments, and when the communications device 1300 is used to perform the method 900 in the above embodiments, the communications device 1300 corresponds to the second communications device in the method 900. The transceiving unit 1301 is configured to perform transceiving operations performed by the second communication apparatus in the method 900. The processing unit 1302 is configured to perform operations other than transceiving operations performed by the second communication device in the method 900. For example: the processing unit 1302 is configured to obtain application information and at least one piece of verification information, where the at least one piece of verification information is used to perform integrity verification on the application information; the transceiving unit 1301 is configured to send the application information and the at least one piece of verification information to the first communication apparatus.

In addition, an embodiment of the present application further provides a communication device 1400, as shown in fig. 14, fig. 14 is a schematic structural diagram of the communication device provided in the embodiment of the present application. The communication device 1400 includes a communication interface 1401 and a processor 1402 connected to the communication interface 1401. The communication device 1400 may be configured to perform the method 100, the method 200, the method 300, the method 400, the method 500, the method 600, the method 700, the method 800, or the method 900 in the above embodiments.

In one example, the communication device 1400 may perform the method 100 in the above embodiment, and when the communication device 1400 is used to perform the method 100 in the above embodiment, the communication device 1400 is equivalent to the communication device 1 in the method 100. Here, the communication interface 1401 is used for the transceiving operation performed by the communication apparatus 1 in the above method 100; the processor 1402 is used for other operations than the transceiving operation performed by the communication apparatus 1 in the above method 100. For example: the processor 1402 is configured to generate a message 1, where the message 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the communication interface 1401 is used to send the message 1 to the communication device 2.

In one example, the communication device 1400 may perform the method 100 in the above embodiment, and when the communication device 1400 is used to perform the method 100 in the above embodiment, the communication device 1400 is equivalent to the communication device 2 in the method 100. Here, the communication interface 1401 is used for the transceiving operation performed by the communication apparatus 2 in the above method 100; the processor 1402 is used for other operations than the transceiving operation performed by the communication device 2 in the above method 100. For example: the communication interface 1401 is configured to receive a message 1, where the message 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the processor 1402 is configured to perform integrity verification on the application information 1 by using the verification information 1.

In one example, the communication device 1400 may perform the method 200 in the above embodiment, and when the communication device 1400 is used to perform the method 200 in the above embodiment, the communication device 1400 is equivalent to the communication device 1 in the method 200. Here, the communication interface 1401 is used for the transceiving operation performed by the communication apparatus 1 in the above method 200; the processor 1402 is used for other operations than the transceiving operation performed by the communication apparatus 1 in the above method 200. For example: the processor 1402 is configured to generate a message 1, where the message 1 includes a digital certificate 1, the digital certificate 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the communication interface 1401 is used to send the message 1 to the communication device 2.

In one example, the communication device 1400 may perform the method 200 in the above embodiment, and when the communication device 1400 is used to perform the method 200 in the above embodiment, the communication device 1400 is equivalent to the communication device 2 in the method 200. Here, the communication interface 1401 is used for the transceiving operation performed by the communication apparatus 2 in the above method 200; the processor 1402 is used for other operations than the transceiving operation performed by the communication device 2 in the above method 200. For example: the communication interface 1401 is configured to receive a message 1, where the message 1 includes a digital certificate 1, the digital certificate 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the processor 1402 is configured to perform validity verification on the digital certificate 1.

In one example, the communication device 1400 may perform the method 300 in the above embodiment, and when the communication device 1400 is used to perform the method 300 in the above embodiment, the communication device 1400 is equivalent to the first communication device in the method 300. Wherein the communication interface 1401 is used for the transceiving operation performed by the first communication device in the above method 300; the processor 1402 is used for other operations than the transceiving operations performed by the first communication device in the above method 300. For example: the communication interface 1401 is configured to receive a first message, where the first message includes application information and first verification information; the processor 1402 is configured to verify integrity of the application information in the first message according to the first verification information in the first message.

In one example, the communication device 1400 may perform the method 400 in the above embodiment, and when the communication device 1400 is used to perform the method 400 in the above embodiment, the communication device 1400 is equivalent to the second communication device in the method 400. Wherein the communication interface 1401 is used for the transceiving operation performed by the second communication device in the above method 400; the processor 1402 is used for other operations than transceiving operations performed by the second communication device in the above method 400. For example: the processor 1402 is configured to generate a first packet, where the first packet includes application information and first verification information, and the first verification information is used to verify integrity of the application information; the communication interface 1401 is configured to send the first message to a first communication device.

In one example, the communication device 1400 may perform the method 500 in the above embodiment, and when the communication device 1400 is used to perform the method 500 in the above embodiment, the communication device 1400 is equivalent to the first communication device in the method 500. Wherein the communication interface 1401 is used for the transceiving operation performed by the first communication device in the above method 500; the processor 1402 is used for other operations than the transceiving operation performed by the first communication device in the above method 500. For example: the communication interface 1401 is configured to obtain a first packet, where the first packet includes a digital certificate, where the digital certificate includes application information and first verification information, and the first verification information is used to perform integrity verification on the application information; processor 1402 is configured to validate the digital certificate.

In one example, the communication device 1400 can perform the method 600 in the above embodiment, and when the communication device 1400 is used to perform the method 600 in the above embodiment, the communication device 1400 is equivalent to the second communication device in the method 600. Wherein the communication interface 1401 is used for the transceiving operation performed by the second communication device in the above method 600; the processor 1402 is used for other operations than transceiving operations performed by the second communication device in the above method 600. For example: the processor 1402 is configured to obtain a first packet, where the first packet includes a digital certificate, the digital certificate includes application information and first verification information, and the first verification information is used to perform integrity verification on the application information; the communication interface 1401 is configured to send the first message to a first communication device.

In one example, the communication apparatus 1400 may perform the method 700 in the above embodiment, and when the communication apparatus 1400 is used to perform the method 700 in the above embodiment, the communication apparatus 1400 is equivalent to the control management device in the method 700. Here, the communication interface 1401 is used for the transceiving operation performed by the control management device in the above method 700; the processor 1402 is used for other operations than the transceiving operation performed by the control management device in the above method 700. For example: the communication interface 1401 is configured to obtain application information, the processor 1402 is configured to obtain first verification information according to the application information, where the first verification information is used to verify the integrity of the application information, and the communication interface 1401 is further configured to send the first verification information to a second communication apparatus.

In one example, the communication device 1400 may perform the method 800 in the above embodiment, and when the communication device 1400 is used to perform the method 800 in the above embodiment, the communication device 1400 is equivalent to the first communication device in the method 800. Here, the communication interface 1401 is used for the transceiving operation performed by the first communication apparatus in the above method 800; the processor 1402 is used for other operations than the transceiving operation performed by the first communication device in the above method 800. For example: the communication interface 1401 is used for acquiring application information and at least one piece of verification information; the processor 1402 is configured to perform integrity verification on the application information according to the at least one piece of verification information.

In one example, the communication device 1400 can perform the method 900 in the above embodiment, and when the communication device 1400 is used to perform the method 900 in the above embodiment, the communication device 1400 is equivalent to the second communication device in the method 900. Here, the communication interface 1401 is used for the transceiving operation performed by the second communication device in the above method 900; the processor 1402 is used for other operations than the transceiving operation performed by the second communication device in the above method 900. For example: the processor 1402 is configured to obtain application information and at least one piece of verification information, where the at least one piece of verification information is used to perform integrity verification on the application information; the communication interface 1401 is configured to send the application information and the at least one piece of verification information to the first communication device.

In addition, an embodiment of the present application further provides a communication device 1500, referring to fig. 15, where fig. 15 is a schematic structural diagram of a communication device provided in an embodiment of the present application.

The communications apparatus 1500 may be configured to perform the methods 100, 200, 300, 400, 500, 600, 700, 800, or 900 of the above embodiments.

As shown in fig. 15, the communications apparatus 1500 can include a processor 1510, a memory 1520 coupled to the processor 1510, and a transceiver 1530. The processor 1510 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. The processor 1510 may refer to one processor, or may include multiple processors. The memory 1520 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk (HDD) or a solid-state drive (SSD); the memory 1520 may also include a combination of the above types of memory. The memory 1520 may refer to one memory or may include a plurality of memories. In one embodiment, the memory 1520 has stored therein computer-readable instructions comprising a plurality of software modules, such as a sending module 1521, a processing module 1522, and a receiving module 1523. The processor 1510 may execute each software module and perform corresponding operations according to the instructions of each software module. In this embodiment, the operations performed by a software module actually refer to the operations performed by the processor 1510 as directed by the software module.

In one example, the communication device 1500 may perform the method 100 in the above embodiment, and when the communication device 1500 is used to perform the method 100 in the above embodiment, the communication device 1500 is equivalent to the communication device 1 in the method 100. At this time, the processing module 1522 is configured to generate a message 1, where the message 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the sending module 1521 is configured to send the message 1 to the communication device 2.

In one example, the communication device 1500 may perform the method 100 in the above embodiment, and when the communication device 1500 is used to perform the method 100 in the above embodiment, the communication device 1500 corresponds to the communication device 2 in the method 100. At this time, the receiving module 1523 is configured to receive a message 1, where the message 1 includes application information 1 and verification information 1. The processing module 1522 is configured to perform integrity verification on the application information 1 according to the verification information 1. In one example, the sending module 1521 is configured to forward the message 1 if the application information 1 passes verification.

In one example, the communication device 1500 may perform the method 200 in the above embodiment, and when the communication device 1500 is used to perform the method 200 in the above embodiment, the communication device 1500 is equivalent to the communication device 1 in the method 200. At this time, the processing module 1522 is configured to generate a message 1, where the message 1 includes a digital certificate 1, the digital certificate 1 includes application information 1 and verification information 1, and the verification information 1 is used to perform integrity verification on the application information 1; the sending module 1521 is configured to send the message 1 to the communication device 2.

In one example, the communication device 1500 may perform the method 200 in the above embodiment, and when the communication device 1500 is used to perform the method 200 in the above embodiment, the communication device 1500 is equivalent to the communication device 2 in the method 200. At this time, the receiving module 1523 is configured to receive a message 1, where the message 1 includes a digital certificate 1, and the digital certificate 1 includes application information 1 and verification information 1. The processing module 1522 is configured to perform validity verification on the digital certificate 1. In one example, the sending module 1521 is configured to forward the message 1 if the application information 1 passes verification.

In one example, the communications apparatus 1500 can perform the method 300 in the above embodiments, and when the communications apparatus 1500 is used to perform the method 300 in the above embodiments, the communications apparatus 1500 corresponds to the first communications apparatus in the method 300. At this time, the receiving module 1523 is configured to receive a first message, where the first message includes application information and first verification information. The processing module 1522 is configured to verify integrity of the application information in the first message according to the first verification information in the first message. In one example, the sending module 1521 is configured to forward the first message if the application information passes verification.

In one example, the communication device 1500 can perform the method 400 in the above embodiment, and when the communication device 1500 is used to perform the method 400 in the above embodiment, the communication device 1500 corresponds to the second communication device in the method 400. At this time, the processing module 1522 is configured to generate a first packet, where the first packet includes application information and first verification information, and the first verification information is used to verify the integrity of the application information. The sending module 1521 is configured to send the first packet to a first communication device.

In one example, the communications apparatus 1500 can perform the method 500 in the above embodiments, and when the communications apparatus 1500 is used to perform the method 500 in the above embodiments, the communications apparatus 1500 corresponds to the first communications apparatus in the method 500. At this time, the receiving module 1523 is configured to obtain a first packet, where the first packet includes a digital certificate, the digital certificate includes application information and first verification information, and the first verification information is used to perform integrity verification on the application information. The processing module 1522 is configured to perform validity verification on the digital certificate. In one example, the sending module 1521 is configured to forward the first packet if the application information passes verification.

In one example, the communication device 1500 can perform the method 600 in the above embodiment, and when the communication device 1500 is used to perform the method 600 in the above embodiment, the communication device 1500 is equivalent to the second communication device in the method 600. At this time, the processing module 1522 is configured to obtain a first packet, where the first packet includes a digital certificate, the digital certificate includes application information and first verification information, and the first verification information is used to perform integrity verification on the application information. The sending module 1521 is configured to send the first packet to a first communication device.

In one example, the communication apparatus 1500 may perform the method 700 in the above embodiment, and when the communication apparatus 1500 is used to perform the method 700 in the above embodiment, the communication apparatus 1500 corresponds to the control management device in the method 700. At this time, the receiving module 1523 is configured to obtain application information, the processing module 1522 is configured to obtain first verification information according to the application information, where the first verification information is used to verify the integrity of the application information, and the sending module 1521 is configured to send the first verification information to the second communication device.

In one example, the communications apparatus 1500 can perform the method 800 in the above embodiments, and when the communications apparatus 1500 is used to perform the method 800 in the above embodiments, the communications apparatus 1500 corresponds to the first communications apparatus in the method 800. At this time, the receiving module 1523 is configured to obtain the application information and at least one piece of verification information, where the at least one piece of verification information is used to perform integrity verification on the application information. The processing module 1522 is configured to perform integrity verification on the application information according to the at least one verification information.

In one example, the communications apparatus 1500 can perform the method 900 in the above embodiments, and when the communications apparatus 1500 is used to perform the method 900 in the above embodiments, the communications apparatus 1500 corresponds to the second communications apparatus in the method 900. At this time, the processing module 1522 is configured to obtain application information and at least one piece of verification information, where the at least one piece of verification information is used to perform integrity verification on the application information. The sending module 1521 is configured to send the application information and the at least one piece of verification information to the first communication apparatus.

Further, after the processor 1510 executes the computer-readable instructions in the memory 1520, all operations that the communication device 1500 may perform may be performed as directed by the computer-readable instructions. For example, all operations that the communication apparatus 1 in the method 100 can perform may be performed; all operations that the communication apparatus 2 in the method 100 can perform may be performed; all operations that the communication apparatus 1 in the method 200 can perform may be performed; all operations that the communication apparatus 2 in the method 200 can perform may be performed; all operations that the first communications device in the method 300 can perform may be performed; all operations that the second communication device in the method 400 can perform may be performed; all operations that the first communications device in the method 500 can perform may be performed; all operations that the second communications device in the method 600 can perform may be performed; all operations that the control management device in the method 700 can perform may be performed; all operations that the first communications device in the method 800 can perform may be performed; and all operations that the second communication device in the method 900 can perform may be performed.
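The apparatus embodiments above describe three roles: a control management device that derives verification information from application information (method 700), a sending device that places application information and verification information in a message (methods 100, 400, 900), and a verifying device that checks the application information against the verification information and forwards the message only if the check passes (methods 100, 300, 800). The following Python sketch is an added example, not code from the patent or its applicant. The patent text in this section does not fix the verification algorithm or the message encoding; the example assumes the verification information is an HMAC-SHA256 tag over the application information under a key shared between the control management device and the verifying device, and assumes a simple length-prefixed message layout. Both are illustrative choices.

```python
"""Illustrative roles for carrying application information together with
integrity-verification information (added example, not the patent's own code).

Assumptions, not fixed by the patent text:
- the verification information is an HMAC-SHA256 tag over the application
  information, keyed with a secret held by the control management device and
  the verifying (first) device; the sending (second) device needs no key;
- the message is encoded as a 2-byte big-endian length, the application
  information bytes, then the 32-byte tag.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32

# Constructed demo secret. In practice the control management device provisions
# the key out of band; it is never embedded in source code.
DEMO_KEY = b"demo-shared-secret-for-illustration"


def derive_verification_info(app_info: bytes, key: bytes) -> bytes:
    """Control management device (method 700): derive verification info for app_info."""
    return hmac.new(key, app_info, hashlib.sha256).digest()


def build_message(app_info: bytes, verification_info: bytes) -> bytes:
    """Sending device (methods 400/900): assemble application info plus tag.

    The sender only concatenates the tag it was given; it cannot mint a tag for
    different application information without the key.
    """
    if len(app_info) > 0xFFFF:
        raise ValueError("application information too long for 2-byte length field")
    if len(verification_info) != TAG_LEN:
        raise ValueError("unexpected verification information length")
    return struct.pack("!H", len(app_info)) + app_info + verification_info


def parse_message(message: bytes):
    """Split a message into (app_info, verification_info); reject malformed input."""
    if len(message) < 2 + TAG_LEN:
        raise ValueError("message too short")
    (n,) = struct.unpack("!H", message[:2])
    if len(message) != 2 + n + TAG_LEN:
        raise ValueError("length field does not match message size")
    return message[2:2 + n], message[2 + n:]


def verify_message(message: bytes, key: bytes) -> bool:
    """Verifying device (methods 300/800): recompute the tag and compare.

    hmac.compare_digest runs in constant time, so a forwarding device does not
    reveal through timing how many tag bytes matched.
    """
    try:
        app_info, tag = parse_message(message)
    except ValueError:
        return False
    return hmac.compare_digest(derive_verification_info(app_info, key), tag)


def forward_if_verified(message: bytes, key: bytes):
    """Forwarding policy of the 1500 embodiments: pass the message on only if
    the application information passes verification, else drop it (None)."""
    return message if verify_message(message, key) else None


def demo():
    """Returns (genuine message verifies, message with rewritten app info verifies)."""
    app_info = b"app-id=42;sla=low-latency"  # constructed sample application information
    tag = derive_verification_info(app_info, DEMO_KEY)
    genuine = build_message(app_info, tag)
    # Application information rewritten in transit while the old tag is kept:
    rewritten = build_message(b"app-id=42;sla=premium", tag)
    return verify_message(genuine, DEMO_KEY), verify_message(rewritten, DEMO_KEY)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The split of roles is the point worth noticing: because only the control management device and the verifying device hold the key, a sending device that changes the application information after receiving its verification information (for instance to claim a higher service class) produces a message the verifier drops. The digital-certificate variants (methods 200, 500 and 600) would instead carry the application information inside a certificate whose validity the verifier checks; that path is not implemented here.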

In the above description of the embodiment of the present application, the control management device may be, for example, a device running network management software, or may be a controller, for example, which is not specifically limited in the embodiment of the present application.

Embodiments of the present application also provide a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to perform the steps performed by the first communication device in the above embodiments.

Embodiments of the present application also provide a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to perform the steps performed by the second communication device in the above embodiments.

The embodiment of the present application also provides a computer-readable storage medium, which stores instructions that, when executed on a computer, cause the computer to perform the steps performed by the control management device in the above embodiment.

The embodiment of the present application further provides a communication system, which includes the first communication device and the second communication device mentioned in the above embodiments.

The embodiment of the present application further provides a communication system, which includes the second communication device and the control management device mentioned in the above embodiments.

The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is only a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, each service unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a hardware form, and can also be realized in a software service unit form.

The integrated unit, if implemented in the form of a software business unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Those skilled in the art will recognize that, in one or more of the examples described above, the services described in this disclosure may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the services may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.

The above embodiments are intended to explain the objects, aspects and advantages of the present invention in further detail, and it should be understood that the above embodiments are merely illustrative of the present invention.

The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.
