Method and system for building multi-source safety relevance

A security association establishment technology, applied in the field of multi-source security association establishment methods and systems, which addresses the problems of prior schemes (inability to adapt to security backup, low security, high hardware requirements, etc.) and achieves real-time seamless switching and enhanced security performance.

Inactive Publication Date: 2013-03-13
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT +1

AI Technical Summary

Problems solved by technology

[0008] The security backup schemes in the prior art implement the multi-source security function of the IPsec protocol through hardware or architectural improvements, but they suffer from low security, high hardware requirements and high node redundancy. They cannot meet the requirements for security backup under existing network cluster conditions, and cannot realize multi-source backup and switching of security associations for existing gateways, which greatly affects communication security under the IKE communication mechanism.



Examples


Embodiment 1

[0053] See Figure 3, which is a principle flowchart of the method for establishing a multi-source security association provided in Embodiment 1 of the present invention, specifically as follows:

[0054] Step 10: in IKEv2 communication, during the IKE_AUTH message negotiation, the gateway sends a message carrying the flag payload HAi, the notification payload N[IPi] and N traffic selector payloads TS2i.

[0055] This embodiment is essentially a scheme for establishing a multi-source security association based on IKEv2; it requires extending and modifying the third and fourth IKEv2 messages, that is, extending the negotiation of the IKE_AUTH exchange. The sender (gateway) adds at least an HAi payload, an N[IPi] payload and N TS2i payloads to the third message, where N is a natural number greater than 1. HAi is a flag payload used to confirm that the sent message carries multi-source security association information. In addition to ...

Embodiment 2

[0073] This embodiment of the present invention provides a specific method for establishing a multi-source security association; see Figure 6, details as follows:

[0074] Host 1, gateway 1 and gateway 2 form the system; gateway 1 is the main gateway and gateway 2 is the backup gateway. IKE negotiation is performed between gateway 1 and host 1. Gateway 2 is a trusted host and uses a fixed IP, so gateway 1 can send authentication information to gateway 2 directly. If gateway 2 is untrusted, gateway 1 sends the authentication information to gateway 2 encrypted; one or more existing encryption algorithms, such as a signature algorithm, may be used. The specific implementation includes the following steps:

[0075] When gateway 1 sends the third message to host 1, in addition to the identity of gateway 1, it also includes identity information such as the IP address of gateway 2. Gateway 2 may select one or more hosts. In addition to send...

Embodiment 3

[0091] See Figure 9; this embodiment of the present invention provides a multi-source security association establishment system. The system includes a terminal, a gateway and at least one backup gateway, specifically as follows:

[0092] The gateway is used to carry the flag payload HAi, the notification payload N[IPi] and N traffic selector payloads TS2i in the sent message. The flag payload HAi confirms that the sent message carries multi-source security association information; N is the number of backup gateways; N[IPi] is the backup gateway's IP address; TS2i is the traffic protected by each backup gateway.

[0093] The terminal is used to carry the flag confirmation payload HAr and N traffic selector payloads TSr in the return message. The flag confirmation payload HAr identifies that the terminal confirms the establishment of a multi-source security association; the N traffic selector payloads TSr correspond to receiving the ...
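The extended IKE_AUTH exchange of Embodiments 1 and 3, modelled as an added example (not code from the patent): the gateway builds the third message with HAi, N[IPi] and N TS2i payloads, the terminal answers with HAr and N TSr, and both sides derive the backup SA table used when switching away from the main gateway. The dict encoding, the `Backup` record and the `select_backup` lookup are assumptions; real IKEv2 wire encoding is not modelled.

```python
"""Constructed model of the patent's multi-source IKE_AUTH extension.

Payload names (HAi, N[IPi], TS2i, HAr, TSr) follow the patent text; the
dict layout and the Backup record are assumptions, not IKEv2 wire format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Backup:
    ip: str   # N[IPi]: address of backup gateway i
    ts: str   # TS2i: traffic (CIDR) protected by backup gateway i


def build_third_message(gateway_id: str, backups: List[Backup]) -> dict:
    """Gateway side: add HAi, N[IPi] and N TS2i payloads to message 3."""
    if not backups:  # Embodiment 3 requires at least one backup gateway
        raise ValueError("multi-source SA needs at least one backup gateway")
    for b in backups:  # reject malformed payloads before they are sent
        ip_address(b.ip)
        ip_network(b.ts)
    return {"IDi": gateway_id, "HAi": True,
            "N_IP": [b.ip for b in backups], "TS2": [b.ts for b in backups]}


def terminal_reply(msg3: dict) -> dict:
    """Terminal side: confirm with HAr and answer one TSr per backup."""
    if not msg3.get("HAi"):          # plain IKEv2 negotiation, no extension
        return {"HAr": False, "TS": []}
    if len(msg3["N_IP"]) != len(msg3["TS2"]):
        raise ValueError("N[IPi] and TS2i payload counts must match")
    return {"HAr": True, "TS": list(msg3["TS2"])}


def install_backup_sas(msg3: dict, msg4: dict) -> Dict[str, object]:
    """Both ends: build the backup SA table once HAr confirms it."""
    if not msg4["HAr"]:
        return {}
    return {ip: ip_network(ts) for ip, ts in zip(msg3["N_IP"], msg4["TS"])}


def select_backup(sas: Dict[str, object], dst: str) -> Optional[str]:
    """On main-gateway failure, pick the backup whose TS covers the flow."""
    addr = ip_address(dst)
    for gw_ip, net in sas.items():
        if addr in net:
            return gw_ip
    return None
```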


Abstract

The invention discloses a method and system for building multi-source safety relevance and belongs to the technical field of information security. In the method, during IKEv2 communication, a gateway carries the flag payload HAi, the notification payload N[IPi] and N traffic selector payloads TS2i in the message it sends during the IKE_AUTH message negotiation, and a terminal carries the flag confirmation payload HAr and the N traffic selector payloads TS2i. By extending the functions of existing IPsec with an identification payload and traffic selector payloads, the method and system build a plurality of backup IKE SAs, guarantee real-time seamless switching of encrypted data flows and further strengthen the security performance of IPsec. The communication end sends counting states to address the packet loss that occurs during switching.

Description

Technical field

[0001] The present invention relates to the technical field of information security, in particular to a method and system for establishing a multi-source security association.

Background technique

[0002] Because computer communication networks face security risks such as information forgery, tampering, replay and eavesdropping, IPsec (Internet Protocol Security) came into being to ensure network security. In August 1995, the IETF (Internet Engineering Task Force) released IPsec 1.0. After 15 years of continuous exploration and improvement, it has become a relatively mature and complete security protocol family that supports both IPv4 and IPv6 and is mainly used to provide security services for IP-layer network communication. IPsec is most commonly used in VPNs (Virtual Private Networks), and is also used in other protocols such as MIPv6, OSPF, HIP and SCTP to prote...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/12
Inventor: 周立邹昕鲁松张良关建峰许长桥张能张宏科
Owner: NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT