MACsec (Media Access Control Security) key updating method and equipment

A key update method and equipment technology, applied in the field of communication networks, that addresses problems such as threats to data transmission security and the inability to guarantee network security, and achieves the effect of ensuring network security and improving the timeliness of key updates.

Active Publication Date: 2013-07-17
NEW H3C TECH CO LTD

AI Technical Summary

Problems solved by technology

During data transmission, if a SecY is attacked by illegal packets, data transmission security is threatened. Under the MACsec key update scheme of the existing standard protocol, a SecY does not change the key immediately even when it detects an attack, so network security cannot be guaranteed at the earliest opportunity.

Examples


Embodiment 1

[0069] Embodiment 1: the MACsec key update process when the network device under attack is network device A. In this embodiment, it is assumed that when under attack, the SA of each network device is SA0, the corresponding SAK is SAK1, and the corresponding AN is AN0.

[0070] In this embodiment, the network device under attack is KEY SERVER (that is, device A), and the MACsec key update process includes the following steps:

[0071] KEY SERVER (device A) generates SAK1 and corresponding AN1 and notifies non-KEY SERVERs (device B and device C) in the CA of SAK1 and corresponding AN1.

[0072] Usually, in order to ensure normal data transmission, the SC can contain multiple SAs, up to 4 SAs, and the ANs are AN0, AN1, AN2 and AN3 respectively. When the network device is working normally, usually only one SA is valid. When a network attack occurs or the link of the current transmission channel fails, the current SA can be switched to other SAs. In the embodiment of the present ...

Embodiment 2

[0098] Embodiment 2: When the network device under attack is not a KEY SERVER, the MACsec key update process.

[0099] The difference between Embodiment 2 and Embodiment 1 is that after the network device under network attack determines that the device is not the KEY SERVER, it needs to notify the KEY SERVER so that the KEY SERVER can issue a new key.

[0100] Specifically, if the network device under network attack determines that it is a non-KEY SERVER, it notifies the KEY SERVER through an existing protocol message: it sets the Lowest Acceptable PN (minimum acceptable PN value) in the Keep alive message directly to 0xC0000000 and sends the message to the KEY SERVER. The KEY SERVER receives the Keep alive message and parses out the PN carried in it. If the PN value is 0xC0000000, the KEY SERVER knows that the non-KEY SERVER has been attacked, which triggers the operation of generating and issuing a new key.

[0101] It should be noted that the non-KEY...
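The two trigger paths of Embodiments 1 and 2, as an added Python example that is not code from the patent or from any vendor implementation. The 16-byte frame layout, the function and class names, `os.urandom` as a stand-in for SAK generation, and wrapping the AN back to AN0 after AN3 are assumptions made for illustration; only the value 0xC0000000 and the four-SA limit come from the text.

```python
import os
import struct

ATTACK_SENTINEL_PN = 0xC0000000  # from the page: value written into Lowest Acceptable PN
MAX_SAS = 4                      # from the page: an SC holds at most 4 SAs (AN0..AN3)
FRAME = struct.Struct("!12sI")   # constructed toy layout: member id + 32-bit PN, not real MKPDU encoding


def build_keepalive(member_id: bytes, lowest_acceptable_pn: int) -> bytes:
    """Non-KEY SERVER side: pack a keep-alive carrying its Lowest Acceptable PN."""
    return FRAME.pack(member_id, lowest_acceptable_pn)


def attack_notification(member_id: bytes) -> bytes:
    """Embodiment 2: an attacked non-KEY SERVER sets the field to the sentinel."""
    return build_keepalive(member_id, ATTACK_SENTINEL_PN)


class KeyServer:
    def __init__(self):
        self.an = 0                # AN of the SA currently in use (AN0)
        self.sak = os.urandom(16)  # assumption: random bytes stand in for real SAK generation
        self.distributed = []      # (AN, SAK) pairs announced to the CA members

    def rekey(self) -> int:
        """Generate a new SAK under the next AN and record its announcement."""
        self.an = (self.an + 1) % MAX_SAS  # assumption: wrap to AN0 after AN3
        self.sak = os.urandom(16)
        self.distributed.append((self.an, self.sak))
        return self.an

    def on_local_attack(self) -> int:
        """Embodiment 1: the KEY SERVER itself detects the attack."""
        return self.rekey()

    def on_keepalive(self, frame: bytes):
        """Embodiment 2: rekey only when the parsed PN equals the sentinel."""
        if len(frame) != FRAME.size:
            raise ValueError("malformed keep-alive")
        _member, pn = FRAME.unpack(frame)
        if pn == ATTACK_SENTINEL_PN:
            return self.rekey()
        return None  # ordinary keep-alive: current SAK stays in use
```
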


Abstract

The invention discloses a MACsec (Media Access Control Security) key updating method and equipment, applied to a connectivity association (CA) comprising a plurality of network devices. In the embodiment of the invention, when a network device detects an attack, it either generates and issues a new SAK (Secure Association Key) itself or triggers the network device acting as the key server to generate and issue a new SAK. The SAK currently used by the CA can therefore be replaced promptly when a network device in the CA detects an attack, which improves the timeliness of MACsec key updates and ensures network security to the greatest extent.

Description

Technical field

[0001] The invention relates to the technical field of communication networks, in particular to a MACsec key update method and equipment.

Background technique

[0002] MACsec (Media Access Control Security) technology is used to protect Layer 2 communication security, prevent Layer 2 attacks, and meet the security requirements of data transmission on Ethernet. MACsec defines a security infrastructure that provides data confidentiality and integrity as well as data source verification. By confirming the data source, MACsec can mitigate attacks on Layer 2 protocols.

[0003] A CA (Connectivity Association) is composed of multiple SecYs (MAC Security Entities) that implement MACsec functions, and MKA (MACsec Key Agreement protocol) is responsible for the discovery, authentication, and authorization of SecYs. CA has the same CAK (CA key), and each SecY uses the sam...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L9/08, H04L29/06
Inventor: 彭剑远
Owner: NEW H3C TECH CO LTD