Method and system for achieving communication security protection

A communication-security technology and implementation method, applied to transmission systems and key distribution, that addresses the lack of end-to-end security protection and the lack of IP data flow visibility in existing IPsec deployments, with the effect of ensuring confidentiality.

Inactive Publication Date: 2013-08-21
ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER COMPANY

AI Technical Summary

Problems solved by technology

[0011] To sum up, the existing IPsec deployment methods each have shortcomings: the host-host mode provides end-to-end protection but lacks IP traffic visibility, while the gateway-gateway and remote-access modes provide IP traffic visibility but lack end-to-end security protection.



Examples


Embodiment 1

[0095] Figure 4 shows the process of establishing an IKE SA between the initiator host 101 and the gateway 102. As shown in Figure 4, the process is as follows:

[0096] In step 11, the initiator host 101 sends an IKE_SA_INIT request to the gateway 102.

[0097] In step 12, the gateway 102 sends an IKE_SA_INIT response to the initiator host 101.

[0098] In step 13, the initiator host 101 sends an IKE_SA_AUTH request to the gateway 102 that includes an end-to-end security protection and visibility support payload and a security association payload. The end-to-end security protection and visibility support payload indicates that the sender has end-to-end security protection and visibility support capabilities; the security association payload indicates to the gateway the set of security protocols and cryptographic algorithms the sender supports.

[0099] In step...

Embodiment 2

[0101] If, in the host-gateway-gateway-host mode, the peer gateway is to establish an IPsec SA for the peer host but the IKE SA with the peer host has not yet been established, the IKE SA must be established first. Figure 5 describes the process of establishing the IKE SA between the peer gateway and the peer host. As shown in Figure 5, the process is as follows:

[0102] In steps 21 and 22, both parties send IKE_SA_INIT request and response messages.

[0103] In step 23, the peer gateway 108 sends an IKE_SA_AUTH request to the peer host 109, and adds an end-to-end security protection and visibility support payload to the message, indicating that its own side has end-to-end security protection and visibility support capabilities.

[0104] In step 24, the peer host 109 sends an IKE_SA_AUTH response to the peer gateway 108 that includes an end-to-end security protection and visibility support payload and a security association payload.

[0105] In the remote host-...

Embodiment 3

[0107] This embodiment provides a process for establishing, updating and deleting an IPsec SA in the host-gateway-gateway-host mode. It is assumed that the IKE SAs between the host 101 and the gateway 102, between the gateway 102 and the peer gateway 108, and between the peer gateway 108 and the peer host 109 have already been established. As shown in Figure 6, the process is as follows:

[0108] In step 201, the initiator host 101 sends an IPsec SA establishment request.

[0109] In step 202, the gateway 102 sends a CREATE_CHILD_SA request to the peer gateway 108.

[0110] In steps 203 and 204, the peer gateway 108 performs a liveness check on the peer host 109. If no IKE SA has been established between the peer gateway 108 and the peer host 109, steps 21-24 of Figure 5 take the place of steps 203 and 204.

[0111] In step 205, the peer gateway 108 sends a CREATE_CHILD_SA response to the gateway 102.

[0112] In step 206 and step 206A, the gateway 102 and ...
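The three embodiments above describe one combined flow: a host-gateway IKE SA (steps 11-14), a peer gateway-peer host IKE SA that may have to be set up on demand (steps 21-24), and a CREATE_CHILD_SA exchange between the gateways that produces an IPsec SA the two hosts share while the gateways retain visibility (steps 201-206). The following Python model is an added example, not code from the patent or its owner. It follows the step order of the text; the message dictionaries, the payload name `E2E_VIS`, the proposal strings, the liveness flag and the way the gateways generate and distribute SA material are assumptions, since the patent names the payloads but gives no wire format. The HMAC tag stands in for ESP integrity protection only to show that every node holding the SA, and no other node, can check the traffic.

```python
"""Constructed model of the IKE / IPsec SA flow in Embodiments 1 to 3 (added example, not the
patent's code). Step order follows the text; the message dicts, the payload name E2E_VIS, the
proposal strings and how the gateways generate and hand out SA material are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

E2E_VIS = "E2E_SEC_VIS_SUPPORT"  # assumed name for the end-to-end protection and visibility payload


@dataclass(frozen=True)
class IpsecSA:
    spi: int        # constructed: chosen by the gateway that creates the SA
    proposal: str   # constructed proposal string, e.g. "ESP/AES-GCM-256"
    key: bytes      # one key, held by both hosts and both gateways


class Node:
    def __init__(self, name, proposals, supports_e2e_vis=True):
        self.name, self.proposals, self.supports_e2e_vis = name, list(proposals), supports_e2e_vis
        self.ike_sas = {}    # peer name -> proposal chosen in IKE_SA_AUTH
        self.ipsec_sas = {}  # spi -> IpsecSA
        self.alive = True    # assumed flag consulted by the liveness check in step 203


def select_proposal(offered, supported):
    """First proposal offered by the initiator that the responder also supports."""
    for p in offered:
        if p in supported:
            return p
    raise ValueError("NO_PROPOSAL_CHOSEN")


def establish_ike_sa(initiator, responder):
    """Steps 11-14 (host 101 / gateway 102) and 21-24 (peer gateway 108 / peer host 109).
    Returns the IKE_SA_AUTH response; e2e_vis is True only when both sides carried E2E_VIS."""
    # Steps 11/12 or 21/22: IKE_SA_INIT request and response (DH and nonces omitted here).
    # Steps 13/23: IKE_SA_AUTH request carrying the SA payload and the capability payload.
    auth_req = {"exchange": "IKE_SA_AUTH", "SA": initiator.proposals, E2E_VIS: initiator.supports_e2e_vis}
    # Steps 14/24: IKE_SA_AUTH response with the chosen proposal and the responder's capability.
    chosen = select_proposal(auth_req["SA"], responder.proposals)
    initiator.ike_sas[responder.name] = responder.ike_sas[initiator.name] = chosen
    return {"exchange": "IKE_SA_AUTH", "SA": chosen, E2E_VIS: responder.supports_e2e_vis,
            "e2e_vis": auth_req[E2E_VIS] and responder.supports_e2e_vis}


def establish_e2e_child_sa(host_a, gw_a, gw_b, host_b):
    """Steps 201-206: IPsec SA between host_a and host_b, created by the gateways. Both gateways
    keep a copy of the SA they hand out: that copy is what gives them visibility into the flow."""
    # Step 201: host_a asks gw_a for an IPsec SA to host_b over its existing IKE SA.
    if gw_a.name not in host_a.ike_sas:
        raise RuntimeError(f"{host_a.name} has no IKE SA with {gw_a.name}")
    # Step 202: gw_a forwards host_a's proposals to gw_b in a CREATE_CHILD_SA request.
    child_req = {"exchange": "CREATE_CHILD_SA", "for": host_b.name, "SA": host_a.proposals}
    # Steps 203/204: gw_b checks host_b is alive; if no IKE SA with host_b exists yet,
    # steps 21-24 replace the check (Embodiment 2 running inside Embodiment 3).
    if not host_b.alive:
        raise RuntimeError(f"{host_b.name} is unreachable")
    if host_b.name not in gw_b.ike_sas and not establish_ike_sa(gw_b, host_b)["e2e_vis"]:
        raise RuntimeError(f"{host_b.name} lacks end-to-end protection with visibility support")
    # Step 205: gw_b answers CREATE_CHILD_SA with the proposal host_b accepts.
    chosen = select_proposal(child_req["SA"], host_b.proposals)
    # Steps 206/206A: the gateways generate the SA (constructed: random SPI, 256-bit key) and
    # deliver it to their hosts, each gateway keeping its own copy.
    sa = IpsecSA(int.from_bytes(os.urandom(4), "big") | 0x100, chosen, os.urandom(32))
    for node in (host_a, gw_a, gw_b, host_b):
        node.ipsec_sas[sa.spi] = sa
    return sa


def _tag(sa, spi, payload):
    # Stand-in for ESP integrity protection: HMAC-SHA256 over SPI and payload. Real ESP uses the
    # negotiated cipher; only the shared-key point matters here.
    return hmac.new(sa.key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def protect(sender, spi, payload):
    return spi, payload, _tag(sender.ipsec_sas[spi], spi, payload)


def can_inspect(node, spi, payload, tag):
    """True when the node holds the SA and the tag verifies; without the SA nothing can be checked."""
    sa = node.ipsec_sas.get(spi)
    return sa is not None and hmac.compare_digest(_tag(sa, spi, payload), tag)


def demo():
    algs = ["ESP/AES-GCM-256", "ESP/AES-CBC-128+HMAC-SHA256"]
    host101, gw102, gw108 = Node("host101", algs), Node("gw102", algs), Node("gw108", algs)
    host109 = Node("host109", algs[1:])  # supports only the second proposal
    outsider = Node("outsider", [])      # not on the path: holds no SA
    establish_ike_sa(host101, gw102)     # Embodiment 1
    establish_ike_sa(gw102, gw108)       # gateway-gateway IKE SA, assumed pre-established in Embodiment 3
    # The gw108/host109 IKE SA is deliberately missing so the step-203 fallback (Embodiment 2) runs.
    sa = establish_e2e_child_sa(host101, gw102, gw108, host109)
    spi, payload, tag = protect(host101, sa.spi, b"constructed application data")
    return {"proposal": sa.proposal,
            "gw108_has_ike_sa_with_host109": "host109" in gw108.ike_sas,
            "gateways_can_inspect": can_inspect(gw102, spi, payload, tag) and can_inspect(gw108, spi, payload, tag),
            "peer_host_can_verify": can_inspect(host109, spi, payload, tag),
            "outsider_can_inspect": can_inspect(outsider, spi, payload, tag),
            "sa_holders": sorted(n.name for n in (host101, gw102, gw108, host109, outsider) if spi in n.ipsec_sas)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` negotiates the narrower proposal of host 109, establishes the missing peer IKE SA from inside step 203, and ends with exactly four SA holders: both hosts (end-to-end protection) and both gateways (visibility), while a node off the path cannot verify the traffic. The check on `e2e_vis` after the on-demand IKE SA is the defender-relevant detail: a peer that never signalled the capability payload must not be handed an SA whose keys the gateways also hold.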


Abstract

The invention discloses a method and system for achieving communication security protection. IKE security association (SA) is constructed between a first host computer and a first gateway and between a second host computer and a second gateway respectively, wherein the first gateway and the second gateway are two independent gateways or the same gateway, IPsec SA is constructed between the first host computer and the second host computer, and related information of the IPsec SA between the first host computer and the second host computer is generated by the gateways or is derived through key agreement of the gateway and the gateway or is derived through key agreement of the gateway and the host computer. According to the method and system for achieving the communication security protection, terminal-to-terminal protection is provided, confidentiality and integrity of the communication between the host computers are guaranteed, and visibility of the gateways to IP data flows is achieved.

Description

Technical field

[0001] The present invention relates to the technical field of communication security, and in particular to a method and system for realizing communication security protection.

Background technique

[0002] IP Security (Internet Protocol Security, IPsec) provides confidentiality, data integrity, access control and data-origin authentication services for IP datagrams. These services are realized through IPsec security associations (Security Association, SA). An IPsec SA defines how IP traffic is protected at the sending and receiving ends of an IP datagram, including the communication security protocol, the cryptographic algorithms and the keys they use, and any other information needed to provide the security services.

[0003] Because manually establishing an IPsec SA scales poorly, a protocol is needed to establish IPsec SAs dynamically. This protocol is called the Internet Key Exchange pr...


Application Information

IPC IPC(8): H04L29/06H04L9/08
Inventor 张瑞山谢振华
Owner ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER COMPANY