Search

CN-121984725-A - Secure communication method, system, client and server of world integration network

CN121984725ACN 121984725 ACN121984725 ACN 121984725ACN-121984725-A

Abstract

The invention discloses a secure communication method, a system, a client and a server of an heaven and earth integrated network, wherein the communication method is characterized in that authentication information comprising a client identity mark and a timestamp is generated at the client, encryption processing is carried out on the authentication information by utilizing a pre-shared secret key, a message authentication code is generated based on encrypted data, a TCP synchronous message is constructed, the encrypted authentication information and the message authentication code are packaged in an option field of the TCP synchronous message, the TCP synchronous message is sent to a server to request to establish TCP connection, after a confirmation response of the server for the TCP synchronous message is received, the completion of TCP connection establishment is confirmed, and a transmission layer security protocol TLS handshake request is initiated to the server on the established TCP connection to establish an encrypted communication tunnel. The method realizes high-efficiency pre-authentication through the option field of the TCP synchronous message in the world integrated network, and establishes an end-to-end secure communication tunnel by using the TLS protocol after the authentication is passed.

Inventors

  • GU YUE
  • HAO LIYUAN
  • QIAO HAIBIN

Assignees

  • 中国移动通信集团辽宁有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
20260505
Application Date
20260114

Claims (14)

  1. 1. A secure communication method of an heaven-earth integrated network, applied to a client, comprising: generating authentication information comprising a client identity and a timestamp, encrypting the authentication information by using a pre-shared key, and generating a message authentication code based on the encrypted data; constructing a TCP synchronous message, and packaging the encrypted authentication information and the message authentication code in an option field of the TCP synchronous message; sending the TCP synchronous message to a server to request to establish TCP connection; after receiving the confirmation response of the server side to the TCP synchronous message, confirming that the TCP connection establishment is completed; and initiating a transport layer security protocol (TLS) handshake request to the server on the established TCP connection to establish an encrypted communication tunnel.
  2. 2. The secure communication method of claim 1, wherein the method of generating the message authentication code comprises: generating an initialization vector; splicing the client identity and the timestamp into plaintext data; encrypting the plaintext data by using the pre-shared secret key and the initialization vector and adopting a cha20 stream encryption algorithm to obtain an encrypted data block; and combining the initialization vector with the encrypted data block, calculating the combined data by using the pre-shared secret key and adopting an HMAC-SHA256 algorithm, and intercepting a preset length from a calculation result as the message authentication code.
  3. 3. The method of claim 2, wherein the method of encapsulating the encrypted authentication information and the message authentication code in the option field of the TCP synchronous message comprises: Sequentially encapsulating an option type, an option length, the initialization vector, the encrypted data block and the message authentication code in an option field of the TCP synchronous message; wherein the option type is a predefined private value, the length of the encrypted data block is 8 bytes, and the length of the message authentication code is 10 bytes.
  4. 4. The secure communication method according to claim 1, further comprising, before sending the TCP synchronization packet to a server: Constructing an authentication request packet in UDP format, wherein the authentication request packet comprises an encrypted client identifier and a current time stamp; and sending the authentication request packet to a predefined UDP port of the server to inform the server of the connection request to be initiated.
  5. 5. The method of claim 1, wherein the method of initiating a transport layer security protocol TLS handshake request to a server over an established TCP connection comprises: Sending a TLS client hello message to a server, wherein the message comprises a supported TLS version, a password suite and a random number; receiving a TLS server hello message returned by the server and a server digital certificate; verifying the validity of the digital certificate of the server by using a local trusted root certificate library; After the verification is passed, negotiating with a server to generate a session key, and establishing the encrypted communication tunnel by using the session key; and when receiving a client certificate request sent by the server, sending a client digital certificate to the server for bidirectional identity authentication by the server.
  6. 6. The safety communication method of the heaven-earth integrated network is applied to a server and is characterized by comprising the following steps: receiving a TCP synchronous message sent by a client, and analyzing an option field of the TCP synchronous message to obtain authentication information, wherein the authentication information comprises encrypted data and a message authentication code; verifying the consistency of the message authentication code, decrypting the encrypted data to obtain a client identity and a time stamp, and verifying the validity of the client identity and the validity of the time stamp; If the verification is passed, sending a confirmation response to the client to allow the establishment of TCP connection, and if the verification is not passed, discarding the TCP synchronous message; and receiving a transport layer security protocol (TLS) handshake request initiated by the client on the established TCP connection, and responding to establish an encrypted communication tunnel with the client.
  7. 7. The secure communication method of claim 6, wherein the method of verifying the authentication information using a pre-shared key comprises: extracting an initialization vector, an encrypted data block and a message authentication code in the TCP synchronous message option field; Calculating the combined data of the initialization vector and the encrypted data block by using the pre-shared secret key through an HMAC-SHA256 algorithm, and intercepting a preset length from a calculation result and comparing the intercepted preset length with the extracted message authentication code; And if the comparison is consistent, decrypting the encrypted data block by using the pre-shared secret key and the initialization vector and adopting a cha20 stream encryption algorithm to obtain plaintext data containing the client identity and the timestamp.
  8. 8. The secure communication method of claim 7, wherein the method of parsing the option field of the TCP sync message comprises: Identifying whether the option type in the option field is a predefined private value; if yes, sequentially reading the option length, the 16 bytes of initialization vector, the 8 bytes of encrypted data block and the 10 bytes of message authentication code according to a preset byte structure.
  9. 9. The secure communication method of claim 6, further comprising, prior to receiving the TCP synchronization message sent by the client: Monitoring and receiving an authentication request packet sent by a client at a predefined UDP port; Verifying the validity of the authentication request packet; If the verification is passed, the identification or the source IP address of the client is recorded, and a temporary permission rule is set in the firewall so as to allow the TCP synchronous message from the client to pass within a preset time window.
  10. 10. The method of claim 6, wherein the method of receiving and responding to a client initiated transport layer security protocol TLS handshake request over an established TCP connection comprises: receiving a TLS client hello message sent by a client; Sending a TLS server hello message to the client and sending a server digital certificate containing a server public key; If the two-way authentication is configured, a certificate request message is sent to the client, and a client digital certificate sent by the client is received and verified; negotiating with the client to generate a session key for encrypted transmission of subsequent communication data.
  11. 11. A client, characterized in that it operates based on the secure communication method according to any of claims 1 to 5.
  12. 12. A service end, characterized in that it operates on the basis of the secure communication method according to any one of claims 6 to 10.
  13. 13. A secure communication system, comprising: One or more processors; A memory; And one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the secure communication method of any of claims 1-5 or 6-10.
  14. 14. A computer readable storage medium comprising a computer program executable by a processor to perform the secure communication method of any of claims 1 to 5 or 6 to 10.

Description

Secure communication method, system, client and server of world integration network Technical Field The present invention relates to the field of mobile communications security technologies, and in particular, to a secure communication method, system, client and server for an heaven-earth integrated network. Background The space-earth integrated network constructs a multi-dimensional three-dimensional communication architecture by integrating a satellite communication system and a ground network infrastructure, and has important significance for realizing communication services with global seamless coverage. However, such networks face serious and unique network security challenges due to their inherent link openness (e.g., broadcasting characteristics of satellite downlink are prone to eavesdropping), network topology dynamic variability, on-board node resource limitations, and the centralization of critical infrastructure of ground stations. In an integrated network, in order to optimize transmission performance under the characteristics of long delay and high error code of a satellite link, a TCP performance enhancement proxy (TCP PEP) mechanism is generally introduced. However, TCP PEP often conflicts with traditional end-to-end security protocols (such as IPSec) by splitting the operation of the TCP connection. For example, the IPSec tunnel mode can hide the transmission layer information, so that the PEP is invalid, and if the IPSec is abandoned for the PEP compatibility, the key information such as the session identifier and the like can be exposed in a plaintext form, thereby increasing the risk of attacks such as session hijacking and the like. In addition, if the service ports of key nodes such as ground stations, gateway stations and the like are continuously exposed in the public network, the service ports are very easy to be network scanning and attack break. To address the port exposure problem, single packet grant (SPA) techniques are often employed in the prior art. Standard SPA technology achieves service hiding and initial access control by a client sending an encrypted and authenticated single data packet ("knock-out packet") before connection, requesting the server to dynamically open a specific port. However, standard SPA relies primarily on the request source IP address to associate a "knock packet" with a subsequent connection request (e.g., TCP-SYN packet). In an integrated world-wide network, there is a ubiquitous Network Address Translation (NAT) scenario (e.g., multiple users share a public network IP access satellite network through the same ground station), which can lead to a serious "knock-out magnification hole," i.e., after a legitimate user is successfully authenticated, other unauthorized users under the same NAT exit may also use the IP to access an opened service. Furthermore, relying on only IP addresses also makes it vulnerable to IP spoofing attacks. On the other hand, although transport layer security protocols (TLS) can provide strong end-to-end communication encryption, TLS is typically applied over an established TCP connection, which means that the service port itself still needs to be continuously listening and open, and port scanning, probing attacks against service vulnerabilities, and denial of service (DoS) attacks cannot be avoided. Meanwhile, the metadata of the connection may be listened to before the TLS handshake is completed. For long-delay satellite links in an heaven-earth integrated network, significant delay may be introduced by multiple round trips of the TLS handshake process, and if a large number of illegal or unauthorized requests cannot be effectively filtered out by a lightweight mechanism before handshake, the system efficiency will be seriously affected. In summary, there is currently a lack of a comprehensive secure communication scheme that can tightly integrate the service hiding and pre-authentication advantages of SPA and the communication encryption advantages of TLS, and can effectively solve authentication loopholes in NAT environments, be compatible with TCP PEP mechanisms, and be suitable for unique challenges of the world-wide integrated network. Disclosure of Invention The invention aims to provide a safety communication method, a system, a client and a server of an heaven-earth integrated network, which can realize service hiding, pre-authentication and whole-course communication encryption, for solving the technical problems. In order to achieve the above object, the present invention provides a secure communication method of an heaven-earth integrated network, which is applied to a client, and includes: generating authentication information comprising a client identity and a timestamp, encrypting the authentication information by using a pre-shared key, and generating a message authentication code based on the encrypted data; constructing a TCP synchronous message, and packaging the encrypted authentication information and t