
US-12621276-B2 - Secure channel sleep wake-up method, apparatus and device


Abstract

Embodiments of the present disclosure provide a secure channel sleep wake-up method, apparatus and device. The method comprises: when a node 1 is awakened from a sleep state, obtaining stored IP communication information for communicating with a node 2, performing message encapsulation by using the IP communication information to obtain a first message, and sending the first message to the node 2; the node 2 obtaining the IP communication information and a key updating request message from the first message, and generating a second key according to information comprising a basic key corresponding to a basic key identifier in the key updating request message and a first random number generated by the node 1, in combination with a second random number self-generated by the node 2; the node 1 obtaining the IP communication information and a key updating response message, and generating the second key and the second random number.

Inventors

  • Jinfa GUO
  • Ming Du
  • Jun Cao

Assignees

  • CHINA IWNCOMM CO., LTD.

Dates

Publication Date: 2026-05-05
Application Date: 2022-12-22
Priority Date: 2022-01-05

Claims (20)

  1. A secure channel sleep wake-up method, comprising: in response to a node 1 waking up from a sleep state, obtaining, by the node 1, stored IP communication information for communicating with a node 2, wherein the IP communication information comprises at least one of an IP address, a communication port number, or a session identifier; using, by the node 1, the IP communication information to perform message encapsulation to obtain a first message and sending the first message to the node 2, wherein the first message comprises a key update request message subject to protection processing by using a first key shared with the node 2, and the key update request message comprises a basic key identifier and a first random number generated by the node 1; receiving, by the node 2, the first message, obtaining the IP communication information from the first message, using the first key to perform de-protection processing to obtain the key update request message, and calculating and generating a second key based on information comprising a basic key corresponding to the basic key identifier and the first random number in the key update request message, and a second random number generated by the node 2; using, by the node 2, the IP communication information to perform message encapsulation to obtain a second message and sending the second message to the node 1, wherein the second message comprises a key update response message subject to protection processing by using the first key, and the key update response message comprises the second random number; receiving, by the node 1, the second message, obtaining the IP communication information from the second message, and using the first key to perform de-protection processing to obtain the key update response message, calculating and generating the second key based on information comprising the basic key corresponding to the basic key identifier and the second random number, and the first random number generated by the node 1; and using, by the node 1 and the node 2, the IP communication information and the second key to perform message encapsulation and protection transmission.
  2. The method according to claim 1, wherein in response to the node 1 waking up from the sleep state, the obtaining the stored IP communication information for communicating with the node 2 comprises: in response to the IP communication information of the node 1 not changing when the node 1 wakes up, obtaining, by the node 1, the IP communication information stored before entering the sleep state; in response to the IP communication information of the node 1 changing when the node 1 wakes up, storing immediately and obtaining, by the node 1, the changed IP communication information.
  3. The method according to claim 1, wherein after receiving, by the node 2, the first message, the method further comprises: in response to the node 2 detecting that locally stored IP communication information of the node 1 is different from the IP communication information of the node 1 in the first message, re-determining, by the node 2, the IP communication information of the node 1 and generating an address update notification message, wherein the address update notification message is used to indicate the re-determined IP communication information of the node 1; the using, by the node 2, the IP communication information to perform message encapsulation to obtain the second message and sending the second message to the node 1 further comprises: performing, by the node 2, protection processing on the address update notification message by using the first key, carrying the address update notification message after the protection processing in the second message, and sending the address update notification message in the second message to the node 1.
  4. The method according to claim 3, wherein after receiving, by the node 1, the second message, the method further comprises: using, by the node 1, the first key to perform de-protection processing to obtain the address update notification message, and determining valid IP communication information of the node 1 according to the address update notification message; using, by the node 1, the IP communication information obtained from the second message to perform message encapsulation to obtain a third message and sending the third message to the node 2, wherein the third message comprises an address update response message subject to protection processing by using the first key, and the address update response message is used to indicate the valid IP communication information of the node 1; receiving, by the node 2, the third message, using the first key to perform de-protection processing to obtain the address update response message, and determining the valid IP communication information of the node 1 according to the address update response message; and updating, by the node 2, the locally stored IP communication information of the node 1 to the valid IP communication information of the node 1.
  5. The method according to claim 3, wherein the re-determining, by the node 2, the IP communication information of the node 1 comprises: determining, by the node 2, that the locally stored IP communication information of the node 1 is a first IP communication information, and determining that the IP communication information of the node 1 in the first message is a second IP communication information; the generating, by the node 2, the address update notification message, performing protection processing on the address update notification message by using the first key, carrying the address update notification message after the protection processing in the second message, and sending the address update notification message in the second message to the node 1 comprises: generating, by the node 2, a first address update notification message for indicating the first IP communication information, and generating a second address update notification message for indicating the second IP communication information; performing, by the node 2, protection processing on the first address update notification message by using the first key, carrying the first address update notification message after the protection processing in the second message, and sending the first address update notification message in the second message to a node corresponding to the first IP communication information; and performing, by the node 2, protection processing on the second address update notification message by using the first key, carrying the second address update notification message after the protection processing in the second message, and sending the second address update notification message in the second message to a node corresponding to the second IP communication information.
  6. The method according to claim 1, wherein the key update response message further comprises a first random number obtained by the node 2 from the key update request message; after obtaining the key update response message by the node 1, checking, by the node 1, whether the first random number in the key update response message is the same as the first random number generated by the node 1; if not, discarding the key update response message.
  7. The method according to claim 1, wherein the key update request message further comprises identity information of the node 1, and the key update response message further comprises identity information of the node 2; after using, by the node 2, the first key to perform de-protection processing to obtain the key update request message, the method further comprises: using, by the node 2, the identity information of the node 1 in the key update request message to determine whether the node 1 is a legitimate node; after using, by the node 1, the first key to perform de-protection processing to obtain the key update response message, the method further comprises: using, by the node 1, the identity information of the node 2 in the key update response message to determine whether the node 2 is a legitimate node.
  8. The method according to claim 7, wherein the calculating and generating the second key by the node 2 based on the information comprising the basic key corresponding to the basic key identifier and the first random number in the key update request message, and the second random number generated by the node 2, comprises: calculating and generating, by the node 2, the second key based on information comprising the basic key corresponding to the basic key identifier, the first random number, and the identity information of the node 1 in the key update request message, and the second random number generated by the node 2, the identity information of the node 2 and a constant character string; the calculating and generating, by the node 1, the second key based on the information comprising the basic key corresponding to the basic key identifier and the second random number, and the first random number generated by the node 1, comprises: calculating and generating, by the node 1, the second key based on information comprising the basic key corresponding to the basic key identifier, the second random number and the identity information of the node 2, and the first random number generated by the node 1, the identity information of the node 1 and the constant character string; wherein the constant character string is an optional field pre-shared between the node 1 and the node 2.
  9. A secure channel sleep wake-up apparatus, configured on a node 1, comprising at least one processor and a memory, wherein the at least one processor is configured to execute instructions stored in the memory to: obtain stored IP communication information for communicating with a node 2 in response to the node 1 waking up from a sleep state, wherein the IP communication information comprises at least one of an IP address, a communication port number, or a session identifier; use the IP communication information to perform message encapsulation to obtain a first message and send the first message to the node 2, wherein the first message comprises a key update request message subject to protection processing by using a first key shared with the node 2, and the key update request message comprises a basic key identifier and a first random number generated by the node 1; receive a second message sent by the node 2, obtain the IP communication information from the second message, and use the first key to perform de-protection processing to obtain a key update response message, wherein the key update response message comprises a second random number generated by the node 2; calculate and generate a second key based on information comprising a basic key corresponding to the basic key identifier and the second random number, and the first random number generated by the node 1; and perform message encapsulation and protection transmission with the node 2 by using the IP communication information and the second key.
  10. The apparatus according to claim 9, wherein the at least one processor is further configured to execute instructions stored in the memory to: in response to the IP communication information of the node 1 not changing when the node 1 wakes up, obtain the IP communication information stored before entering the sleep state; in response to the IP communication information of the node 1 changing when the node 1 wakes up, store immediately and obtain the changed IP communication information.
  11. The apparatus according to claim 9, wherein the second message further comprises an address update notification message subject to protection processing by the node 2 using the first key, and the address update notification message is used to indicate re-determined IP communication information of the node 1; wherein, after receiving the second message, the at least one processor is further configured to execute instructions stored in the memory to use the first key to perform de-protection processing to obtain the address update notification message, and determine valid IP communication information of the node 1 according to the address update notification message; wherein the at least one processor is further configured to execute instructions stored in the memory to: use the IP communication information obtained from the second message to perform message encapsulation to obtain a third message and send the third message to the node 2, wherein the third message comprises an address update response message subject to protection processing by using the first key, and the address update response message is used to indicate the valid IP communication information of the node 1.
  12. The apparatus according to claim 9, wherein the key update response message further comprises a first random number obtained by the node 2 from the key update request message; after obtaining the key update response message, the at least one processor is further configured to execute instructions stored in the memory to check whether the first random number in the key update response message is the same as the first random number generated by the node 1; if not, discard the key update response message.
  13. The apparatus according to claim 9, wherein the key update request message further comprises identity information of the node 1, and the key update response message further comprises identity information of the node 2; wherein the at least one processor is further configured to execute instructions stored in the memory to use the identity information of the node 2 in the key update response message to determine whether the node 2 is a legitimate node.
  14. The apparatus according to claim 13, wherein the at least one processor is further configured to execute instructions stored in the memory to: calculate and generate the second key based on information comprising a basic key corresponding to the basic key identifier, the second random number and the identity information of the node 2, and the first random number generated by the node 1, the identity information of the node 1 and a constant character string; wherein the constant character string is an optional field pre-shared between the node 1 and the node 2.
  15. A secure channel sleep wake-up apparatus, configured on a node 2, comprising at least one processor and a memory, wherein the at least one processor is configured to execute instructions stored in the memory to: receive a first message sent by a node 1, obtain IP communication information from the first message, and use a first key shared with the node 1 to perform de-protection processing to obtain a key update request message, wherein the key update request message comprises a basic key identifier and a first random number generated by the node 1; wherein the first message comprises the key update request message subject to protection processing by the node 1 using the first key shared with the node 2; the IP communication information comprises at least one of an IP address, a communication port number or a session identifier; calculate and generate a second key based on information comprising a basic key corresponding to the basic key identifier and the first random number, and a second random number generated by the node 2; use the IP communication information to perform message encapsulation to obtain a second message and send the second message to the node 1, wherein the second message comprises a key update response message subject to protection processing by using the first key, and the key update response message comprises the second random number; and perform message encapsulation and protection transmission with the node 1 by using the IP communication information and the second key.
  16. The apparatus according to claim 15, wherein the at least one processor is further configured to execute instructions stored in the memory to, in response to detecting that locally stored IP communication information of the node 1 is different from the IP communication information of the node 1 in the first message, re-determine the IP communication information of the node 1 and generate an address update notification message, and the address update notification message is used to indicate the re-determined IP communication information of the node 1; wherein the at least one processor is further configured to execute instructions stored in the memory to use the first key to perform protection processing on the address update notification message, carry the address update notification message after the protection processing in the second message, and send the address update notification message in the second message to the node 1; wherein the at least one processor is further configured to execute instructions stored in the memory to: receive a third message sent by the node 1, use the first key to perform de-protection processing on the third message to obtain an address update response message, determine valid IP communication information of the node 1 based on the address update response message, and update the locally stored IP communication information of the node 1 to the valid IP communication information of the node 1.
  17. The apparatus according to claim 16, wherein the at least one processor is further configured to execute instructions stored in the memory to: determine that the locally stored IP communication information of the node 1 is a first IP communication information, and determine that the IP communication information of the node 1 in the first message is a second IP communication information; generate a first address update notification message for indicating the first IP communication information, and generate a second address update notification message for indicating the second IP communication information; wherein the at least one processor is further configured to execute instructions stored in the memory to: use the first key to perform protection processing on the first address update notification message, carry the first address update notification message after the protection processing in the second message, and send the first address update notification message in the second message to a node corresponding to the first IP communication information; and use the first key to perform protection processing on the second address update notification message, carry the second address update notification message after the protection processing in the second message, and send the second address update notification message in the second message to a node corresponding to the second IP communication information.
  18. The apparatus according to claim 15, wherein the key update response message further comprises a first random number from the key update request message.
  19. The apparatus according to claim 15, wherein the key update request message further comprises identity information of the node 1, and the key update response message further comprises identity information of the node 2; wherein the at least one processor is further configured to execute instructions stored in the memory to use the identity information of the node 1 in the key update request message to determine whether the node 1 is a legitimate node.
  20. The apparatus according to claim 19, wherein the at least one processor is further configured to execute instructions stored in the memory to: calculate and generate the second key based on information comprising the basic key corresponding to the basic key identifier, the first random number and the identity information of the node 1, and the second random number generated by the node 2, the identity information of the node 2 and a constant character string; wherein the constant character string is an optional field pre-shared between the node 1 and the node 2.
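The exchange of claims 1 to 8, as an added simulation that is not code from the patent or the assignee: node 1 wakes, sends a key update request (basic key identifier, first random number, identity) protected under the first key; node 2 checks legitimacy, derives the second key, echoes the first random number, flags a changed address, and node 1 discards a response whose echoed random number does not match. The protection primitive (HMAC-SHA256), the KDF input ordering, the JSON message encoding, and every key, identity and address value are assumptions or constructed values; the patent specifies none of them.

```python
import hashlib
import hmac
import json
import os

# "Protection processing" is unspecified in the patent; here it is an
# HMAC-SHA256 tag over the JSON-serialized payload (assumption).
def protect(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def deprotect(key, blob):
    # Returns the payload, or None when the tag does not verify.
    body = bytes.fromhex(blob["body"])
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, blob["tag"]) else None

def derive_second_key(basic_key, n1, id1, n2, id2, const=b"SLEEP-WAKE"):
    # Inputs listed in claim 8; a fixed initiator-first ordering makes both
    # nodes reach the same key (ordering and HMAC use are assumptions).
    info = b"|".join([n1, id1.encode(), n2, id2.encode(), const])
    return hmac.new(basic_key, info, hashlib.sha256).digest()

def encapsulate(ip_info, protected):
    # IP communication information travels in the clear part of the message.
    return {"ip": dict(ip_info), "protected": protected}

class Node1:
    def __init__(self, ident, first_key, basic_key, kid, peer_ids, ip_info):
        self.id, self.first_key, self.basic_key, self.kid = ident, first_key, basic_key, kid
        self.peer_ids, self.ip_info, self.n1, self.second_key = peer_ids, ip_info, None, None

    def wake_up(self, current_ip):
        if current_ip != self.ip_info:  # claim 2: store changed info immediately
            self.ip_info = dict(current_ip)
        self.n1 = os.urandom(16)        # first random number
        req = {"kid": self.kid, "n1": self.n1.hex(), "id": self.id}
        return encapsulate(self.ip_info, protect(self.first_key, req))

    def handle_response(self, msg):
        resp = deprotect(self.first_key, msg["protected"])
        if resp is None or resp["id"] not in self.peer_ids:  # claim 7: legitimacy
            return None
        if bytes.fromhex(resp["n1"]) != self.n1:              # claim 6: discard
            return None
        self.second_key = derive_second_key(self.basic_key, self.n1, self.id,
                                            bytes.fromhex(resp["n2"]), resp["id"])
        if "addr_update" in resp:                              # claim 4: adopt valid IP info
            self.ip_info = dict(resp["addr_update"])
        return self.second_key

class Node2:
    def __init__(self, ident, first_key, basic_keys, peer_ids, stored_peer_ip):
        self.id, self.first_key, self.basic_keys = ident, first_key, basic_keys
        self.peer_ids, self.stored_peer_ip, self.second_key = peer_ids, stored_peer_ip, None

    def handle_request(self, msg):
        req = deprotect(self.first_key, msg["protected"])
        if req is None or req["id"] not in self.peer_ids or req["kid"] not in self.basic_keys:
            return None
        n2 = os.urandom(16)             # second random number
        self.second_key = derive_second_key(self.basic_keys[req["kid"]],
                                            bytes.fromhex(req["n1"]), req["id"], n2, self.id)
        resp = {"n2": n2.hex(), "n1": req["n1"], "id": self.id}  # n1 echoed for claim 6
        if msg["ip"] != self.stored_peer_ip:  # claim 3: notify re-determined IP info
            resp["addr_update"] = dict(msg["ip"])   # (claim 4's confirmation round omitted)
        return encapsulate(msg["ip"], protect(self.first_key, resp))

def run_wake_up(changed_ip=False):
    # Constructed keys, identities and addresses; returns what a checker needs.
    first_key, basic_key = b"\x11" * 32, b"\x22" * 32
    old_ip = {"addr": "192.0.2.10", "port": 4500, "session": 7}
    new_ip = {**old_ip, "addr": "192.0.2.77"} if changed_ip else old_ip
    n1 = Node1("node-1", first_key, basic_key, "bk-01", {"node-2"}, old_ip)
    n2 = Node2("node-2", first_key, {"bk-01": basic_key}, {"node-1"}, old_ip)
    second_msg = n2.handle_request(n1.wake_up(new_ip))
    k1 = n1.handle_response(second_msg)
    # Final step of claim 1: traffic is now protected under the second key.
    data = deprotect(n2.second_key, protect(k1, {"data": "hello"}))
    return k1, n2.second_key, deprotect(first_key, second_msg["protected"]), data
```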

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

The present disclosure is a national phase entry under 35 U.S.C. § 371 of International Application No. PCT/CN2022/141151, filed on Dec. 22, 2022, which claims the priority of the Chinese patent application submitted to the China National Intellectual Property Administration on Jan. 5, 2022, with the application Ser. No. 202210005644.4 and the application name "Secure Channel Sleep Wake-Up Method, Apparatus, and Computer-Readable Storage Medium", the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates to the technical field of network communication, in particular to a secure channel sleep wake-up method, apparatus and device.

BACKGROUND

Tunneling technology is a technology that transmits data between networks by using the infrastructure of the Internet. The data transmitted through the tunnel can be data frames or packets of different protocols. The tunneling protocol re-encapsulates the data frames or packets of these other protocols in a new header and sends them. During implementation, in order to reduce resource consumption such as power and network bandwidth, or for other reasons, some communication devices will put the tunnel into a sleep state and stop tunnel communication under certain conditions. However, in the related art, if the tunnel sleeps for a long time, the probability of the dormant device being cracked is high. When an illegal device then uses communication parameters obtained by cracking the dormant device to pretend to be a legitimate device and attack the tunnel communication, the other communication devices find it hard to tell the difference, which reduces security.
SUMMARY

Embodiments of the present disclosure provide a secure channel sleep wake-up method, apparatus and device to solve the problem in the related art that tunnel communication security is poor because one of the communication nodes is easily cracked while it sleeps, and also to avoid the complexity and time consumed by renegotiating or reconfiguring communication parameters after waking up.

In a first aspect, an embodiment of the present disclosure provides a secure channel sleep wake-up method, including: in response to a node 1 waking up from a sleep state, obtaining, by the node 1, stored IP communication information for communicating with a node 2, where the IP communication information includes at least one of an IP address, a communication port number, or a session identifier; using, by the node 1, the IP communication information to perform message encapsulation to obtain a first message and sending the first message to the node 2, where the first message includes a key update request message subject to protection processing by using a first key shared with the node 2, and the key update request message includes a basic key identifier and a first random number generated by the node 1; receiving, by the node 2, the first message, obtaining the IP communication information from the first message, using the first key to perform de-protection processing to obtain the key update request message, and calculating and generating a second key based on information including a basic key corresponding to the basic key identifier and the first random number in the key update request message, and a second random number generated by the node 2; using, by the node 2, the IP communication information to perform message encapsulation to obtain a second message and sending the second message to the node 1, where the second message includes a key update response message subject to protection processing by using the first key, and the key update response message includes the second random number; receiving, by the node 1, the second message, obtaining the IP communication information from the second message, and using the first key to perform de-protection processing to obtain the key update response message, calculating and generating the second key based on information including the basic key corresponding to the basic key identifier and the second random number, and the first random number generated by the node 1; and using, by the node 1 and the node 2, the IP communication information and the second key to perform message encapsulation and protection transmission.

Optionally, in response to the node 1 waking up from the sleep state, the obtaining the stored IP communication information for communicating with the node 2 includes: if the IP communication information of the node 1 does not change when the node 1 wakes up, obtaining, by the node 1, the IP communication information stored before entering the sleep state; if the IP communication information of the node 1 changes when the node 1 wakes up, storing immediately and obtaining, by the node 1, the changed IP communication information.

Optionally, after receiving, by the node 2, the first message, the method further includes: in response to the node 2