
CN103701700B - Node discovery method in a kind of communication network and system - Google Patents


Info

Publication number: CN103701700B (also shown as CN 103701700 B; application CN201310723937.7A / CN201310723937A)
Authority: CN (China)
Prior art keywords: node, information, address, hop, request
Legal status: Active (Google Patents notes that the legal status is an assumption, not a legal conclusion)
Application number: CN201310723937.7A
Other languages: Chinese (zh)
Other versions: CN103701700A
Inventors: 李凤华, 李晖, 曹进, 马建峰, 张明星, 耿魁
Current assignee: Xidian University; Institute of Information Engineering of CAS (Google Patents notes that the assignee list may be inaccurate)
Original assignee: Xidian University; Institute of Information Engineering of CAS
Events: application filed by Xidian University and Institute of Information Engineering of CAS; priority to CN201310723937.7A; publication of CN103701700A; application granted; publication of CN103701700B; legal status active; anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a node discovery method and system for a communication network. The method comprises: a source node sends a discovery request message to its next-hop node, the message carrying the source node's address information, the source node's identity information, the destination node's address information and a challenge value generated by the source node; each node that receives the discovery request message returns to the source node the verification information it submits to the source node, judges from the address information in the message whether it is itself the destination node and, if not, forwards the discovery request message to its own next-hop node; once the source node has received the verification information returned by the destination node, it verifies every node on the path using the verification information each node submitted, and if all of them pass verification it determines those nodes to be trusted nodes. The invention can ensure the security and reliability of communication between network devices while reducing communication delay.

Description

A node discovery method and system in a communication network

Technical field

The invention relates to the field of communications, and in particular to a node discovery method and system in a communication network.

Background

The emergence of communication networks lets people communicate faster and exchange information more smoothly. As a principal carrier of information, the communication network has developed at an unprecedented pace; while its foundational and global role grows ever more prominent, it also faces increasingly diverse security threats and an increasingly complex network security environment. The openness, global reach, virtuality, uncertainty of identity, decentralisation and equality of the Internet satisfy certain needs of its users, but these same characteristics also give rise to many security problems. Network security is especially important for high-speed, large-scale, complex multi-hop communication networks.

In the Internet, information travels from one end to the other across many segments of transmission media and devices (routers, switches, servers, gateways and so on). Path selection is one of the factors that must be considered in the design and operation of a communication network: for the network's operation, path selection means finding a route over which information sent from the source reaches the destination at minimum cost. Because communication networks are open, the confidentiality of the information in a packet cannot be effectively guaranteed while it is in transit. Information carried in a packet may be exposed to malicious nodes on the path, which can recover the packet's contents by brute force or use compromised nodes to obtain information from the network. Once they have obtained such topology information, malicious nodes can mount a range of attacks. The sender of information should therefore find a trusted and effective path to the destination, ensuring that every node along the transmission path is trustworthy, so that the information cannot be obtained by illegitimate nodes.

In communication networks, the most commonly used node discovery process today is traceroute. It works by sending probes with increasing TTL (time to live) values: each router the packet passes through decrements its TTL by one, and when the TTL reaches zero the device discards the packet and sends an ICMP (Internet Control Message Protocol) TTL-exceeded message back to the original sender. However, this process does not ensure the authenticity or reliability of the nodes on the path it finds, and every node discovery run has to send many packets repeatedly, which consumes considerable network overhead.

To solve communication and automatic address configuration between nodes on the same link, the IETF (Internet Engineering Task Force) proposed the Neighbor Discovery Protocol (NDP). NDP is a basic component of IPv6, but it has to be built on a trusted network, and in reality a large number of security threats exist. The IETF subsequently proposed the IPsec authentication header and the SEND (Secure Neighbor Discovery) protocol to improve the security of NDP. By adding cryptographically generated addresses, RSA (a public-key algorithm) signatures, timestamp and nonce options, and by introducing a router authentication mechanism, SEND greatly improves the security of the neighbor discovery process, but it still has many security problems, such as being unable to resist forged NDP message attacks. In recent years researchers have also designed a variety of route discovery protocols for ad hoc networks, but because ad hoc networks are local, small and wireless, these protocols are not suited to cross-domain, high-speed, large-scale communication networks.

Summary of the invention

The technical problem addressed by the invention is how to ensure the security and reliability of communication between network devices while reducing communication delay.

To solve the above problem, the invention provides a node discovery method in a communication network, comprising:

S101. The source node sends a discovery request message to its next-hop node; the discovery request message carries the source node's address information, the source node's identity information, the destination node's address information, and a challenge value generated by the source node;

S102. A node that receives the discovery request message returns to the source node the verification information it submits to the source node, comprising: its own address information and digital certificate, and its challenge-response value for the source node; it judges from the address information in the message whether it is itself the destination node, and if not, forwards the discovery request message to its own next-hop node;

S103. After receiving the verification information returned by the destination node, the source node verifies each node using the verification information the nodes submitted; if all of them pass verification, it determines each of those nodes to be a trusted node.

Optionally, a node's challenge-response value for the source node is the result of a logical operation combining the related information between the source node and that node with a signature generated over that related information using the node's private key, where the related information between the source node and that node comprises: the node's identity information, the source node's identity information, and the challenge value generated by the source node;

and the step in which the source node verifies each node using the received verification information comprises:

the source node verifies, for each node, whether the address information and digital certificate in the verification information that node submitted are valid, and verifies with the public key carried in each node's digital certificate whether the signature in the challenge-response value that node generated is valid.

Optionally, the step of forwarding the discovery request message to the node's next-hop node comprises:

saving the address information of the previous-hop node from the discovery request message, then deleting from the discovery request message the additional information of all nodes other than the source node, adding the node's own additional information to the discovery request message, and finally sending it to the node's next-hop node; the additional information comprises: the node's address information, identity information, and a challenge value generated by the node;

and step S102 further comprises:

when the previous-hop node is not the source node, constructing a neighbor discovery response message and sending it to the previous-hop node, carrying the verification information the node submits to the previous-hop node, namely: the node's address information, digital certificate, and its challenge-response value for the previous-hop node; the node's challenge-response value for the previous-hop node is the result of a logical operation combining the related information between the previous-hop node and the node with a signature generated over that related information using the node's private key, where the related information between the previous-hop node and the node comprises: the node's identity information, the previous-hop node's identity information, and the challenge value generated by the previous-hop node.

Optionally, the method further comprises:

the node that receives the neighbor discovery response message verifies whether the next-hop node's address information and digital certificate in it are valid, and verifies with the public key carried in that next-hop node's digital certificate whether the signature in the challenge-response value that next-hop node generated is valid; if all are valid, it saves the next-hop node's address information.

Optionally, step S103 is followed by:

S104. Each intermediate node Ri performs the following steps, an intermediate node being any node other than the destination node that received the discovery request message:

41. Ri takes its own previous-hop node as its upstream request-object node; if it has saved the address information of its next-hop node, it takes that next-hop node as its downstream request-object node; it sets the hop value to 1;

42. Ri sends a node address request message to the upstream request-object node, carrying the hop value, a request for the address information of the upstream request-object node's previous-hop node, Ri's identity information, and a challenge value generated by Ri;

if a downstream request-object node exists, Ri sends a node address request message to the downstream request-object node, carrying the hop value, a request for the address information of the downstream request-object node's next-hop node, Ri's identity information, and a challenge value generated by Ri;

43. When the upstream/downstream request-object node receives the node address request message from Ri asking for its previous/next-hop node's address information, if it holds that address information it constructs a node verification request message and returns it to Ri, carrying its own identity information, digital certificate, a challenge value it generated, and its challenge-response value for Ri;

44. After Ri receives the node verification request message from the upstream/downstream request-object node, if verification passes it sends a node verification response message to that node, carrying Ri's digital certificate and Ri's challenge-response value for that request-object node;

45. After the upstream/downstream request-object node receives the node verification response message, if verification passes it returns the address information of its own previous/next-hop node to Ri;

46. If the received address information does not belong to the target node Ri is looking for, Ri takes the node corresponding to the address information received from the upstream request-object node as its new upstream request-object node and the node corresponding to the address information received from the downstream request-object node as its new downstream request-object node, increments the hop value by 1, and returns to step 42; if the received address information belongs to the target node Ri is looking for, the neighbor node discovery process ends.
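As an added example (not code from the patent or its assignees), the walk of steps 41 to 46 in Python over a five-node path whose previous-hop and next-hop addresses were already learned in S101 to S103. The per-hop mutual authentication of steps 43 to 45 is reduced to a keyed hash checked against a key directory populated at setup; that is an assumption made so the block stays self-contained, where the patent verifies a signature with the public key carried in the peer's digital certificate. Node names and addresses are made up. Each direction stops on its own when its target (the source upstream, the destination downstream) is reached, which is one reading of step 46; a peer that fails authentication ends the walk on that side, so Ri never learns addresses beyond a node it could not authenticate.

```python
# Added example (not the patent's or its assignees' code): the hop-by-hop
# neighbour discovery of step S104 over a path already found by S101-S103.
# Assumption: per-hop mutual authentication is a keyed-hash stand-in checked
# against a registered key directory; the patent verifies a signature with the
# public key from the peer's digital certificate.
import hashlib
import hmac
import secrets

class Node:
    def __init__(self, node_id, addr, prev_addr=None, next_addr=None):
        self.id, self.addr = node_id, addr
        self.prev_addr, self.next_addr = prev_addr, next_addr  # learned during S101-S103
        self.key = secrets.token_bytes(16)  # stand-in for the node's private key
        self.learned = {}                   # addr -> signed hop distance (negative = upstream)

def response(key, own_id, peer_id, challenge):
    """Challenge-response value: keyed hash over (own id, peer id, peer's challenge)."""
    msg = "|".join((own_id, peer_id, challenge)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Network:
    def __init__(self, nodes):
        self.by_addr = {n.addr: n for n in nodes}
        self.directory = {n.id: n.key for n in nodes}  # registered at setup (assumption)

    def authenticated(self, who, resp, peer_id, challenge):
        expected = response(self.directory[who.id], who.id, peer_id, challenge)
        return hmac.compare_digest(resp, expected)

    def address_request(self, ri, obj, direction):
        """Steps 42-45: Ri asks `obj` for obj's previous (-1) or next (+1) hop address."""
        chal_ri = secrets.token_hex(8)                        # 42: request carries Ri's challenge
        wanted = obj.prev_addr if direction < 0 else obj.next_addr
        if wanted is None:
            return None                                       # 43: obj holds no such address
        chal_obj = secrets.token_hex(8)                       # 43: obj's own challenge ...
        resp_obj = response(obj.key, obj.id, ri.id, chal_ri)  # ... and its response to Ri
        if not self.authenticated(obj, resp_obj, ri.id, chal_ri):
            return None                                       # 44: Ri rejects obj
        resp_ri = response(ri.key, ri.id, obj.id, chal_obj)   # 44: Ri answers obj's challenge
        if not self.authenticated(ri, resp_ri, obj.id, chal_obj):
            return None                                       # 45: obj rejects Ri
        return wanted                                         # 45: obj feeds back the address

    def neighbour_discovery(self, ri, src_addr, dst_addr):
        """Steps 41-46: Ri walks outward in both directions until the source
        (upstream) and the destination (downstream) are reached or a peer fails
        authentication; returns the addresses learned with their hop distance."""
        ri.learned = {ri.prev_addr: -1}
        if ri.next_addr:
            ri.learned[ri.next_addr] = 1
        objects = {-1: (ri.prev_addr, src_addr), 1: (ri.next_addr, dst_addr)}  # 41
        hop = 1
        while objects:
            for d in list(objects):
                obj_addr, target = objects[d]
                if obj_addr is None or obj_addr == target:
                    del objects[d]                            # 46: target reached, stop this side
                    continue
                addr = self.address_request(ri, self.by_addr[obj_addr], d)
                if addr is None:
                    del objects[d]                            # unauthenticated peer: stop this side
                    continue
                ri.learned[addr] = d * (hop + 1)
                objects[d] = (addr, target)                   # 46: move outward, hop + 1
            hop += 1
        return ri.learned

def build_path():
    """Constructed sample path S -> R1 -> R2 -> R3 -> D; addresses are made up."""
    addrs = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
    ids = ["S", "R1", "R2", "R3", "D"]
    return [Node(i, a, addrs[k - 1] if k else None, addrs[k + 1] if k < 4 else None)
            for k, (i, a) in enumerate(zip(ids, addrs))]

if __name__ == "__main__":
    net = Network(build_path())
    print(net.neighbour_discovery(net.by_addr["10.0.0.3"], "10.0.0.1", "10.0.0.5"))
    net.by_addr["10.0.0.4"].key = secrets.token_bytes(16)  # R3 no longer holds its registered key
    print(net.neighbour_discovery(net.by_addr["10.0.0.3"], "10.0.0.1", "10.0.0.5"))
```

The first run shows R2 learning every address on the path with its distance after one request in each direction per hop; the second run shows the downstream walk stopping at R3 once R3 can no longer answer the challenge with the key registered for it, so the destination's address is never handed out by an unauthenticated peer.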

The invention also provides a node discovery system in a communication network, comprising:

a plurality of nodes, including at least a source node and a destination node that are to perform node discovery;

each node comprising:

a request sending module, configured, when the node acts as the source node, to send a discovery request message to the next-hop node, the discovery request message carrying the source node's address information, the source node's identity information, the destination node's address information, and a challenge value generated by the source node;

a request response module, configured, after the discovery request message is received, to return to the source node the verification information the node submits to the source node, comprising: the node's address information and digital certificate, and the node's challenge-response value for the source node;

a request forwarding module, configured, after the discovery request message is received, to judge from the address information in it whether the node is the destination node, and if the node is an intermediate node, to forward the discovery request message to the node's next-hop node;

a verification module, configured, when the node acts as the source node and has received the verification information returned by the destination node, to verify each node using the verification information the nodes submitted, and if all of them pass verification, to determine each of those nodes to be a trusted node.

Optionally, a node's challenge-response value for the source node is the result of a logical operation combining the related information between the source node and that node with a signature generated over that related information using the node's private key, where the related information between the source node and that node comprises: the node's identity information, the source node's identity information, and the challenge value generated by the source node;

and the verification module verifying each node using the received verification information means:

the verification module verifies, for each node, whether the address information and digital certificate in the verification information that node submitted are valid, and verifies with the public key carried in each node's digital certificate whether the signature in the challenge-response value that node generated is valid.

Optionally, the request forwarding module forwarding the discovery request message to the node's next-hop node means:

the request forwarding module saves the address information of the previous hop from the discovery request message, then deletes from the discovery request message the additional information of all nodes other than the source node, adds the node's own additional information to the discovery request message, and finally sends it to the node's next-hop node; the additional information comprises: the node's address information, identity information, and a challenge value generated by the node;

and each node further comprises:

a neighbor response module, configured, when the previous-hop node is not the source node, to construct a neighbor discovery response message and send it to the previous-hop node, carrying the verification information the node submits to the previous-hop node, namely: the node's address information, digital certificate, and its challenge-response value for the previous-hop node; the node's challenge-response value for the previous-hop node is the result of a logical operation combining the related information between the previous-hop node and the node with a signature generated over that related information using the node's private key, where the related information between the previous-hop node and the node comprises: the node's identity information, the previous-hop node's identity information, and the challenge value generated by the previous-hop node.

Optionally, the verification module is further configured, after the neighbor discovery response message is received, to verify whether the next-hop node's address information and digital certificate in it are valid, and to verify with the public key carried in that next-hop node's digital certificate whether the signature in the challenge-response value that next-hop node generated is valid; if all are valid, it saves the next-hop node's address information.

Optionally, each node further comprises:

a neighbor node discovery module, comprising:

an address request unit;

a setting unit, configured, when the node has received the discovery request message and is not the destination node, to take the node's previous-hop node as the upstream request-object node and, if the node has saved the address information of its next-hop node, to take that next-hop node as the downstream request-object node; to set the hop value to 1; and to pass it, together with the upstream and downstream request-object nodes, to the address request unit;

the address request unit being configured to send a node address request message to the upstream request-object node carrying the hop value, a request for the address information of the upstream request-object node's previous-hop node, the node's identity information, and a challenge value generated by the node; and, if a downstream request-object node exists, to send a node address request message to the downstream request-object node carrying the hop value, a request for the address information of the downstream request-object node's next-hop node, the node's identity information, and a challenge value generated by the node;

a verification request unit, configured, after a node address request message requesting previous/next-hop address information is received from a node Ra, to construct, if the node has saved the previous/next-hop node's address information, a node verification request message and return it to node Ra, carrying the node's identity information, digital certificate, a challenge value generated by the node, and the node's challenge-response value for node Ra;

a verification response unit, configured, after the node verification request message returned by a node Rb is received, to send, if verification passes, a node verification response message to node Rb, carrying the node's digital certificate and the node's challenge-response value for node Rb;

the verification request unit being further configured, after the node verification response message is received, to return the address information of the node's previous/next-hop node if verification passes;

the setting unit being further configured, when the received address information does not belong to the target node the node is looking for, to take the node corresponding to the address information received from the upstream request-object node as the upstream request-object node and the node corresponding to the address information received from the downstream request-object node as the downstream request-object node, to increment the hop value by 1, and to pass it, together with the upstream and downstream request-object nodes, to the address request unit; if the received address information belongs to the target node the node is looking for, the neighbor node discovery process ends.

The technical scheme of the invention applies to trusted node discovery in a communication network. Using a challenge-response approach, it verifies the authenticity of the nodes on the path so that every discovered node is trusted, which ensures that communication between network devices is secure and reliable; the procedure is simple and does not require many packets to be sent repeatedly, which greatly reduces communication delay. The optimised scheme of the invention applies to neighbor node discovery in a communication network: nodes on the path can locate the other nodes on the path by storing the IP addresses of their neighboring nodes, and mutual authentication between nodes on the path can be achieved. Because the procedure is simple, secure and reliable, the scheme is equally applicable to high-speed, large-scale, complex multi-hop communication networks.

Description of drawings

FIG. 1 is a schematic flow chart of the node discovery method of Embodiment 1;

FIG. 2 is a schematic flow chart of the trusted node discovery method of Embodiment 1;

FIG. 3 is a schematic flow chart of the neighbor node discovery method of Embodiment 1.

具体实施方式detailed description

下面将结合附图及实施例对本发明的技术方案进行更详细的说明。The technical solution of the present invention will be described in more detail below with reference to the drawings and embodiments.

需要说明的是,如果不冲突,本发明实施例以及实施例中的各个特征可以相互结合,均在本发明的保护范围之内。另外,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。It should be noted that, if there is no conflict, the embodiments of the present invention and various features in the embodiments can be combined with each other, and all are within the protection scope of the present invention. In addition, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown or described herein.

实施例一、一种通信网络中的节点发现方法,如图1所示,包括:Embodiment 1. A method for discovering nodes in a communication network, as shown in FIG. 1 , comprising:

S101、源节点发送发现请求报文至下一跳节点,所述发现请求报文中携带源节点的地址信息、源节点的身份信息、目的节点的地址信息及源节点生成的挑战值;S101. The source node sends a discovery request message to the next-hop node, and the discovery request message carries address information of the source node, identity information of the source node, address information of the destination node, and a challenge value generated by the source node;

S102、收到所述发现请求报文的节点向所述源节点返回本节点提交给所述源节点的验证信息,包括:本节点的地址信息和数字证书,以及本节点针对源节点的挑战响应值;根据其中的所述地址信息判断本节点是否为目的节点,如果不是目的节点则将所述发现请求报文转发给本节点的下一跳节点;S102. The node that receives the discovery request message returns to the source node the verification information submitted by the node to the source node, including: the address information and digital certificate of the node, and the challenge response of the node to the source node value; judging whether the current node is a destination node according to the address information therein, if not the destination node, forwarding the discovery request message to the next hop node of the current node;

S103、所述源节点当收到目的节点返回的验证信息后,根据所收到的各节点提交的验证信息对各节点进行验证;如果全部验证通过则将各所述节点确定为可信节点。S103. After receiving the verification information returned by the destination node, the source node verifies each node according to the received verification information submitted by each node; if all verifications pass, each node is determined as a trusted node.

In this embodiment, the nodes other than the source node and the destination node that the discovery request message passes through are called intermediate nodes; in step S101 the source node's next-hop node is usually the first intermediate node, although the case where the next-hop node is itself the destination node is not excluded.

In this embodiment, an intermediate node may, but is not limited to, return the verification information it submits to the source node in a non-terminal discovery response message; the destination node may, but is not limited to, return the verification information it submits to the source node in a node discovery end response message.

In this embodiment, the address information may be, but is not limited to, an IP address; a node that receives the discovery request message can judge whether it is the destination node by comparing its own IP address with the IP address of the destination node.

This embodiment uses identity information, digital certificates and an asymmetric challenge-response authentication mechanism to secure the node discovery process: the source node judges whether each node in the discovery process is trustworthy by verifying whether the address information, digital certificate and challenge response value of each intermediate node and of the destination node are valid.

In one implementation of this embodiment, a node's challenge response value for the source node may be, but is not limited to, the result of a logical operation over the related information between the source node and that node and a signature over that related information generated with the node's private key; here the related information between the source node and that node comprises: the node's identity information, the source node's identity information, and the challenge value generated by the source node.

In this implementation, the step in which the source node verifies each node according to the received verification information submitted by each node may specifically comprise:

the source node verifies whether the address information and digital certificate in the verification information submitted by each node are valid, and verifies, with the public key carried in each node's digital certificate, whether the signature in the challenge response value generated by that node is valid.

In this implementation, a node's identity information, digital certificate and public/private key pair may be, but are not limited to, obtained by the node through an application to a PKI (Public Key Infrastructure).

This implementation further relies on a certificate-based PKI system to secure the node discovery process: every node applies to the PKI for its digital certificate and public/private key pair at initialization, and only users the PKI regards as legitimate can obtain them. During trusted node discovery, every node on the path (each intermediate node and the destination node) sends to the source node the digital certificate the PKI assigned to it together with a signature generated with the private key the PKI assigned to it, and the source node verifies the authenticity of each node's identity by checking the validity of the certificate and the signature. Only the digital certificate and signature of a legitimate user can pass the source node's authentication.

In one implementation of this embodiment, the step of forwarding the discovery request message to the node's own next-hop node may specifically comprise:

saving the address information of the previous-hop node carried in the discovery request message, then deleting from the discovery request message the additional information of every node other than the source node, adding the node's own additional information to the discovery request message, and finally sending it to the node's next-hop node; the additional information comprises: the node's address information, its identity information, and a challenge value generated by the node;

In this implementation, to distinguish it from the original discovery request message sent by the source node, a discovery request message forwarded by an intermediate node with that node's additional information added may be called a transit discovery request message.

In this implementation, every intermediate node except the first one, which receives the discovery request message directly from the source node, needs to delete the additional information of the previous-hop node that forwarded the discovery request message to it.

In this implementation, step S102 may further comprise:

when the previous-hop node is not the source node, constructing a neighbor discovery response message and sending it to the previous-hop node, carrying the verification information this node submits to the previous-hop node, comprising: this node's address information, its digital certificate, and this node's challenge response value for the previous-hop node; this node's challenge response value for the previous-hop node may be, but is not limited to, the result of a logical operation over the related information between the previous-hop node and this node and a signature over that related information generated with this node's private key; here the related information between the previous-hop node and this node comprises: this node's identity information, the previous-hop node's identity information, and the challenge value generated by the previous-hop node.

In this implementation, the method may further comprise:

the node that receives the neighbor discovery response message verifies whether the next-hop node's address information and digital certificate therein are valid, and verifies with the public key carried in the next-hop node's digital certificate whether the signature in the challenge response value generated by that next-hop node is valid; if all are valid, it saves the next-hop node's address information.

In this implementation, only the address information of verified neighboring nodes is stored by an intermediate node for use in neighboring node discovery, which further secures the node discovery process.

The following describes a specific example of trusted node discovery. In this example it is assumed that the PKI has already issued each legitimate intermediate node its digital certificate and public/private key pair, and that the address information is an IP address. The trusted node discovery process from the sending end to the receiving end is shown in Figure 2 and comprises the following steps:

Step 201: the initiator S sends to the first intermediate node R1 a source node discovery request message carrying the initiator's address IP_S, the IP address IP_Rn of the destination node to be found, the hop count Hop, the initiator's identity information ID_S, and a challenge value Random_S chosen at random by the initiator; Hop is 0 at this point.

Step 202: after receiving the source node discovery request message, the intermediate node R1 saves the source node's IP address IP_S and performs the following operations:

2021. R1 checks whether it is itself the destination node that the initiator S is looking for, by comparing its own IP address with the destination node's IP address in the source node discovery request message. If they are the same, it proceeds to step 205; if they differ, R1 adds its additional information to the source node discovery request message. R1's additional information comprises: R1's IP address IP_R1, R1's identity information ID_R1, and a challenge value Random_R1 generated by R1. R1 also changes Hop to 1, thereby obtaining a transit discovery request message, which it sends to the next-hop node R2;

2022. At the same time, R1 uses the private key issued to it by the PKI to generate a signature over the related information between S and R1; the related information between S and R1 comprises: S's identity information ID_S, R1's identity information ID_R1, and the challenge value Random_S generated by S. The resulting signature together with the related information between S and R1 forms R1's challenge response value for S:

TokenR1S = ID_R1 || ID_S || Random_S || SignR1(ID_R1 || ID_S || Random_S);

where || denotes a predetermined logical operation and SignX(M) denotes the signature generated over message M with X's private key; the signature algorithm used here may be assigned by the PKI or negotiated among the nodes. R1 then constructs a non-terminal discovery response message and sends it to the initiator S, carrying the verification information R1 submits to S, comprising R1's IP address IP_R1, R1's digital certificate Cert_R1, and R1's challenge response value for S, TokenR1S.

Steps 2021 and 2022 are in no particular order and may also be performed in parallel.

Step 203: after receiving the transit discovery request message, the intermediate node R2 saves the IP address IP_R1 of the previous-hop node R1 and performs the following operations:

2031. Similarly to R1's operation in step 2021, R2 first judges whether it is itself the destination node; if so, it proceeds to step 205. If the IP addresses do not match, R2 deletes R1's additional information from the received transit discovery request message and adds R2's additional information (equivalent to adding R2's additional information to the source node discovery request message). R2's additional information comprises: R2's IP address IP_R2, R2's identity information ID_R2, and a challenge value Random_R2 generated by R2. R2 also sets Hop to 2, thereby obtaining a new transit discovery request message, which it sends to the next-hop node R3;

2032. Similarly to R1's operation in step 2022, except that the verification information R1 submits to S is replaced by the verification information R2 submits to S and the related information between S and R1 is replaced by the related information between S and R2: R2 first generates its challenge response value for S, TokenR2S = ID_R2 || ID_S || Random_S || SignR2(ID_R2 || ID_S || Random_S), and constructs a new non-terminal discovery response message that it sends to the initiator S, carrying the verification information R2 submits to S, comprising R2's IP address IP_R2, digital certificate Cert_R2, and R2's challenge response value for S, TokenR2S.

2033. R2 uses the private key issued to it by the PKI to generate a signature over the related information between R1 and R2; the related information between R1 and R2 comprises R1's identity information ID_R1, R2's identity information ID_R2, and the challenge value Random_R1 generated by R1. The resulting signature together with the related information between R1 and R2 forms R2's challenge response value for R1:

TokenR2R1 = ID_R2 || ID_R1 || Random_R1 || SignR2(ID_R2 || ID_R1 || Random_R1);

R2 constructs a neighbor discovery response message and sends it to the previous-hop node R1, carrying the verification information R2 submits to R1, comprising IP_R2, Cert_R2, and R2's challenge response value for R1, TokenR2R1.

In step 203, the steps of constructing and sending the transit discovery request message, the non-terminal discovery response message and the neighbor discovery response message are in no particular order and may be performed in parallel; the same holds in step 204.

Step 204: each subsequent intermediate node Ri (2 < i ≤ n-1, where n-1 is the number of intermediate nodes the node discovery request message passes through from the initiator S to the destination node), after receiving the transit discovery request message and the neighbor discovery response message, saves the IP address of the previous-hop node carried in the received transit discovery request message and performs the following operations:

2041. Similarly to R2's operation in step 2031, Ri constructs a new transit discovery request message and sends it to the next-hop node Ri+1; it suffices to replace all of R2's additional information in step 2031 with Ri's additional information, that is, Ri deletes Ri-1's additional information from the received transit discovery request message and adds Ri's additional information, thereby obtaining a new transit discovery request message.

2042. Similarly to R2's operation in step 2032, Ri constructs a non-terminal discovery response message and sends it to S; it suffices to replace the verification information R2 submits to S in step 2032 with the verification information Ri submits to S.

2043. Similarly to R2's operation in step 2033, Ri constructs a new neighbor discovery response message and sends it to the previous-hop node Ri-1; it suffices to replace the related information between R1 and R2 in step 2033 with the related information between Ri-1 and Ri (comprising Ri-1's identity information ID_Ri-1, Ri's identity information ID_Ri, and the challenge value Random_Ri-1 generated by Ri-1).

An intermediate node Ri (1 ≤ i ≤ n-1) verifies whether the digital certificate Cert_Ri+1 in the neighbor discovery response message from its next-hop node Ri+1 (where the next-hop node of Rn-1 is the destination node Rn) is valid, and uses the public key in Ri+1's digital certificate to verify whether the signature in Ri+1's challenge response value for Ri, TokenRi+1Ri, is valid. If both are valid, Ri stores the IP address IP_Ri+1 of Ri+1 carried in the neighbor discovery response message from the next hop, for use in neighboring node discovery between intermediate nodes. If either the digital certificate or the signature is invalid, Ri does not store the next-hop node's IP address.

Step 205: after the destination node Rn receives the transit discovery request message sent by the previous-hop node Rn-1 (Rn-1 being the last intermediate node), it saves the previous-hop node's IP address and performs the following operations:

2051. The destination node Rn uses the private key issued to it by the PKI to generate a signature over the related information between S and Rn; the related information between S and Rn comprises: S's identity information ID_S, Rn's identity information ID_Rn, and the challenge value Random_S generated by S. The resulting signature together with the related information between S and Rn forms Rn's challenge response value for S:

TokenRnS = ID_Rn || ID_S || Random_S || SignRn(ID_Rn || ID_S || Random_S);

Rn constructs a node discovery end response message and sends it to the initiator S, carrying Rn's IP address IP_Rn, digital certificate Cert_Rn, and Rn's challenge response value for S, TokenRnS, indicating that the discovery process has ended.

2052. Similarly to R2's operation in step 2033, Rn constructs a new neighbor discovery response message and sends it to the previous-hop node Rn-1; it suffices to replace the related information between R1 and R2 with the related information between Rn-1 and Rn (comprising Rn-1's identity information ID_Rn-1, Rn's identity information ID_Rn, and the challenge value Random_Rn-1 generated by Rn-1).

In step 205, the steps of constructing the node discovery end response message and the neighbor discovery response message are in no particular order and may be performed in parallel.

Step 206: the initiator S verifies whether the digital certificates in the non-terminal discovery response messages from all intermediate nodes and in the node discovery end response message from the destination node are valid, and uses the public key in each node's digital certificate to verify whether the signature in that node's challenge response value for S is valid. If the digital certificates and signatures of all nodes (the intermediate nodes and the destination node) are valid, all of these nodes are determined to be trusted nodes; if the digital certificate or signature of any node is invalid, S does not trust the searched path and re-initiates the trusted node discovery process.

In one implementation of this embodiment, the following may further be included after step S103:

S104. Each intermediate node Ri performs the following steps, an intermediate node being a node other than the destination node that received the discovery request message:

41. Ri takes its previous-hop node as its upstream request target node; if Ri has saved the address information of a next-hop node, it takes that next-hop node as its downstream request target node; the hop count is set to 1;

42. Ri sends a node address request message to the upstream request target node, carrying the hop count, a request for the address information of the upstream request target node's previous-hop node, Ri's identity information, and a challenge value generated by Ri;

if the downstream request target node exists, Ri sends a node address request message to the downstream request target node, carrying the hop count, a request for the address information of the downstream request target node's next-hop node, Ri's identity information, and a challenge value generated by Ri;

43. After the upstream/downstream request target node receives the node address request message sent by Ri requesting the address information of its previous/next-hop node, if it holds the address information of its previous/next-hop node, it constructs a node verification request message and returns it to Ri, carrying its own identity information, digital certificate, a challenge value it generated, and its challenge response value for Ri;

In this step and the following steps, the operations of the upstream request target node and of the downstream request target node are independent of each other, and Ri's operations towards the upstream request target node and towards the downstream request target node are likewise independent. Independent means that they neither affect nor depend on each other: both may take place, or only the upstream or only the downstream part may take place. For instance, in this step, Ri's upstream request target node can only receive a node address request message from Ri asking for its previous-hop node's address information, and only needs to judge whether it holds its previous-hop node's address information; what the downstream request target node does, whether it does anything, or even whether a downstream request target node exists at all, does not affect the upstream request target node's operation.

44. After Ri receives the node verification request message from the upstream/downstream request target node, if verification passes it sends a node verification response message to that upstream/downstream request target node, carrying Ri's digital certificate and Ri's challenge response value for the upstream/downstream request target node;

45. After the upstream/downstream request target node receives the node verification response message, if verification passes it feeds the address information of its previous/next-hop node back to Ri;

46. If the received address information does not belong to the target node Ri is looking for, the node corresponding to the address information Ri received from the upstream request target node becomes Ri's new upstream request target node, the node corresponding to the address information Ri received from the downstream request target node becomes Ri's new downstream request target node, the hop count is incremented by 1, and the process returns to step 42; if the received address information belongs to the target node Ri is looking for, the neighboring node discovery process ends.

If no address information is returned by the upstream/downstream request target node, the original upstream/downstream request target node is dropped, so that after returning to step 42 only the operations on the side (upstream or downstream) whose request target node was updated are performed; if neither the upstream nor the downstream request target node returns address information, the neighboring node discovery process may also end.

In this implementation, the verification steps are similar to those described above: they comprise verifying whether the received digital certificate is valid and verifying, with the public key in that digital certificate, whether the signature in the received challenge response value is valid, and verification passes when both the digital certificate and the signature are valid. The process of obtaining this node's challenge response value for the peer node is also similar to the above: this node first generates a signature with its private key over the related information between the peer node and itself, then performs the logical operation on the resulting signature and that related information, obtaining its challenge response value for the peer node. See the example below for details.

In this implementation, step S104 is the neighboring node discovery process, also designed with the PKI-based asymmetric challenge-response authentication mechanism: an intermediate node sends a node address request message to a neighboring node to request the IP address of that neighboring node's previous-hop or next-hop node, and then the intermediate node and its neighboring node run a challenge-response exchange to verify each other's authenticity. Only a legitimate requester can obtain the IP address information of the relevant node's neighbors, and only IP address information provided by a trusted responder is accepted by the requester, so mutual authentication between neighboring nodes is achieved.
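As an added illustration that is not part of the patent or the applicants' code, the following Go program models the token construction TokenXY = ID_X || ID_Y || Random_Y || SignX(...), the source's verification of every node in step 206, the next-hop check of step 204, and the mutual challenge-response of steps 43 to 45 with Ed25519 signatures. The PKI certificate format, the length-prefixed encoding used for ||, and the node names and IP addresses are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

// Cert models the PKI-issued digital certificate: the PKI signs (ID, public key).
type Cert struct {
	ID  string
	Pub ed25519.PublicKey
	Sig []byte
}

// Token is a challenge response value, e.g. TokenR1S = ID_R1||ID_S||Random_S||SignR1(...).
type Token struct {
	Responder, Challenger string
	Challenge, Sig        []byte
}

// Node: PKI-issued material plus the next-hop IP learned during trusted discovery.
type Node struct {
	ID, IP, NextIP string
	priv           ed25519.PrivateKey
	Cert           Cert
}

// concat realises "||" as length-prefixed concatenation (an assumption; the page
// leaves the exact operation to the PKI or the nodes to settle).
func concat(parts ...[]byte) []byte {
	var b bytes.Buffer
	for _, p := range parts {
		binary.Write(&b, binary.BigEndian, uint32(len(p)))
		b.Write(p)
	}
	return b.Bytes()
}

// NewPKI generates the PKI's own signing key pair.
func NewPKI() (pub ed25519.PublicKey, priv ed25519.PrivateKey) { pub, priv, _ = ed25519.GenerateKey(rand.Reader); return }

// NewNode generates a node key pair and has the PKI (pkiPriv) issue its certificate.
func NewNode(pkiPriv ed25519.PrivateKey, id, ip string) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Cert{ID: id, Pub: pub, Sig: ed25519.Sign(pkiPriv, concat([]byte(id), pub))}
	return &Node{ID: id, IP: ip, priv: priv, Cert: cert}
}

// RandomChallenge is the Random_X value a challenger draws afresh for every exchange.
func RandomChallenge() []byte { c := make([]byte, 16); rand.Read(c); return c }

// Respond builds this node's token for a challenger that sent (challengerID, challenge).
func (n *Node) Respond(challengerID string, challenge []byte) Token {
	msg := concat([]byte(n.ID), []byte(challengerID), challenge)
	return Token{n.ID, challengerID, challenge, ed25519.Sign(n.priv, msg)}
}

// Verify is the challenger's check on a received (cert, token): PKI-signed certificate, token
// bound to the challenger's own ID and current challenge (so an old token cannot be replayed),
// and a signature valid under the certified key.
func Verify(pkiPub ed25519.PublicKey, cert Cert, tok Token, myID string, myChallenge []byte) bool {
	if !ed25519.Verify(pkiPub, concat([]byte(cert.ID), cert.Pub), cert.Sig) ||
		tok.Responder != cert.ID || tok.Challenger != myID || !bytes.Equal(tok.Challenge, myChallenge) {
		return false
	}
	msg := concat([]byte(tok.Responder), []byte(tok.Challenger), tok.Challenge)
	return ed25519.Verify(cert.Pub, msg, tok.Sig)
}

// Discover plays steps 201-206 for source s and path R1..Rn: every node answers S's challenge
// Random_S, and every Ri challenges Ri+1 and stores IP_Ri+1 only if that response verifies.
func Discover(pkiPub ed25519.PublicKey, s *Node, path []*Node) bool {
	randomS, trusted := RandomChallenge(), true
	for i, r := range path {
		trusted = trusted && Verify(pkiPub, r.Cert, r.Respond(s.ID, randomS), s.ID, randomS)
		if i+1 < len(path) {
			next, randomR := path[i+1], RandomChallenge()
			if Verify(pkiPub, next.Cert, next.Respond(r.ID, randomR), r.ID, randomR) {
				r.NextIP = next.IP
			}
		}
	}
	return trusted
}

// RequestNextIP plays steps 42-45 on the downstream side (upstream is symmetric): Ri and its
// target exchange challenge and token; the target releases its next hop's IP only if Ri verifies.
func RequestNextIP(pkiPub ed25519.PublicKey, ri, target *Node) string {
	randomRi, randomT := RandomChallenge(), RandomChallenge()
	if !Verify(pkiPub, target.Cert, target.Respond(ri.ID, randomRi), ri.ID, randomRi) {
		return "" // Ri discards the node verification request (step 44 fails)
	}
	if !Verify(pkiPub, ri.Cert, ri.Respond(target.ID, randomT), target.ID, randomT) {
		return "" // target withholds its neighbour's address (step 45 fails)
	}
	return target.NextIP
}
```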

The following describes a specific example of neighboring node discovery. This example describes the process after the trusted node discovery of the previous example has completed: using the property that every intermediate node on the path knows the IP addresses of its neighboring intermediate nodes, any intermediate node Ri on the path can look up intermediate nodes further up or down the path from the stored IP addresses of its neighboring nodes, as shown in Figure 3; the specific steps are as follows:

Step 301: the previous-hop node Ri-1 of the intermediate node Ri (2 < i ≤ n) is taken as Ri's upstream request target node; if Ri has stored the IP address of the next-hop node Ri+1, Ri+1 is taken as Ri's downstream request target node. The hop count Hop is set to 1.

Step 302: Ri sends a node address request message to its upstream request target node at the stored IP address, requesting the IP address of the upstream request target node's previous-hop node (for example, when the upstream request target node is Ri-1, the request is for Ri-2's IP address); the node address request message carries Hop, the request information ReqInfo, Ri's identity information ID_Ri, and a challenge value Random_Ri generated by Ri. The request information ReqInfo indicates whether the request is for the IP address of the upstream request target node's previous-hop node or for the IP address of the downstream request target node's next-hop node.

Step 302'. If a downstream request target node exists, as shown by the dashed line in Figure 3, Ri also sends a node address request message to its downstream request target node, requesting the IP address of the downstream request target node's next-hop node (for example, when the downstream request target node is Ri+1, the request is for Ri+2's IP address); the process is similar to requesting from the previous-hop node Ri-1 the IP address of Ri-1's previous-hop node Ri-2.

If Ri has stored only the previous-hop node's IP address and not the next-hop node's IP address, Ri can only request from Ri-1 the IP address of Ri-1's previous-hop node Ri-2.

Steps 303 to 305 below are described with Ri-1 as the upstream request target node; if the upstream request target node is some other node, that node simply replaces Ri-1 in these steps:

Step 303: after receiving the node address request message, Ri-1 performs the following operations:

(3.1) Ri-1 uses the private key issued to it by the PKI to generate a signature over the related information between Ri and Ri-1 (comprising Ri's identity information ID_Ri, Ri-1's identity information ID_Ri-1, and the challenge value Random_Ri generated by Ri), and the resulting signature together with the related information between Ri and Ri-1 forms Ri-1's challenge response value for Ri: TokenRi-1Ri = ID_Ri-1 || ID_Ri || Random_Ri || SignRi-1(ID_Ri-1 || ID_Ri || Random_Ri);

(3.2) Ri-1 then constructs a node verification request message and returns to the intermediate node Ri its own identity information ID_Ri-1, a challenge value Random_Ri-1 it generated, its digital certificate Cert_Ri-1, and Ri-1's challenge response value for Ri, TokenRi-1Ri.

Step 303'. The processing performed by the downstream request target node after receiving the node address request message is similar to steps (3.1) and (3.2) above, as shown by the dashed line in Figure 3, with the upstream request target node replaced by the downstream request target node (for example, Ri-1 replaced by Ri+1).

If the upstream/downstream request target node has not stored the IP address of its previous/next-hop node, it does not process the received node address request message.

Step 304: after receiving the node verification request message from Ri-1, Ri verifies whether Ri-1's digital certificate is valid and uses the public key in Ri-1's certificate to verify whether the signature in Ri-1's challenge response value for Ri, TokenRi-1Ri, is valid. If either the digital certificate or the signature is invalid, the node verification request message is discarded; if both are valid, verification passes and Ri uses the private key issued to it by the PKI to generate a signature over the related information between Ri-1 and Ri (comprising Ri-1's identity information ID_Ri-1, Ri's identity information ID_Ri, and the challenge value Random_Ri-1 generated by Ri-1), and the resulting signature together with the related information between Ri-1 and Ri forms Ri's challenge response value for Ri-1:

TokenRiRi-1 = ID_Ri || ID_Ri-1 || Random_Ri-1 || SignRi(ID_Ri || ID_Ri-1 || Random_Ri-1); Ri then sends a node verification response message carrying its own digital certificate Cert_Ri and TokenRiRi-1 to the neighboring node Ri-1.

步骤304’、如果Ri收到的是来自下行请求对象节点的节点验证请求报文,过程类似于上述步骤304,如图3中虚线所示,只是将上行请求对象节点替换成下行请求对象节点。Step 304', if R i receives a node verification request message from the downlink request object node, the process is similar to the above step 304, as shown by the dotted line in Figure 3, only the uplink request object node is replaced with the downlink request object node .

步骤305:Ri-1收到所述节点验证响应报文后,验证Cert_Ri是否有效,并利用Cert_Ri中的公钥验证Ri针对Ri-1的挑战响应值TokenRiRi-1中的签名是否有效,如果数字证书和签名都是有效的,则验证通过,Ri-1将它的上一跳节点Ri-2的IP地址反馈给请求方Ri;数字证书和签名中只要有一个无效,则丢弃所述节点验证响应报文。Step 305: After receiving the node verification response message, R i-1 verifies whether Cert_R i is valid, and uses the public key in Cert_R i to verify R i 's challenge response value TokenR i R i- 1 for R i-1 Whether the signature in is valid, if both the digital certificate and the signature are valid, then the verification is passed, and R i-1 will feed back the IP address of its last hop node R i-2 to the requester R i ; the digital certificate and the signature As long as one is invalid, the node verification response message is discarded.

步骤305’、如果是下行请求对象节点收到所述节点验证响应报文,过程类似于上述步骤305,如图3中虚线所示,只是将上行请求对象节点替换成下行请求对象节点;如果数字证书和签名都是有效的,则验证通过,下行请求对象节点发送本节点的下一跳节点的IP地址给请求方Ri(比如下行请求对象节点为Ri+1时,发送Ri+2的IP地址)。Step 305', if the downlink request object node receives the node verification response message, the process is similar to the above step 305, as shown by the dotted line in Figure 3, just replace the uplink request object node with the downlink request object node; if the number If the certificate and signature are both valid, the verification is passed, and the downlink request object node sends the IP address of the next hop node of this node to the requester R i (for example, when the downlink request object node is R i+1 , send R i+2 IP address).

步骤306:如果所收到的IP地址并不是Ri想要找的目标节点,则将Ri从所述上行请求对象节点所收到的IP地址对应的节点作为新的Ri的上行请求对象节点,将Ri从所述下行请求对象节点所收到的IP地址对应的节点作为新的Ri的下行请求对象节点,将Hop加1,然后返回步骤302。如果收到的IP地址是Ri想要找的目标节点,则邻近节点发现过程结束。Step 306: If the received IP address is not the target node R i wants to find, then use the node corresponding to the IP address received by R i from the uplink request object node as the new uplink request object of R i The node uses the node corresponding to the IP address received by R i from the downlink request object node as the new R i downlink request object node, adds 1 to Hop, and then returns to step 302 . If the received IP address is the target node that R i wants to find, the neighbor node discovery process ends.

Embodiment 2: a node discovery system in a communication network, comprising:

multiple nodes, including at least a source node and a destination node that are to perform node discovery;

where each node comprises:

a request sending module, configured to, when this node acts as the source node, send a discovery request message to the next-hop node, the discovery request message carrying the source node's address information, the source node's identity information, the destination node's address information and a challenge value generated by the source node;

a request response module, configured to, after the discovery request message is received, return to the source node the verification information this node submits to the source node, comprising this node's address information and digital certificate and this node's challenge response value for the source node;

a request forwarding module, configured to, after the discovery request message is received, judge from the address information in it whether this node is the destination node, and, if this node is an intermediate node, forward the discovery request message to this node's next-hop node;

a verification module, configured to, when this node acts as the source node and the verification information returned by the destination node has been received, verify each node according to the received verification information submitted by that node, and, if all verifications pass, determine each of the nodes to be a trusted node.

In one implementation of this embodiment, a node's challenge response value for the source node may be the result of a logical operation on the related information between the source node and this node and the signature generated over that related information with this node's private key; the related information between the source node and this node comprises this node's identity information, the source node's identity information and the challenge value generated by the source node;

and the verification module verifying each node according to the received verification information submitted by each node may specifically mean:

the verification module verifies, for each node, whether the address information and the digital certificate in the verification information that node submitted are valid, and verifies, with the public key carried in that node's digital certificate, whether the signature in the challenge response value that node generated is valid.

In one implementation of this embodiment, the request forwarding module forwarding the discovery request message to this node's next-hop node may specifically mean:

the request forwarding module saves the previous-hop node's address information from the discovery request message, deletes from the discovery request message the additional information of all nodes other than the source node, adds this node's additional information to the discovery request message and finally sends it to this node's next-hop node; the additional information comprises this node's address information, identity information and the challenge value generated by this node;

each node may further comprise:

a neighbour response module, configured to, when the previous-hop node is not the source node, construct a neighbour discovery response message and send it to the previous-hop node, carrying the verification information this node submits to the previous-hop node, comprising this node's address information, digital certificate and this node's challenge response value for the previous-hop node; this node's challenge response value for the previous-hop node is the result of a logical operation on the related information between the previous-hop node and this node and the signature generated over that related information with this node's private key; the related information between the previous-hop node and this node comprises this node's identity information, the previous-hop node's identity information and the challenge value generated by the previous-hop node.

In this implementation, the verification module may further be configured to, after the neighbour discovery response message is received, verify whether the next-hop node's address information and digital certificate in it are valid, and verify with the public key carried in the next-hop node's digital certificate whether the signature in the challenge response value generated by the next-hop node is valid; if all are valid, it saves the next-hop node's address information.

In this implementation, each node may further comprise a neighbouring node discovery module, which specifically comprises:

an address request unit;

a setting unit, configured to, when this node receives the discovery request message and is not the destination node, take this node's previous-hop node as the upstream request object node; if this node stores the address information of a next-hop node, take that next-hop node as the downstream request object node; set the hop value to 1 and send it, together with the upstream and downstream request object nodes, to the address request unit;

the address request unit, configured to send to the upstream request object node a node address request message carrying the hop value, a request for the address information of the upstream request object node's previous-hop node, this node's identity information and the challenge value generated by this node; and, if a downstream request object node exists, to send to the downstream request object node a node address request message carrying the hop value, a request for the address information of the downstream request object node's next-hop node, this node's identity information and the challenge value generated by this node;

a verification request unit, configured to, after receiving from a node R_a a node address request message requesting previous/next-hop address information, if this node stores the address information of its previous/next-hop node, construct a node verification request message and return it to R_a, carrying this node's identity information, digital certificate, the challenge value generated by this node and this node's challenge response value for R_a;

a verification response unit, configured to, after receiving the node verification request message returned by a node R_b, if verification passes, send a node verification response message to R_b carrying this node's digital certificate and this node's challenge response value for R_b;

the verification request unit being further configured to, after receiving the node verification response message, if verification passes, return the address information of this node's previous/next-hop node (if the received node address request message asked for the previous-hop node's address information, the previous-hop node's address information is returned; if it asked for the next-hop node's address information, the next-hop node's address information is returned);

the setting unit being further configured to, when the received address information does not belong to the target node this node is looking for, take the node corresponding to the address information received from the upstream request object node as the upstream request object node, take the node corresponding to the address information received from the downstream request object node as the downstream request object node, increment the hop value by 1 and send it together with the upstream and downstream request object nodes to the address request unit; if the received address information belongs to the target node this node is looking for, the neighbouring node discovery procedure ends.
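The hop-by-hop exchange of steps 302 to 306 above and the neighbouring node discovery module just described (setting unit, address request unit, verification request and response units) are the same protocol seen from two sides. The Go program below is an added example written for this page, not code from the patent or its authors. It models the "digital certificate" as a CA signature over ID||PubKey with Ed25519 (an assumption; the patent only says "PKI" and "digital certificate"), uses constructed addresses 10.0.0.k, and the names AddressRequest, WalkUpstream, Chain and the field names are the example's own. It goes a little beyond the text in one respect: VerifyToken also checks that a token names the verifier and echoes the verifier's own fresh challenge, which a bare signature check does not establish, and the upstream walk stops when the hop counter exceeds a limit.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CA is a constructed stand-in for the PKI the patent assumes; its signature
// over ID||PubKey plays the role of a node's digital certificate.
type CA struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }
type Cert struct{ ID string; Pub ed25519.PublicKey; CASig []byte }
// Token is Token_{A,B} = ID_A || ID_B || Random_B || Sign_A(ID_A || ID_B || Random_B).
type Token struct{ IDSigner, IDPeer string; Random, Sig []byte }
type Node struct{ ID, IP, PrevHop, NextHop string; Cert Cert; priv ed25519.PrivateKey } // router R_i; "" = hop not stored

// concat is a length-prefixed "||" so that field boundaries are unambiguous.
func concat(a, b string, r []byte) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%x", len(a), a, len(b), b, r))
}

func fresh() []byte { r := make([]byte, 16); rand.Read(r); return r }
func NewCA() *CA { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &CA{pub, priv} }

func (ca *CA) Issue(id, ip string) *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Node{ID: id, IP: ip, priv: priv, Cert: Cert{id, pub, ed25519.Sign(ca.priv, concat(id, "", pub))}}
}

// MakeToken: this node (the signer) answers the peer's challenge with its signature.
func (n *Node) MakeToken(peerID string, random []byte) Token {
	return Token{n.ID, peerID, random, ed25519.Sign(n.priv, concat(n.ID, peerID, random))}
}

// VerifyToken is the check of steps 304/305 and of the source node in S103: CA-issued certificate,
// token naming the verifier and echoing its own fresh challenge (rejects replay), valid signature.
func VerifyToken(ca *CA, c Cert, t Token, myID string, myRandom []byte) bool {
	if !ed25519.Verify(ca.pub, concat(c.ID, "", c.Pub), c.CASig) ||
		c.ID != t.IDSigner || t.IDPeer != myID || !bytes.Equal(t.Random, myRandom) {
		return false
	}
	return ed25519.Verify(c.Pub, concat(t.IDSigner, t.IDPeer, t.Random), t.Sig)
}

// AddressRequest runs steps 302-305 between requester ri and request object node obj
// (up=true: obj's previous hop, up=false: its next hop); returns the released address.
func AddressRequest(ca *CA, ri, obj *Node, up bool) (string, bool) {
	want := map[bool]string{true: obj.PrevHop, false: obj.NextHop}[up]
	if want == "" { // step 303: nothing stored, the request is dropped unanswered
		return "", false
	}
	randI, randObj := fresh(), fresh()    // Random_Ri (step 302) and obj's own challenge (303)
	tokObj := obj.MakeToken(ri.ID, randI) // step 303: Token_{obj,Ri}, sent with Cert_obj
	if !VerifyToken(ca, obj.Cert, tokObj, ri.ID, randI) { // step 304
		return "", false
	}
	tokI := ri.MakeToken(obj.ID, randObj) // step 304: Token_{Ri,obj}, sent with Cert_Ri
	if !VerifyToken(ca, ri.Cert, tokI, obj.ID, randObj) { // step 305
		return "", false
	}
	return want, true // only now does obj release the address
}

// WalkUpstream is step 306 in the upstream direction: each released address becomes
// the new request object node until the target IP is reached or maxHop is exceeded.
func WalkUpstream(ca *CA, ri *Node, byIP map[string]*Node, target string, maxHop int) ([]string, bool) {
	var path []string
	for obj, hop := byIP[ri.PrevHop], 1; obj != nil && hop <= maxHop; hop++ {
		ip, ok := AddressRequest(ca, ri, obj, true)
		if !ok {
			return path, false
		}
		if path = append(path, ip); ip == target {
			return path, true
		}
		obj = byIP[ip]
	}
	return path, false
}

// Chain builds R0..R{n-1} with constructed addresses 10.0.0.k and links neighbours.
func Chain(ca *CA, n int) (map[string]*Node, []*Node) {
	byIP, nodes := map[string]*Node{}, []*Node{}
	for k := 0; k < n; k++ {
		nd := ca.Issue(fmt.Sprintf("R%d", k), fmt.Sprintf("10.0.0.%d", k))
		if k > 0 {
			nd.PrevHop, nodes[k-1].NextHop = nodes[k-1].IP, nd.IP
		}
		nodes, byIP[nd.IP] = append(nodes, nd), nd
	}
	return byIP, nodes
}

func main() {
	ca := NewCA()
	byIP, nodes := Chain(ca, 5)
	fmt.Println(WalkUpstream(ca, nodes[4], byIP, "10.0.0.0", 10)) // [10.0.0.2 10.0.0.1 10.0.0.0] true
}
```

Running it prints the addresses R_4 learns on its way to R_0. A request object node that stores no address stays silent (step 303), a certificate from an untrusted issuer fails at step 304, and a token answering a stale challenge is rejected even though its signature is genuine; that last comparison is the property the challenge value Random_{R_i} in the token format exists to provide.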

Those of ordinary skill in the art will understand that all or part of the steps of the above method may be performed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments may also be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in hardware or as a software functional module. The present invention is not limited to any particular combination of hardware and software.

Of course, the present invention may have many other embodiments; those skilled in the art may make various corresponding changes and modifications in accordance with the present invention without departing from its spirit and essence, and all such changes and modifications fall within the scope of protection of the claims of the present invention.

Claims (8)

1. A node discovery method in a communication network, comprising:
S101: a source node sends a discovery request message to its next-hop node, the discovery request message carrying the address information of the source node, the identity information of the source node, the address information of the destination node and a challenge value generated by the source node;
S102: a node that receives the discovery request message returns to the source node the verification information this node submits to the source node, comprising: the address information and digital certificate of this node, and this node's challenge response value for the source node; it judges from the address information therein whether this node is the destination node; if it is not the destination node, it saves the address information of the previous-hop node from the discovery request message, deletes from the discovery request message the additional information of all nodes other than the source node, adds this node's additional information to the discovery request message and finally sends it to this node's next-hop node; the additional information comprises: the address information and identity information of this node and the challenge value generated by this node;
when the previous-hop node is not the source node, this node constructs a neighbour discovery response message and sends it to the previous-hop node, carrying the verification information this node submits to the previous-hop node, comprising: the address information and digital certificate of this node and this node's challenge response value for the previous-hop node; this node's challenge response value for the previous-hop node is the result of a logical operation on the related information between the previous-hop node and this node and the signature generated over that related information with this node's private key; the related information between the previous-hop node and this node comprises: the identity information of this node, the identity information of the previous-hop node and the challenge value generated by the previous-hop node;
S103: after receiving the verification information returned by the destination node, the source node verifies each node according to the received verification information submitted by each node; if all verifications pass, each of the nodes is determined to be a trusted node.
2. The method of claim 1, wherein:
a node's challenge response value for the source node is the result of a logical operation on the related information between the source node and this node and the signature generated over that related information with this node's private key; the related information between the source node and this node comprises: the identity information of this node, the identity information of the source node and the challenge value generated by the source node;
and the step of the source node verifying each node according to the received verification information submitted by each node comprises:
the source node verifies respectively whether the address information and the digital certificate in the verification information submitted by each node are valid, and verifies, with the public key carried in each node's digital certificate, whether the signature in the challenge response value generated by that node is valid.
3. The method of claim 1, further comprising:
after receiving the neighbour discovery response message, verifying whether the next-hop node's address information and digital certificate therein are valid, and verifying with the public key carried in the next-hop node's digital certificate whether the signature in the challenge response value generated by the next-hop node is valid; if all are valid, saving the address information of the next-hop node.
4. The method of claim 3, further comprising, after S103:
S104: each intermediate node R_i performs the following steps respectively, an intermediate node being a node other than the destination node that received the discovery request message:
41. R_i takes its previous-hop node as the upstream request object node; if this node stores the address information of a next-hop node, it takes that next-hop node as the downstream request object node; the hop value is set to 1;
42. R_i sends a node address request message to the upstream request object node, carrying the hop value, a request for the address information of the previous-hop node of the upstream request object node, the identity information of this node and the challenge value generated by this node;
if the downstream request object node exists, R_i sends a node address request message to the downstream request object node, carrying the hop value, a request for the address information of the next-hop node of the downstream request object node, the identity information of this node and the challenge value generated by this node;
43. after receiving the node address request message sent by R_i requesting previous/next-hop address information, the upstream/downstream request object node, if it stores the address information of its previous/next-hop node, constructs a node verification request message and returns it to R_i, carrying the identity information of this node, its digital certificate, the challenge value generated by this node and this node's challenge response value for R_i;
44. after receiving the node verification request message of the upstream/downstream request object node, R_i, if verification passes, sends a node verification response message to the upstream/downstream request object node, carrying R_i's digital certificate and R_i's challenge response value for the upstream/downstream request object node;
45. after receiving the node verification response message, the upstream/downstream request object node, if verification passes, returns the address information of its previous/next-hop node to R_i;
46. if the received address information does not belong to the target node R_i is looking for, the node corresponding to the address information R_i received from the upstream request object node is taken as R_i's upstream request object node, the node corresponding to the address information R_i received from the downstream request object node is taken as R_i's downstream request object node, the hop value is incremented by 1, and the procedure returns to step 42; if the received address information belongs to the target node R_i is looking for, the neighbouring node discovery procedure ends.
5. A node discovery system in a communication network, comprising:
multiple nodes, including at least a source node and a destination node that are to perform node discovery;
wherein each node comprises:
a request sending module, configured to, when this node acts as the source node, send a discovery request message to the next-hop node, the discovery request message carrying the address information of the source node, the identity information of the source node, the address information of the destination node and a challenge value generated by the source node;
a request response module, configured to, after the discovery request message is received, return to the source node the verification information this node submits to the source node, comprising: the address information and digital certificate of this node, and this node's challenge response value for the source node;
a request forwarding module, configured to, after the discovery request message is received, judge from the address information therein whether this node is the destination node; if this node is an intermediate node, save the address information of the previous hop from the discovery request message, delete from the discovery request message the additional information of all nodes other than the source node, add this node's additional information to the discovery request message and finally send it to this node's next-hop node; the additional information comprises: the address information and identity information of this node and the challenge value generated by this node;
a verification module, configured to, when this node acts as the source node and the verification information returned by the destination node has been received, verify each node according to the received verification information submitted by each node; if all verifications pass, determine each of the nodes to be a trusted node;
a neighbour response module, configured to, when the previous-hop node is not the source node, construct a neighbour discovery response message and send it to the previous-hop node, carrying the verification information this node submits to the previous-hop node, comprising: the address information and digital certificate of this node and this node's challenge response value for the previous-hop node; this node's challenge response value for the previous-hop node is the result of a logical operation on the related information between the previous-hop node and this node and the signature generated over that related information with this node's private key; the related information between the previous-hop node and this node comprises: the identity information of this node, the identity information of the previous-hop node and the challenge value generated by the previous-hop node.
6. The system of claim 5, wherein:
a node's challenge response value for the source node is the result of a logical operation on the related information between the source node and this node and the signature generated over that related information with this node's private key; the related information between the source node and this node comprises: the identity information of this node, the identity information of the source node and the challenge value generated by the source node;
and the verification module verifying each node according to the received verification information submitted by each node means:
the verification module verifies respectively whether the address information and the digital certificate in the verification information submitted by each node are valid, and verifies, with the public key carried in each node's digital certificate, whether the signature in the challenge response value generated by that node is valid.
7. The system of claim 5, wherein:
the verification module is further configured to, after the neighbour discovery response message is received, verify whether the next-hop node's address information and digital certificate therein are valid, and verify with the public key carried in the next-hop node's digital certificate whether the signature in the challenge response value generated by the next-hop node is valid; if all are valid, save the address information of the next-hop node.
8. The system of claim 7, wherein each node further comprises:
a neighbouring node discovery module, comprising:
an address request unit;
a setting unit, configured to, when this node receives the discovery request message and is not the destination node, take this node's previous-hop node as the upstream request object node; if this node stores the address information of a next-hop node, take that next-hop node as the downstream request object node; set the hop value to 1 and send it, together with the upstream and downstream request object nodes, to the address request unit;
the address request unit, configured to send to the upstream request object node a node address request message carrying the hop value, a request for the address information of the previous-hop node of the upstream request object node, the identity information of this node and the challenge value generated by this node; and, if a downstream request object node exists, to send to the downstream request object node a node address request message carrying the hop value, a request for the address information of the next-hop node of the downstream request object node, the identity information of this node and the challenge value generated by this node;
a verification request unit, configured to, after receiving from a node R_a a node address request message requesting previous/next-hop address information, if this node stores the address information of its previous/next-hop node, construct a node verification request message and return it to R_a, carrying the identity information of this node, its digital certificate, the challenge value generated by this node and this node's challenge response value for R_a;
a verification response unit, configured to, after receiving the node verification request message returned by a node R_b, if verification passes, send a node verification response message to R_b, carrying this node's digital certificate and this node's challenge response value for R_b;
the verification request unit being further configured to, after receiving the node verification response message, if verification passes, return the address information of this node's previous/next-hop node;
the setting unit being further configured to, when the received address information does not belong to the target node this node is looking for, take the node corresponding to the address information received from the upstream request object node as the upstream request object node, take the node corresponding to the address information received from the downstream request object node as the downstream request object node, increment the hop value by 1 and send it together with the upstream and downstream request object nodes to the address request unit; if the received address information belongs to the target node this node is looking for, the neighbouring node discovery procedure ends.
CN201310723937.7A 2013-12-24 2013-12-24 Node discovery method in a kind of communication network and system Active CN103701700B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310723937.7A CN103701700B (en) 2013-12-24 2013-12-24 Node discovery method in a kind of communication network and system

Publications (2)

Publication Number Publication Date
CN103701700A CN103701700A (en) 2014-04-02
CN103701700B true CN103701700B (en) 2017-01-04

Family

ID=50363102

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310723937.7A Active CN103701700B (en) 2013-12-24 2013-12-24 Node discovery method in a kind of communication network and system

Country Status (1)

Country Link
CN (1) CN103701700B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282161B (en) * 2015-10-23 2019-02-26 绵阳师范学院 A peer-to-peer anonymous communication method based on random stateless address allocation strategy in IPv6 network
CN105933399A (en) * 2016-04-18 2016-09-07 乐视控股(北京)有限公司 Content distribution network implementation method and system based on SDN
CN105933398A (en) * 2016-04-18 2016-09-07 乐视控股(北京)有限公司 Access request forwarding method and system in content distribution network
CN108075895B (en) * 2016-11-15 2020-03-24 深圳银链科技有限公司 Node permission method and system based on block chain
JP6665793B2 (en) * 2017-01-17 2020-03-13 京セラドキュメントソリューションズ株式会社 Ad hoc network route construction system, node, center node, and ad hoc network route construction method
CN108337092B (en) * 2017-01-17 2021-02-12 华为国际有限公司 Method and system for performing collective authentication in a communication network
CN106941492A (en) * 2017-03-30 2017-07-11 南京瑞合新信息技术有限公司 Data safe transmission method between multiple cloud service nodes
CN108551678B (en) * 2018-03-20 2021-11-12 深圳友讯达科技股份有限公司 Node dual-mode sensing method and communication system
CN109379740B (en) * 2018-10-10 2022-03-04 北京智芯微电子科技有限公司 Wireless cooperative communication security interaction method
CN109379283B (en) * 2018-12-11 2021-04-23 浩云科技股份有限公司 Ad hoc network communication method and device based on heterogeneous equipment of Internet of things and ad hoc network
US20220182243A1 (en) * 2019-04-25 2022-06-09 Telefonaktiebolaget Lm Ericsson (Publ) Method and Apparatus for Distributed Ledger
CN110234154B (en) * 2019-06-17 2021-11-30 广东工业大学 Outdoor team communication system supporting ad hoc network
CN110430221A (en) * 2019-08-30 2019-11-08 天津大学 A kind of NDP-ESP network security method based on Neighbor Discovery Protocol
CN113507434B (en) * 2021-05-28 2022-11-29 清华大学 Data security transmission method, node and system in communication network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098318A (en) * 2011-03-23 2011-06-15 电子科技大学 Method for performing end-to-end anonymity safety communication of hop network
CN102158864A (en) * 2011-04-15 2011-08-17 北京航空航天大学 Mobile AD Hoc network self-adapting secure routing method based on reliability
CN102325131A (en) * 2011-07-20 2012-01-18 北京邮电大学 Two-way identity authentication method for wireless sensor network nodes
CN102404737A (en) * 2011-12-29 2012-04-04 重庆邮电大学 Wireless sensor network secure routing method based on dynamic detection
CN102970679A (en) * 2012-11-21 2013-03-13 联想中望系统服务有限公司 Identity-based safety signature method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2034782A1 (en) * 2007-09-06 2009-03-11 Siemens Aktiengesellschaft A method for misbehaviour detection in secure wireless mesh networks

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098318A (en) * 2011-03-23 2011-06-15 电子科技大学 Method for performing end-to-end anonymity safety communication of hop network
CN102158864A (en) * 2011-04-15 2011-08-17 北京航空航天大学 Mobile AD Hoc network self-adapting secure routing method based on reliability
CN102325131A (en) * 2011-07-20 2012-01-18 北京邮电大学 Two-way identity authentication method for wireless sensor network nodes
CN102404737A (en) * 2011-12-29 2012-04-04 重庆邮电大学 Wireless sensor network secure routing method based on dynamic detection
CN102970679A (en) * 2012-11-21 2013-03-13 联想中望系统服务有限公司 Identity-based safety signature method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Research on a mutually authenticated secure routing protocol for Ad hoc networks"; Li Zhitang et al.; Journal of Chinese Computer Systems (小型微型计算机系统); 2005-09-30; Vol. 26, No. 9; pp. 1507-1509 *
"Secure on-demand routing protocol for mobile Ad Hoc networks"; Liu Qiaoping et al.; Modern Electronics Technique (现代电子技术); 2010-12-31; No. 16; pp. 97-100 *

Also Published As

Publication number Publication date
CN103701700A (en) 2014-04-02

Similar Documents

Publication Publication Date Title
CN103701700B (en) Node discovery method in a kind of communication network and system
EP2329621B1 (en) Key distribution to a set of routers
US11362837B2 (en) Generating trustable RPL messages having root-signed rank values
CN109698791B (en) Anonymous access method based on dynamic path
US11558194B2 (en) Secured protection of advertisement parameters in a zero trust low power and lossy network
WO2010054542A1 (en) Cga public key identification, cga public key determination method, system and device
CN105871929A (en) Wireless sensor network anonymity communication method
Wan et al. Anonymous user communication for privacy protection in wireless metropolitan mesh networks
Yang et al. I know if the journey changes: Flexible source and path validation
Wang et al. T-IP: A self-trustworthy and secure Internet protocol
CN104703174B (en) A kind of wireless Mesh netword routing safety guard method
CN102572822A (en) Method and device for realizing security routing
CN101702727B (en) Method for defending against DDos in address disjunction mapping network
JP2004134855A (en) Source authentication method in packet communication network
Elamathi et al. RETRACTED ARTICLE: Enhanced secure communication over inter-domain routing in heterogeneous wireless networks based on analysis of BGP anomalies using soft computing techniques
Fusenig et al. Acimn protocol: A protocol for anonymous communication in multi hop wireless networks.
Li et al. Enhancing the security of on-demand routing in ad hoc networks
WO2024001987A1 (en) Method for generating validation rule, and related apparatus
CN111510427B (en) Method for mitigating path creation attack in I2P network system, computer-readable storage medium, and I2P network system
CN103124257B (en) Security alliance management method and equipment
Li et al. Secure access authentication for media independent information service
Othmen et al. Shortest and secure routing protocol for multi‐hop cellular networks (SSRP‐MCN)
Vetriselvi et al. Secure communication for multipath ad hoc network
Thangadorai et al. A Novel Process to Avoid Redundant Encryption and Decryption in Wi-Fi Mesh Network
Grinshpoun et al. Avoidance of misbehaving nodes in wireless mesh networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant