Routers work in the network layer of the OSI seven-layer protocol. Their main function is to connect the network with the network and forward packets between the networks. Routers have become the most important network equipment, so the research on the new generation of routers will become the core technology of the next generation of Internet research. Due to the IPv4, IPv6 protocols that used in the Internet, the new requirements for trusted Cyber Security connections are not met. The TCP/IP protocol has no security concerns, it does not provide address authentication, does not prevent unauthorized access, and does not protect against DOS attacks.
At present, all kinds of malicious software and spam information are rampant on the Internet, which seriously pollutes the use environment of the Internet and directly affects the survival of the Internet. As a result, all countries over the world have developed a new generation of green Internet research. In 2008 the European Union’s 65 scientific institutions jointly issued the brad declaration, calling for a new generation of the Internet. The European Union has raised 9.1 billion Euros to support future Internet research and development. The U.S governments have also successive proposed identity authentication and Addressing system as major scientific research tasks, and emphasized international cooperation. ISO, the international standards body, put forward its plan for the future network in 2007.
In 2007, Chinese researchers Xie Jianping proposed the IPv9 geographical location addressing method, which solved the problem of combining IP address with geographical location. Later, South Korea also proposed the idea of geographical location addressing, and becoming the second country to propose a new method of addressing. CPK (Combined Public Key) identity authentication technology is mature and can be used in Internet protocol to realize trusted connection. So far, China had already had the technology foundation that research and development next generation router and future network protocol.
In order to realize the trusted connection between routers and users, the user name (Pc1) and route address (Alfa) are identified for identity authentication. Among routers, mutual authentication is made with IP address as identity, and mutual authentication is made with user name as identity between users. Suppose that Pc1ID is the user name of a client and AlfaID is the IP address of a router. Assume that AlfaID=“china-beijing-haidian-peking university” and BetaID=“china-beijing-haidian-tsinghua university”.
Now assume the starting address is AlfaID and the destination address is BetaID, and the connection process is shown in figure 1 (dotted lines indicate that CPK-card is used and the original address is identified)..
Data workflow diagram
The IP packet of the original router passes through multiple routing routers and finally arrives at the destination router. Illegal access is easy to access in the intermediate routing router. It can be seen from the working principle of the above router that previous routers only pay attention to the routing of the next hop and do not care where the packet comes from. Therefore, if we do not solve the origin address verification, we cannot overcome the illegal access.
Some people try to solve the problem of illegal access by means of encryption, but under the condition of public key system, this is futile. For example, Beta is the receiving party, and its public key is public, so anyone can encrypt Beta, so Beta still doesn’t know who the sender is.
In order to achieve the trusted connection, the router must meet the following four conditions:
The connection policy is as follows.
The IPV9 v4/v6 compatible data forwarding process is shown in figure 2.
Data forward process diagram
CPK is a public key-based cryptography system that takes the identity of any entity directly as the public key, while the private key is distributed in the form of ID-card. Now, for example PC1, ALFA (uppercase) and so on respectively represent their public keys, pc1, alfa (lowercase) and so on respectively represent their private keys. If it has been insert a CPK-card defined as AlfaID on any router, the router becomes the identified router as AlfaID. Similarly, any router inserts a CPK-card defined as BetaID, and the router becomes the identified router as BetaID.
The router is configured with CPK-card, which has the functions of digital signature and key exchange. The contents of CPK-card are as follows: let the router’s IP address be alfa (alfa may be the real name of China. Beijing. Haidian. Peking University etc. and it can be changed into machine executable code after the unified name translation). ID-card format and size is as table 1.
ID-CARD FORMAT AND SIZE
1 | Z1: Validate parameter | 16B | EPWD(R1)=Z1 |
2 | Z2: Validate parameter | 16B | ERl(Rl) ⊕ R1=Z2 |
3 | Identify definition | 25B | alfa |
5 | Private key 1 | 32B | ERl(cskl)=Yl |
6 | Private key 2 | 32B | ERl(csk2)=Y2 |
10 | Issue unit | 25B | KMC |
11 | Signature of issue unit | 48B | SIGkmc (MAC) |
Suppose the original place is AlfaID, the next router is GammaID, AlfaID sends data, Mas1 AlFaID→GammaID:{Alfa, signl, Beta, time data, checksum}
Where, sign1 is the signature of the original AlfaID address, that is sign1= SIGalfa (time), BetaID is the destination address, SIG is the signature function, and alfa is the private key of the signature, provided by CPK-card. Where data is data from the application layer, data may be plaintext or ciphertext. The router’s job is to pass the data to the next router.
GammaID verifies the signature of original address: SIG-1ALFA(time)=sign1’
Where SIG-1 is the validation function and ALFA is the public key. If sign1=sign1’, allow this connection, forward Msgl, and audit. Identify replay attacks against time.
The structure of data is defined as follows: Data={Pc1ID,Pc2ID,data, mac}, Where Pc1ID is the sender and Pc2ID is the receiver.
Version | Category | Flow label | Payload Length | Next Header | Hop limit |
---|---|---|---|---|---|
Source address | |||||
Destination address | |||||
time | |||||
Identification code (signature) 40BYTE |
When the data is in plaintext: Data={ Pc1ID, Pc2ID, clear-text, mac};
When the data is in ciphertext: Data={Pc1ID, Pc2ID, coded-key, coded-data, mac};
If the encryption and decryption function is provided by the router, and Alfa encryption and Beta decryption are set, then data encryption can only be done in a non-online way.
If the router is responsible for encryption and decryption, and this data is encrypted data, coded key and coded data need to be interpreted and a series of steps shall be performed:
Send ciphertext cipher=text and coded-key to BetaID.
BetaID receives a signal from the AlfaID and automatically enters the decryption process.
BetaID computes the inverse of the private key: beta-i ;
BetaID calculates the session key: beta-1(coded-key)=key;
Data decryption: Dkey(cipher-text)= data.
The new features require the development of a new IP header format that includes at least the original address, the start address identifier, the destination address, the data, and the checksum. Data encryption only affects the data format, not the IP packet header format.
The encoding format of IPV9 is shown in the following table 2.
ENCODING FORMAT OF IPV9
segment | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
---|---|---|---|---|---|---|---|
Head segment | Address area | Entity code | Vendor code | Product code | Product class code | ||
Country code | District code | Year code | Single product code | ||||
2 | 4 | 6 | 4bit | 14bit | 20bit | 8bit | 199bit |
362300 | 3211 | 123345678912345 | 12345678912345678912 | 20090317 | 32564328 |
When the industrial standard “business RFID label data format” is adopted, the enterprise product coding data format is as follows:
12345678912345-12345678912345678912-20090317-32564328.
3221-12345678912345-12345678912345678912-20090317-32564328.
362300-3221-12345678912345-12345678912345678912-20090317-32564328
00-8600-36230 — 3221-12345678912345-12345678912345678912-20090317-32564328. 01-8600-362300 — 3221-12345678912345-12345678912345678912-20090317-32564328. 02-8600-362300 — 3221-12345678912345-12345678912345678912-20090317-32564328.
12345678912345]12345678912345678912]20090317]32564328.
3221]12345678912345]12345678912345678912]2 0090317]32564328.
362300]3221]12345678912345]12345678912345678912]20090317]32564328
00]8600]362300]3221]12345678912345]12345678 912345678912]20090317]32564328 01]8600]362300]3221]12345678912345]12345678 912345678912]20090317]32564328 02]8600]362300]3221]12345678912345]12345678 912345678912]20090317]32564328
In order to ensure the credibility of the operation of the router, all the execution code in the router must be certified by the manufacturer (level 1 certification), that is, the manufacturer sign on the appearance of all the execution code. Each router has an authentication function (provided by CPK-card).
The manufacturer has a CPK-card, which can carry out manufacturer signature on all system software in the router. Implementation software is divided into software identity (codeID) and software ontology (codeBD), which are signed by the manufacturer respectively:
SIG-1manufacturer (codeID) sign1
SIG-1manufacturer (codeBD) = sign2
Where, SIG is the signature function, manufacturer is the private key of the manufacturer, codeID is the name of the executing code, and codeBD is the HASH value of the executing code ontology. Any executing code in the router has its own authentication codes, sign1 and sign2.
The router inserts the CPK-card so that it has the CPK authentication function. There are two ways to verify the router: one is to uniformly verify when the router is turned on, and the code that fails to pass the verification is uniformly deleted to ensure that the router system returns to the original state; the other is that when software code is invoked, it is validated first and then executed.
Verify sign1 and sign2 respectively:
SIG-1MANUFACTURER (codeID)=sign1’
SIG-1MANUFACTURER (codeBD)=sign2’
Where MANUFACTURER is the public key, it is allowed execute if sign1=sign1’and sign2=sign2’, otherwise it is rejected. In this way to ensure that the implementation of the router code is the manufacturer certification code, other code will not be executed, from the attack of viruses, Trojans.
The TCP/IP protocol does not guarantee trusted connections, so it must be modified. Based on geographical encoding and location addressing, three key techniques of trusted methods are proposed in this paper. Use address identification mechanism to prevent illegal connection; Adopt random Q&A mechanism to prevent replay attack; Software code can be identified by the mechanism, to prevent the intrusion of viruses, Trojans.
The above design method is fully applicable to the trusted connection of the physical layer. There are two kinds of physical layer: one is the physical layer defined in the seven-layer information network protocol, and the platform supporting the information network is the application program interface (API). The second is the physical layer defined in the telecommunications network, and the platform supporting the telecommunications network is the telecommunications reference point (TRP). In the information network, if the network layer can guarantee the credibility of transmission, the security of the physical layer can be replaced by the network layer. However, the physical layer of the telecom network, without modification, cannot achieve trusted connection, cannot prevent illegal access. It is modified in exactly the same way as the router.