US 12,218,911 B2
Security guarantee method and apparatus for full life cycle of packet, and decentralized network trust system
Ke Xu, Beijing (CN); Bo Wu, Beijing (CN); Jianping Wu, Beijing (CN); and Qi Li, Beijing (CN)
Assigned to TSINGHUA UNIVERSITY, Beijing (CN)
Filed by Tsinghua University, Beijing (CN)
Filed on Sep. 30, 2021, as Appl. No. 17/490,435.
Application 17/490,435 is a continuation of application No. PCT/CN2020/134039, filed on Dec. 4, 2020.
Claims priority of application No. 202010332302.4 (CN), filed on Apr. 24, 2020.
Prior Publication US 2022/0038425 A1, Feb. 3, 2022
Int. Cl. H04L 9/30 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/0236 (2013.01) [H04L 9/30 (2013.01); H04L 63/08 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)] 13 Claims
1. A security guarantee method for a full life cycle of a data packet, applicable to a decentralized network trust system (DNTS) created by global network nodes for a plurality of autonomous domains (ASs), wherein the plurality of ASs are connected in a blockchain, the method comprising:
in response to the data packet generated at a communication source, performing authenticity verification on a source address and an identity of the data packet, comprising:
sampling, by a network node Ni, a source address src and a network identity NetID in the data packet, verifying, by the network node Ni, the source address and a forwarding path with a public key of the communication source or a symmetric key shared between the communication source and the network node Ni, and uploading a network status to a global network node Nodei, wherein the network status is expressed as NetStatus={src, NetID, Signi (src∥NetID)}, where Signi (src∥NetID) represents a signature obtained by Ni using its private key and taking the concatenation of the src and the NetID as an input;
verifying by the Nodei, a signature in the network status with a public key of the network node Ni, or a marking in the network status with a symmetric key shared between the global network node Nodei and the network node Ni, continuing to broadcast the network status to the remaining global network nodes in response to the signature being correct and discarding the network status in response to the signature being wrong; and
recording by the Nodei, the network status in the DNTS through a consensus algorithm, and determining the authenticity of the src in the network status by querying a set of address prefixes of an AS to which the Nodei belongs;
in a network forwarding process of the data packet, performing collaborative sampling on the data packet and performing credibility verification on related routing behaviors, comprising:
sampling, by the Ni, information of the data packet and related routing behaviors of adjacent network nodes, wherein the related routing behaviors include one or more of discarding a message, tampering with a message, and illegally modifying a forwarding path of a message; and
in response to the data packet reaching a destination end, determining a security degree of the data packet by querying whether behaviors of both the source end and network nodes along the forwarding path in the DNTS are abnormal;
wherein determining the authenticity of the src in the network status comprises:
determining that the src in the data packet is authentic in response to the src belonging to the set of address prefixes, and determining that the src in the data packet is not authentic in response to the src not belonging to the set of address prefixes.
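The steps of the source-address authenticity check in claim 1 (Ni builds NetStatus over src∥NetID, Nodei verifies it, discards it on failure, and otherwise decides authenticity by membership of src in the AS prefix set) can be followed with a small worked model. The code below is an added illustration and is not from the patent or from Tsinghua University; it uses the symmetric-key "marking" variant the claim allows (an HMAC over src∥NetID) rather than a public-key signature, and the shared key, the NetID value and the AS prefix set are constructed sample values. The concatenation is length-prefixed so that an IPv4 and an IPv6 src cannot be confused with part of the NetID.

```python
import hmac
import hashlib
import ipaddress

# Constructed sample key: the symmetric key shared between network node Ni and
# global network node Nodei (a real deployment would provision this per node pair).
SHARED_KEY_NI_NODEI = b"demo-shared-key-Ni-Nodei"

# Constructed sample value: address prefixes announced by the AS that Nodei belongs to.
AS_PREFIXES = ["203.0.113.0/24", "2001:db8::/32"]


def concat_src_netid(src: str, net_id: str) -> bytes:
    """src || NetID as an unambiguous byte string: length-prefixed packed address, then NetID."""
    packed = ipaddress.ip_address(src).packed          # 4 bytes (IPv4) or 16 bytes (IPv6)
    return bytes([len(packed)]) + packed + net_id.encode()


def make_marking(key: bytes, src: str, net_id: str) -> bytes:
    """Symmetric-key marking over src || NetID (stands in for Sign_i(src || NetID))."""
    return hmac.new(key, concat_src_netid(src, net_id), hashlib.sha256).digest()


def build_net_status(key: bytes, src: str, net_id: str) -> dict:
    """Step taken by Ni: sample src and NetID, mark them, produce NetStatus for upload."""
    return {"src": src, "NetID": net_id, "marking": make_marking(key, src, net_id)}


def verify_net_status(key: bytes, status: dict) -> bool:
    """Step taken by Nodei: recompute the marking with the shared key and compare in constant time."""
    expected = make_marking(key, status["src"], status["NetID"])
    return hmac.compare_digest(expected, status["marking"])


def src_is_authentic(src: str, as_prefixes: list) -> bool:
    """src is authentic iff it falls inside one of the AS's announced prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in as_prefixes)


def global_node_process(key: bytes, status: dict, as_prefixes: list) -> str:
    """Nodei's decision for one NetStatus.

    Returns 'discard' when the marking does not verify (status is dropped, not
    broadcast), otherwise 'authentic' or 'not_authentic' from the prefix-set query.
    """
    if not verify_net_status(key, status):
        return "discard"
    return "authentic" if src_is_authentic(status["src"], as_prefixes) else "not_authentic"


if __name__ == "__main__":
    # Constructed sample packets: one from inside the AS, one spoofed from outside it.
    for src in ("203.0.113.7", "2001:db8::1", "198.51.100.9"):
        status = build_net_status(SHARED_KEY_NI_NODEI, src, "NetID-demo-0001")
        print(src, "->", global_node_process(SHARED_KEY_NI_NODEI, status, AS_PREFIXES))
    # A status whose src field was altered after marking fails verification and is discarded.
    tampered = dict(build_net_status(SHARED_KEY_NI_NODEI, "203.0.113.7", "NetID-demo-0001"))
    tampered["src"] = "203.0.113.8"
    print("tampered ->", global_node_process(SHARED_KEY_NI_NODEI, tampered, AS_PREFIXES))
```

The three outcomes map onto the claim: a bad marking is the "signature being wrong" branch and the status never reaches consensus; a good marking with src outside the prefix set is recorded but judged not authentic; only a good marking with src inside the set is judged authentic. Note that the check is only as strong as the prefix set Nodei holds, so that set itself has to come from a trustworthy source (in the claim, the DNTS record).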