CN103491073A - Safety communication method based on TLSA protocol in C/S network architecture - Google Patents


Info

Publication number
CN103491073A
Authority
CN
China
Prior art keywords
tlsa
domain name
record
method based
network architecture
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310407338.4A
Other languages
Chinese (zh)
Inventor
隋鹏宇
齐超
杨卫平
李洪涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Computer Network Information Center of CAS
Original Assignee
Computer Network Information Center of CAS

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a safety communication method based on the TLSA protocol in a C/S (client/server) network architecture. The method comprises the following steps: (1) domain names, static IP addresses corresponding to the domain names, and certificates corresponding to the domain names are allocated; (2) the user applies for reverse resolution of the IP address to the domain name, the holder of the static IP corresponding to the domain name applies to the network operator for reverse resolution of the IP, and a PTR record is stored on the DNS; (3) a connection is established by domain name and/or by IP; before communication is established, the IP used in the IP mode is reverse-resolved, and the domain name corresponding to that IP is obtained from the PTR record on the DNS; (4) the domain name obtained in step (3) and/or the domain name used in the domain-name mode is associated with the certificate on the client to generate a new TLSA record, the corresponding TLSA record is looked up on the DNS, and TLSA verification is carried out. The method does not depend on other systems, operates only within the scope of the DNS, and is easy to implement.

Description

Safety communication method based on TLSA protocol in C/S network architecture
Technical field
The present invention relates to a deployment method under a network architecture, in particular to a method of deploying TLSA in a C/S network architecture, and belongs to the field of computer network information.
Background technology
In recent years, network communication security incidents have occurred frequently: hackers have exploited careless CA auditing to obtain certificates that do not belong to them, and have then used those certificates to eavesdrop on communication with government websites, causing very serious harm. In August 2012 the IETF published RFC 6698, which defines the TLSA protocol based on DANE (DNS-Based Authentication of Named Entities) and can address this problem. However, the protocol as defined in the RFC can only be used in scenarios where the connection is made by domain name, whereas most networks with a C/S architecture connect by IP address, which the protocol cannot support; examples are Baidu's registration and login system and the CNNIC domain name registration system.
At present, the United States has begun partial deployment of TLSA technology, and Verisign has set up a laboratory dedicated to DANE. Domestically, internet communication security problems are very serious; the TLSA protocol can only be used in scenarios where the connection is made by domain name, while under a C/S network structure communication between hosts mostly uses IP addresses. Therefore, how to make a TLSA record for an IP and how to perform TLSA resolution for an IP are rules that need to be redefined.
In the prior art, some have proposed making a TLSA record from an IP address plus a certificate, but this scheme is unreasonable: the TLSA record is kept on a DNS server and is generated by associating a domain name with a certificate, and only the owner of the domain name has the authority to submit the TLSA record for that domain name. The DNS system cannot identify and prove whether a given static IP address belongs to a given domain name registrant; if registrants were allowed to generate TLSA records for arbitrary IPs, it would be extremely dangerous and would produce serious security problems.
In the prior art, others have proposed that a server protected by TLSA should, when establishing an SSL connection, not support connection by IP and support only domain names. This scheme is equally unreasonable: connecting only by domain name leaves open the possibility that a hacker tampers with the hosts file on the user's PC and redirects a domain name to some illegitimate IP. Because the use of IP addresses to establish SSL connections is very widespread under the C/S model, networks that communicate by IP also need TLSA protection.
Therefore, enabling the DANE-based TLSA protocol to support network architectures that connect by IP, while keeping the scheme reasonable, has become the technical problem to be solved.
Summary of the invention
In view of the deficiencies of the prior art, the object of the invention is to propose a communication method that deploys TLSA to a network with a C/S architecture without relying on other systems, operating only within the scope of the DNS.
The technical scheme of the invention is a safety communication method based on the TLSA protocol in a C/S network architecture, comprising the steps of:
(1) allocating at least one domain name and a DNS server for the domain name, and at least one static IP address corresponding to the domain name, and applying for at least one certificate to be associated with the domain name for verification;
(2) the user applies for reverse resolution of the IP to the domain name; at the same time, the holder of the static IP corresponding to the domain name applies to the network operator for reverse resolution of the IP, and the PTR record is stored in the DNS server;
(3) the connection is established by domain name and/or by IP; before communication is established, the IP used in the IP mode is reverse-resolved, and the domain name corresponding to the reverse resolution is obtained from the PTR record in the DNS server;
(4) the domain name obtained in step (3) and/or the domain name used in the domain-name mode is associated with the certificate on the client to generate a new TLSA record, the corresponding TLSA record is looked up in the DNS server, and TLSA verification is carried out.
Further, the TLSA record is the resource record defined in RFC 6698.
Further, the communication is established in SSL mode.
Further, if the connection is established neither by IP nor by domain name, an error is reported.
Further, when connecting, if reverse resolution fails, the IP address cannot be reverse-resolved to a domain name, TLSA verification cannot be carried out, and an error is reported.
Further, the PTR record is defined according to the internet standard document RFC 1035.
Further, the DNS server holds A records, NS records, TLSA records and PTR records across the whole deployment.
Beneficial effects of the invention:
Because the scheme does not rely on other systems and operates only within the scope of the DNS, the scheme proposed by the invention is very simple to implement. Moreover, the scheme changes the framework of the existing TLSA protocol very little: it only adds a preprocessing step before TLSA verification, reverse-resolving the IP to a domain name and then performing TLSA verification, and is thus an extension of the TLSA protocol.
Description of the drawings
Fig. 1 is a schematic diagram of IP reverse resolution in the prior art.
Fig. 2 is a flow diagram of the IP-to-domain-name reverse resolution newly added by the present invention.
Embodiment
To describe the invention clearly, the following concepts are first explained:
PTR record: a record type in the domain name system, defined by the internet standard document RFC 1035 and often used for reverse address resolution.
TLSA record: similar to the A record in the DNS system, it is a resource record defined in RFC 6698.
TLSA verification: a method defined in the RFC 6698 protocol, used to verify whether the TLSA record generated by the client matches the TLSA record on the DNS server.
IP reverse resolution: if the IP can be resolved to a domain name, the TLSA record is verified; if it cannot, TLSA verification fails.
The method is effective only for IP addresses that can be reverse-resolved. However, the networks that need TLSA protection are generally large-scale networks with very high security requirements, and enabling reverse resolution of their IP addresses is achievable for those skilled in the art. The specific implementation steps are as follows:
IP reverse resolution obtains the domain name that an IP address points to by querying the PTR (pointer) record of the IP address; naturally, the domain name can only be obtained successfully if a PTR record exists for that IP address. The process is as shown in Fig. 1: for any host name test.suipy.com, the holder of the corresponding static IP must apply to its network operator for reverse resolution of the IP, and after the operator's review passes, the generated PTR record is placed on the name server. When a user reverse-resolves the IP address xxx.xxx.xxx.xxx, the PTR record is queried from the name server, yielding the corresponding domain name test.suipy.com.
First, the static IP holder applies to the network operator for reverse resolution of the IP; the operator reviews the application and, after approval, produces the PTR record; the operator sends the PTR record to the DNS server, and the DNS server creates the PTR record. Then reverse resolution of the IP is applied for under the domain name .COM (any suffix is possible) (the user applies to China Telecom, and China Telecom in turn applies to the domain name authority responsible for that domain); both of these must be applied for in advance.
Finally, when a user requests reverse resolution of the IP address, the PTR record in the DNS server is queried to obtain the reverse-resolved domain name.
It can be seen that if a server is to be accessed by IP and expects TLSA protection, it must have at least one domain name, one static IP and one certificate. It then applies to its network operator for reverse resolution of the static IP to the corresponding domain name. Once these conditions are met, a TLSA protocol for communication networks over IP can be designed. The resolution steps of the invention, as shown in Fig. 2, are as follows:
1. Before the SSL connection is established, determine the mode of communication: if it is by domain name, go to step 3; if it is by IP address, go to step 2; otherwise report the error "please enter a correct communication address" and exit.
Step 1 determines the connection mode (in the case of communication by domain name, the domain name is directly associated with the certificate of the accessed website, and the TLSA record is looked up on the DNS server).
2. Reverse-resolve the IP address: if resolution succeeds, go to step 3; if it fails, report the error "this IP address cannot be reverse-resolved to a domain name; TLSA verification cannot be carried out" and exit.
Step 2 reverse-resolves the IP address for a request that connects by IP address.
3. As required, associate the domain name with the certificate to obtain a TLSA record in the specific format defined in RFC 6698, look up the corresponding TLSA record on the DNS server, and perform TLSA verification.
Step 3: one or more definite domain names are obtained from the reverse resolution of the IP address; the client associates the domain name with the website certificate to generate a TLSA record, and at the same time looks up the corresponding TLSA record on the DNS server; the method of generating the TLSA record is defined in RFC 6698. Verifying whether the TLSA record generated by the client matches the TLSA record on the DNS server is the TLSA verification. The TLSA record is kept on the DNS server and is generated from the domain name and the certificate according to a specific algorithm.
A specific embodiment of the invention comprises:
Website deployment:
The site has host name test.suipy.cn (name server ns1.cnnic.cn).
The site has static IP address 218.88.106.222 (ISP: China Telecom).
The site administrator applies to China Telecom to reverse-resolve IP address 218.88.106.222 to host name test.suipy.cn. After receiving the request, China Telecom contacts ns1.cnnic.cn, and the corresponding PTR record is generated on the ns1.cnnic.cn name server.
User access to the website:
1. If the user accesses the website by test.suipy.cn, test.suipy.cn is directly associated with the website certificate to generate a TLSA record, and TLSA verification is carried out: the TLSA record generated by the user (TLSA_1) is compared with the TLSA record obtained from the DNS server (TLSA_2); if TLSA_1 is identical to TLSA_2, verification succeeds; otherwise, verification fails.
2. If the user accesses the website by 218.88.106.222, reverse resolution of the IP address is carried out first to obtain the corresponding host name test.suipy.cn. The obtained host name test.suipy.cn is then associated with the website certificate to generate a TLSA record, and TLSA verification is carried out.
After TLSA verification succeeds, a more secure communication is established.
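As an added illustration (not code from the patent or its applicant), the following Python walks through the embodiment above end to end: classify the address the client was given, reverse-resolve an IP through its PTR record, build TLSA_1 from the resulting host name and the presented certificate in the RFC 6698 format, and compare it with the published TLSA_2. The DNS answers and the certificate bytes are constructed in-line stand-ins, and the function names, the DANE-EE / full-certificate / SHA-256 record parameters and the port 443/TCP owner name are assumptions of the example rather than anything the patent specifies.

```python
import hashlib
import ipaddress
import re

# Constructed stand-ins for DNS answers. This example does no network I/O;
# a real client would issue the PTR and TLSA queries through a DNSSEC-validating resolver.
PTR_RECORDS = {
    # the PTR record the embodiment describes: 218.88.106.222 -> test.suipy.cn
    "222.106.88.218.in-addr.arpa.": "test.suipy.cn.",
}

# Constructed placeholder for the website's DER-encoded certificate (not a real certificate).
SITE_CERT_DER = b"constructed DER bytes standing in for the test.suipy.cn certificate"

# The two error texts from the description's steps 1 and 2.
ADDRESS_ERROR = "please enter a correct communication address"
REVERSE_ERROR = ("this IP address cannot be reverse-resolved to a domain name; "
                 "TLSA verification cannot be carried out")


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address (in-addr.arpa / ip6.arpa, RFC 1035)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def tlsa_owner_name(host, port=443, proto="tcp"):
    """Owner name of the TLSA record, _port._proto.host, as laid out in RFC 6698 section 3."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def make_tlsa(cert_der, usage=3, selector=0, matching=1):
    """Build a TLSA record tuple (usage, selector, matching type, association data).

    Only selector 0 (the full certificate) is implemented; selector 1 (SubjectPublicKeyInfo)
    would require parsing the certificate's ASN.1 structure and is out of scope here.
    Matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512 (RFC 6698 section 2.1.3).
    """
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported in this example")
    if matching == 0:
        data = cert_der.hex()
    elif matching == 1:
        data = hashlib.sha256(cert_der).hexdigest()
    elif matching == 2:
        data = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return (usage, selector, matching, data)


# Constructed TLSA record set published for the host name (usage 3 = DANE-EE, full cert, SHA-256).
TLSA_RECORDS = {
    tlsa_owner_name("test.suipy.cn"): [make_tlsa(SITE_CERT_DER)],
}


def resolve_address(target):
    """Steps 1 and 2: classify the address and reverse-resolve an IP via its PTR record.

    Returns the domain name (without trailing dot) to use for the TLSA lookup, or raises
    ValueError carrying one of the two error texts from the description.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        # Not an IP address: accept it as a domain name if it looks like one, else report an error.
        if re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\.?", target):
            return target.rstrip(".")
        raise ValueError(ADDRESS_ERROR)
    name = PTR_RECORDS.get(reverse_name(target))
    if name is None:
        raise ValueError(REVERSE_ERROR)
    return name.rstrip(".")


def tlsa_matches(host, cert_der):
    """Step 3: derive TLSA_1 from host name + presented certificate and compare with TLSA_2 from DNS.

    Each published record's usage/selector/matching fields decide how TLSA_1 is derived;
    verification succeeds only if the derived record is identical to a published one.
    """
    published = TLSA_RECORDS.get(tlsa_owner_name(host), [])
    for usage, selector, matching, _ in published:
        try:
            if make_tlsa(cert_der, usage, selector, matching) in published:
                return True
        except ValueError:
            continue  # parameter combination this example cannot derive: cannot match that record
    return False


def check_connection(target, cert_der):
    """Whole flow; returns ("ok", host), ("failed", host) or ("error", message)."""
    try:
        host = resolve_address(target)
    except ValueError as err:
        return ("error", str(err))
    return ("ok", host) if tlsa_matches(host, cert_der) else ("failed", host)


if __name__ == "__main__":
    for addr in ("test.suipy.cn", "218.88.106.222", "10.0.0.1", "not an address"):
        print(addr, "->", check_connection(addr, SITE_CERT_DER))
```

Two points a deployment needs beyond this sketch. RFC 6698 requires the TLSA answer to be DNSSEC-validated, and in this method the PTR answer must be validated as well, because an unsigned PTR record would let whoever controls the reverse zone steer the client to a name of their choosing. And the name the PTR record returns should be one whose forward zone the site owner actually controls, which is the same ownership requirement the description relies on when it rejects TLSA records keyed directly by IP address.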

Claims (7)

1. A safety communication method based on the TLSA protocol in a C/S network architecture, comprising the steps of:
(1) allocating at least one domain name and a DNS server for the domain name, and at least one static IP address corresponding to the domain name, and applying for at least one certificate to be associated with the domain name for verification;
(2) the user applies for reverse resolution of the IP to the domain name; at the same time, the holder of the static IP corresponding to the domain name applies to the network operator for reverse resolution of the IP, and the PTR record is stored in the DNS server;
(3) the connection is established by domain name and/or by IP; before communication is established, the IP used in the IP mode is reverse-resolved, and the domain name corresponding to the reverse resolution is obtained from the PTR record in the DNS server;
(4) the domain name obtained in step (3) and/or the domain name used in the domain-name mode is associated with the certificate on the client to generate a new TLSA record, the corresponding TLSA record is looked up in the DNS server, and TLSA verification is carried out.
2. The safety communication method based on the TLSA protocol in a C/S network architecture according to claim 1, characterized in that the TLSA record is the resource record defined in RFC 6698.
3. The safety communication method based on the TLSA protocol in a C/S network architecture according to claim 1, characterized in that the communication is established in SSL mode.
4. The safety communication method based on the TLSA protocol in a C/S network architecture according to claim 1, characterized in that, if the connection is established neither by IP nor by domain name, an error is reported.
5. The safety communication method based on the TLSA protocol in a C/S network architecture according to claim 1, characterized in that, when connecting, if reverse resolution fails, the IP address cannot be reverse-resolved to a domain name, TLSA verification cannot be carried out, and an error is reported.
6. The safety communication method based on the TLSA protocol in a C/S network architecture according to claim 1, characterized in that the PTR record is defined according to the internet standard document RFC 1035.
7. The safety communication method based on the TLSA protocol in a C/S network architecture according to claim 1, characterized in that the DNS server holds A records, NS records, TLSA records and PTR records across the whole deployment.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310407338.4A CN103491073A (en) 2013-09-09 2013-09-09 Safety communication method based on TLSA protocol in C/S network architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310407338.4A CN103491073A (en) 2013-09-09 2013-09-09 Safety communication method based on TLSA protocol in C/S network architecture

Publications (1)

Publication Number Publication Date
CN103491073A true CN103491073A (en) 2014-01-01

Family

ID=49831032

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310407338.4A Pending CN103491073A (en) 2013-09-09 2013-09-09 Safety communication method based on TLSA protocol in C/S network architecture

Country Status (1)

Country Link
CN (1) CN103491073A (en)

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
P.HOFFMAN, J.SCHLYTER: "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", 《RFC 6698》 *
沈士根: "基于域名系统的证书验证系统研究与实现", 《计算机应用》 *
王达: "《金牌网管师(初级)中小型企业网络组建、配置与管理》", 30 September 2009, 中国水利水电出版社 *
陈强,程楠,卢博: "IPv6网络域名系统综述", 《电信网技术》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468859A (en) * 2014-11-27 2015-03-25 中国科学院计算机网络信息中心 DANE expanding query method supporting carrying service address information and system
WO2016082274A1 (en) * 2014-11-27 2016-06-02 中国科学院计算机网络信息中心 Dane extended query method and system supporting carrying of service address information
CN104468859B (en) * 2014-11-27 2018-01-30 中国科学院计算机网络信息中心 Support the DANE expanding query method and systems of carrying address of service information
CN106453436A (en) * 2016-12-21 2017-02-22 北京奇虎科技有限公司 Method and device for detecting network security
WO2018113730A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for detecting network security
CN106453436B (en) * 2016-12-21 2019-05-31 北京奇虎科技有限公司 A kind of detection method and device of network security

Similar Documents

Publication Publication Date Title
US11882109B2 (en) Authenticated name resolution
US10116644B1 (en) Network access session detection to provide single-sign on (SSO) functionality for a network access control device
US8990356B2 (en) Adaptive name resolution
US20080060054A1 (en) Method and system for dns-based anti-pharming
KR101635244B1 (en) User-based authentication for realtime communications
CN104301316A (en) Single sign-on system and implementation method thereof
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
CN103916490A (en) DNS tamper-proof method and device
JP2016529769A (en) How to register certificates for devices using SCEP and their respective management applications
US9548982B1 (en) Secure controlled access to authentication servers
CN104410622A (en) Safety authentication method, client side and system for logging in Web system
WO2014117600A1 (en) Dns-based method and system for user authentication and domain name access control
CN103051643A (en) Method and system for dynamically establishing secure connection of virtual host in cloud computing environment
CN109274579A (en) It is a kind of that user's uniform authentication method is applied based on wechat platform more
JP2009272659A (en) Communication control apparatus, communication control method and communication system
CN102075504A (en) Method and system for realizing two-layer Portal authentication and Portal server
CN103118025B (en) Based on the single-point logging method of networking certification, device and certificate server
CN103491073A (en) Safety communication method based on TLSA protocol in C/S network architecture
JP6185934B2 (en) Integrate server applications with many authentication providers
Rattanalerdnusorn et al. Security implementation for authentication in IoT environments
US11064544B2 (en) Mobile communication system and pre-authentication filters
CN105978866B (en) A kind of method and system of user access control, third party's client server
CN111600969B (en) Domain name addressing method, system, domain name server, electronic equipment and storage medium
CN114401143B (en) Certificate strengthening authentication system and method based on DNS (Domain name System)
JP2010187223A (en) Authentication server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140101