CN105991647B - A data transmission method - Google Patents

A data transmission method

Info

Publication number
CN105991647B
Authority
CN
China
Prior art keywords
card
data packet
reading terminal
control module
safety control
Prior art date
Legal status
Active
Application number
CN201610041107.XA
Other languages
Chinese (zh)
Other versions
CN105991647A
Inventor
李明
Current Assignee
Tendyron Corp
Original Assignee
李明
Application filed by 李明
Priority to CN201610041107.XA
Publication of CN105991647A
Application granted
Publication of CN105991647B
Legal status: Active


Classifications

    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00 Network architectures or network communication protocols for network security)

Abstract

The present invention provides a data transmission method. The method comprises: a border router receives a data packet sent by a card-reading terminal and sends it to a selected border firewall; the selected border firewall sends the data packet and the identifier of the destination device to a core switch; the core switch sends the data packet to a dispatch server or to a service area firewall according to the identifier of the destination device; after the dispatch server receives the data packet, it selects an idle authentication security control module for the card-reading terminal and sends the corresponding identifier to the card-reading terminal; after the service area firewall receives the data packet, it sends it to a first authentication security module; the first authentication security control module sends the decrypted data packet to a first verification security control module; the first verification security control module returns a corresponding first data packet to the first authentication security control module according to the decrypted data packet; the first authentication security control module encrypts the first data packet and sends it to the card-reading terminal.

Description

A data transmission method
Technical field
The present invention relates to the field of electronic technology, and in particular to a data transmission method.
Background technique
A resident's second-generation Chinese identity card stores the ciphertext of the identity card information, and only a verification security control module authorized by the Ministry of Public Security can decrypt that ciphertext. Existing front-end identity card reading terminals have at least two modules: a reading module and a resident identity card verification security control module. Because every front-end identity card reader carries its own verification security control module, the manufacturing cost of existing front-end ID card readers is high; moreover, one verification security control module can only verify the identity card information read by one reading module, so the utilization rate of existing front-end ID card readers is low. To solve this problem, an improved scheme has appeared: the front-end ID card reader no longer contains a resident identity card verification security control module; instead the module is placed on the back-end side, so as to raise the utilization rate of the verification security control modules.
However, because the back end sits in an open network environment, any card reader can ask the back end to let it access a resident identity card verification security control module. This greatly increases the security risk to the verification security control module: once a verification security control module is breached by an illegal card reader, the identity card root certificate stored in it could be stolen or even tampered with by criminals, with unthinkable consequences. Furthermore, since the back end may be equipped with multiple verification security control modules, uneven task distribution can leave some verification security control modules idle while others are overloaded.
Summary of the invention
The present invention aims to solve one of the above problems.
The main purpose of the present invention is to provide a data transmission method.
To achieve the above objective, the technical solution of the present invention is realized as follows:
One aspect of the present invention provides a data transmission method, comprising: a border router receives a data packet sent by a card-reading terminal, selects the border firewall to send to according to a routing policy, and sends the data packet to the selected border firewall; the selected border firewall receives the data packet, determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, and sends the data packet and the identifier of the destination device to a core switch; the core switch sends the data packet to a dispatch server according to the identifier of the destination device, or, according to the identifier of the destination device, sends the data packet and the identifier of the destination device to the service area firewall of a service area; in the case where the core switch sends the data packet to the dispatch server, the dispatch server receives the data packet, selects an idle authentication security control module for the card-reading terminal, and sends the identifier of the idle authentication security control module to the card-reading terminal; in the case where the core switch sends the data packet and the identifier of the destination device to the service area, the service area firewall of the service area receives the data packet, judges according to a preset service area firewall filtering policy whether the identifier of the destination device is allowed access and, if so, sends the data packet to a first authentication security module, the first authentication security module being the authentication security control module indicated by the identifier of the destination device; the first authentication security control module receives the data packet, decrypts it, and sends the decrypted data packet to a first verification security control module, the first verification security control module being the verification security control module connected to the first authentication security control module; the first verification security control module receives the decrypted data packet and, according to the data content carried by the decrypted data packet, returns a corresponding first data packet to the first authentication security control module; the first authentication security control module receives the first data packet returned by the first verification security control module, encrypts the first data packet, and sends the encrypted first data packet to the card-reading terminal.
In addition, the data packet includes at least a public identifier of the destination device, and the selected border firewall determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet comprises: the selected border firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol.
In addition, before the border router selects the border firewall to send to according to the routing policy and sends the data packet to the selected border firewall, the method further comprises: the border router judges, according to a preset border router filtering policy, whether the public identifier of the destination device is allowed to pass through the border router; if it is allowed, the step of selecting the border firewall to send to according to the routing policy and sending the data packet to the selected border firewall is executed.
In addition, before the selected border firewall determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, the method further comprises: the selected border firewall judges, according to a preset border firewall filtering policy, whether the data packet contains invalid data; if it does not, the step of determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet is executed.
In addition, the data packet further includes at least identification information of the card-reading terminal and a digital certificate of the card-reading terminal; before the dispatch server selects an idle authentication security control module for the card-reading terminal, the method further comprises: the dispatch server judges, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal; and it is judged that the card-reading terminal is allowed to access and that the certificate of the card-reading terminal is normal.
In addition, before the first authentication security control module decrypts the data packet, the method further comprises: the dispatch server obtains, according to the identification information of the card-reading terminal, the ciphertext of the authentication key of the card-reading terminal from an authentication database and sends it to the first authentication security control module, where the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database. The first authentication security control module decrypting the data packet comprises: the first authentication security control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypts the data packet with the authentication key. The first verification security control module returning a corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet comprises: when the data content is identity card card-seeking data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least card-seeking response data; when the data content is identity card card-selection data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least the related data for authenticating the identity card read by the card-reading terminal; when the data content is identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns the first data packet to the first authentication security control module, the first data packet including at least the identity card information plaintext.
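The key handling and the three response cases just described, modelled as an added example that is not part of the patent. The patent names no cipher, so a toy SHA-256 keystream stands in for it; the keys, terminal identifier and the `kind:payload` packet layout are constructed assumptions.

```python
"""Added example, not from the patent: the authentication-key unwrapping and
the three response cases described above. The patent names no cipher, so a
toy SHA-256 keystream stands in for it (no integrity protection, demo only);
keys, terminal identifiers and the packet layout ('kind:payload') are constructed."""
import hashlib


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Stand-in for an unspecified cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt

# --- Authentication database (constructed sample data) ----------------------
PROTECTION_KEY = b"db-protection-key-demo"                        # protection key of the database
TERMINAL_AUTH_KEYS = {"reader-0001": b"terminal-0001-auth-key"}  # known only on the terminal side
# The database holds only the ciphertext of each terminal's authentication key,
# wrapped under the protection key, as the text describes.
AUTH_DB = {tid: toy_encrypt(PROTECTION_KEY, k) for tid, k in TERMINAL_AUTH_KEYS.items()}


def dispatch_server_lookup(terminal_id: str) -> bytes:
    """Dispatch server: return the wrapped authentication key for a known terminal."""
    if terminal_id not in AUTH_DB:
        raise PermissionError("unknown card-reading terminal")
    return AUTH_DB[terminal_id]


class VerificationModule:
    """First verification security control module: answers by data-content type."""

    def __init__(self, id_info_key: bytes):
        self.id_info_key = id_info_key   # assumed: key that decrypts ID-card information ciphertext

    def respond(self, plaintext_packet: bytes) -> bytes:
        kind, _, payload = plaintext_packet.partition(b":")
        if kind == b"card_seek":                  # identity card card-seeking data
            return b"card_seek_response:ok"
        if kind == b"card_select":                # identity card card-selection data
            return b"card_select_response:auth_data_for_" + payload
        if kind == b"id_ciphertext":              # identity card information ciphertext
            return b"id_plaintext:" + toy_decrypt(self.id_info_key, payload)
        raise ValueError("unknown data content type")


class AuthModule:
    """First authentication security control module."""

    def __init__(self, protection_key: bytes, verifier: VerificationModule):
        self.protection_key = protection_key
        self.verifier = verifier

    def handle(self, terminal_id: str, encrypted_packet: bytes) -> bytes:
        wrapped = dispatch_server_lookup(terminal_id)
        auth_key = toy_decrypt(self.protection_key, wrapped)   # unwrap with the protection key
        plaintext = toy_decrypt(auth_key, encrypted_packet)    # decrypt the terminal's packet
        reply = self.verifier.respond(plaintext)               # the "first data packet"
        return toy_encrypt(auth_key, reply)                    # encrypted back to the terminal


TERMINAL_ID = "reader-0001"
ID_INFO_KEY = b"mps-authorized-id-info-key"   # constructed
AUTH_MODULE = AuthModule(PROTECTION_KEY, VerificationModule(ID_INFO_KEY))


def terminal_round_trip(kind: bytes, payload: bytes) -> bytes:
    """Card-reading terminal side: encrypt under its own key, send, decrypt the reply."""
    auth_key = TERMINAL_AUTH_KEYS[TERMINAL_ID]
    encrypted = toy_encrypt(auth_key, kind + b":" + payload)
    return toy_decrypt(auth_key, AUTH_MODULE.handle(TERMINAL_ID, encrypted))


def wrong_protection_key_fails() -> bool:
    """A module without the real protection key cannot unwrap the key, so parsing fails."""
    bad = AuthModule(b"not-the-protection-key", VerificationModule(ID_INFO_KEY))
    encrypted = toy_encrypt(TERMINAL_AUTH_KEYS[TERMINAL_ID], b"card_seek:")
    try:
        bad.handle(TERMINAL_ID, encrypted)
    except ValueError:
        return True
    return False
```

The toy cipher has no integrity protection, so a wrong key only shows up as an unparseable packet type; a real module would use an authenticated cipher so that tampering is rejected explicitly.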
In addition, the method further comprises: a traffic cleaning device connected to the border router monitors the service traffic flowing through the border router, and if it detects from the service traffic flowing through the border router that the border router is under a distributed denial of service attack, it performs traffic cleaning on the service traffic flowing through the border router.
In addition, there may be multiple dispatch servers, and the method further comprises: in the case where the core switch sends the data packet to the multiple dispatch servers, a load balancer connected between the core switch and the multiple dispatch servers allocates the data packet to one of the multiple dispatch servers according to a balancing policy.
In addition, the method further comprises: an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches the service traffic flowing through the core switch against a historical behaviour model of users, pre-stored expert knowledge and a neural network model; once a match succeeds, it judges that intrusion behaviour exists.
In addition, the method further comprises: an intrusion prevention device connected to the core switch monitors the data packets received by the core switch, judges whether a data packet received by the core switch is invalid data, and if so discards the data packet received by the core switch.
As can be seen from the above technical solution, the present invention provides a data transmission method that divides the system into three levels, an Internet access area, an isolation area and a service area, each level using a different security policy. Through multiple layers of security perimeter, the security of the whole system is improved at the network level, preventing the service area from being illegally attacked and in particular guaranteeing the security of the authentication security control modules and the verification security control modules.
Description of the drawings
In order to explain the technical solution of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a structural schematic diagram of the identity card cloud authentication system provided by Embodiment 1 of the present invention;
Fig. 2 is a structural schematic diagram of the identity card cloud authentication system provided by Embodiment 1 of the present invention;
Fig. 3 is a structural schematic diagram of the card-reading system provided by Embodiment 1 of the present invention;
Fig. 4 is a flow chart of the data transmission method provided by Embodiment 2 of the present invention;
Fig. 5 is a structural schematic diagram of the internal management server provided by Embodiment 3 of the present invention;
Fig. 6 is a flow chart of the identity card reading method provided by Embodiment 4 of the present invention.
Specific embodiment
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that orientation or positional terms such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientation or positional relationship shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the invention. In addition, the terms "first" and "second" are used for description purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise clearly specified and limited, the terms "installed", "connected to" and "connected" are to be understood broadly: for example, a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
This embodiment provides an identity card cloud authentication system. As shown in Fig. 1, the identity card cloud authentication system provided by this embodiment may be divided by function into three areas, an Internet access area 10, an isolation area 20 and a service area 30, with different technical measures taken for each area so as to improve the security of the whole system at the network level. The Internet access area 10 is positioned as the Internet entrance of the whole identity card cloud authentication system and includes at least a border router 101 and a border firewall 102. The Internet access area 10 sits in an open network environment; its main function is to handle Internet access and to resist unauthorized access through the border router and border firewall, and it is the first line of defence for entering the intranet from the Internet. The isolation area 20 is a buffer zone set up between the non-secure system and the secure system to solve the problem that the external network can no longer reach internal network servers once a firewall is installed. The isolation area 20 lies between the Internet access area and the service area and is responsible for isolating the service area from the Internet; it includes at least a core switch 201 and a dispatch server 202. Through the core switch 201 and the dispatch server 202, the data packets of different card-reading terminals can be distributed evenly to the authentication security control modules of the service area 30. The service area 30 is the core area of the identity card cloud authentication system and does not provide services directly to Internet clients (i.e. card-reading terminals). The service area 30 includes at least a service area firewall 301, n authentication security control modules 302 and n verification security control modules 303. The authentication security control modules 302 and the verification security control modules 303 correspond one to one; each verification security control module 303 has only one external interface, and that interface is connected to the corresponding authentication security control module 302. Data from Internet clients (i.e. card-reading terminals) must also pass through the service area firewall 301 on the way from the isolation area to the service area before entering the core area local network, which guarantees the security of the core area local network.
In this embodiment, the border router 101 receives the data packet sent by the card-reading terminal, selects the border firewall to send to according to the routing policy, and sends the data packet to the selected border firewall; the selected border firewall 102 receives the data packet, determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, and sends the data packet and the identifier of the destination device to the core switch 201; the core switch 201 sends the data packet to the dispatch server 202 according to the identifier of the destination device, or sends the data packet and the identifier of the destination device to the service area firewall 301 of the service area 30 according to the identifier of the destination device; the dispatch server 202, on receiving the data packet, selects an idle authentication security control module for the card-reading terminal and sends the identifier of the idle authentication security control module to the card-reading terminal; the service area firewall 301, on receiving the data packet, judges according to a preset service area firewall filtering policy whether the identifier of the destination device is allowed access and, if so, sends the data packet to a first authentication security module, the first authentication security module being the authentication security control module 302 indicated by the identifier of the destination device; the first authentication security control module 302 receives the data packet, decrypts it, and sends the decrypted data packet to a first verification security control module, the first verification security control module being the verification security control module 303 connected to the first authentication security control module; the first verification security control module 303 receives the decrypted data packet and returns a corresponding first data packet to the first authentication security control module 302 according to the data content carried by the decrypted data packet; the first authentication security control module 302 also receives the first data packet returned by the first verification security control module 303, encrypts the first data packet, and sends the encrypted first data packet to the card-reading terminal.
The identity card cloud authentication system provided by this embodiment divides the system into three levels, the Internet access area, the isolation area and the service area, each level using a different security policy. Through multiple layers of security perimeter, the security of the whole system is improved at the network level, preventing the service area from being illegally attacked and in particular guaranteeing the security of the authentication security control modules and the verification security control modules.
To prevent single points of failure and improve the stability of the servers of the whole system, each area of the system provided by this embodiment may contain multiple network devices; for example, there may be one or more border routers, one or more border firewalls, one or more core switches 201 and one or more service area firewalls 202. For ease of description, this embodiment takes two of each network device as an example, as shown in Fig. 2, and uses dual-machine hot standby to prevent single points of failure and improve the stability of the servers of the whole system. Both border routers work at the same time: whichever border router receives the data packet sent by the card-reading terminal forwards it to the border firewall selected according to the routing policy. Both core switches also work at the same time and can receive the data packets (service traffic) sent by the border firewalls: whichever core switch receives a data packet sent by a border firewall forwards it according to the identifier of the destination device. The main purpose of dual-machine hot standby is to prevent the failure of any one network device from affecting the normal operation of the system; once one network device goes down, the other can still work normally.
In this embodiment, to prevent single points of failure, multiple border firewalls may be deployed. When there are multiple border firewalls, the border router needs to select the path by which the data packet is sent to the core switch 201, i.e. which border firewall it passes through to reach the core switch 201. In this embodiment the border router selects the border firewall to send to according to a routing policy; the routing policy may be, for example, randomly choosing a border firewall, choosing the border firewall closest to the border router, choosing the border firewall with the shortest data transmission time, or choosing the border firewall with the strongest traffic handling capacity.
The border router is the access point through which the external Internet network reaches the identity card cloud authentication system; as the bridge between the intranet and the extranet, its safe operation bears on the safe operation of the whole identity card cloud authentication system. The border router is therefore the most exposed component and a key target of hacker attacks, and it ought to be a key maintenance object for the network administrator. As an optional implementation of this embodiment, the border router also judges, according to a preset border router filtering policy, whether the public identifier of the destination device (for example, the public network access IP address) is allowed to pass through the border router, and if it is allowed, executes the operation of sending the data packet to the selected border firewall. In this way the border router, as the first line of defence of the identity card cloud authentication system, can keep unauthorized access that does not comply with the border router filtering policy outside the identity card cloud authentication system, improving the security of the whole system at the network level.
As an optional border router filtering policy, in a specific implementation the network segments allowed to be accessed can be configured on the border router in advance. The border router judges whether the public identifier of the destination device (for example, the public network access IP address) falls within those network segments; if so, it lets the data packet pass through the border router and forwards it upwards, otherwise it discards the data packet sent by that card-reading terminal. In addition, to prevent other unauthorized access, the border router filtering policy may also include at least one of the following:
Mode one: change the default password: change the default password of the border router to a password with no special meaning.
Mode two: disable IP directed broadcast (IP Directed Broadcast); once IP directed broadcast is disabled, smurf attacks can be effectively prevented.
Mode three: disable the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: block ICMP (Internet Control Message Protocol) ping requests; by blocking ping, the system can more easily avoid unattended scanning activity and reduces the likelihood of being attacked.
Mode five: block unnecessary ports: other than the ports through which the service area normally provides external services, close all other ports.
In this way, through maintenance of the border router, unauthorized access not permitted by the border router filtering policy can be kept outside the identity card cloud authentication system, guaranteeing the security of the identity card cloud authentication system.
The main function of the border firewall 102 is to control access from the external Internet network to the internal network and to protect the internal network from attack by Internet card-reading terminals (mainly illegal hackers). Through network address translation, the border firewall 102 maps all host addresses of the protected internal network (i.e. the destination IP address and destination port: the private IP address and port of the dispatch server or security control module) to a few valid public IP addresses (i.e. the access IP address and access port) configured on the firewall. In this way, devices on the external network (card-reading terminals) can only obtain the access IP address and access port and cannot obtain the real IP address and port of the device actually being accessed (i.e. the destination IP address and destination port); the internal network structure and IP addresses are thus shielded from the outside and the security of the internal network is protected. Therefore, in this embodiment, the data packet includes at least the public identifier of the destination device, and the selected border firewall determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet comprises: the selected border firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol. Here the public identifier of the destination device is the public network access IP address and access port, and the identifier of the destination device is the destination IP address and destination port of the intranet device actually being accessed (such as the dispatch server or an authentication security control module). After the border firewall 102 receives the data packet, it first maps the public identifier of the destination device (that is, the public access IP address and access port) to the identifier of the corresponding destination device (that is, the destination IP address and destination port) according to the network address translation protocol (Network Address Translation, NAT); since the destination IP address and destination port are the actual addresses of the internal network devices, the data packet is then forwarded according to the destination IP address and destination port.
The border firewall is a filtering and blocking facility built on the boundary between the internal and external networks: the internal network (i.e. the identity card cloud authentication system) is considered safe and trustworthy, while the external network is considered dangerous and untrustworthy. The role of the firewall is to prevent unwanted, unauthorized communication from entering or leaving the protected internal network, strengthening the security of the internal network through boundary control. Therefore, as an optional implementation of this embodiment, the border firewall 102 also judges, according to a preset border firewall filtering policy, whether the data packet contains invalid data; if it does not, it executes the operation of determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, i.e. mapping the access IP address and access port to the corresponding destination IP address and destination port. The border firewall can thus greatly reduce the management cost of security construction for the whole network and improve the security of the identity card cloud authentication system.
As an optional perimeter firewall filtering policy, a DDoS (Distributed Denial of Service) signature database may be configured in advance on the perimeter firewall. Like a virus signature database, it stores DDoS signature values. The perimeter firewall matches the content of each received data packet against the DDoS signature values in the database; if a match is found, the data packet is an illegal packet and the perimeter firewall is under DDoS attack, so the packet is discarded and is not forwarded to the core switch. In general, illegal data packets take many forms: some contain no card-reading-terminal data at all and consist only of attack messages, while others may contain a portion of legitimate data together with a portion of attack messages; these are not described in detail here.
As an optional implementation of this embodiment, as shown in Fig. 2, the Internet access area 10 further includes a traffic cleaning device 103 connected to the border router, configured to monitor the service traffic flowing through the border router and, if it detects from that traffic that the border router is under a distributed denial-of-service (DDoS) attack, to perform traffic cleaning on the service traffic flowing through the border router.
In this embodiment, the traffic cleaning device 103 monitors the data arriving from the Internet (the data packets received by the border router) in real time and promptly discovers abnormal traffic, including distributed denial-of-service (DDoS) attack traffic. When abnormal traffic reaches or exceeds a preset security baseline, the traffic cleaning device starts its cleaning and filtering process. Through the traffic cleaning device, the system relieves the pressure that DDoS attack traffic places on the internal network, improves the effectiveness of bandwidth use, protects the internal network against attacks from the Internet and improves network performance.
Thus the Internet access area 10 of the system can, through the border router and the perimeter firewall, reject unauthorized access to the system while guaranteeing normal access by card-reading terminals; through the traffic cleaning device it monitors data entering from the Internet in real time and cleans abnormal traffic without affecting normal traffic, protecting the internal network against attacks from the Internet and improving network performance.
The core switch 201 is the basic network device of the whole identity card cloud authentication system and must forward very large volumes of traffic, because card-reading terminals may be distributed across the country and number in the tens of thousands; the core switch therefore has high requirements for redundancy, reliability and transmission speed. In this embodiment, the core switch 201 receives the data packet sent by the perimeter firewall together with the determined identifier of the destination device accessed by the card-reading terminal (for example, the destination IP address and destination port of the destination device), and forwards the received data packet to the actual access device indicated by that destination IP address and port. In this system a card-reading terminal mainly needs to access two kinds of device: the dispatch server 202 and the authentication safety control modules 302 of the service area. A card-reading terminal must first access the dispatch server 202, which allocates an idle authentication safety control module 302 to it; once the card-reading terminal has received the identifier (the access port) of the authentication safety control module 302 allocated to it by the dispatch server, it can access that authentication safety control module 302 directly. Therefore, in this embodiment, the core switch 201 sending the data packet to the dispatch server 202 according to the identifier of the destination device, or sending the data packet and the identifier of the destination device to the service area 30 according to the identifier of the destination device, comprises:
The core switch 201 judges the identifier of the destination device. If the identifier indicates the dispatch server, the data packet is sent to the dispatch server; if it indicates an authentication safety control module of the service area, the data packet and the identifier of the destination device are sent to the service area firewall of the service area. Specifically, if the identifier of the destination device is the IP address and port of the dispatch server 202, the data packet is sent to the dispatch server 202; if it is the IP address and port of an authentication safety control module 302 in the service area, the data packet and the identifier of the destination device are sent to the service area firewall 301 of the service area. The core switch thereby completes large volumes of data forwarding.
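The NAT mapping performed by the perimeter firewall and the forwarding decision made by the core switch, as an added worked example in Python that is not part of the patent. The addressing plan is constructed for the example: one public access IP (203.0.113.10) distinguishes internal destinations by access port only, the dispatch server sits at 10.0.1.10 and the authentication safety control modules on the assumed service-area subnet 10.0.2.0/24. The reverse mapping shows why the terminal never learns a private address, even from replies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)

# Constructed addressing plan (not from the patent): documentation prefixes only.
PUBLIC_ACCESS_IP = "203.0.113.10"
NAT_TABLE: Dict[Endpoint, Endpoint] = {
    (PUBLIC_ACCESS_IP, 8000): ("10.0.1.10", 8000),   # dispatch server 202
    (PUBLIC_ACCESS_IP, 9001): ("10.0.2.21", 9001),   # authentication SCM 302, port 1
    (PUBLIC_ACCESS_IP, 9002): ("10.0.2.22", 9002),   # authentication SCM 302, port 2
}
REVERSE_NAT: Dict[Endpoint, Endpoint] = {v: k for k, v in NAT_TABLE.items()}

DISPATCH_SERVER: Endpoint = ("10.0.1.10", 8000)
SERVICE_AREA = ipaddress.ip_network("10.0.2.0/24")   # assumed service-area subnet


@dataclass
class Packet:
    public_id: Endpoint   # access IP and access port addressed by the terminal
    payload: bytes


def firewall_map(public_id: Endpoint) -> Optional[Endpoint]:
    """Perimeter firewall 102: public identifier -> destination identifier.
    None means no mapping exists, so the packet never reaches the core switch."""
    return NAT_TABLE.get(public_id)


def firewall_unmap(dest_id: Endpoint) -> Endpoint:
    """Reverse mapping applied to replies: the terminal only ever sees the
    access IP and access port, not the private destination identifier."""
    return REVERSE_NAT[dest_id]


def core_switch_next_hop(dest_id: Endpoint) -> str:
    """Core switch 201: choose the next hop from the destination identifier."""
    if dest_id == DISPATCH_SERVER:
        return "dispatch_server"
    if ipaddress.ip_address(dest_id[0]) in SERVICE_AREA:
        return "service_area_firewall"
    return "drop"


def route(pkt: Packet) -> Tuple[str, Optional[Endpoint]]:
    """Firewall mapping followed by the core switch decision for one packet."""
    dest_id = firewall_map(pkt.public_id)
    if dest_id is None:
        return ("drop", None)
    return (core_switch_next_hop(dest_id), dest_id)


def reply_source(dest_id: Endpoint) -> Endpoint:
    """Source address carried by a reply after it passes back through the firewall."""
    return firewall_unmap(dest_id)
```

A public identifier with no table entry is dropped at the firewall rather than forwarded, which is the behaviour the text relies on for hiding the internal structure.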
The core switch 201 is in effect a computer optimized for forwarding data packets, and a computer can be attacked: illegal control of the core switch 201 could be obtained, paralysing the network, and it may also suffer DDoS attacks. To prevent illegal infringement of the core switch 201, as shown in Fig. 2, the isolation area 20 provided in this embodiment further includes an intrusion detection device 203 and an intrusion prevention device 204 connected to the core switch 201. The intrusion detection device 203 monitors the service traffic flowing through the core switch 201 in real time and matches it against stored historical user behaviour models, expert knowledge and neural network models; once a match succeeds, an intrusion is deemed to have occurred, the connection between the card-reading terminal and the access device is disconnected immediately, evidence is collected and data recovery is carried out. It may also monitor the service traffic flowing through the core switch 201 using an anomaly-detection strategy. By monitoring the operating condition of the core switch 201, the intrusion detection device 203 discovers attack attempts, attack behaviour and attack results as far as possible, guaranteeing the confidentiality, integrity and availability of network system resources.
The intrusion prevention device 204 monitors the data packets received by the core switch 201, judges whether each received data packet contains illegal data and, if so, discards it. The intrusion prevention device 204 may judge whether a data packet received by the core switch 201 is illegal in the following way: for example, it matches the packet against the virus signatures in a preset virus database and, if a match is found, determines the matched packet to be illegal. It may additionally consider abnormal conditions in applications or in network transmission, such as a user or user program violating security regulations, data packets appearing at times when they should not, or exploitation of gaps in the operating system or weaknesses in applications, to assist in identifying intrusions and attacks. Although the intrusion prevention device also considers known virus signatures, it does not rely solely on them. The intrusion prevention device complements anti-virus software and the firewall, improving the security of the system.
As an optional implementation of this embodiment, as shown in Fig. 2, the identity card cloud authentication system provided in this embodiment further includes an internal management server 205, configured to receive the user's configuration of the identity card cloud authentication system. The internal management server 205 may be connected to the core switch 201 and sends the configuration information through the core switch 201 to the cloud authentication database for storage; each network device of the identity card cloud authentication system can then retrieve the configuration information from the cloud authentication database and perform the relevant configuration. For a detailed description of the internal management server 205, reference may be made to Embodiment 3.
The dispatch server 202 provides card-reading terminals with a dispatch service for idle authentication safety control modules 302; the authentication safety control modules 302 in the service area 30 are dispatched uniformly by the dispatch server 202. Each time a card-reading terminal requests identity card reading service, the dispatch server 202 selects one idle authentication safety control module for it from the whole set and sends the identifier of that idle authentication safety control module to the card-reading terminal. Specifically, the dispatch server 202 may obtain from the authentication database of the service area the port status list for the area under its jurisdiction, in which each port corresponds to one authentication safety control module, select one idle port from the port status list according to the principle of task balancing as the access port of the card-reading terminal (that is, the identifier of the idle authentication safety control module), and send that access port to the card-reading terminal. This achieves unified dispatch of the multiple authentication safety control modules 302 in the service area.
In the identity card cloud authentication system, to avoid loss of data traffic caused by a single point of failure of the dispatch server 202, the dispatch servers 202 may be deployed in cluster mode, with different numbers of dispatch servers 202 deployed according to different service capacity requirements. To effectively solve the problems of excessive data traffic and excessive network load on a single dispatch server 202, the identity card cloud authentication system provided in this embodiment further adds a load balancer 206 in front of the multiple dispatch servers 202; as shown in Fig. 2, the load balancer 206 is connected to the intrusion prevention device 204 and achieves unified dispatch of the clustered dispatch servers 202 through the core switch. The load balancer distributes data packets among the dispatch servers 202 in the cluster according to a balancing policy, effectively solving uneven load among the dispatch servers 202, preventing single points of failure and improving the stability of the system service.
This embodiment further provides a card-reading system comprising the above identity card cloud authentication system and card-reading terminals 40. Based on Fig. 2, Fig. 3 is a structural schematic diagram of the card-reading system. The card-reading terminal 40 is configured, during the process in which the verification safety control module 303 in the service area 30 reads identity card information, to read data related to the identity card information from the identity card, generate a data packet and send it to the border router; it is further configured to receive the encrypted first data packet returned by the authentication safety control module 302 and decrypt it to obtain the first data packet. The card-reading terminals 40 in this card-reading system may be many and distributed across the country; the identity card information read by card-reading terminals all over the country can thus be processed uniformly by the identity card cloud authentication system of the card-reading system, greatly improving the working efficiency of the verification safety control modules of the service area.
As an optional implementation of this embodiment, where the data packet is the one with which the card-reading terminal first requests the dispatch server to allocate an idle authentication safety control module, the data packet that the card-reading terminal 40 sends to the border router further includes at least the identification information of the card-reading terminal 40 and the digital certificate of the card-reading terminal 40 (the digital certificate may also be regarded as identification information of the card-reading terminal). The dispatch server 202 may also perform access authentication on the card-reading terminal according to the information in the data packet: if access is permitted, it queries the port status and allocates an idle port to the card-reading terminal; if access is not permitted, it discards the data packet directly and returns to the card-reading terminal a response message indicating that access is not permitted. Specifically, the dispatch server 202 is further configured to judge, according to the identification information of the card-reading terminal 40, whether the card-reading terminal 40 is permitted to access, and to judge whether the digital certificate of the card-reading terminal 40 is abnormal; when it judges that the card-reading terminal 40 is permitted to access and that the certificate of the card-reading terminal 40 is normal, it performs the operation of obtaining from the authentication database of the service area 30 the port status list for the area under the jurisdiction of the dispatch server 202. Thus, before the dispatch server 202 allocates an idle port to the card-reading terminal 40, it first authenticates the card-reading terminal 40; if authentication passes, the card-reading terminal 40 is a legitimate terminal, which guarantees the legitimacy of the external-network devices accessing the authentication safety control modules 302 of the service area.
The dispatch server 202 judging, according to the identification information of the card-reading terminal 40, whether the card-reading terminal 40 is permitted to access comprises: judging whether the identification information of the card-reading terminal 40 is in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals 40 that are not permitted to access and the control list records the identification information of card-reading terminals 40 whose access is to be controlled according to a preset control policy. If the identification information of the card-reading terminal 40 is judged to be in the blacklist, the card-reading terminal 40 is not permitted to access; if it is judged to be in the control list, the dispatch server 202 determines according to the preset control policy whether the card-reading terminal 40 requesting access is permitted to access. In this way the dispatch server 202 determines whether the card-reading terminal 40 is permitted to access.
The dispatch server 202 determining according to the preset control policy whether the card-reading terminal 40 is permitted to access includes at least one of the following:
judging according to the preset control policy whether the card-reading terminal 40 is currently within the permitted access location range; if so, the card-reading terminal 40 is permitted to access, otherwise it is not, where the preset control policy records the access location range permitted for the card-reading terminal 40;
judging according to the preset control policy whether the current time is within the time range in which the card-reading terminal 40 is permitted to access; if so, the card-reading terminal 40 is permitted to access, otherwise it is not, where the preset control policy records the time range in which the card-reading terminal 40 is permitted to access;
judging according to the preset control policy whether the number of historical accesses by the card-reading terminal 40 within a preset time period exceeds a preset count threshold; if so, the card-reading terminal 40 is not permitted to access, otherwise it is, where the preset control policy records the duration of the preset time period and the preset count threshold;
judging according to the preset control policy whether, within a preset time period, the distance between the access locations of two consecutive accesses by the card-reading terminal 40 exceeds a preset distance; if so, the card-reading terminal 40 is not permitted to access, otherwise it is, where the preset control policy records the duration of the preset time period and the preset distance.
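The blacklist, the control list and the four control-policy rules above, as an added Python example that is not part of the patent. The permitted location range is modelled as a circle around a centre point (an assumption; the patent does not say how the range is represented), distances are great-circle distances, and the terminal identifiers, policy values and access sequence are constructed for the example.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Set, Tuple

Location = Tuple[float, float]   # (latitude, longitude) in degrees


def haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance in kilometres; used by both distance rules."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class ControlPolicy:
    area_centre: Location    # permitted location range, modelled as a circle (assumption)
    area_radius_km: float
    window_start: time       # permitted time-of-day range
    window_end: time
    period: timedelta        # preset time period for the count and distance rules
    max_accesses: int        # preset count threshold
    max_jump_km: float       # preset distance between two consecutive accesses


@dataclass
class DispatchAccessControl:
    blacklist: Set[str]
    control_list: Dict[str, ControlPolicy]
    history: Dict[str, List[Tuple[datetime, Location]]] = field(default_factory=dict)

    def check(self, terminal_id: str, now: datetime, where: Location) -> Tuple[bool, str]:
        """Return (permitted, reason) for one access request from a card-reading terminal."""
        if terminal_id in self.blacklist:
            return False, "blacklisted"
        policy = self.control_list.get(terminal_id)
        if policy is None:                                 # on neither list: permitted
            self._record(terminal_id, now, where)
            return True, "permitted"
        if haversine_km(policy.area_centre, where) > policy.area_radius_km:
            return False, "outside permitted location range"
        if not policy.window_start <= now.time() <= policy.window_end:
            return False, "outside permitted time range"
        recent = [(t, loc) for t, loc in self.history.get(terminal_id, [])
                  if timedelta(0) <= now - t <= policy.period]
        if len(recent) > policy.max_accesses:              # denied when the count exceeds the threshold
            return False, "access count threshold exceeded"
        if recent:
            _, last_loc = max(recent)                      # most recent permitted access
            if haversine_km(last_loc, where) > policy.max_jump_km:
                return False, "implausible distance from previous access"
        self._record(terminal_id, now, where)
        return True, "permitted"

    def _record(self, terminal_id: str, now: datetime, where: Location) -> None:
        self.history.setdefault(terminal_id, []).append((now, where))


def demo_controller() -> DispatchAccessControl:
    """Constructed blacklist and control list: one controlled terminal near Beijing."""
    policy = ControlPolicy(area_centre=(39.90, 116.40), area_radius_km=50.0,
                           window_start=time(8, 0), window_end=time(20, 0),
                           period=timedelta(hours=1), max_accesses=3, max_jump_km=50.0)
    return DispatchAccessControl(blacklist={"T-BLOCKED"}, control_list={"T-0001": policy})


def demo_scenario() -> List[Tuple[bool, str]]:
    """Constructed access sequence exercising every rule; returns the decisions in order."""
    ctl = demo_controller()
    centre = (39.90, 116.40)
    t0 = datetime(2024, 3, 1, 10, 0)
    return [
        ctl.check("T-BLOCKED", t0, centre),                                 # blacklist
        ctl.check("T-0001", t0, centre),                                    # permitted
        ctl.check("T-0001", t0 + timedelta(minutes=5), (39.90, 116.00)),    # 34 km west: permitted
        ctl.check("T-0001", t0 + timedelta(minutes=10), (39.90, 116.80)),   # in range, 68 km jump: denied
        ctl.check("T-0001", t0 + timedelta(minutes=15), (31.23, 121.47)),   # far outside range
        ctl.check("T-0001", t0 + timedelta(hours=12), centre),              # 22:00: outside window
        ctl.check("T-0001", t0 + timedelta(minutes=20), centre),            # 3rd recorded access
        ctl.check("T-0001", t0 + timedelta(minutes=25), centre),            # count 3, not above 3
        ctl.check("T-0001", t0 + timedelta(minutes=30), centre),            # count 4 above 3: denied
        ctl.check("T-9999", t0, centre),                                    # on neither list
    ]
```

Only permitted accesses are recorded, so a denied attempt does not itself consume the count budget or become the reference point for the distance rule; whether that is desirable is a policy choice the patent leaves open.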
As an optional implementation of this embodiment, as shown in Fig. 2, the service area 30 further includes an authentication database 304 for storing the port status list of the authentication safety control modules 302 and the ciphertext of the authentication key of each card-reading terminal 40, where the ciphertext of the authentication key of the card-reading terminal 40 is obtained by encrypting the authentication key of the card-reading terminal 40 with the protection key of the authentication database 304;
the dispatch server 202 is further configured to obtain the ciphertext of the authentication key of the card-reading terminal 40 from the authentication database according to the identification information of the card-reading terminal 40 and send it to the first authentication safety control module 302; and the first authentication safety control module 302 decrypting the data packet comprises: the first authentication safety control module 302 obtaining the protection key, decrypting the ciphertext with the protection key to obtain the authentication key of the card-reading terminal 40, and decrypting the data packet with that authentication key.
In practical applications, a card-reading terminal reading identity card information generally involves three stages: card seeking, card selection and card reading. In the card seeking stage, the card-reading terminal broadcasts a card seeking instruction; if an identity card responds to the instruction it returns card seeking data to the card-reading terminal, which must send the card seeking data through the Internet access area 10 and the isolation area 20 to the first verification safety control module 303 of the service area (the first verification safety control module 303 being the verification safety control module connected to the first authentication safety control module 302 indicated by the idle port allocated to the card-reading terminal); the first verification safety control module 303 returns card seeking response data to the card-reading terminal. In the card selection stage, the card-reading terminal reads some configuration information from the identity card (such as the identity card serial number, identity card application data and identity card preset information) and sends this configuration information through the Internet access area 10 and the isolation area 20 to the first verification safety control module 303 of the service area 30; the first verification safety control module 303 initiates mutual authentication with the identity card, the card-reading terminal forwarding the interaction data, and once the first verification safety control module 303 and the identity card have completed mutual authentication the card reading stage begins. In the card reading stage, the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it through the Internet access area 10 and the isolation area 20 to the first verification safety control module 303 of the service area 30. The first verification safety control module 303 uses the dedicated product specified by the Ministry of Public Security and conforming to GA 467-2013 (the interface specification for the resident identity card verification security control module, SAM), so it can decrypt the identity card information ciphertext to obtain the identity card information in plaintext; this is encrypted by the first authentication safety control module 302 and sent to the card-reading terminal, and the card-reading terminal decrypts the ciphertext produced by the first authentication safety control module 302 to obtain the identity card information in plaintext. Therefore, in this embodiment, the first verification safety control module 303 returning a corresponding first data packet to the first authentication safety control module 302 according to the data content carried by the decrypted data packet comprises:
when the data content is identity card seeking data, the first verification safety control module 303 returns a first data packet to the first authentication safety control module 302, the first data packet at least including the card seeking response data;
when the data content is identity card selection data (such as identity card configuration information, signature data, the digital certificate of the identity card and other data that the first verification safety control module 303 needs in order to authenticate the identity card), the first verification safety control module 303 returns a first data packet to the first authentication safety control module 302, the first data packet at least including data for authentication with the identity card read by the card-reading terminal 40 (such as signature data, the digital certificate of the first verification safety control module 303 and other data that the identity card needs in order to authenticate the first verification safety control module 303);
when the data content is the identity card information ciphertext, the first verification safety control module 303 decrypts the identity card information ciphertext to obtain the identity card information in plaintext and returns a first data packet to the first authentication safety control module 302, the first data packet at least including the identity card information in plaintext.
In this embodiment, after the first authentication safety control module 302 receives the first data packet returned by the first verification safety control module, it must encrypt the first data packet before returning it to the card-reading terminal in order to guarantee transmission security. As one optional implementation, the first authentication safety control module is further configured to encrypt the first data packet with the authentication key of the card-reading terminal 40 and send the encrypted first data packet to the card-reading terminal 40; the card-reading terminal 40 can decrypt the encrypted first data packet with its own authentication key to obtain the first data packet. Encrypting the first data packet with the authentication key thus achieves ciphertext transmission and guarantees transmission security. Moreover, a party that does not hold the authentication key corresponding to the card-reading terminal cannot decrypt the encrypted first data packet even if it intercepts it; only the card-reading terminal 40 holding the corresponding authentication key can decrypt this ciphertext, so even if the ciphertext is intercepted the interceptor cannot crack it, which further guarantees the transmission security of the identity card information plaintext.
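The key hierarchy described for the authentication database 304 and the first authentication safety control module 302 (the database holding the terminal's authentication key only as ciphertext under its protection key, the dispatch server forwarding that ciphertext without being able to open it, the module unwrapping it to decrypt the terminal's packet and to encrypt the first data packet, and a party without the authentication key failing to decrypt), as an added Python example that is not part of the patent. The Python standard library has no block cipher, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the cipher; a real module would use a proper block-cipher AEAD. All keys, identifiers and packet contents are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Stand-in authenticated encryption (NOT a production cipher): HMAC-SHA256 in
# counter mode as keystream, encrypt-then-MAC for integrity. Only the key
# hierarchy around it is the point of the example.

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh random nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raise ValueError on a wrong key or a tampered blob; the tag is checked first."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AuthenticationDatabase:
    """Authentication database 304: authentication keys stored only as ciphertext
    under the database protection key."""

    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key
        self._wrapped: Dict[str, bytes] = {}

    def enrol(self, terminal_id: str, auth_key: bytes) -> None:
        self._wrapped[terminal_id] = encrypt(self._protection_key, auth_key)

    def wrapped_key(self, terminal_id: str) -> bytes:
        return self._wrapped[terminal_id]   # what the dispatch server 202 fetches and forwards


class AuthenticationSCM:
    """First authentication safety control module 302; it, not the dispatch
    server, holds the protection key needed to unwrap an authentication key."""

    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key

    def handle(self, wrapped_auth_key: bytes, request_ct: bytes,
               first_packet: bytes) -> Tuple[bytes, bytes]:
        auth_key = decrypt(self._protection_key, wrapped_auth_key)
        request = decrypt(auth_key, request_ct)            # terminal -> module
        return request, encrypt(auth_key, first_packet)    # module -> terminal


def other_key_fails(blob: bytes) -> bool:
    """True when a party without the terminal's authentication key cannot open the blob."""
    try:
        decrypt(secrets.token_bytes(32), blob)
    except ValueError:
        return True
    return False


def demo_round_trip() -> Tuple[bytes, bytes, bool]:
    """Constructed end-to-end run: (request seen by the module, first data
    packet recovered by the terminal, whether an interceptor's key fails)."""
    protection_key, terminal_key = secrets.token_bytes(32), secrets.token_bytes(32)
    db, scm = AuthenticationDatabase(protection_key), AuthenticationSCM(protection_key)
    db.enrol("T-0001", terminal_key)
    request_ct = encrypt(terminal_key, b"SEEK_CARD")                  # card-reading terminal 40
    request, first_ct = scm.handle(db.wrapped_key("T-0001"), request_ct, b"SEEK_CARD_RESPONSE")
    return request, decrypt(terminal_key, first_ct), other_key_fails(first_ct)
```

Because the tag is verified before any decryption, a wrong key and a modified ciphertext fail the same way; the dispatch server only ever handles the wrapped key, which is what keeps the authentication key out of the scheduling path.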
As another optional implementation, to further avoid the drawback that always reusing the same key for encryption and decryption makes the key easy to crack, the first authentication safety control module 302 is further configured to generate a session key from a random number and encrypt the first data packet with the session key to obtain a first data packet ciphertext; it then either encrypts the first data packet ciphertext and the session key with the public key of the encryption digital certificate of the card-reading terminal 40 to generate a session ciphertext, or encrypts only the session key with the public key of the encryption digital certificate of the card-reading terminal 40 to generate a session ciphertext, and sends the session ciphertext together with the first data packet ciphertext to the card-reading terminal 40. The card-reading terminal 40 is further configured to decrypt the session ciphertext with the locally stored private key corresponding to the encryption digital certificate to obtain the first data packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key and then decrypt the first data packet ciphertext with the session key to obtain the plaintext of the first data packet. The difference between this optional implementation and the previous one is that the authentication safety control module 302 no longer uses the authentication key of the card-reading terminal but generates a session key from a random number; since the session key is random, encrypting with it is more reliable and harder to break than encrypting with a fixed transmission key.
Embodiment 2
This embodiment provides a method of data transmission that can use the system provided in Embodiment 1. As shown in Fig. 4, the method includes the following steps S101 to S110:
S101: the border router receives the data packet sent by the card-reading terminal, selects the perimeter firewall to send to according to a routing policy, and sends the data packet to the selected perimeter firewall;
In this embodiment, to prevent single points of failure, multiple perimeter firewalls may be deployed. When there are multiple perimeter firewalls, the border router must select the path by which the data packet is sent to the core switch, that is, select through which perimeter firewall it is sent to the core switch. In this embodiment the border router selects the perimeter firewall according to a routing policy, which may be, for example, selecting a perimeter firewall at random, selecting the one nearest to the border router, selecting the one with the shortest data transmission time, or selecting the one with the strongest traffic handling capacity.
In this embodiment, the data packet sent by the card-reading terminal at least includes the public identifier of the destination device: when the card-reading terminal requests access over the Internet it needs the address of an access device, and the public identifier of the destination device may be, for example, the public-network IP address and port of that destination device. The border router sends the data packet to the perimeter firewall, and the perimeter firewall determines the private identifier of the destination device, thereby determining the address of the device actually accessed.
The border router is the access point through which the external Internet reaches the identity card cloud authentication system; as the bridge between the internal and external networks, its safe operation bears on the safe operation of the whole identity card cloud authentication system. The border router therefore bears the brunt of hacker attacks and should be a key object of maintenance by the network administrator. As an optional implementation of this embodiment, before the border router selects the perimeter firewall according to the routing policy and sends the data packet to the selected perimeter firewall, this step further includes: the border router judging, according to a preset border router filtering policy, whether the public identifier of the destination device (for example the public-network access IP address) is permitted to pass through the border router, and if so performing the operation of sending the data packet to the selected perimeter firewall. The border router thus serves as the first line of defence of the identity card cloud authentication system, keeping unauthorized access that does not conform to the border router filtering policy outside the system and improving the security of the whole system at the network level.
As an optional border router filtering policy, the network segments permitted for access may be configured in advance on the border router; the border router judges whether the public identifier of the destination device (for example the public-network access IP address) falls within those segments and, if so, allows the data packet through and forwards it onward, otherwise discarding the data packet sent by the card-reading terminal. To prevent other unauthorized access, the border router filtering policy may further include at least one of the following:
Mode one: change the default password. The default password of the border router is changed to a password with no special meaning.
Mode two: disable IP directed broadcast. Disabling IP directed broadcast effectively prevents smurf attacks.
Mode three: disable the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: block ICMP (Internet Control Message Protocol) ping requests. Blocking ping makes it easier for the system to stay clear of unattended scanning activity and reduces the likelihood of attack.
Mode five: block unnecessary ports. Apart from the ports through which the service area normally provides external service, all other ports are closed.
Through this maintenance of the border router, unauthorized access that does not conform to the border router filtering policy is kept outside the identity card cloud authentication system, guaranteeing its security.
S102: the selected perimeter firewall receives the data packet, determines from its content the identifier of the destination device accessed by the card-reading terminal, and sends the data packet and the identifier of the destination device to the core switch;
In this embodiment, the main function of the perimeter firewall is to control access from the external network (the Internet) to the internal network and to protect the internal network against attacks from Internet-side card-reading terminals (primarily illegal hackers). Using NAT technology, the perimeter firewall maps all host addresses of the protected internal network (the destination IP addresses and destination ports, namely the private IP addresses and ports of the dispatch server or of the safety control modules) onto a small number of valid public-network IP addresses configured on the firewall (the access IP address and access port). An external-network device (a card-reading terminal) can therefore obtain only the access IP address and access port and cannot learn the real IP address and port of the device it actually accesses (the destination IP address and destination port), so the internal network structure and IP addresses are hidden from the outside and the internal network is protected. Accordingly, in this embodiment, the selected perimeter firewall determining from the content of the data packet the identifier of the destination device accessed by the card-reading terminal comprises: the selected perimeter firewall mapping the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol. The public identifier of the destination device is the public-network access IP address and access port, and the identifier of the destination device is the destination IP address and destination port of the intranet device actually accessed (such as the dispatch server or an authentication safety control module). After receiving a data packet, the perimeter firewall first maps the public identifier of the destination device (the public-network access IP address and access port) to the identifier of the corresponding destination device (the destination IP address and destination port) according to the network address translation protocol (Network Address Translation, NAT); only the destination IP address and destination port are the real addresses of internal network devices, and the data packet is forwarded according to them.
The perimeter firewall is a filtering and blocking facility built on the boundary between the internal and external networks: the internal network (that is, the identity card cloud authentication system) is regarded as safe and trusted, while the external network is regarded as dangerous and untrusted. The role of the firewall is to prevent undesirable, unauthorized communication from entering or leaving the protected internal network, strengthening the security of the internal network through boundary control. Therefore, as an optional implementation of this embodiment, in step S102, before the perimeter firewall determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, the method further comprises: judging, according to a preset perimeter firewall filtering policy, whether the data packet contains invalid data, and only if it does not, performing the operation of determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, that is, mapping the access IP address and access port to the corresponding destination IP address and destination port. The perimeter firewall thereby greatly reduces the management cost of building security for the network as a whole and improves the security of the identity card cloud authentication system.
As an optional perimeter firewall filtering policy, in a specific implementation a DDoS (Distributed Denial of Service) feature database may be configured in the perimeter firewall in advance; this database is similar to a virus database and stores DDoS feature values. The perimeter firewall matches the content of the received data packet against the DDoS feature values in the DDoS feature database; if a match is found, the data packet is determined to be an invalid data packet, the perimeter firewall is judged to be under a DDoS attack, and the data packet is discarded rather than forwarded to the core switch. In general, invalid data packets take many forms: some contain no card-reading terminal data at all and consist only of attack messages, while others may contain a part of valid data and a part of attack messages; these are not described in detail here.
S103: the core switch sends the data packet to the dispatch server according to the identifier of the destination device, or, according to the identifier of the destination device, sends the data packet and the identifier of the destination device to the service area firewall of the service area;
Specifically, the core switch examines the identifier of the destination device (that is, the destination IP address and destination port): if the destination IP address and destination port point to the dispatch server, step S104 is performed; if they point to an authentication safety control module in the service area, step S106 is performed;
In this system, the devices that a card-reading terminal actually needs to access are mainly of two kinds: the dispatch server and the authentication safety control modules of the service area. A card-reading terminal must first access the dispatch server, which assigns it an idle authentication safety control module; once the card-reading terminal has received the identifier (that is, the access port) of the authentication safety control module assigned to it by the dispatch server, it can access that authentication safety control module directly.
S104: the core switch sends the data packet to the dispatch server;
In this embodiment, the core switch is the basic network device of the whole identity card cloud authentication system. Because card-reading terminals may be distributed throughout the country and number in the thousands, it must forward very large traffic volumes, so high requirements are placed on its redundancy, reliability and transmission speed. In this embodiment, the core switch receives the data packet sent by the perimeter firewall together with the determined identifier of the destination device accessed by the card-reading terminal (for example, the destination IP address and destination port of the destination device), and forwards the received data packet to the device actually being accessed, to which the destination IP address and destination port point.
S105: the dispatch server receives the data packet, selects an idle authentication safety control module for the card-reading terminal, and sends the identifier of the idle authentication safety control module to the card-reading terminal;
This step specifically comprises: the dispatch server obtaining, from the authentication database of the service area, the port status list for the range under its jurisdiction, each port corresponding to one authentication safety control module; selecting from the port status list, according to a task-balancing principle, an idle port as the access port of the card-reading terminal (that is, the identifier of the idle authentication safety control module); and sending the access port to the card-reading terminal;
In this embodiment, the dispatch server provides card-reading terminals with a dispatch service for idle authentication safety control modules, and the authentication safety control modules of the service area are dispatched centrally by the dispatch server. Each time a card-reading terminal requests an identity card reading service, the dispatch server queries the port status list in the cloud authentication database of the service area, selects from it an idle port as the access port of the card-reading terminal according to the task-balancing principle, and sends the access port to the card-reading terminal; the multiple authentication safety control modules of the service area are thus dispatched centrally.
As an optional implementation of this embodiment, when the data packet is a card-reading terminal's first request for the dispatch server to assign an idle authentication safety control module, the data packet sent by the card-reading terminal to the border router also comprises at least the identification information of the card-reading terminal and the digital certificate of the card-reading terminal (the digital certificate may also be regarded as identification information of the card-reading terminal). The dispatch server may also perform access authentication of the card-reading terminal according to the information in the data packet: if access is allowed, it queries the port status and assigns an idle port to the card-reading terminal; if access is not allowed, it discards the data packet directly and returns a response message to the card-reading terminal stating that access is not allowed. Specifically, before the dispatch server obtains the port status list for the range under its jurisdiction from the authentication database of the service area, the method provided in this embodiment further comprises: the dispatch server judging, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judging whether the digital certificate of the card-reading terminal is abnormal; and determining that the card-reading terminal is allowed to access and that its certificate is normal. The dispatch server thus authenticates the card-reading terminal before assigning it an idle port; if authentication passes, the card-reading terminal is a legitimate terminal, which guarantees the legitimacy of the external network devices accessing the authentication safety control modules of the service area.
Here, the dispatch server judging whether the card-reading terminal is allowed to access according to its identification information comprises: judging whether the identification information of the card-reading terminal is in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals that are not allowed to access, and the control list records the identification information of card-reading terminals whose access must be controlled according to a preset control policy; if the identification information of the card-reading terminal is in the blacklist, the card-reading terminal is not allowed to access; if the identification information of the card-reading terminal is in the control list, the dispatch server decides according to the preset control policy whether to allow the requesting card-reading terminal to access. In this way the dispatch server determines whether the card-reading terminal is allowed to access.
Here, the dispatch server deciding according to the preset control policy whether to allow the card-reading terminal to access comprises at least one of the following:
according to the preset control policy, judging whether the card-reading terminal is currently within the allowed access location range; if so, allowing the card-reading terminal to access, otherwise not allowing it, where the preset control policy records the access location range allowed for the card-reading terminal;
according to the preset control policy, judging whether the current time is within the time range in which the card-reading terminal is allowed to access; if so, allowing the card-reading terminal to access, otherwise not allowing it, where the preset control policy records the time range in which the card-reading terminal is allowed to access;
according to the preset control policy, judging whether the number of historical accesses by the card-reading terminal within a preset time period exceeds a preset count threshold; if so, not allowing the card-reading terminal to access, otherwise allowing it, where the preset control policy records the duration of the preset time period and the preset count threshold;
according to the preset control policy, judging whether the distance between the access locations of two consecutive accesses by the card-reading terminal within a preset time period exceeds a preset distance; if so, not allowing the card-reading terminal to access, otherwise allowing it, where the preset control policy records the duration of the preset time period and the preset distance.
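The dispatch server's access decision and task-balanced port selection of step S105, with the blacklist, control list and the four policy checks listed above, as an added example that is not code from the patent. The policy fields, the port table layout and the sample requests are constructed, and the distance between two access locations is computed with the haversine formula, which the description does not specify.

```python
"""Dispatch server access decision and idle-port selection (step S105).

Added example, not code from the patent; policy fields, port table layout
and requests are constructed, and haversine distance is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import math


@dataclass(frozen=True)
class ControlPolicy:
    allowed_regions: frozenset      # allowed access location range (region codes)
    allowed_hours: tuple            # (start_hour, end_hour) in UTC, end exclusive
    window_seconds: int             # duration of the preset time period
    max_accesses: int               # preset count threshold inside the window
    max_distance_km: float          # preset distance between consecutive accesses


@dataclass(frozen=True)
class AccessRequest:
    terminal_id: str                # identification information of the terminal
    region: str
    timestamp: float                # seconds since the epoch
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class DispatchServer:
    def __init__(self, blacklist, control_list, policy, port_table):
        self.blacklist = set(blacklist)
        self.control_list = set(control_list)
        self.policy = policy
        # port -> {"module": id, "idle": bool, "tasks": tasks handled so far}
        self.port_table = {p: dict(s) for p, s in port_table.items()}
        self.history = defaultdict(list)    # terminal_id -> [(timestamp, lat, lon)]

    def _controlled_access_allowed(self, req):
        """The four policy checks; any failing check denies access."""
        pol = self.policy
        if req.region not in pol.allowed_regions:
            return False
        hour = datetime.fromtimestamp(req.timestamp, tz=timezone.utc).hour
        if not (pol.allowed_hours[0] <= hour < pol.allowed_hours[1]):
            return False
        recent = [h for h in self.history[req.terminal_id]
                  if 0 <= req.timestamp - h[0] <= pol.window_seconds]
        if len(recent) >= pol.max_accesses:     # this request would exceed the threshold
            return False
        if recent:
            _, last_lat, last_lon = max(recent)  # most recent access in the window
            if haversine_km(last_lat, last_lon, req.lat, req.lon) > pol.max_distance_km:
                return False
        return True

    def allow_access(self, req):
        if req.terminal_id in self.blacklist:
            return False
        if req.terminal_id in self.control_list:
            return self._controlled_access_allowed(req)
        return True

    def select_idle_port(self):
        """Task balancing: the idle port whose module has handled the fewest tasks."""
        idle = [(s["tasks"], p) for p, s in self.port_table.items() if s["idle"]]
        return min(idle)[1] if idle else None

    def dispatch(self, req):
        """Access port for the terminal, or None if access is refused or nothing is idle.
        Every attempt is recorded so the history checks see refused ones too."""
        allowed = self.allow_access(req)
        self.history[req.terminal_id].append((req.timestamp, req.lat, req.lon))
        if not allowed:
            return None
        port = self.select_idle_port()
        if port is not None:
            self.port_table[port]["idle"] = False
            self.port_table[port]["tasks"] += 1
        return port


# Constructed sample configuration.
POLICY = ControlPolicy(frozenset({"BJ"}), (8, 20), 3600, 3, 50.0)
PORTS = {9001: {"module": "ASM-1", "idle": True, "tasks": 5},
         9002: {"module": "ASM-2", "idle": True, "tasks": 2},
         9003: {"module": "ASM-3", "idle": False, "tasks": 1}}


def new_server():
    return DispatchServer({"T-BAD"}, {"T-CTL"}, POLICY, PORTS)
```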
S106: the core switch sends the data packet and the identifier of the destination device to the service area firewall of the service area;
Here the identifier of the destination device may be, for example, the destination IP address and destination port of the destination device, and the destination device may be the idle authentication safety control module assigned to the card-reading terminal by the dispatch server. Therefore, in this step the data packet and the identifier of the destination device need to be forwarded together to the service area firewall, so that the service area firewall can forward the data packet to the corresponding authentication safety control module according to the identifier of the destination device.
S107: the service area firewall of the service area receives the data packet and judges, according to a preset service area firewall filtering policy, whether the identifier of the destination device is one that is allowed to be accessed; if so, it sends the data packet to the first authentication safety control module, the first authentication safety control module being the authentication safety control module to which the destination port and destination IP address point;
In this embodiment, the service area firewall is the last line of defense for external network devices accessing the core devices of the service area (the authentication safety control modules and verification safety control modules). For example, a table of ports allowed to be accessed may be preset in the service area firewall; after receiving the data packet, the firewall looks the destination port up in the table of allowed ports, and if the destination port is present in the table the data packet may be sent to the authentication safety control module. Data packets that are not allowed through are thus filtered out by checking the port of the accessed device, which further protects system security at the network level, in particular the security of the authentication safety control modules and verification safety control modules.
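The packet path of steps S102, S103 and S107 (perimeter firewall filtering and NAT mapping, core switch routing, service area port table), as an added example that is not code from the patent. The NAT table, the DDoS feature value, the allowed-port table and the addresses are constructed sample values.

```python
"""Packet path through the internet access area and service area (S102, S103, S107).

Added example, not code from the patent. The NAT table, the DDoS feature
database and the allowed-port table below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]          # (ip address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint                   # card-reading terminal, public side
    dst: Endpoint                   # public identifier: access IP address and access port
    payload: bytes


class PerimeterFirewall:
    """Border filter plus NAT: maps a public identifier to a destination identifier."""

    def __init__(self, nat_table, ddos_features):
        # (access_ip, access_port) -> (destination_ip, destination_port)
        self.nat_table = dict(nat_table)
        # feature values matched against packet content, like a virus database
        self.ddos_features = [bytes(f) for f in ddos_features]

    def contains_invalid_data(self, pkt: Packet) -> bool:
        return any(feature in pkt.payload for feature in self.ddos_features)

    def resolve_destination(self, pkt: Packet) -> Optional[Endpoint]:
        """Destination identifier, or None when the packet is dropped.

        The filtering policy runs before NAT, as the description requires:
        a packet matching a DDoS feature is never mapped or forwarded.
        """
        if self.contains_invalid_data(pkt):
            return None
        # An access (ip, port) without a mapping belongs to no internal device.
        return self.nat_table.get(pkt.dst)


class CoreSwitch:
    """Chooses between the dispatch server and the service area (S103)."""

    def __init__(self, dispatch_server: Endpoint):
        self.dispatch_server = dispatch_server

    def route(self, destination: Optional[Endpoint]) -> str:
        if destination is None:
            return "drop"
        if destination == self.dispatch_server:
            return "dispatch_server"
        return "service_area"


class ServiceAreaFirewall:
    """Last line of defense: only preset destination ports reach the modules (S107)."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def admits(self, destination: Endpoint) -> bool:
        return destination[1] in self.allowed_ports


def deliver(pkt, perimeter, core, service_fw):
    """Run one packet through the three hops; returns (where it ended, destination)."""
    destination = perimeter.resolve_destination(pkt)
    hop = core.route(destination)
    if hop == "dispatch_server":
        return ("dispatch_server", destination)
    if hop == "service_area" and service_fw.admits(destination):
        return ("authentication_module", destination)
    return ("dropped", destination)


# Constructed sample topology (RFC 5737 documentation addresses on the public side).
PERIMETER = PerimeterFirewall(
    nat_table={
        ("203.0.113.10", 8443): ("10.0.1.5", 9000),    # dispatch server
        ("203.0.113.10", 8444): ("10.0.2.7", 9001),    # authentication safety control module
        ("203.0.113.10", 8445): ("10.0.2.9", 9105),    # port absent from the service area table
    },
    ddos_features=[b"\xde\xad\xbe\xef" * 4],            # constructed feature value
)
CORE = CoreSwitch(dispatch_server=("10.0.1.5", 9000))
SERVICE_FW = ServiceAreaFirewall(allowed_ports={9001, 9002, 9003})


def trace(dst: Endpoint, payload: bytes):
    """Send one constructed terminal packet to dst through the sample topology."""
    return deliver(Packet(("198.51.100.1", 40000), dst, payload), PERIMETER, CORE, SERVICE_FW)


if __name__ == "__main__":
    for dst, payload in [(("203.0.113.10", 8443), b"dispatch request"),
                         (("203.0.113.10", 8444), b"card seeking data"),
                         (("203.0.113.10", 8444), b"\xde\xad\xbe\xef" * 4),
                         (("203.0.113.10", 8445), b"port not allowed")]:
        print(dst, "->", trace(dst, payload))
```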
S108: the first authentication safety control module receives the data packet, decrypts it, and sends the decrypted data packet to the first verification safety control module, the first verification safety control module being the verification safety control module connected to the first authentication safety control module;
In this embodiment, before the first authentication safety control module decrypts the data packet, the method provided in this embodiment further comprises: the dispatch server obtaining, from the authentication database according to the identification information of the card-reading terminal, the ciphertext of the authentication key of the card-reading terminal and sending it to the first authentication safety control module; where the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database;
In this step, the first authentication safety control module decrypting the data packet comprises: the first authentication safety control module obtaining the protection key, decrypting the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypting the data packet with the authentication key;
S109: the first verification safety control module receives the decrypted data packet and, according to the data content carried by the decrypted data packet, returns a corresponding first data packet to the first authentication safety control module;
In practical applications, a card-reading terminal reading the information of an identity card generally comprises three stages: the card-seeking stage, the card-selection stage and the card-reading stage. In the card-seeking stage, the card-reading terminal broadcasts a card-seeking instruction; if an identity card responds to the card-seeking instruction, it returns card-seeking data to the card-reading terminal, and the card-reading terminal must send the card-seeking data through the internet access area and the isolation area to the first verification safety control module of the service area (the first verification safety control module being the verification safety control module connected to the first authentication safety control module to which the idle port assigned to the card-reading terminal points); the first verification safety control module returns card-seeking response data to the card-reading terminal. In the card-selection stage, the card-reading terminal reads some configuration information from the identity card (such as the identity card serial number, identity card application data and identity card preset information) and sends this configuration information through the internet access area and the isolation area to the first verification safety control module of the service area; the first verification safety control module initiates a mutual authentication process with the identity card, the card-reading terminal forwarding the interaction data of that process, and once the first verification safety control module and the identity card have completed mutual authentication, the card-reading stage is entered. In the card-reading stage, the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it through the internet access area and the isolation area to the first verification safety control module of the service area. The first verification safety control module uses the dedicated product specified by the Ministry of Public Security, conforming to GA467-2013 "Resident identity card verification security control SAM module interface technical specification", and can decrypt the identity card information ciphertext to obtain the identity card information plaintext, which is encrypted by the first authentication safety control module and sent to the card-reading terminal; the card-reading terminal decrypts the ciphertext encrypted by the first authentication safety control module to obtain the identity card information plaintext. Therefore, in this embodiment, the first verification safety control module returning the corresponding first data packet to the first authentication safety control module according to the data content carried by the decrypted data packet comprises:
when the data content is identity card card-seeking data, the first verification safety control module returns the first data packet to the first authentication safety control module, the first data packet comprising at least the card-seeking response data;
when the data content is identity card card-selection data (such as identity card configuration information, signature data or the digital certificate of the identity card, that is, data the first verification safety control module needs in order to authenticate the identity card), the first verification safety control module returns the first data packet to the first authentication safety control module, the first data packet comprising at least the data for authenticating with the identity card read by the card-reading terminal (such as the signature data or digital certificate of the first verification safety control module, that is, data the identity card needs in order to authenticate the first verification safety control module);
when the data content is identity card information ciphertext, the first verification safety control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns the first data packet to the first authentication safety control module, the first data packet comprising at least the identity card information plaintext.
S110: the first authentication safety control module receives the first data packet returned by the first verification safety control module, encrypts the first data packet, and sends the encrypted first data packet to the card-reading terminal.
In this embodiment, after receiving the first data packet returned by the first verification safety control module, the first authentication safety control module must also encrypt the first data packet before returning it to the card-reading terminal, in order to guarantee transmission security. As an optional implementation, the first authentication safety control module encrypting the first data packet and sending the encrypted first data packet to the card-reading terminal specifically comprises: the first authentication safety control module encrypting the first data packet with the authentication key of the card-reading terminal and sending the encrypted first data packet to the card-reading terminal, the card-reading terminal being able to decrypt the encrypted first data packet with its own authentication key to obtain the first data packet. Encrypting the first data packet with the authentication key thus achieves ciphertext transmission and guarantees transmission security. Moreover, even if the encrypted first data packet is intercepted by a party that does not hold the authentication key corresponding to the card-reading terminal, it cannot be decrypted; only the card-reading terminal holding the corresponding authentication key can decrypt this ciphertext, so even if the ciphertext is intercepted and the interceptor attempts to crack it, it cannot be recovered, which further guarantees the transmission security of the identity card information plaintext.
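The key hierarchy of steps S108 and S110 (protection key unwraps the terminal's authentication key, which then decrypts the request and encrypts the returned first data packet), as an added example that is not code from the patent. The patent names no cipher, so a stand-in authenticated encryption built from HMAC-SHA256 (keystream plus tag) is used; the keys, terminal identifier and packet contents are constructed.

```python
"""Key hierarchy of steps S108 and S110: protection key -> authentication key -> packet.

Added example, not code from the patent. The stand-in cipher (HMAC-SHA256
keystream with an HMAC tag) is an assumption; keys and packets are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and for the tag.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class AuthenticationDatabase:
    """Holds each terminal's authentication key only as ciphertext under the protection key."""

    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key
        self._wrapped = {}

    def enrol(self, terminal_id: str, authentication_key: bytes) -> None:
        self._wrapped[terminal_id] = seal(self._protection_key, authentication_key)

    def wrapped_key(self, terminal_id: str) -> bytes:
        """What the dispatch server fetches and hands to the authentication module."""
        return self._wrapped[terminal_id]


class AuthenticationSafetyControlModule:
    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key

    def decrypt_packet(self, wrapped_key: bytes, packet: bytes) -> bytes:
        """S108: unwrap the terminal's authentication key, then decrypt the packet."""
        authentication_key = unseal(self._protection_key, wrapped_key)
        return unseal(authentication_key, packet)

    def encrypt_first_packet(self, wrapped_key: bytes, first_packet: bytes) -> bytes:
        """S110, first variant: the returned data is encrypted under the same key."""
        authentication_key = unseal(self._protection_key, wrapped_key)
        return seal(authentication_key, first_packet)


def round_trip(protection_key, terminal_key, request, response):
    """Terminal -> module -> terminal exchange; returns what each side recovers."""
    db = AuthenticationDatabase(protection_key)
    db.enrol("terminal-01", terminal_key)            # constructed terminal identifier
    module = AuthenticationSafetyControlModule(protection_key)
    wrapped = db.wrapped_key("terminal-01")
    recovered_request = module.decrypt_packet(wrapped, seal(terminal_key, request))
    recovered_response = unseal(terminal_key, module.encrypt_first_packet(wrapped, response))
    return recovered_request, recovered_response
```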
As another optional implementation, to further avoid the drawback that always reusing the same key for encryption and decryption makes the key easier to crack, the first authentication safety control module encrypting the first data packet and sending the encrypted first data packet to the card-reading terminal specifically comprises: the first authentication safety control module generating a session key from a random number and encrypting the first data packet with the session key to obtain a first data packet ciphertext; and either encrypting the first data packet ciphertext and the session key with the public key of the card-reading terminal's encryption digital certificate to generate a session ciphertext, or encrypting only the session key with the public key of the card-reading terminal's encryption digital certificate to generate a session ciphertext and sending the session ciphertext together with the first data packet ciphertext to the card-reading terminal. The card-reading terminal is also configured to decrypt the session ciphertext with the locally stored private key corresponding to the encryption digital certificate to obtain the first data packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key and then decrypt the first data packet ciphertext with the session key to obtain the plaintext of the first data packet. The difference between this optional implementation and the previous one is that the authentication safety control module no longer uses the authentication key of the card-reading terminal but generates a session key from a random number; because the session key is random, encryption with a session key is more reliable and harder to break than encryption with a fixed transmission key.
Throughout the data transmission method provided in this embodiment, as an optional implementation, the method further comprises: a traffic scrubbing device connected to the border router monitoring the service traffic flowing through the border router and, if it detects from that traffic that the border router is under a distributed denial of service attack, scrubbing the service traffic flowing through the border router.
In this embodiment, the traffic scrubbing device monitors the data of the internet access (that is, the data packets received by the border router) in real time and promptly detects abnormal traffic, including distributed denial of service (DDoS) attacks. When the abnormal traffic reaches or exceeds a preset security baseline, the traffic scrubbing device starts the scrubbing and filtering process. By means of the traffic scrubbing device, the system relieves the pressure that DDoS attack traffic places on the internal network and improves the effectiveness of bandwidth usage; it protects the internal network from attacks from the internet and improves network performance.
Through the border router and the perimeter firewall, the internet access area of this system can thus refuse unauthorized access to the system while guaranteeing normal access by card-reading terminals; through the traffic scrubbing device, the data entering from the internet can be monitored in real time and abnormal traffic scrubbed without affecting regular services, protecting the internal network from attacks from the internet and improving network performance.
In this embodiment, the core switch is in fact a computer optimized for forwarding data packets, and as a computer it can be attacked: for example, illegal control of the core switch could be obtained, paralysing the network, and it can also be subjected to DDoS attacks. Therefore, to prevent the core switch from being illegally compromised, in the above steps the method provided in this embodiment further comprises: an intrusion detection device connected to the core switch monitoring the service traffic flowing through the core switch and matching it against a model of the users' historical behaviour, prestored expert knowledge and a neural network model; once a match succeeds, an intrusion is determined to exist, the connection between the card-reading terminal and the accessed device is disconnected immediately, and evidence is collected and data recovery performed; in addition, an anomaly detection strategy may be combined with this to monitor the service traffic flowing through the core switch. The intrusion detection device monitors the operating condition of the core switch and detects, as far as possible, attack attempts, attack behaviour and attack results, in order to guarantee the confidentiality, integrity and availability of network system resources. Furthermore, to prevent the core switch from being illegally compromised, the method provided in this embodiment further comprises: an intrusion prevention device connected to the core switch monitoring the data packets received by the core switch, judging whether a data packet received by the core switch is invalid data and, if so, discarding the data packet received by the core switch. The intrusion prevention device may judge whether a data packet received by the core switch is invalid data in the following manner, for example: the intrusion prevention device matches the data packet received by the core switch against the virus features in a preset virus database, and if a match is found the matched data packet is determined to be invalid data. It may also take into account abnormal conditions in application programs or in network transmission, for example a user or user program violating security regulations, a data packet appearing in a period in which it should not appear, or an operating system vulnerability or application program weakness being exploited, to assist in identifying intrusions and attacks. Although the intrusion prevention device also considers known virus features, it does not rely solely on them. The intrusion prevention device supplements anti-virus software and the firewall to improve system security.
By the data transmission method provided in this embodiment, the system is divided into three levels, the internet access area, the isolation area and the service area, each level using a different security policy; through these many layers of security boundaries, the security of the whole system is improved at the network level, preventing the service area from being maliciously attacked and in particular guaranteeing the security of the authentication safety control modules and verification safety control modules.
Embodiment 3
This embodiment provides an internal management server, as shown in Figure 5. The internal management server may be a centralized server, for centralized management, or a distributed server, so as to integrate network resources. The internal management server comprises: a secure access unit, a display unit, a first input interface, a security processor, a main control processor, a system management unit, a parameter configuration unit and a second input interface.
The secure access unit is configured to detect user requests and, when it detects that a user request is a user login request, to obtain the prompt information corresponding to the user login request and send the prompt information to the display unit.
Specifically, the secure access unit refreshes or checks, periodically or from time to time, whether a user request has been received; when a user request is received, it judges the type of the user request, determining from the features of the request whether it is a user login request. For example, the secure access unit may provide a Web page of the internal management server on which a login button is arranged; once the secure access unit detects that the login button has been pressed, it determines that a user login request has been detected. Alternatively, the Web page of the internal management server directly displays a login information input box, and when the cursor is detected in the login information input box the secure access unit determines that a user login request has been detected.
Of course, the user login requests of the internal management server may be differentiated by user: for example, administrator login, ordinary user login, operation user login and so on may be distinguished, and different login interfaces arranged for the different user login requests so that they are managed separately.
When the secure access unit detects that a user request is a user login request, it performs the subsequent operations, that is, obtains the prompt information corresponding to the user login request and sends the prompt information to the display unit; when the secure access unit detects no user login request, or detects an invalid request, it repeats the operation of detecting user requests.
When a user login request is detected, the internal management server also obtains the type of the user login request. Similarly, when different users log in by triggering the login button, the prompt information corresponding to each different user is obtained for that user's login request. For example, when the user is an administrator or an operation user, the prompt information may pop up input boxes for the username and password and also prompt "insert the security device or electronic signature token" or the like; when the user is an ordinary user, the prompt information may be only the pop-up input boxes for the username and password. By arranging different prompt information for the login of different users, users of different levels are made to perform different login processes, taking into account the needs of both security and convenience for different users. Of course, the present invention is not limited to the above types of prompt information; any prompt information that prompts the user to log in falls within the scope of protection of the present invention.
The display unit is configured to display the prompt information, the prompt information prompting the user to log in. Specifically, the display unit may be integrated in the internal management server or may be an external display.
The first input interface is configured to receive authentication information corresponding to the prompt information, the authentication information comprising at least user identity information and information to be verified, and to send at least the authentication information to the security processor. Specifically, the user may input the authentication information corresponding to the prompt information through input devices such as a wired interface (USB interface, audio interface, etc.), a wireless interface (WiFi, NFC, RFID, etc.), a keyboard or a touch screen. The authentication information contains at least information that can represent the user's identity, which may be information such as a user serial number, user category, user name or user identifier, and further contains information to be verified (such as a user certificate, a digital signature or user identification information), which is information able to verify the legitimacy of the user and is used by the internal management server to verify the legitimacy of the user's login.
The security processor is configured to obtain verification information, obtain the information to be verified from the received authentication information, verify the information to be verified with the verification information and, if verification passes, send the user identity information to the main control processor; otherwise it sends login failure information to the display unit and reacquires the prompt information corresponding to the user login request. Specifically, the verification information is information prestored by the internal management server or obtained from an identity device such as a security device or an electronic signature token, while the information to be verified is information input by the user.
In this embodiment the security processor may authenticate the user in one or more of the following ways; the invention is not limited to them.
Mode one: the first input interface is a USB interface, an audio interface or a wireless interface and is connected to a security device; it receives the user certificate stored on and sent by the security device. The security processor obtains the pre-stored root certificate, extracts the user certificate from the received authentication information, and verifies the legitimacy of the user certificate against that root certificate. In a specific embodiment the security device stores a digital certificate representing the user's identity and the security processor stores the root certificate (the verification information) under which that certificate was issued; when the security processor receives the user certificate (the information to be verified) from the connected security device, it validates the certificate against the pre-stored root certificate and treats the user as authenticated if validation succeeds. During verification the security processor may first send an instruction to the security device through the first input interface, and the security device sends the user certificate only after receiving that instruction, which ensures that verification runs correctly and promptly. Certificate validation itself follows the existing procedure and is not repeated here. Verifying the login with the user certificate held on the security device keeps the credential physically separate from the server and secures the login.
Mode two: the first input interface is a USB interface, an audio interface or a wireless interface and is connected to an electronic signature token; it receives the signature information that the token generates and sends, which comprises preset information and the signature value the token computed over that preset information. The security processor obtains the token's public key and verifies the signature information with it. In a specific embodiment the electronic signature token stores a digital certificate and a private key representing the user's unique identity and can generate the preset information, which may be a randomly generated number or the user's identification information; the token signs the preset information with its private key to obtain the signature value. After receiving the preset information and signature value (the information to be verified) from the connected token, the security processor obtains the token's public key (the verification information) and verifies the signature; if the signature checks out, the user is authenticated. The token's public key may be pre-stored in the security processor, fetched by the security processor from another server, or taken from a digital certificate sent by the token (that is, the token sends its digital certificate, which contains its public key, together with the signature information). As in mode one, the security processor may first send an instruction to the token through the first input interface, and the token sends the signature information only after receiving it, so that verification runs correctly and promptly. For the signature to prove a live login rather than a replayed one, the preset information should be fresh for each login, for example a random value that the security processor supplies in that instruction. In this mode the login is verified with the electronic signature token, which holds the digital certificate and private key representing the user's unique identity; verifying the user's signature authenticates the user, prevents illegitimate logins and secures the login.
Mode three: the first input interface is a keyboard, a touch screen or another information input device; it receives the user identification information the user enters. The security processor obtains the pre-stored verification identification information and verifies the entered user identification information against it. In a specific embodiment the identification information may be a user name and password, biometric information (fingerprint, iris) and so on; the security processor holds the user's verification identification information (the verification information), compares the entered user identification information (the information to be verified) with it, and treats a match as a pass. Verifying the user's identification information confirms the user's identity and secures the login.
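The three verification modes described above, as an added example in Go. This is illustration code, not code from the patent or from its assignee: the root and user certificates, the token key pair and the stored credential are generated inside the example as constructed test material, the identity is read from the certificate's common name, and the requirement in mode two that the signed preset information equal a challenge issued by the security processor is an assumption added so that a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Mode one: the security processor holds the pre-stored root certificate and
// accepts the user certificate read from the security device only if it chains
// to that root; the user identity is taken from the certificate, not from input.
func VerifyUserCert(rootDER, userDER []byte) (string, error) {
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return "", err
	}
	user, err := x509.ParseCertificate(userDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", err
	}
	return user.Subject.CommonName, nil
}

// Mode two: the token signs the preset information with its private key and the
// security processor checks the signature with the token's public key. Requiring
// the preset information to equal the challenge the processor issued is an added
// assumption: without it a captured signature could be replayed.
func VerifyTokenSignature(tokenPub ed25519.PublicKey, challenge, preset, sig []byte) bool {
	if subtle.ConstantTimeCompare(challenge, preset) != 1 {
		return false
	}
	return ed25519.Verify(tokenPub, preset, sig)
}

// Mode three: the pre-stored verification identification information is a salted
// hash of the password; the entered password is hashed the same way and compared
// in constant time (HMAC-SHA256 keyed by the salt stands in for a slow KDF).
type StoredCredential struct{ Salt, Hash []byte }

func HashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

func VerifyCredential(stored StoredCredential, password string) bool {
	return hmac.Equal(stored.Hash, HashPassword(stored.Salt, password))
}

// IssueCerts builds a root CA and a user certificate signed by it: constructed
// test material standing in for what a real security device and processor hold.
func IssueCerts(userName string) (rootDER, userDER []byte, err error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Cloud Auth Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err = x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, rootPub, rootPriv)
	if err != nil {
		return nil, nil, err
	}
	userTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: userName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	userDER, err = x509.CreateCertificate(rand.Reader, userTpl, rootTpl, userPub, rootPriv)
	return rootDER, userDER, err
}

func main() {
	rootDER, userDER, _ := IssueCerts("operator01")
	name, err := VerifyUserCert(rootDER, userDER)
	fmt.Println("mode one:", name, err)
}
```

In mode one the identity the master control processor later authorizes comes from the certificate the root vouches for, not from anything the user typed; a certificate issued under a different root is rejected even when its subject name matches. In mode two the verifier, not the token, chooses the preset information, and in mode three the comparison is constant-time so that a wrong password does not leak how many bytes matched.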
In a concrete implementation several of the above modes may be combined to protect the login, for example mode one with mode three, or mode two with mode three; requiring more than one mode further strengthens login security. Depending on the login modes required, the first input interface may be only an interface of the USB, audio or wireless type, only a keyboard, touch screen or information input device type, or an input interface that provides both types.

In all three implementations the authentication procedure is handled independently by the security processor and can be isolated from the master control processor; the independent security of the security processor further protects the user's login.
The master control processor receives the user identity information and determines the user's operating permission from it; the operating permission is the first permission and/or the second permission. The first and second permissions may be the permissions to process different instructions and to access different units (the system management unit and the parameter configuration unit). In this embodiment the first permission is the permission to process system management instructions and the second permission is the permission to process parameter configuration instructions; a user identity may hold only the first permission, only the second permission, or both. In a specific implementation the user's category is determined from the user identity information (user serial number, user category, user name, user identifier) and the operating permission from that category. For example, if the identity information identifies the user as an administrator, the administrator holds both permissions and can process system management instructions and parameter configuration instructions; if it identifies an operator, the operator holds the first permission and can process system management instructions; if it identifies operations staff, they hold the second permission and can process parameter configuration instructions. Of course, an actual system may have only one kind of user, namely administrators holding both permissions. Granting users different operating permissions according to their identity after login confines each user to the system resources it is authorized for, in effect erecting a firewall inside the internal management system.
The second input interface also receives the user's operation request and sends it to the master control processor. The user may enter the operation request on a keyboard or by selecting it on a web page of the internal management server. The second input interface and the first input interface may be two different interfaces (for example the first input interface is a USB interface and the second a keyboard), or one interface may provide the functions of both.

The master control processor also judges the type of the operation request. If the operation request contains a system management instruction and the user's operating permission is determined to be the first permission, or both the first and the second permission, it sends the operation request to the system management unit; if the operation request contains a parameter configuration instruction and the user's operating permission is the second permission, or both the first and the second permission, it sends the operation request to the parameter configuration unit. The operation request contains at least an operation instruction, which may be a system management instruction or a parameter configuration instruction; when the instruction matches the user's operating permission, the master control processor calls the corresponding unit to complete the operation.
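The permission determination and request routing of the preceding paragraphs, as an added Go example that is not code from the patent. The user category names, the permission bits and the unit names are assumptions chosen for illustration; the property the example makes explicit is that the operating permission is derived only from the identity information the security processor verified, never from anything carried in the operation request itself, and that an unknown category or instruction type is denied.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is the set of operating permissions a logged-in user holds; the
// two bits correspond to the first and second permissions in the text.
type Permission uint8

const (
	PermSystemManagement Permission = 1 << iota // first permission
	PermParameterConfig                          // second permission
)

// rolePermissions maps the user category carried in the user identity
// information to the permissions granted. The category names are assumptions.
var rolePermissions = map[string]Permission{
	"administrator":    PermSystemManagement | PermParameterConfig,
	"operator":         PermSystemManagement,
	"operations-staff": PermParameterConfig,
}

// InstructionKind is the type of the operation instruction in a request.
type InstructionKind int

const (
	SystemManagement InstructionKind = iota // query/modify/add/delete an entry
	ParameterConfig                         // configure an entry's parameters
)

// OperationRequest is what the second input interface hands to the master
// control processor. It deliberately carries no role or permission claim.
type OperationRequest struct {
	Kind  InstructionKind
	Entry string
}

var (
	ErrUnknownCategory    = errors.New("unknown user category")
	ErrDenied             = errors.New("operating permission does not cover the instruction")
	ErrUnknownInstruction = errors.New("unknown instruction type")
)

// PermissionsFor derives the operating permission from the verified user
// category, as the master control processor does after a successful login.
// Unknown categories get no permission at all (deny by default).
func PermissionsFor(category string) (Permission, error) {
	p, ok := rolePermissions[category]
	if !ok {
		return 0, ErrUnknownCategory
	}
	return p, nil
}

// Route returns the unit that handles the request, or an error when the user's
// permission does not include the bit required by the instruction type.
func Route(perm Permission, req OperationRequest) (string, error) {
	switch req.Kind {
	case SystemManagement:
		if perm&PermSystemManagement == 0 {
			return "", ErrDenied
		}
		return "system management unit", nil
	case ParameterConfig:
		if perm&PermParameterConfig == 0 {
			return "", ErrDenied
		}
		return "parameter configuration unit", nil
	}
	return "", ErrUnknownInstruction
}

func main() {
	requests := []OperationRequest{{SystemManagement, "user"}, {ParameterConfig, "blacklist policy"}}
	for _, category := range []string{"administrator", "operator", "operations-staff", "guest"} {
		perm, err := PermissionsFor(category)
		if err != nil {
			fmt.Println(category, "->", err)
			continue
		}
		for _, req := range requests {
			unit, err := Route(perm, req)
			fmt.Printf("%-16s %-16s -> %s %v\n", category, req.Entry, unit, err)
		}
	}
}
```

A request for a parameter configuration instruction from an operator, or for a system management instruction from operations staff, fails the permission match and never reaches the unit; only an administrator, who holds both bits, is routed to either unit.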
The system management unit, after receiving an operation request, obtains the system management entry corresponding to the system management instruction and performs the corresponding operation on that entry. In this case the operation request contains a system management instruction, which manages the information held by the internal management server; it includes query, modify, add and delete instructions that query, modify, add and delete the management entries in the server. When system management is required, the user must first be confirmed to hold the corresponding permission; for example, users with administrator or operator permission may manage the system. System management entries are the entries a user can modify in the internal management server and include, without limitation, users, roles, customers, products, reports and blacklists. The entry may be contained in the operation request, or the user may enter it on the keyboard or select it on a web page of the internal management server; where necessary some management parameters are entered as well to complete the management function.

The parameter configuration unit, after receiving an operation request, obtains the entry to be configured and the update parameter corresponding to the parameter configuration instruction and configures the parameter of that entry with the update parameter. In this case the operation request contains a parameter configuration instruction, which configures the parameters of the internal management server; the user must first be confirmed to hold the corresponding permission, for example users with administrator or operations-staff permission may configure parameters. The entries to be configured may include internal management system parameters, authentication security control module parameters, card-reading terminal APP parameters, blacklist policy and frequency control policy (rate limiting). The internal management server configures these entries with the update parameter, which may be contained in the operation request or entered by the user on the keyboard or by selection on a web page of the server.

When the user's operating permission is determined to be both the first and the second permission, that is, the user holds administrator permission, the user may process both system management instructions and parameter configuration instructions; the processing is as described above.
With the internal management server of this embodiment a single server manages every subsystem component of the cloud authentication platform effectively, presents a visual management interface that improves the user experience, and makes it convenient to configure system parameters during operations and maintenance. In addition, the internal management server schedules and manages the entire cloud authentication platform, restricts access to some resources, and secures access by giving different users different access permissions.
In one embodiment of the invention the login may additionally be protected by a verification code. The prompt information further includes a reference verification code; the secure access unit also generates a random code, derives the reference verification code from it, and sends the reference verification code to the display unit and the security processor. The login screen may prompt the user to enter the verification code at the same time as identity authentication, or before or after it; the internal management server generates a random code to serve as the reference verification code, which may be numeric, a picture or another format.

The display unit also shows the reference verification code; it may be shown together with the other login prompt information so that the user can enter it.

The information to be verified further includes a login verification code, which the first input interface also receives; the security processor obtains the reference verification code and compares the login verification code with it. That is, after obtaining the verification code the user entered on the keyboard or in another way, the internal management server compares it with the reference verification code it stored or generated and treats a match as a pass.

Using a login verification code prevents login replay attacks, avoids wasting system resources and secures system operation.
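The verification-code check of the preceding paragraphs, as an added Go example that is not the patent's code. The per-login session key, the six-digit numeric format and the validity period are assumptions; what the example adds to the text is the property on which the replay claim rests: each reference verification code is consumed on its first use, whether the comparison succeeds or fails, so a captured login verification code cannot be presented a second time and a guess gets one attempt per issued code.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// CodeStore holds the reference verification codes generated for pending
// logins, keyed by login session. Each code is valid once, within TTL.
type CodeStore struct {
	TTL   time.Duration
	Now   func() time.Time // injectable clock; time.Now in production
	mu    sync.Mutex
	codes map[string]refCode
}

type refCode struct {
	code    string
	expires time.Time
}

func NewCodeStore(ttl time.Duration) *CodeStore {
	return &CodeStore{TTL: ttl, Now: time.Now, codes: map[string]refCode{}}
}

// Issue derives a six-digit reference verification code from a random value and
// returns it for display. Re-issuing for the same session replaces the old code.
// (The modulo reduction carries a negligible bias for a 6-digit code.)
func (s *CodeStore) Issue(session string) (string, error) {
	var raw [4]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", binary.BigEndian.Uint32(raw[:])%1000000)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[session] = refCode{code: code, expires: s.Now().Add(s.TTL)}
	return code, nil
}

// Redeem compares the login verification code entered by the user with the
// stored reference. The entry is deleted on every attempt, matching or not,
// so a captured code cannot be replayed and guessing gets one try per issue.
// Expired codes are rejected even when they match.
func (s *CodeStore) Redeem(session, entered string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	ref, ok := s.codes[session]
	if !ok {
		return false
	}
	delete(s.codes, session)
	if s.Now().After(ref.expires) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(ref.code), []byte(entered)) == 1
}

func main() {
	store := NewCodeStore(2 * time.Minute)
	code, _ := store.Issue("login-1")
	fmt.Println("first use:", store.Redeem("login-1", code))
	fmt.Println("replayed: ", store.Redeem("login-1", code))
}
```

Without the delete-on-attempt step a reference code that stayed valid until expiry would let an attacker who saw one login reuse the same code in the next request; the constant-time comparison keeps the check from revealing how many leading digits were correct.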
In an embodiment of the invention the system management instruction includes a query instruction, a modify instruction, an add instruction and/or a delete instruction. The master control processor obtains the system management entry corresponding to the system management instruction and judges the instruction's type; if the type indicates a query instruction, the system management unit performs a query operation on the system management entry according to the query instruction; if it indicates a modify instruction, a modify operation; if it indicates an add instruction, an add operation; and if it indicates a delete instruction, a delete operation.

In an embodiment of the invention the system management entry includes a user, a role, a customer, a product, a report and/or a blacklist.

When the system management unit performs a query operation on the system management entry according to the query instruction: if the entry is a user, it queries the user and outputs the user information according to the preset query output rule; if the entry is a role, it queries the role and outputs the role information; if a customer, it queries the customer and outputs the customer information; if a product, it queries the product and outputs the product information; if a report, it queries the report and outputs the report information; and if a blacklist, it queries the blacklist and outputs the blacklist information, in each case according to the preset query output rule.

When the system management unit performs a modify operation on the system management entry according to the modify instruction: if the entry is a user, it modifies the user information and stores the result; likewise, if the entry is a role, customer, product, report or blacklist, it modifies the role, customer, product, report or blacklist information according to the modify instruction and stores the modification result.

When the system management unit performs an add operation on the system management entry according to the add instruction: if the entry is a user, it adds the user and stores the added user information; likewise, if the entry is a role, customer, product, report or blacklist, it adds the role, customer, product, report or blacklist according to the add instruction and stores the added information.

When the system management unit performs a delete operation on the system management entry according to the delete instruction: if the entry is a user, it deletes the user; likewise, if the entry is a role, customer, product, report or blacklist, it deletes the role, customer, product, report or blacklist according to the delete instruction.
The operations on each system management entry are described in turn below.

When the system management entry is a user, an administrator or operator logged in to the internal management server can query, modify, add and delete user information. For example, to query user information the administrator or operator may enter the user's unique identification (such as an ID or name), or perform a default query that returns all user information for users able to log in to the internal management server; the query result is shown on the display unit. Likewise, for modify, add and delete operations the user is identified by its unique identification (ID, name), its information is modified, added or deleted, and the result of the modification, addition or deletion is stored.

When the system management entry is a role, an administrator or operator logged in to the internal management server can query, modify, add and delete role information. The internal management server assigns different roles to different users, and each role has different permissions, for example administrator, operator and operations staff. To query role information, including the permissions under a role, the administrator or operator may use the role's name or number, or perform a default query that returns all role information of the internal management server; the result is shown on the display unit. Likewise, role information is modified by role name or number, for example to change a role's permissions; roles are added or deleted by role name or number; and the result of the modification, addition or deletion is stored.

When the system management entry is a customer, an administrator or operator logged in to the internal management server can query, modify, add and delete customer information. The customers in the internal management server are the customers from different industries in the cloud authentication system, such as banks, merchants and telecom operators. The Internet ID card cloud authentication system provides ID card authentication services to customers in different industries; different customers may use card-reading terminals of different product numbers and product types and obtain different ID card information, so the internal management server must manage the customers separately. Customer management is likewise based on the customer's unique identification (such as an ID or title): the customer is determined from it, its information is added, modified, deleted or queried, the query result is shown, and the result of the modification, addition or deletion is stored. For example, when a customer is queried by a query instruction, the server detects the entered customer identification, finds the customer's related information in the internal management server, and outputs it on the display unit.

When the system management entry is a product, an administrator or operator logged in to the internal management server can query, modify, add and delete product information. Products in the internal management server correspond to card-reading terminals: a product entry records the card-reading terminal type and card-reading terminal number, the card-reading terminal serial number is the product's unique identification, and each product entry is also bound to customer information. When the administrator or operator queries a product entry, the terminal type, terminal serial number, owning customer and other information can be queried, either by default query or by unique identification, and the result is shown on the display unit. Likewise, for modify, add and delete operations the product is determined by its unique identification, its information is modified, added or deleted, and the result is stored. Products can also be added in batches through product information management.

When the system management entry is a report, an administrator or operator logged in to the internal management server can query, modify, add and delete reports. The administrator or operator can generate reports on the state of every entry the internal management server manages, and can query, modify, add and delete them; the system's management data items can also be classified to provide customers with customized data item reports. Report content may cover the information of all management entries of the internal management server, all configurable parameter information and other information related to transactions.

When the system management entry is a blacklist, an administrator or operator logged in to the internal management server can query, modify, add and delete blacklists. The internal management server may maintain a series of blacklists; for example, a blacklist mechanism applies to products (card-reading terminals): a card-reading terminal in an abnormal state is added to the blacklist, and a terminal the system misjudged can be deleted from it, so that the blacklist information is maintained. When the administrator or operator needs to query a blacklist, a query element may be entered or a default query performed that returns all blacklist information, and the result is shown on the display unit. Likewise, for modify, add and delete operations the blacklist entry is determined by its element, the blacklist information is modified, added or deleted, and the result is stored.
In one embodiment of the invention the entry to be configured includes an internal management system parameter, an authentication security control module parameter, a card-reading terminal APP parameter, a blacklist policy and/or a frequency control policy. The parameter configuration unit obtains the entry to be configured and the update parameter corresponding to the parameter configuration instruction and judges the entry's type; if the entry is an internal management system parameter, the parameter configuration unit configures the internal management system's parameter with the update parameter; if it is an authentication security control module parameter, it configures the authentication security control module's parameter; if it is a card-reading terminal APP parameter, it configures the card-reading terminal APP parameter; if it is a blacklist policy, it configures the blacklist policy; and if it is a frequency control policy, it configures the frequency control policy, in each case with the update parameter.

A user logged in to the internal management server must hold administrator or operations-staff permission to execute a parameter configuration instruction; only after the login user's permission has been matched is the user allowed to process the instruction. The operations on each entry to be configured are described in turn below.

When the entry to be configured is an internal management system parameter, the operating parameters of the internal management system are configured, for example the verification code generation rule or the detection time interval of the authentication security control module. The internal management server receives the parameter configuration instruction, determines the entry to be configured from it and, on judging its type to be an internal management system parameter, jumps to the configuration flow for that parameter and obtains the corresponding update parameter through the keyboard or another input device; for example, when an administrator or operations staff configures the detection time interval of the authentication security control module, the interval to be set is entered on the keyboard as the update parameter. The configured internal management system parameters provide unified parameter settings for the cloud authentication platform, and other systems can conveniently obtain them through the internal management server.

When the entry to be configured is an authentication security control module parameter, the parameters of the authentication security control module are configured and the updated parameter information is sent to the module for it to execute. The internal management server receives the parameter configuration instruction, determines the entry to be configured from it and, on judging its type to be an authentication security control module parameter, jumps to the configuration flow for that parameter, obtains the corresponding update parameter through the keyboard or another input device, configures the module with it, and sends the updated parameter information to the authentication security control module so that it takes effect there.

When the entry to be configured is a card-reading terminal APP parameter, the version of the client software is maintained and the card-reading terminal APP software is distributed. When the card-reading terminal APP needs updating, the administrator or operations staff configures the APP parameters through the internal management server, for example updating the APP version number so that the client updates the software automatically once it detects the new version; the internal management server also stores the updated card-reading terminal APP software so that the client can download the update.

When the entry to be configured is a blacklist policy, the blacklist policy is configured, which gives the system its basis for judging whether a card-reading terminal is behaving abnormally. The blacklist policy may set thresholds for a terminal's abnormal behaviour: a card-reading terminal that exceeds a preset threshold is judged to have behaved abnormally and may be added to the blacklist. A release policy may also be set, for example the criterion by which the abnormal behaviour is judged to have ended, and when the abnormal behaviour is judged to have ended the terminal is released from the blacklist. Other blacklist policies may of course be set according to actual needs. The internal management server receives the parameter configuration instruction, determines the entry to be configured from it and, on judging its type to be a blacklist policy, jumps to the blacklist policy configuration flow, obtains the corresponding update parameter through the keyboard or another input device, and configures the blacklist policy with it.
When entry to be configured is frequency control strategy, it is mainly accomplished that the access time interval of setting card-reading terminal, Frequency control is carried out for scheduling system, and foundation is provided.Since card-reading terminal frequent visit will cause the collapse of background system, because This needs that the access time interval of card-reading terminal is reasonably arranged, once the access time interval of card-reading terminal is less than in advance If Lawful access time interval when, the behavior of the card-reading terminal can be judged as abnormal behaviour.Specifically, inner tube service Device receives parameter configuration instruction, determines entry to be configured according to parameter configuration instruction, judges the type of entry to be configured for frequency When control strategy, the process of frequency control strategy configuration is jumped to, determining frequency is obtained by keyboard or other input equipments Control strategy configures corresponding undated parameter, is configured using the undated parameter to frequency control strategy.For example, when determining When 0.1s is minimum access frequency, the access lower than the interval 0.1s will be considered as abnormal behaviour, then can by keyboard or Other input equipments input parameter 0.1s, to configure frequency control strategy, it is, of course, also possible to the opening time managed from frequency, Other aspects such as rank are configured frequency control strategy.
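The blacklist policy and the frequency control policy described above are only stated as parameters (a threshold on abnormal behaviour, a release criterion, a minimum access interval such as 0.1 s). The following Python is an added example, not code from the patent, showing how a dispatch-side controller would enforce both policies on the stream of access requests: a too-fast access is counted as abnormal, reaching the threshold puts the terminal on the blacklist, and a quiet period with no further abnormal accesses releases it. The class and field names, the default numbers and the quiet-period release rule are my assumptions; the patent does not define the release criterion beyond "abnormal behaviour has ceased".

```python
"""Added example, not from the patent: a small policy engine for the
blacklist policy and the frequency control policy configured above.
Assumptions (mine): the administrator's entries are plain numbers held in
`Policy`; the dispatch system calls `check_access` once per access request,
identifying the terminal by the fingerprint of its digital certificate;
"abnormal behaviour has ceased" means a quiet period with no further
too-fast accesses."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Policy:
    """Entries an administrator or operator enters through the keyboard."""
    min_access_interval: float = 0.1    # seconds; a smaller gap is abnormal
    abnormal_threshold: int = 3         # abnormal events before blacklisting
    release_quiet_period: float = 60.0  # seconds without abnormal events


@dataclass
class TerminalState:
    last_access: Optional[float] = None
    last_abnormal: Optional[float] = None
    abnormal_count: int = 0
    blacklisted: bool = False


class AccessController:
    """Applies the configured policies to access requests from card-reading terminals."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._terminals: Dict[str, TerminalState] = {}

    def configure(self, entry: str, value) -> None:
        """Parameter configuration instruction for one policy entry."""
        if not hasattr(self.policy, entry):
            raise ValueError(f"unknown policy entry: {entry}")
        setattr(self.policy, entry, value)

    def is_blacklisted(self, terminal_id: str) -> bool:
        return self._terminals.get(terminal_id, TerminalState()).blacklisted

    def check_access(self, terminal_id: str, now: float) -> str:
        """Classify one access at time `now` as 'allow', 'abnormal' or 'blacklisted'."""
        st = self._terminals.setdefault(terminal_id, TerminalState())
        too_fast = (st.last_access is not None
                    and now - st.last_access < self.policy.min_access_interval)
        st.last_access = now
        if too_fast:
            st.abnormal_count += 1          # frequency control: interval too small
            st.last_abnormal = now
        elif (st.blacklisted and st.last_abnormal is not None
              and now - st.last_abnormal >= self.policy.release_quiet_period):
            st.blacklisted = False          # release rule: behaviour has ceased
            st.abnormal_count = 0
        if st.abnormal_count >= self.policy.abnormal_threshold:
            st.blacklisted = True           # threshold reached: blacklist
        if st.blacklisted:
            return "blacklisted"
        return "abnormal" if too_fast else "allow"


def simulate(events):
    """Run a list of (terminal_id, timestamp) pairs with default policy; return the decisions."""
    ctl = AccessController(Policy())
    return [ctl.check_access(t, ts) for t, ts in events]
```

With the defaults, a terminal that sends three accesses inside 0.1 s of each other is blacklisted on the third, stays refused while it keeps hammering (each too-fast access refreshes `last_abnormal`), and is released only after 60 s without a too-fast access. Note that a blacklisted terminal still has its timing recorded, so it cannot talk its way off the list by flooding.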
Embodiment 4
This embodiment provides an identity card reading method which, as shown in Fig. 6, comprises steps S201 to S213:
S201: the card-reading terminal sends an access request to the dispatch server through the Internet access zone; the access request carries the identification information of the card-reading terminal;
Here the identification information of the card-reading terminal includes the digital certificate of the card-reading terminal.
S202: after receiving the access request, the dispatch server obtains the identification information of the card-reading terminal from the access request and judges from it whether the card-reading terminal is allowed to read identity cards; if allowed, step S203 is executed, otherwise feedback information denying access is returned to the card-reading terminal;
The dispatch server's judgement of whether the card-reading terminal is allowed to read identity cards comprises:
judging whether the digital certificate of the card-reading terminal is abnormal; if so, determining that the card-reading terminal is not allowed to read identity cards; otherwise judging whether the digital certificate of the card-reading terminal is in the blacklist or the control list, where the blacklist records the digital certificates of card-reading terminals that are not allowed to access, and the control list records the digital certificates of card-reading terminals whose access must be controlled according to a preset control strategy;
if the digital certificate of the card-reading terminal is judged to be in the blacklist, the card-reading terminal is not allowed to read identity cards and its request is refused;
if the digital certificate of the card-reading terminal is judged to be in the control list, whether the card-reading terminal is allowed to read identity cards is judged according to the preset control strategy.
S203: when it is determined that the card-reading terminal is allowed to read identity cards, the dispatch server queries the port status list and, on the principle of load balancing, selects the port number corresponding to an idle authentication security control module as the access port of the card-reading terminal;
S204: the dispatch server sends the port number of the selected authentication security control module to the card-reading terminal;
S205: the card-reading terminal sends a card-search request through the Internet access zone and the isolation zone to the authentication security control module the port number points to;
To guarantee transmission security, the card-search request sent by the card-reading terminal may be in ciphertext form: the card-reading terminal encrypts the card-search request with its own authentication key to produce the ciphertext card-search request.
S206: the authentication security control module the port number points to receives the card-search request sent by the card-reading terminal and sends it to the verification security control module corresponding to that authentication security control module;
In this step, when the card-search request received by the authentication security control module is ciphertext, the module can decrypt it with the authentication key of the card-reading terminal and send the plaintext card-search request to the verification security control module.
S207: the corresponding verification security control module receives the card-search request, confirms it, and sends the confirmation result information to the selected authentication security control module;
S208: the authentication security control module the port number points to obtains a session key, encrypts the confirmation result information with the session key, and sends the encrypted confirmation result information to the card-reading terminal;
The session key may be negotiated between the authentication security control module and the card-reading terminal, or generated by one party and sent to the other after being encrypted.
S209: the card-reading terminal sends a first data packet through the Internet access zone and the isolation zone to the authentication security control module the port number points to;
After receiving the encrypted confirmation result, the card-reading terminal may first decrypt the encrypted session key to obtain the session key, then decrypt the encrypted confirmation result with the session key to obtain the confirmation result.
The first data packet includes the identity card ciphertext obtained by the card-reading terminal encrypting the original identity card ciphertext information it read;
S210: the authentication security control module the port number points to receives the first data packet sent by the card-reading terminal, decrypts it with the session key to obtain the original identity card ciphertext information, and sends the original identity card ciphertext information to the corresponding verification security control module;
S211: the corresponding verification security control module decrypts the original identity card ciphertext information to obtain the identity card plaintext information and returns the identity card plaintext information to the authentication security control module the port number points to;
S212: the authentication security control module the port number points to encrypts the identity card plaintext information with the session key and sends a second data packet to the card-reading terminal, the second data packet including the encrypted identity card plaintext information;
S213: the card-reading terminal receives the second data packet and decrypts it with the session key to obtain the identity card plaintext information.
The above flow is executed in the case where the perimeter firewalls of the Internet access zone and the service zone allow the access of the card-reading terminal and the intrusion detection device and intrusion prevention device have not detected that the system is under attack; the interaction data between the card-reading terminal and the verification security control module is transmitted through the network transmission devices of the Internet access zone, the core zone and the service zone.
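The exchange of steps S201 to S213, with both sides' messages, as an added Python example that is not part of the patent. It also carries the detail from claim 1 that the authentication database stores each terminal's authentication key encrypted under the database's protection key, which the authentication security control module must first unwrap. The patent specifies no cipher, so `encrypt`/`decrypt` below are a stdlib stand-in (SHA-256 keystream plus an HMAC tag) and should be replaced by a real AEAD such as AES-GCM in any real system; the meaning of an "abnormal" certificate, the control strategy (a read quota), the card data format and all names are my assumptions.

```python
"""Added example, not the patent's code: a stdlib-only walk through steps
S201..S213. Assumptions (mine): the patent names no cipher, so encrypt/decrypt
are a SHA-256 keystream plus HMAC tag stand-in (use AES-GCM for real); a
certificate is abnormal when expired or revoked; the control strategy for
control-list terminals is a read quota; the card's original ciphertext is
produced with the verification module's key, as the real format is not given."""
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream || HMAC tag (toy AEAD stand-in)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class DispatchServer:
    """S202/S203: certificate check, blacklist, control list, least-loaded port."""
    def __init__(self, ports, blacklist=(), control_list=None):
        self.port_load = {p: 0 for p in ports}           # port status list
        self.blacklist = set(blacklist)
        self.control_list = dict(control_list or {})     # cert id -> reads left

    def admit(self, cert: dict, now: int):
        if cert["not_after"] < now or cert.get("revoked"):
            return None                                  # abnormal certificate
        if cert["id"] in self.blacklist:
            return None
        if cert["id"] in self.control_list:              # preset control strategy
            if self.control_list[cert["id"]] <= 0:
                return None
            self.control_list[cert["id"]] -= 1
        port = min(self.port_load, key=self.port_load.get)
        self.port_load[port] += 1
        return port

class VerifyModule:
    """Verification security control module (S207, S211)."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key

    def confirm_card_search(self, request: bytes) -> bytes:
        return b"OK:" + request

    def decrypt_card(self, card_ciphertext: bytes) -> bytes:
        return decrypt(self.card_key, card_ciphertext)

class AuthModule:
    """Authentication security control module on one port (S206-S212)."""
    def __init__(self, verify: VerifyModule, auth_db: dict, protection_key: bytes):
        self.verify, self.auth_db, self.protection_key = verify, auth_db, protection_key
        self.sessions = {}

    def terminal_key(self, cert_id: str) -> bytes:
        # Claim 1: the authentication database stores each terminal's
        # authentication key encrypted under the database's protection key.
        return decrypt(self.protection_key, self.auth_db[cert_id])

    def handle_card_search(self, cert_id: str, ciphertext: bytes):
        tk = self.terminal_key(cert_id)
        result = self.verify.confirm_card_search(decrypt(tk, ciphertext))
        sk = self.sessions[cert_id] = secrets.token_bytes(32)
        return encrypt(tk, sk), encrypt(sk, result)      # S208: key sent encrypted

    def handle_first_packet(self, cert_id: str, first_packet: bytes) -> bytes:
        sk = self.sessions[cert_id]
        plain = self.verify.decrypt_card(decrypt(sk, first_packet))   # S210-S211
        return encrypt(sk, plain)                        # S212: second data packet

def read_id_card(cert, auth_key, dispatch, modules, card_ciphertext, now):
    """Terminal side of S201..S213; returns the identity card plaintext."""
    port = dispatch.admit(cert, now)                     # S201-S204
    if port is None:
        raise PermissionError("access refused by dispatch server")
    mod = modules[port]
    enc_sk, enc_result = mod.handle_card_search(         # S205-S208
        cert["id"], encrypt(auth_key, b"FIND_CARD"))
    sk = decrypt(auth_key, enc_sk)                       # recover session key
    if not decrypt(sk, enc_result).startswith(b"OK:"):
        raise RuntimeError("card search not confirmed")
    second = mod.handle_first_packet(cert["id"], encrypt(sk, card_ciphertext))  # S209
    return decrypt(sk, second)                           # S213

def demo(blacklisted: bool = False) -> bytes:
    """Constructed sample deployment: two ports, one terminal, one card."""
    protection_key, card_key, auth_key = b"P" * 32, b"C" * 32, b"T" * 32
    cert = {"id": "terminal-001", "not_after": 2_000_000_000, "revoked": False}
    auth_db = {cert["id"]: encrypt(protection_key, auth_key)}
    modules = {p: AuthModule(VerifyModule(card_key), auth_db, protection_key)
               for p in (5001, 5002)}
    dispatch = DispatchServer(list(modules), blacklist=[cert["id"]] if blacklisted else ())
    card_ct = encrypt(card_key, b"NAME=Test;ID=000000000000000000")  # constructed
    return read_id_card(cert, auth_key, dispatch, modules, card_ct, now=1_700_000_000)
```

Two points worth noticing in the flow: the terminal's long-term authentication key is used only to wrap the session key and the card-search request, while all card data travels under the per-session key; and the verification module never sees the session key, so the card-data decryption key (the one that matters) stays one hop further inside the service zone than the terminal-facing module. The `decrypt` tag check is what stops a modified first packet from reaching the verification module at all.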
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the function involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that parts of the present invention may be realised in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be realised by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if realised in hardware, as in another embodiment, any one or a combination of the following techniques well known in the art may be used: a discrete logic circuit with logic gate circuits for realising logic functions on data signals, an application-specific integrated circuit with suitable combinational logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those skilled in the art will understand that all or part of the steps carried by the method of the above embodiments can be completed by instructing related hardware through a program; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be realised in the form of hardware or in the form of a software functional module. If the integrated module is realised in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention without departing from the principle and purpose of the invention. The scope of the invention is defined by the appended claims and their equivalents.

Claims (8)

1. A method of data transmission, characterised in that it comprises:
a border router receives a data packet sent by a card-reading terminal, selects the perimeter firewall to send to according to a routing strategy, and sends the data packet to the selected perimeter firewall;
the selected perimeter firewall receives the data packet, determines according to the content of the data packet the identifier of the destination device the card-reading terminal is accessing, and sends the data packet and the identifier of the destination device to a core switch;
the core switch, according to the identifier of the destination device, sends the data packet to a dispatch server or, alternatively, sends the data packet and the identifier of the destination device to the service-zone firewall of the service zone;
in the case where the core switch sends the data packet to the dispatch server, the dispatch server receives the data packet, judges according to the identification information of the card-reading terminal whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal, the certificate of the card-reading terminal being contained in the data packet; when it judges that the card-reading terminal is allowed to access and that the digital certificate of the card-reading terminal is normal, it performs the operation of obtaining from the authentication database the port status list within the area of responsibility of the dispatch server, selects an idle authentication security control module for the card-reading terminal, and sends the identifier of the idle authentication security control module to the card-reading terminal;
in the case where the core switch sends the data packet and the identifier of the destination device to the service zone, the service-zone firewall of the service zone receives the data packet, judges according to a preset service-zone firewall filtering policy whether the identifier of the destination device is allowed to be accessed and, if so, sends the data packet to a first authentication security control module, the first authentication security control module being the authentication security control module indicated by the identifier of the destination device;
the first authentication security control module receives the data packet; the dispatch server obtains, according to the identification information of the card-reading terminal, the ciphertext of the authentication key of the card-reading terminal from the authentication database and sends it to the first authentication security control module, wherein the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database; the first authentication security control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, decrypts the data packet with the authentication key, and sends the decrypted data packet to a first verification security control module, the first verification security control module being the verification security control module connected to the first authentication security control module;
the first verification security control module receives the decrypted data packet and returns a corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet, wherein: when the data content is identity card card-search data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least card-search response data; when the data content is identity card card-selection data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least the related data for authenticating the identity card read by the card-reading terminal; when the data content is an identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns the first data packet to the first authentication security control module, the first data packet including at least the identity card information plaintext;
the first authentication security control module receives the first data packet returned by the first verification security control module, encrypts the first data packet, and sends the encrypted first data packet to the card-reading terminal.
2. The method according to claim 1, characterised in that:
the data packet contains at least the public identifier of the destination device;
the selected perimeter firewall determining, according to the content of the data packet, the identifier of the destination device the card-reading terminal is accessing comprises:
the selected perimeter firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to a network address translation protocol.
3. The method according to claim 2, characterised in that:
before the border router selects the perimeter firewall to send to according to the routing strategy and sends the data packet to the selected perimeter firewall, the method further comprises:
the border router judges, according to a preset border routing filtering policy, whether the public identifier of the destination device is allowed to pass through the border router and, if allowed, performs the step of selecting the perimeter firewall to send to according to the routing strategy and sending the data packet to the selected perimeter firewall.
4. The method according to any one of claims 1 to 3, characterised in that:
before the selected perimeter firewall determines, according to the content of the data packet, the identifier of the destination device the card-reading terminal is accessing, the method further comprises:
the selected perimeter firewall judges, according to a preset perimeter firewall filtering policy, whether the data packet contains invalid data and, if not, performs the step of determining, according to the content of the data packet, the identifier of the destination device the card-reading terminal is accessing.
5. The method according to any one of claims 1 to 3, characterised in that the method further comprises:
a flow cleaning device connected to the border router monitors the service traffic flowing through the border router and, if it detects from the service traffic flowing through the border router that the border router is under a distributed denial-of-service attack, performs flow cleaning on the service traffic flowing through the border router.
6. The method according to any one of claims 1 to 3, characterised in that:
there are multiple dispatch servers;
the method further comprises: in the case where the core switch sends the data packet to the multiple dispatch servers, a load balancer connected between the core switch and the multiple dispatch servers allocates the data packet to one of the multiple dispatch servers according to a balancing policy.
7. The method according to any one of claims 1 to 3, characterised in that the method further comprises:
an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches the service traffic flowing through the core switch against the historical behaviour model of the user, pre-stored expert knowledge and a neural network model; once a match succeeds, it judges that intrusion behaviour exists.
8. The method according to any one of claims 1 to 3, characterised in that the method further comprises:
an intrusion prevention device connected to the core switch monitors the data packets received by the core switch, judges whether a data packet received by the core switch is invalid data and, if so, discards the data packet received by the core switch.
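The transmission path of claims 1 to 4, 6 and 8 (border router with filtering policy and routing strategy, perimeter firewall with invalid-data check and NAT of the public identifier, core switch with the load balancer towards the dispatch servers and the intrusion prevention device, service-zone firewall with its filtering policy) as an added Python example that is not part of the patent. Each stage records in `pkt.trace` where it forwarded the packet or why it dropped it, which is the view a practitioner wants when tracing why a terminal cannot reach its authentication security control module. The public identifier format, the static NAT table, the definition of "invalid data" as a length-field mismatch, the constructed intrusion-prevention signatures and all device names are my assumptions; the dispatch servers and authentication security control modules are represented only by name.

```python
"""Added example, not the patent's code: the packet path of claims 1 to 4,
6 and 8 as a chain of stages, each recording in `pkt.trace` where the
packet went or why it was dropped. Assumptions (mine): the public
identifier is a string such as "pub:auth-7", NAT is a static table,
"invalid data" means the length field disagrees with the payload,
intrusion prevention signatures are a constructed list, and the dispatch
servers and authentication security control modules are named only."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import List, Optional


@dataclass
class Packet:
    terminal_id: str
    public_dst: str             # public identifier of the destination device
    declared_len: int
    payload: bytes
    internal_dst: Optional[str] = None
    trace: List[str] = field(default_factory=list)


class ServiceFirewall:
    """Service-zone firewall: filtering policy on the destination identifier."""
    def __init__(self, allowed_modules):
        self.allowed = set(allowed_modules)

    def forward(self, pkt: Packet) -> Optional[str]:
        if pkt.internal_dst not in self.allowed:
            pkt.trace.append("service-fw: destination not permitted by policy")
            return None
        pkt.trace.append(f"service-fw: -> {pkt.internal_dst}")
        return pkt.internal_dst


class CoreSwitch:
    """Core switch with the claim 6 load balancer and claim 8 intrusion prevention."""
    BAD_SIGNATURES = (b"<script", b"' OR 1=1")   # constructed sample signatures

    def __init__(self, dispatch_servers, service_fw: ServiceFirewall):
        self.dispatch = cycle(dispatch_servers)      # balancing policy: round robin
        self.service_fw = service_fw

    def forward(self, pkt: Packet) -> Optional[str]:
        if any(sig in pkt.payload for sig in self.BAD_SIGNATURES):
            pkt.trace.append("core-switch/ips: invalid data discarded")
            return None
        if pkt.internal_dst == "dispatch":
            target = next(self.dispatch)
            pkt.trace.append(f"core-switch: -> {target}")
            return target
        return self.service_fw.forward(pkt)


class PerimeterFirewall:
    """Claims 2 and 4: invalid-data check, then NAT of the public identifier."""
    def __init__(self, name: str, nat_table: dict, core: CoreSwitch):
        self.name, self.nat, self.core = name, nat_table, core

    def forward(self, pkt: Packet) -> Optional[str]:
        if pkt.declared_len != len(pkt.payload):
            pkt.trace.append(f"{self.name}: invalid data (length mismatch)")
            return None
        pkt.internal_dst = self.nat.get(pkt.public_dst)
        if pkt.internal_dst is None:
            pkt.trace.append(f"{self.name}: no NAT mapping for {pkt.public_dst}")
            return None
        return self.core.forward(pkt)


class BorderRouter:
    """Claims 1 and 3: filtering policy on the public identifier, then routing strategy."""
    def __init__(self, firewalls, allowed_public_ids):
        self.next_fw = cycle(firewalls)              # routing strategy: round robin
        self.allowed = set(allowed_public_ids)

    def forward(self, pkt: Packet) -> Optional[str]:
        if pkt.public_dst not in self.allowed:
            pkt.trace.append("border-router: blocked by filtering policy")
            return None
        fw = next(self.next_fw)
        pkt.trace.append(f"border-router: -> {fw.name}")
        return fw.forward(pkt)


def build_topology() -> BorderRouter:
    """Constructed sample deployment: two perimeter firewalls, two dispatch servers."""
    service_fw = ServiceFirewall({"auth-7"})
    core = CoreSwitch(["dispatch-1", "dispatch-2"], service_fw)
    nat = {"pub:dispatch": "dispatch", "pub:auth-7": "auth-7", "pub:auth-8": "auth-8"}
    fws = [PerimeterFirewall("fw-a", nat, core), PerimeterFirewall("fw-b", nat, core)]
    return BorderRouter(fws, nat.keys())


def route(border: BorderRouter, terminal_id: str, public_dst: str,
          payload: bytes, declared_len: Optional[int] = None):
    """Send one packet from a terminal; return (destination or None, trace)."""
    pkt = Packet(terminal_id, public_dst,
                 len(payload) if declared_len is None else declared_len, payload)
    return border.forward(pkt), pkt.trace
```

In the sample topology "pub:auth-8" has a NAT entry but is not in the service-zone firewall's policy, so a packet for it passes the border router, the perimeter firewall and the core switch and is only dropped at the last hop; the trace makes that visible, which is the practical value of logging a decision at every stage rather than a single accept/deny.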
CN201610041107.XA 2016-01-21 2016-01-21 A kind of method of data transmission Active CN105991647B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610041107.XA CN105991647B (en) 2016-01-21 2016-01-21 A kind of method of data transmission

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610041107.XA CN105991647B (en) 2016-01-21 2016-01-21 A kind of method of data transmission

Publications (2)

Publication Number Publication Date
CN105991647A CN105991647A (en) 2016-10-05
CN105991647B true CN105991647B (en) 2019-06-28

Family

ID=57039910

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610041107.XA Active CN105991647B (en) 2016-01-21 2016-01-21 A kind of method of data transmission

Country Status (1)

Country Link
CN (1) CN105991647B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10931652B2 (en) * 2017-01-24 2021-02-23 Microsoft Technology Licensing, Llc Data sealing with a sealing enclave
CN107481372B (en) * 2017-08-16 2021-04-23 广州甩手技术有限公司 Dual-redundancy intelligent storage device, dual-redundancy Internet of things storage system and implementation method thereof
CN107948199B (en) * 2017-12-27 2021-05-25 北京奇安信科技有限公司 Method and device for rapidly detecting terminal shared access
CN108696541A (en) * 2018-07-20 2018-10-23 国家电网公司 The method and device of safe processing of communication network
CN109639580B (en) * 2019-02-03 2021-05-14 新华三信息安全技术有限公司 Message forwarding method and device
CN109992940B (en) * 2019-03-29 2021-03-12 北京金山云网络技术有限公司 Identity verification method, device and system and identity verification server
CN110428510B (en) * 2019-08-23 2022-03-08 深圳市金溢科技股份有限公司 PSAM card centralized management method and device and secure cloud box system
CN111277660B (en) * 2020-01-22 2021-09-14 中国银联股份有限公司 System and method for forming DMZ (digital multiplex) area
CN111600866B (en) * 2020-05-12 2022-03-01 福建龙净环保股份有限公司 Data transmission method and system based on Internet

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN2702376Y (en) * 2004-05-16 2005-05-25 苏明儒 Document information checking machine
CN103593634A (en) * 2013-11-08 2014-02-19 国家电网公司 Network centralized decoding system and method of identity card identifier
CN104993954A (en) * 2015-06-24 2015-10-21 深圳市金正方科技股份有限公司 Method and system for identifying terminal by intelligent electric meter

Also Published As

Publication number Publication date
CN105991647A (en) 2016-10-05

Similar Documents

Publication Publication Date Title
CN106027463B (en) A kind of method of data transmission
CN105991647B (en) A kind of method of data transmission
CN106027476B (en) A kind of identity card cloud Verification System and card-reading system
CN106027466B (en) A kind of identity card cloud Verification System and card-reading system
Aujla et al. Blocksdn: Blockchain-as-a-service for software defined networking in smart city applications
US20230035336A1 (en) Systems and methods for mitigating and/or preventing distributed denial-of-service attacks
CN109729180A (en) Entirety is intelligence community platform
CN110324287A (en) Access authentication method, device and server
US20100235879A1 (en) Systems, methods, and media for enforcing a security policy in a network including a plurality of components
US20120151565A1 (en) System, apparatus and method for identifying and blocking anomalous or improper use of identity information on computer networks
ES2768049T3 (en) Procedures and systems to secure and protect repositories and directories
CN109564603B (en) System and method for securely altering network configuration settings of a multiplexer in an industrial control system
JP3967550B2 (en) Method and system for protecting communication devices from intrusion
Patwary et al. Authentication, access control, privacy, threats and trust management towards securing fog computing environments: A review
US9608973B2 (en) Security management system including multiple relay servers and security management method
Mishra et al. Software defined internet of things security: Properties, state of the art, and future research
CN106506491B (en) Network safety system
CN110855707A (en) Internet of things communication pipeline safety control system and method
US20110023088A1 (en) Flow-based dynamic access control system and method
TWI668987B (en) System of host protection based on moving target defense and method thereof
Miloslavskaya et al. Ensuring information security for internet of things
DesRuisseaux Practical overview of implementing IEC 62443 security levels in industrial control applications
CN110417769A (en) A kind of industry internet platform Multi Identity Attestation method
Jena et al. A Pragmatic Analysis of Security Concerns in Cloud, Fog, and Edge Environment
Kfouri et al. Design of a Distributed HIDS for IoT Backbone Components.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220413

Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094

Patentee after: TENDYRON Corp.

Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing

Patentee before: Li Ming

TR01 Transfer of patent right