CN105991647B - A method of data transmission - Google Patents
Publication number: CN105991647B (application CN201610041107.XA)
Authority: CN (China)
Prior art keywords: card, data packet, reading terminal, control module, safety control
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The present invention provides a method of data transmission. The method comprises: a border router receives a data packet sent by a card-reading terminal and sends the data packet to a selected perimeter firewall; the selected perimeter firewall sends the data packet and the identifier of the destination device to a core switch; the core switch sends the data packet to a dispatch server or to the service-zone firewall according to the identifier of the destination device; after the dispatch server receives the data packet, it selects an idle authentication security control module for the card-reading terminal and sends the corresponding identifier to the card-reading terminal; after the service-zone firewall receives the data packet, it sends the data packet to a first authentication security control module; the first authentication security control module decrypts the data packet and sends the decrypted data packet to a first verification security control module; the first verification security control module returns a corresponding first data packet to the first authentication security control module according to the decrypted data packet; the first authentication security control module encrypts the first data packet and sends it to the card-reading terminal.
Description
Technical field
The present invention relates to the field of electronic technology, and in particular to a method of data transmission.
Background art
What is stored in a resident's second-generation Chinese identity card is the ciphertext of the ID card information; only a verification security control module authorized by the Ministry of Public Security can decrypt the ciphertext of the ID card information stored in the resident identity card. An existing front-end identity card reading terminal has at least two modules, including a reading module and a resident ID card verification security control module. Since every front-end identity card reader is provided with its own resident ID card verification security control module, the manufacturing cost of existing front-end ID card readers is high; moreover, one resident ID card verification security control module can only verify the resident identity card information read by one reading module, so the utilization rate of existing front-end ID card readers is low. To solve this problem, an improvement scheme has appeared: the front-end ID card reader no longer includes the resident ID card verification security control module; instead, the module is placed on the back-end side so as to improve its utilization rate.
However, because the network environment on the back-end side is an open network, any card reader can request the back end to let it access the resident ID card verification security control module, which greatly increases the security risk to that module. Once the resident ID card verification security control module is compromised by an illegal card reader, the identity card root certificate stored in it will be stolen or even tampered with by criminals, with unimaginable consequences. Furthermore, since the back-end side may be equipped with multiple resident ID card verification security control modules, uneven task distribution may also lead to a situation where some resident ID card verification security control modules are idle while others are overloaded.
Summary of the invention
The present invention seeks to address one of the above problems.
The main purpose of the present invention is to provide a method of data transmission.
In order to achieve the above object, the technical solution of the present invention is specifically realized as follows:
One aspect of the present invention provides a method of data transmission, comprising: a border router receives a data packet sent by a card-reading terminal, selects the perimeter firewall to send to according to a routing strategy, and sends the data packet to the selected perimeter firewall; the selected perimeter firewall receives the data packet, determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, and sends the data packet and the identifier of the destination device to a core switch; the core switch sends the data packet to a dispatch server according to the identifier of the destination device, or, according to the identifier of the destination device, sends the data packet and the identifier of the destination device to the service-zone firewall of the service zone; in the case where the core switch sends the data packet to the dispatch server, the dispatch server receives the data packet, selects an idle authentication security control module for the card-reading terminal, and sends the identifier of the idle authentication security control module to the card-reading terminal; in the case where the core switch sends the data packet and the identifier of the destination device to the service zone, the service-zone firewall receives the data packet and judges, according to a preset service-zone firewall filtering policy, whether the identifier of the destination device is allowed to be accessed; if so, it sends the data packet to a first authentication security module, the first authentication security module being the authentication security control module indicated by the identifier of the destination device; the first authentication security control module receives the data packet, decrypts the data packet, and sends the decrypted data packet to a first verification security control module, the first verification security control module being the verification security control module connected to the first authentication security control module; the first verification security control module receives the decrypted data packet and, according to the data content carried by the decrypted data packet, returns a corresponding first data packet to the first authentication security control module; the first authentication security control module receives the first data packet returned by the first verification security control module, encrypts the first data packet, and sends the encrypted first data packet to the card-reading terminal.
In addition, the data packet includes at least the public identifier of the destination device; the selected perimeter firewall determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet comprises: the selected perimeter firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol.
In addition, before the border router selects the perimeter firewall to send to according to the routing strategy and sends the data packet to the selected perimeter firewall, the method further includes: the border router judges, according to a preset border-router filtering policy, whether the public identifier of the destination device is allowed to pass through the border router; if it is allowed, the step of selecting the perimeter firewall to send to according to the routing strategy and sending the data packet to the selected perimeter firewall is executed.
In addition, before the selected perimeter firewall determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, the method further includes: the selected perimeter firewall judges, according to a preset perimeter-firewall filtering policy, whether the data packet contains invalid data; if not, the step of determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet is executed.
In addition, the data packet further includes at least: identification information of the card-reading terminal and a digital certificate of the card-reading terminal; before the dispatch server selects an idle authentication security control module for the card-reading terminal, the method further includes: the dispatch server judges, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal; and it is judged that the card-reading terminal is allowed to access and that the certificate of the card-reading terminal is normal.
In addition, before the first authentication security control module decrypts the data packet, the method further includes: the dispatch server, according to the identification information of the card-reading terminal, obtains the ciphertext of the authentication key of the card-reading terminal from an authentication database and sends it to the first authentication security control module; wherein the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database. The first authentication security control module decrypting the data packet comprises: the first authentication security control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypts the data packet with the authentication key. The first verification security control module returning a corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet comprises: in the case where the data content is identity card card-seeking data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least card-seeking response data; in the case where the data content is identity card card-selection data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least the relevant data for authenticating the identity card read by the card-reading terminal; in the case where the data content is identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns the first data packet to the first authentication security control module, the first data packet including at least the identity card information plaintext.
In addition, the method further includes: a traffic-cleaning device connected to the border router monitors the service traffic flowing through the border router; if, according to the service traffic flowing through the border router, it detects that the border router is under a distributed denial-of-service attack, it performs traffic cleaning on the service traffic flowing through the border router.
In addition, there are multiple dispatch servers; the method further includes: in the case where the core switch sends the data packet to the multiple dispatch servers, a load balancer connected between the core switch and the multiple dispatch servers distributes the data packet to one of the multiple dispatch servers according to a balancing policy.
In addition, the method further includes: an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches the service traffic flowing through the core switch against a historical behaviour model of the user, pre-stored expert knowledge and a neural network model; once a match succeeds, it is judged that intrusion behaviour exists.
In addition, the method further includes: an intrusion prevention device connected to the core switch monitors the data packets received by the core switch and judges whether a data packet received by the core switch is invalid data; if so, the data packet received by the core switch is discarded.
It can be seen from the above technical solution that the present invention provides a method of data transmission in which the system is divided into three levels, an Internet access zone, an isolation zone and a service zone, with each level applying a different security strategy; through multiple layers of security boundaries, the security of the whole system is improved at the network level, preventing the service zone from being attacked illegally and, in particular, guaranteeing the security of the authentication security control modules and verification security control modules.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a structural schematic diagram of the identity card cloud authentication system provided by Embodiment 1 of the present invention;
Fig. 2 is a structural schematic diagram of the identity card cloud authentication system provided by Embodiment 1 of the present invention;
Fig. 3 is a structural schematic diagram of the card-reading system provided by Embodiment 1 of the present invention;
Fig. 4 is a flow chart of the method of data transmission provided by Embodiment 2 of the present invention;
Fig. 5 is a structural schematic diagram of the internal management server provided by Embodiment 3 of the present invention;
Fig. 6 is a flow chart of the identity card reading method provided by Embodiment 4 of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that the orientation or positional relationships indicated by terms such as "centre", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should therefore not be understood as limiting the invention. In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected to" and "connected" are to be understood broadly: for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or an internal connection between two elements. For a person of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific situation.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
This embodiment provides an identity card cloud authentication system. As shown in Figure 1, the identity card cloud authentication system provided by this embodiment may be divided by function into three zones, an Internet access zone 10, an isolation zone 20 and a service zone 30, with different technical measures taken for each zone so as to improve the security of the whole system at the network level. The Internet access zone 10 is positioned as the Internet entrance of the whole identity card cloud authentication system and includes at least a border router 101 and a perimeter firewall 102. The Internet access zone 10 is in an open network environment; its main function is to handle Internet access and to resist unauthorized access by means of the border router and perimeter firewall, and it is the first line of defence for entering the intranet from the Internet. The isolation zone 20 is a buffer zone set up between the non-secure system and the secure system to solve the problem that, after a firewall is installed, the external network cannot access internal network servers. The isolation zone 20 sits between the Internet access zone and the service zone and is responsible for isolating the service zone from the Internet; it includes at least a core switch 201 and a dispatch server 202. Through the core switch 201, the dispatch server 202 can distribute the data packets of different card-reading terminals evenly to the authentication security control modules of the service zone 30. The service zone 30 is the core zone of the identity card cloud authentication system and does not directly provide services to Internet clients (i.e. card-reading terminals). The service zone 30 includes at least a service-zone firewall 301, n authentication security control modules 302 and n verification security control modules 303; the authentication security control modules 302 and the verification security control modules 303 correspond one to one, and each verification security control module 303 has only one external interface, which is connected to its corresponding authentication security control module 302. Data from Internet clients (i.e. card-reading terminals) can enter the local area network of the core zone from the isolation zone only after passing through the service-zone firewall 301, which guarantees the security of the core-zone local area network.
In this embodiment, the border router 101 is used to receive a data packet sent by a card-reading terminal, select the perimeter firewall to send to according to a routing strategy, and send the data packet to the selected perimeter firewall. The selected perimeter firewall 102 is used to receive the data packet, determine the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, and send the data packet and the identifier of the destination device to the core switch 201. The core switch 201 is used to send the data packet to the dispatch server 202 according to the identifier of the destination device, or, according to the identifier of the destination device, to send the data packet and the identifier of the destination device to the service-zone firewall 301 of the service zone 30. The dispatch server 202 is used, on receiving a data packet, to select an idle authentication security control module for the card-reading terminal and send the identifier of the idle authentication security control module to the card-reading terminal. The service-zone firewall 301 is used, on receiving a data packet, to judge according to a preset service-zone firewall filtering policy whether the identifier of the destination device is allowed to be accessed and, if so, to send the data packet to a first authentication security module, the first authentication security module being the authentication security control module 302 indicated by the identifier of the destination device. The first authentication security control module 302 is used to receive the data packet, decrypt the data packet, and send the decrypted data packet to a first verification security control module, the first verification security control module being the verification security control module 303 connected to the first authentication security control module. The first verification security control module 303 is used to receive the decrypted data packet and, according to the data content carried by the decrypted data packet, return a corresponding first data packet to the first authentication security control module 302. The first authentication security control module 302 is also used to receive the first data packet returned by the first verification security control module 303, encrypt the first data packet, and send the encrypted first data packet to the card-reading terminal.
Through the identity card cloud authentication system provided by this embodiment, the system is divided into three levels, the Internet access zone, the isolation zone and the service zone, each level applying a different security strategy; through multiple layers of security boundaries, the security of the whole system is improved at the network level, preventing the service zone from being attacked illegally and, in particular, guaranteeing the security of the authentication security control modules and verification security control modules.
In order to prevent a single point of failure and improve the stability of the servers of the whole system, the network devices of each zone in the system provided by this embodiment may be multiple: for example, there may be one or more border routers; one or more perimeter firewalls; one or more core switches 201; and one or more service-zone firewalls 202. For ease of description, this embodiment takes two of each network device as an example; as shown in Fig. 2, single points of failure are prevented by dual-machine hot standby, improving the stability of the servers of the whole system. The two border routers work simultaneously: whichever border router receives a data packet sent by a card-reading terminal forwards it to the perimeter firewall selected according to the routing strategy. The two core switches also work simultaneously and can both receive the data packets (service traffic) sent by the perimeter firewalls: whichever core switch receives a data packet from a perimeter firewall forwards it according to the identifier of the destination device. The main purpose of dual-machine hot standby is to prevent the failure of a particular network device from affecting the normal operation of the system: once one network device goes down, the other can still work normally.
In this embodiment, in order to prevent a single point of failure, multiple perimeter firewalls may be deployed. When there are multiple perimeter firewalls, the border router needs to select the path by which the data packet is sent to the core switch 201, that is, to select through which perimeter firewall it is sent to the core switch 201. In this embodiment the border router selects the perimeter firewall to send to according to a routing strategy, which may be, for example, randomly choosing a perimeter firewall, choosing the perimeter firewall closest to the border router or with the shortest data transmission time, choosing the perimeter firewall with the strongest traffic handling capacity, and so on.
The border router is the access point through which the external Internet reaches the identity card cloud authentication system; as the bridge between the intranet and the extranet, its safe operation bears on the safe operation of the identity card cloud authentication system. The border router is therefore exposed in the front line and is a prime target of hacker attacks, and accordingly it should be a key object of maintenance by the network administrator. As an optional embodiment, the border router is also used to judge, according to a preset border-router filtering policy, whether the public identifier of the destination device (for example, the public network access IP address) is allowed to pass through the border router; if it is allowed, the operation of sending the data packet to the selected perimeter firewall is executed. In this way the border router, as the first line of defence of the identity card cloud authentication system, can keep unauthorized access that does not meet the border-router filtering policy out of the identity card cloud authentication system, improving the security of the whole system at the network level.
As one optional border-router filtering policy, in a specific implementation the network segments allowed to be accessed can be configured on the border router in advance; the border router judges whether the public identifier of the destination device (for example, the public network access IP address) falls within those network segments and, if so, allows the data packet through the border router and forwards it upstream; otherwise it discards the data packet sent by the card-reading terminal. In addition, to prevent other unauthorized access, the border-router filtering policy may also include at least one of the following:
Mode one: modifying the default password of the border router, i.e. changing the default password to a password with no special significance.
Mode two: closing IP directed broadcast (IP Directed Broadcast); after IP directed broadcast is closed, smurf attacks can be effectively prevented.
Mode three: closing the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: blocking ICMP (Internet Control Message Protocol) ping requests; by blocking ping, the system can more easily avoid unattended scanning activity, reducing the possibility of being attacked.
Mode five: blocking unnecessary ports; apart from the ports through which the service zone normally provides external services, all other ports are closed.
Thus, through maintenance of the border router, unauthorized access that does not meet the border-router filtering policy can be kept out of the identity card cloud authentication system, guaranteeing the security of the identity card cloud authentication system.
The main function of the perimeter firewall 102 is to control access from the external Internet to the internal network, protecting the internal network from attacks by Internet card-reading terminals (mainly illegal hackers). Using network address translation technology, the perimeter firewall 102 maps all host addresses of the protected internal network (i.e. the destination IP address and destination port: the private IP address and port of the dispatch server or security control module) to a few effective public IP addresses configured on the firewall (i.e. the access IP address and access port). In this way an external-network device (card-reading terminal) can only obtain the access IP address and access port, not the real IP address and port of the device it actually accesses (i.e. the destination IP address and destination port); the structure and IP addresses of the internal network are thus hidden from the outside and the security of the internal network is protected. Therefore, in this embodiment the data packet includes at least the public identifier of the destination device, and the selected perimeter firewall determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet comprises: the selected perimeter firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol. Here the public identifier of the destination device is the public network access IP address and access port, and the identifier of the destination device is the destination IP address and destination port of the intranet device actually being accessed (such as the dispatch server and the authentication security control module). After the perimeter firewall 102 receives a data packet, it first maps the public identifier of the destination device (that is, the public network access IP address and access port) to the corresponding identifier of the destination device (that is, the destination IP address and destination port) according to the network address translation protocol (Network Address Translation, NAT); the destination IP address and destination port are the actual address of the internal network device, and the data packet is forwarded according to the destination IP address and destination port.
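As an added illustration that is not part of the patent, the following Python simulation walks a packet through the zone-by-zone checks described in the border-router filtering policy and the NAT paragraph above: the border-router network-segment allow list, the perimeter firewall's NAT mapping of the public identifier (access IP address and port) to the destination identifier (private IP address and port), core-switch routing to the dispatch server or the service zone, and the service-zone firewall filtering policy. All addresses, ports and policy tables are constructed values.

```python
"""Simulation of the packet path of Embodiment 1 (added example, not the patent's
own code).  Every address, port and policy table below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Packet:
    src: str          # address of the card-reading terminal (constructed)
    dst: Endpoint     # public identifier: public access IP address and access port
    payload: bytes    # encrypted card-reading data (opaque to the network devices)


# Border-router filtering policy: public network segments allowed to be accessed.
ALLOWED_SEGMENTS = [ipaddress.ip_network("203.0.113.0/28")]

# Perimeter-firewall NAT table: public identifier -> identifier of the destination
# device, i.e. the private IP address and port of the dispatch server (202) or of an
# authentication security control module (302).  Constructed values.
NAT_TABLE = {
    ("203.0.113.5", 443): ("10.20.0.10", 8443),   # dispatch server 202
    ("203.0.113.5", 9001): ("10.30.0.11", 7000),  # authentication security control module 302 (#1)
    ("203.0.113.5", 9002): ("10.30.0.12", 7000),  # authentication security control module 302 (#2)
}
DISPATCH_SERVERS = {("10.20.0.10", 8443)}

# Service-zone firewall filtering policy: destination identifiers allowed to be
# accessed.  Module #2 is deliberately left out to show the deny path.
SERVICE_ZONE_ALLOWED = {("10.30.0.11", 7000)}


def border_router_allows(packet: Packet) -> bool:
    """Border router 101: pass the packet only if its public access IP lies in an
    allowed network segment; otherwise it is discarded."""
    ip = ipaddress.ip_address(packet.dst[0])
    return any(ip in segment for segment in ALLOWED_SEGMENTS)


def perimeter_firewall_nat(packet: Packet) -> Optional[Endpoint]:
    """Perimeter firewall 102: map (access IP, access port) to the real
    (destination IP, destination port).  None means no mapping exists."""
    return NAT_TABLE.get(packet.dst)


def core_switch_route(destination: Endpoint) -> str:
    """Core switch 201: send to the dispatch server or on to the service zone,
    decided purely by the destination identifier."""
    return "dispatch" if destination in DISPATCH_SERVERS else "service_zone"


def service_zone_firewall_allows(destination: Endpoint) -> bool:
    """Service-zone firewall 301: is this destination identifier allowed to be accessed?"""
    return destination in SERVICE_ZONE_ALLOWED


def forward(packet: Packet) -> str:
    """Walk one packet through the three zones and report where it ends up,
    or which policy dropped it."""
    if not border_router_allows(packet):
        return "dropped: border-router filtering policy"
    destination = perimeter_firewall_nat(packet)
    if destination is None:
        return "dropped: no NAT mapping for public identifier"
    if core_switch_route(destination) == "dispatch":
        return f"dispatch server {destination[0]}:{destination[1]}"
    if not service_zone_firewall_allows(destination):
        return "dropped: service-zone firewall filtering policy"
    return f"authentication security control module {destination[0]}:{destination[1]}"


if __name__ == "__main__":
    terminal = "198.51.100.7"  # constructed card-reading terminal address
    for dst in [("203.0.113.5", 443), ("203.0.113.5", 9001),
                ("203.0.113.5", 9002), ("203.0.113.99", 443), ("203.0.113.5", 80)]:
        print(dst, "->", forward(Packet(terminal, dst, b"\x00")))
```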
The perimeter firewall is a filtering barrier established at the boundary between the internal and external networks: the internal network (i.e. the identity card cloud authentication system) is regarded as safe and trustworthy, while the external network is regarded as dangerous and untrustworthy. The role of the firewall is to prevent undesirable and unauthorized communication from entering or leaving the protected internal network, strengthening the security of the internal network through boundary control. Therefore, as an optional embodiment, the perimeter firewall 102 is also used to judge, according to a preset perimeter-firewall filtering policy, whether the data packet contains invalid data; if not, the operation of determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet is executed, that is, the operation of mapping the access IP address and access port to the corresponding destination IP address and destination port. The perimeter firewall can thus greatly reduce the cost of security construction and management of the whole network and improve the security of the identity card cloud authentication system.
As an optional perimeter firewall filtering policy, a DDoS (Distributed Denial of Service) signature database may be configured in advance on the perimeter firewall. This database is similar to a virus database and stores DDoS signature values. The perimeter firewall matches the content of each received data packet against the DDoS signature values in the database; if a match is found, the data packet is an illegal data packet, the perimeter firewall discards it and does not forward it on to the core switch, so that DDoS attacks are stopped at the perimeter. Illegal data packets take many forms: some contain no card-reading terminal data at all and consist only of attack messages, while others may contain a part of legitimate data together with a part of attack messages; these are not described in detail here.
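The following is an added example, not code from the patent, of the two perimeter firewall operations described above (and repeated for step S102 of embodiment 2): the signature-based filtering policy is applied first, and only packets that pass it are mapped by NAT from the public identifier (access IP address and access port) to the identifier of the intranet destination device. The signature values, the NAT table entries, the documentation-range addresses and the packet layout are all constructed for illustration. Note that signature matching only stops traffic whose payload carries a known pattern; a volumetric flood of well-formed packets passes this check and is the job of the flow cleaning device's traffic baseline described next.

```python
"""Perimeter firewall 102: filtering policy (DDoS signature match) applied before
NAT mapping of the public identifier to the destination device identifier.
Added example, not the patent's code; the signatures, the NAT table and the
packet layout are constructed for illustration."""
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src_ip: str      # public address of the card-reading terminal
    dst_ip: str      # public identifier: access IP address
    dst_port: int    # public identifier: access port
    payload: bytes


# DDoS signature database, in the spirit of a virus database (constructed values).
DDOS_SIGNATURES = (
    b"\x00" * 64,               # zero-fill padding typical of flood tools
    b"GET / HTTP/1.1\r\n" * 8,  # tight loop of identical pipelined requests
)

# Static NAT table: (access IP, access port) -> (destination IP, destination port).
# Documentation ranges are used; the real table lives on the firewall.
NAT_TABLE = {
    ("203.0.113.10", 8443): ("10.0.1.5", 8443),    # dispatch server 202
    ("203.0.113.10", 9001): ("10.0.2.11", 9001),   # authentication security control module
    ("203.0.113.10", 9002): ("10.0.2.12", 9002),   # authentication security control module
}

Destination = Tuple[str, int]


def contains_ddos_signature(payload: bytes) -> bool:
    """True if any stored signature occurs anywhere in the payload, so a packet that
    mixes legitimate terminal data with attack content is still caught."""
    return any(sig in payload for sig in DDOS_SIGNATURES)


def translate(dst_ip: str, dst_port: int) -> Optional[Destination]:
    """NAT step: public identifier -> identifier of the intranet device, or None."""
    dest = NAT_TABLE.get((dst_ip, dst_port))
    if dest is not None and not ipaddress.ip_address(dest[0]).is_private:
        raise ValueError("NAT table must only expose internal addresses")
    return dest


def perimeter_firewall(pkt: Packet) -> Optional[Tuple[Packet, Destination]]:
    """Return (packet, destination identifier) to hand to the core switch, or None
    if the packet is discarded at the perimeter."""
    if contains_ddos_signature(pkt.payload):    # filtering policy runs first
        return None
    dest = translate(pkt.dst_ip, pkt.dst_port)  # then the NAT mapping
    if dest is None:                            # no published access port: drop
        return None
    return pkt, dest
```

Because the NAT table is keyed on the published access port, anything addressed to an unpublished port is dropped before it can reach the core switch, which is the "only the access IP address and access port are visible from outside" property the text relies on.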
As an optional embodiment, as shown in Fig. 2, Internet access area 10 further includes a flow cleaning device 103 connected to the border router, for monitoring the service traffic flowing through the border router and, if that traffic shows that the border router is under a distributed denial of service (DDoS) attack, cleaning the service traffic flowing through the border router.
In this embodiment, flow cleaning device 103 monitors the data arriving from the Internet (that is, the data packets received by the border router) in real time and detects abnormal traffic, including DDoS attack traffic, promptly. When the abnormal traffic reaches or exceeds a preset security baseline, the flow cleaning device starts its cleaning and filtering process. Through the flow cleaning device the system relieves the traffic pressure that DDoS attacks place on the internal network, improves the effective use of bandwidth, protects the internal network from attacks originating on the Internet, and improves network performance.
Through the border router and the perimeter firewall, Internet access area 10 of this system can thus reject the great majority of unauthorized access while guaranteeing normal access by card-reading terminals to the system; through the flow cleaning device it monitors data entering from the Internet in real time and cleans abnormal traffic without affecting normal service, protecting the internal network from Internet-borne attacks and improving network performance.
Core switch 201 is the basic network device of the entire identity card cloud authentication system and must forward a very large volume of traffic, because card-reading terminals may be distributed across the whole country and number in the thousands; the core switch therefore has high requirements for redundancy, reliability and forwarding speed. In this embodiment, core switch 201 receives the data packet sent by the perimeter firewall together with the determined identifier of the destination device accessed by the card-reading terminal (for example, the destination IP address and destination port of the destination device), and forwards the received data packet to the actual access device to which the destination IP address and destination port point. In this system the devices that a card-reading terminal actually needs to access are mainly of two kinds: dispatch server 202 and the authentication security control modules 302 of the service area. A card-reading terminal must first access dispatch server 202, which allocates an idle authentication security control module 302 to it; once the card-reading terminal has received the identifier (that is, the access port) of the authentication security control module 302 allocated to it by the dispatch server, it can access that authentication security control module 302 directly. Therefore, in this embodiment, core switch 201 sending the data packet to dispatch server 202 according to the identifier of the destination device, or sending the data packet and the identifier of the destination device to service area 30 according to the identifier of the destination device, comprises:
Core switch 201 examines the identifier of the destination device. If the identifier of the destination device indicates the dispatch server, the data packet is sent to the dispatch server; if it indicates an authentication security control module of the service area, the data packet and the identifier of the destination device are sent to the service area firewall of the service area. Specifically, if the identifier of the destination device is the IP address and port of dispatch server 202, the data packet is sent to dispatch server 202; if it is the IP address and port of an authentication security control module 302 in the service area, the data packet and the identifier of the destination device are sent to service area firewall 301 of the service area. The core switch thereby completes the bulk of the data forwarding.
Core switch 201 is in fact a computer optimized for forwarding data packets, and like any computer it can be attacked: an attacker who gains illegal control of core switch 201 can paralyse the network, and the switch is also exposed to DDoS attacks. To protect core switch 201 from such illegal interference, as shown in Fig. 2, isolation area 20 provided in this embodiment further includes an intrusion detection device 203 and an intrusion prevention device 204 connected to core switch 201. Intrusion detection device 203 monitors the service traffic flowing through core switch 201 in real time and matches it against the stored historical behaviour models of users, expert knowledge and neural network models; once a match succeeds, an intrusion is deemed to exist, the connection between the card-reading terminal and the access device is disconnected immediately, evidence is collected and data recovery is carried out. The service traffic flowing through core switch 201 may additionally be monitored with an anomaly detection strategy. By monitoring the operation of core switch 201, intrusion detection device 203 discovers attack attempts, attack behaviour and attack results as early as possible, so as to guarantee the confidentiality, integrity and availability of network system resources.
Intrusion prevention device 204 monitors the data packets received by core switch 201, judges whether a received data packet is illegal data and, if so, discards the data packet received by core switch 201. Intrusion prevention device 204 may judge whether a data packet received by core switch 201 is illegal data in the following ways: for example, by matching the data packet received by core switch 201 against the virus signatures in a preset virus database and, if a match is found, determining that the matched data packet is illegal data; in addition, abnormal conditions in an application or in network transmission may be considered, for example a user or user program violating security rules, a data packet appearing at a time when it should not, or the exploitation of an operating system or application weakness, to assist in identifying intrusions and attacks. Although the intrusion prevention device takes known virus signatures into account, it does not rely solely on them. The intrusion prevention device supplements anti-virus software and the firewall in order to improve the security of the system.
As an optional embodiment, as shown in Fig. 2, the identity card cloud authentication system provided in this embodiment further includes an internal management server 205 for receiving the user's configuration of the identity card cloud authentication system. Internal management server 205 may be connected to core switch 201 and send the configuration information through core switch 201 to the cloud authentication database for storage; each network device of the identity card cloud authentication system can then retrieve the configuration information from the cloud authentication database and configure itself accordingly. For a detailed description of internal management server 205, refer to the description in embodiment 3.
Dispatch server 202 provides card-reading terminals with a dispatch service for idle authentication security control modules 302; the authentication security control modules 302 in service area 30 are dispatched centrally by dispatch server 202. Each time a card-reading terminal requests the identity card reading service, dispatch server 202 selects an idle authentication security control module for it and sends the identifier of that idle authentication security control module to the card-reading terminal. Specifically, dispatch server 202 can obtain from the authentication database of the service area the port status list for the dispatch server's area of responsibility, in which each port corresponds to one authentication security control module, select an idle port from the port status list according to the principle of task balancing as the access port for the card-reading terminal (that is, the identifier of the idle authentication security control module), and send that access port to the card-reading terminal. Centralized dispatch of the multiple authentication security control modules 302 in the service area is thereby achieved.
In the identity card cloud authentication system, to prevent a single point of failure of dispatch server 202 from causing loss of data traffic, dispatch servers 202 may be deployed in cluster mode, with different numbers of dispatch servers 202 deployed according to the service capacity required. To effectively solve the problem of a single dispatch server 202 carrying excessive data traffic and an excessive network load, the identity card cloud authentication system provided in this embodiment further adds a load balancer 206 in front of the multiple dispatch servers 202. As shown in Fig. 2, load balancer 206 is connected to intrusion prevention device 204 and, through the core switch, provides centralized dispatch to the clustered dispatch servers 202; the load balancer distributes data packets reasonably among the dispatch servers 202 in the cluster according to a balancing policy, effectively solving the problem of uneven load on dispatch servers 202, preventing a single point of failure and improving the stability of system service.
This embodiment additionally provides a card-reading system comprising the identity card cloud authentication system described above and card-reading terminals 40. Based on Fig. 2, Fig. 3 is a structural schematic diagram of the card-reading system. Card-reading terminal 40 is used, in the process in which verification security control module 303 of service area 30 reads identity card information, to read data related to the identity card information from the identity card, generate a data packet and send it to the border router; it is also used to receive the encrypted first data packet returned by authentication security control module 302 and decrypt the encrypted first data packet to obtain the first data packet. The card-reading terminals 40 in the card-reading system may be many and distributed across the whole country; the identity card information read by card-reading terminals all over the country can thus be processed uniformly by the identity card cloud authentication system of this card-reading system, greatly improving the working efficiency of the verification security control modules of the service area.
As an optional embodiment, when the data packet is one in which a card-reading terminal requests for the first time that the dispatch server allocate an idle authentication security control module, the data packet that card-reading terminal 40 sends to the border router further includes at least the identification information of card-reading terminal 40 and the digital certificate of card-reading terminal 40 (the digital certificate may also be regarded as identification information of the card-reading terminal). Dispatch server 202 can then also perform access authentication of the card-reading terminal according to the information in the data packet: if access is allowed, it queries the port status and allocates an idle port to the card-reading terminal; if access is not allowed, it discards the data packet directly and returns a response message to the card-reading terminal indicating that access is not allowed. Specifically, dispatch server 202 is also used to judge, according to the identification information of card-reading terminal 40, whether card-reading terminal 40 is allowed to access, and to judge whether the digital certificate of card-reading terminal 40 is abnormal; only when it judges that card-reading terminal 40 is allowed to access and that the certificate of card-reading terminal 40 is normal does it perform the operation of obtaining the port status list for the area of responsibility of dispatch server 202 from the authentication database of service area 30. Thus, before dispatch server 202 allocates an idle port to card-reading terminal 40, it first authenticates card-reading terminal 40; if authentication passes, card-reading terminal 40 is a legitimate terminal, which guarantees the legitimacy of the external-network devices that access the authentication security control modules 302 of the service area.
Dispatch server 202 judging, according to the identification information of card-reading terminal 40, whether card-reading terminal 40 is allowed to access includes: judging whether the identification information of card-reading terminal 40 is in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals 40 that are not allowed to access, and the control list records the identification information of card-reading terminals 40 whose access is to be controlled according to a preset control strategy. If the identification information of card-reading terminal 40 is found in the blacklist, card-reading terminal 40 is not allowed to access; if it is found in the control list, dispatch server 202 determines according to the preset control strategy whether the requesting card-reading terminal 40 is allowed to access. In this way dispatch server 202 determines whether card-reading terminal 40 is allowed to access.
Dispatch server 202 determining according to the preset control strategy whether card-reading terminal 40 is allowed to access includes at least one of the following:
According to the preset control strategy, judging whether card-reading terminal 40 is currently within the allowed access location range; if so, card-reading terminal 40 is allowed to access, otherwise it is not allowed to access, where the preset control strategy records the access location range allowed for card-reading terminal 40;
According to the preset control strategy, judging whether the current time is within the time range in which card-reading terminal 40 is allowed to access; if so, card-reading terminal 40 is allowed to access, otherwise it is not allowed to access, where the preset control strategy records the time range in which card-reading terminal 40 is allowed to access;
According to the preset control strategy, judging whether the historical number of accesses by card-reading terminal 40 within a preset time period exceeds a preset count threshold; if so, card-reading terminal 40 is not allowed to access, otherwise it is allowed to access, where the preset control strategy records the duration of the preset time period and the preset count threshold;
According to the preset control strategy, judging whether the distance between the access locations of two consecutive accesses by card-reading terminal 40 within a preset time period exceeds a preset distance; if so, card-reading terminal 40 is not allowed to access, otherwise it is allowed to access, where the preset control strategy records the duration of the preset time period and the preset distance.
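The following is an added example, not code from the patent, modelling the dispatch server's access authentication (blacklist, certificate check, and the four control-strategy rules above for a terminal on the control list) followed by task-balanced allocation of an idle authentication security control module port. The terminal identifiers, the flat-plane geometry used for "distance", the thresholds and the port list are assumptions made for illustration; the rules are written so that a terminal not on the control list is only subject to the blacklist and certificate checks, as the text describes.

```python
"""Dispatch server 202: access authentication of a card-reading terminal
(blacklist, control list with the four control-strategy rules, certificate
check) followed by allocation of an idle authentication security control
module port by task balancing.
Added example, not the patent's code; terminal ids, the flat-plane geometry
used for distance, thresholds and the port list are assumptions."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Location = Tuple[float, float]   # (x, y) in km on a flat plane (assumption)


@dataclass
class ControlPolicy:
    allowed_area: Tuple[Location, Location]  # bounding box: (min corner, max corner)
    allowed_hours: Tuple[int, int]           # [start, end) hour of day
    window_s: int                            # preset time period
    max_accesses: int                        # preset count threshold
    max_distance_km: float                   # preset distance between consecutive accesses


@dataclass
class AccessRecord:
    t: int
    loc: Location


@dataclass
class DispatchServer:
    blacklist: Set[str]
    control_list: Dict[str, ControlPolicy]
    port_status: Dict[int, bool]                               # port -> idle?
    history: Dict[str, List[AccessRecord]] = field(default_factory=dict)
    assignments: Dict[int, int] = field(default_factory=dict)  # port -> times handed out

    @staticmethod
    def _policy_allows(p: ControlPolicy, hist: List[AccessRecord], now: int, loc: Location) -> bool:
        (x0, y0), (x1, y1) = p.allowed_area
        if not (x0 <= loc[0] <= x1 and y0 <= loc[1] <= y1):
            return False                                   # outside allowed location range
        if not (p.allowed_hours[0] <= (now // 3600) % 24 < p.allowed_hours[1]):
            return False                                   # outside allowed time range
        recent = [r for r in hist if now - r.t <= p.window_s]
        if len(recent) >= p.max_accesses:
            return False                                   # this access would exceed the count threshold
        if recent and math.dist(recent[-1].loc, loc) > p.max_distance_km:
            return False                                   # implausible jump since the previous access
        return True

    def authorize(self, term_id: str, cert_ok: bool, now: int, loc: Location) -> bool:
        """Access authentication performed before any port is allocated."""
        if term_id in self.blacklist or not cert_ok:
            return False
        policy = self.control_list.get(term_id)
        hist = self.history.setdefault(term_id, [])
        if policy is not None and not self._policy_allows(policy, hist, now, loc):
            return False
        hist.append(AccessRecord(now, loc))
        return True

    def allocate_port(self) -> Optional[int]:
        """Task balancing: the idle port that has been handed out least often so far."""
        idle = [p for p, free in self.port_status.items() if free]
        if not idle:
            return None
        port = min(idle, key=lambda p: (self.assignments.get(p, 0), p))
        self.port_status[port] = False
        self.assignments[port] = self.assignments.get(port, 0) + 1
        return port

    def release_port(self, port: int) -> None:
        self.port_status[port] = True

    def handle_request(self, term_id: str, cert_ok: bool, now: int, loc: Location) -> Optional[int]:
        """Access port (identifier of the idle module) for the terminal, or None if refused."""
        if not self.authorize(term_id, cert_ok, now, loc):
            return None
        return self.allocate_port()
```

The count and distance rules both read the terminal's own access history, so in a clustered dispatch server deployment that history (like the port status list) has to live in the shared authentication database rather than in a single server's memory.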
As an optional embodiment, as shown in Fig. 2, service area 30 further includes an authentication database 304 for storing the port status list of the authentication security control modules 302 and the ciphertext of the authentication key of each card-reading terminal 40, where the ciphertext of the authentication key of card-reading terminal 40 is obtained by encrypting the authentication key of card-reading terminal 40 with the protection key of authentication database 304.
Dispatch server 202 is also used to obtain the ciphertext of the authentication key of card-reading terminal 40 from the authentication database according to the identification information of card-reading terminal 40 and to send it to the first authentication security control module 302. The first authentication security control module 302 decrypting the data packet then comprises: the first authentication security control module 302 obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of card-reading terminal 40, and decrypts the data packet with the authentication key.
In practical applications, the reading of identity card information by a card-reading terminal generally comprises three stages: a card-seeking stage, a card-selection stage and a card-reading stage. In the card-seeking stage, the card-reading terminal broadcasts a card-seeking instruction; if an identity card responds to the card-seeking instruction, it returns card-seeking data to the card-reading terminal, and the card-reading terminal sends the card-seeking data via Internet access area 10 and isolation area 20 to the first verification security control module 303 of the service area (the first verification security control module 303 is the verification security control module connected to the first authentication security control module 302 to which the idle port allocated to the card-reading terminal points); the first verification security control module 303 returns card-seeking response data to the card-reading terminal. In the card-selection stage, the card-reading terminal reads certain configuration information from the identity card (such as the identity card's card serial number, application data and preset information) and sends this configuration information via Internet access area 10 and isolation area 20 to the first verification security control module 303 of service area 30; the first verification security control module 303 initiates a mutual authentication process with the identity card, the card-reading terminal forwarding the interaction data in the process, and once the first verification security control module 303 and the identity card have completed mutual authentication the card-reading stage begins. In the card-reading stage, the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it via Internet access area 10 and isolation area 20 to the first verification security control module 303 of service area 30. The first verification security control module 303 uses a special-purpose product designated by the Ministry of Public Security, conforming to GA467-2013 "Interface specification of the verification security control SAM module for resident identity cards", to decrypt the identity card information ciphertext into identity card information plaintext, which is encrypted by the first authentication security control module 302 and sent to the card-reading terminal; the card-reading terminal decrypts the ciphertext produced by the first authentication security control module 302 to obtain the identity card information plaintext. Therefore, in this embodiment, the first verification security control module 303 returning the corresponding first data packet to the first authentication security control module 302 according to the data content carried by the decrypted data packet comprises:
When the data content is identity card card-seeking data, the first verification security control module 303 returns a first data packet to the first authentication security control module 302 that includes at least the card-seeking response data;
When the data content is identity card card-selection data (such as the identity card configuration information, signed data and digital certificate of the identity card, that is, data that the identity card needs the first verification security control module 303 to authenticate), the first verification security control module 303 returns a first data packet to the first authentication security control module 302 that includes at least the data related to authenticating the identity card read by card-reading terminal 40 (such as the signed data and digital certificate of the first verification security control module 303, that is, data that the first verification security control module 303 needs the identity card to authenticate);
When the data content is identity card information ciphertext, the first verification security control module 303 decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns a first data packet to the first authentication security control module 302 that includes at least the identity card information plaintext.
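The following is an added example, not code from the patent or from GA467-2013, of the three-stage exchange just described, with the card-reading terminal relaying between a simulated identity card and the first verification security control module. The real card/module mutual authentication and the card's cipher are defined by the SAM interface specification and are not modelled; an HMAC-SHA256 challenge-response under a per-card key and an HMAC-derived keystream stand in for them, and the message tags, card serial, key and plaintext are constructed for illustration. The point the code adds to the text is the stage enforcement: the module refuses a card-reading request from a session that has not completed mutual authentication, and a card whose key the module does not share never reaches the card-reading stage.

```python
"""Three-stage identity card reading (card seeking, card selection, card reading)
between a card-reading terminal, a simulated identity card and the first
verification security control module. Added example, not the patent's or
GA467-2013's code: HMAC challenge-response and an HMAC keystream stand in for
the real mutual authentication and card cipher; all data is constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XOR; stands in for the card's cipher."""
    out = bytearray()
    for j in range(0, len(data), 32):
        ks = _mac(key, b"ks", (j // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[j:j + 32], ks))
    return bytes(out)


class IdentityCard:
    """Simulated identity card: answers seeking, presents its serial, checks the module."""
    def __init__(self, serial: bytes, key: bytes, info: bytes) -> None:
        self.serial, self.key, self.info, self.nonce = serial, key, info, b""

    def seek(self) -> bytes:
        return b"ATQ:" + self.serial[:2]

    def select(self) -> bytes:
        self.nonce = os.urandom(8).hex().encode()       # hex keeps the "|" separator unambiguous
        return self.serial + b"|" + self.nonce

    def authenticate_module(self, module_nonce: bytes, module_mac: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(module_mac, _mac(self.key, b"mod", self.serial, self.nonce)):
            return None                                  # card rejects the module
        return _mac(self.key, b"card", module_nonce)     # card proves itself to the module

    def read_ciphertext(self) -> bytes:
        return _keystream_xor(self.key, self.info)


class VerifySAM:
    """First verification security control module 303, with per-terminal session state."""
    def __init__(self, card_keys: Dict[bytes, bytes]) -> None:
        self.card_keys, self.sessions = card_keys, {}    # card serial -> key (assumed key model)

    def handle(self, term: str, kind: str, body: bytes) -> Tuple[str, bytes]:
        s = self.sessions.setdefault(term, {"state": "idle"})
        if kind == "seek":                               # card-seeking data -> card-seeking response
            s.update(state="sought")
            return "seek_resp", b"OK:" + body
        if kind == "select" and s["state"] == "sought":  # card-selection data -> module's auth data
            serial, _, card_nonce = body.partition(b"|")
            key = self.card_keys.get(serial)
            if key is None:
                return "error", b"unknown card"
            s.update(state="auth", key=key, nonce=os.urandom(8).hex().encode())
            return "auth", s["nonce"] + b"|" + _mac(key, b"mod", serial, card_nonce)
        if kind == "auth_resp" and s["state"] == "auth":
            if not hmac.compare_digest(body, _mac(s["key"], b"card", s["nonce"])):
                s.update(state="idle")
                return "error", b"card authentication failed"
            s.update(state="authenticated")
            return "auth_ok", b""
        if kind == "read" and s["state"] == "authenticated":   # ciphertext -> plaintext
            return "info", _keystream_xor(s["key"], body)
        return "error", b"stage violation: %s in state %s" % (kind.encode(), s["state"].encode())


def read_card(term: str, card: IdentityCard, sam: VerifySAM) -> Optional[bytes]:
    """Card-reading terminal: drives the three stages, relaying between card and module."""
    if sam.handle(term, "seek", card.seek())[0] != "seek_resp":           # card-seeking stage
        return None
    kind, body = sam.handle(term, "select", card.select())                # card-selection stage
    if kind != "auth":
        return None
    module_nonce, _, module_mac = body.partition(b"|")
    card_mac = card.authenticate_module(module_nonce, module_mac)
    if card_mac is None or sam.handle(term, "auth_resp", card_mac)[0] != "auth_ok":
        return None
    kind, body = sam.handle(term, "read", card.read_ciphertext())         # card-reading stage
    return body if kind == "info" else None
```

Because every message in the exchange passes through the terminal, the terminal sees only ciphertext and MACs from the card; the identity card information plaintext is produced inside the module and, as the next paragraph describes, reaches the terminal only after being re-encrypted by the first authentication security control module.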
In this embodiment, after receiving the first data packet returned by the first verification security control module, the first authentication security control module 302 must encrypt the first data packet before returning it to the card-reading terminal, in order to guarantee transmission security. As one optional embodiment, the first authentication security control module is also used to encrypt the first data packet with the authentication key of card-reading terminal 40 and send the encrypted first data packet to card-reading terminal 40; card-reading terminal 40 can decrypt the encrypted first data packet with its own authentication key to obtain the first data packet. Encrypting the first data packet with the authentication key thus achieves ciphertext transmission and guarantees transmission security. Moreover, even if the encrypted first data packet is intercepted, it cannot be decrypted without the authentication key corresponding to the card-reading terminal; only the card-reading terminal 40 that holds the corresponding authentication key can decrypt the ciphertext. Therefore, even if the ciphertext is intercepted, the interceptor cannot break it, which further guarantees the transmission security of the identity card information plaintext.
As another optional embodiment, to further avoid the weakness that always reusing the same key for encryption and decryption makes the key easier to break, the first authentication security control module 302 is also used to generate a session key from a random number and encrypt the first data packet with the session key to obtain a first data packet ciphertext, and then either to encrypt the first data packet ciphertext together with the session key with the public key of the encryption digital certificate of card-reading terminal 40 to generate a session ciphertext, or to encrypt only the session key with the public key of the encryption digital certificate of card-reading terminal 40 to generate a session ciphertext and send the session ciphertext together with the first data packet ciphertext to card-reading terminal 40. Card-reading terminal 40 is correspondingly also used to decrypt the session ciphertext with the locally stored private key corresponding to its encryption digital certificate to obtain the first data packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key and then decrypt the first data packet ciphertext with the session key to obtain the first data packet plaintext. The difference between this optional embodiment and the previous one is that authentication security control module 302 no longer uses the authentication key of the card-reading terminal but generates a session key from a random number; because the session key is random, encryption with a session key is more reliable and harder to break than encryption with a fixed transmission key.
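The following is an added example, not code from the patent, covering the key handling of the two preceding passages end to end: the authentication database holds each terminal's authentication key only as ciphertext under its protection key, the first authentication security control module unwraps that key to decrypt the terminal's request, and the response is protected either with the authentication key (first variant) or with a fresh random session key wrapped with the public key of the terminal's encryption certificate (second variant, in its "wrap only the session key" form, which is the usual hybrid construction since public-key encryption of the whole packet would be slow and size-limited). The patent names no concrete ciphers; AES-256-GCM and RSA-OAEP from the `cryptography` package, the key sizes, the terminal identifier and the packet layout are assumptions. The wrapped authentication key is bound to the terminal identifier as associated data, so a ciphertext looked up for one terminal cannot be unwrapped under another's identity.

```python
"""Key hierarchy of authentication database 304 / authentication security
control module 302 and the two response-encryption variants.
Added example, not the patent's code: AES-GCM and RSA-OAEP (from the
`cryptography` package), key sizes, terminal id and packet layout are all
assumptions, since the patent names no concrete cipher."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-256-GCM with a fresh 96-bit nonce prepended to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)   # raises InvalidTag on tampering


class AuthenticationDatabase:
    """Authentication database 304: each terminal's authentication key is stored only
    as ciphertext under the database protection key, bound to the terminal id."""
    def __init__(self, protection_key: bytes) -> None:
        self._pk, self._rows = protection_key, {}

    def enrol(self, term_id: str, auth_key: bytes) -> None:
        self._rows[term_id] = aead_encrypt(self._pk, auth_key, term_id.encode())

    def auth_key_ciphertext(self, term_id: str) -> bytes:
        return self._rows[term_id]


class AuthSecurityControlModule:
    """First authentication security control module 302."""
    def __init__(self, protection_key: bytes) -> None:
        self._pk = protection_key

    def unwrap_auth_key(self, term_id: str, ciphertext: bytes) -> bytes:
        return aead_decrypt(self._pk, ciphertext, term_id.encode())

    def decrypt_request(self, auth_key: bytes, packet: bytes) -> bytes:
        return aead_decrypt(auth_key, packet)

    def encrypt_response_v1(self, auth_key: bytes, first_packet: bytes) -> bytes:
        """Variant 1: protect the first data packet with the terminal's authentication key."""
        return aead_encrypt(auth_key, first_packet)

    def encrypt_response_v2(self, terminal_pubkey, first_packet: bytes):
        """Variant 2: random session key, wrapped with the terminal's certificate public key.
        Returns (session ciphertext, first data packet ciphertext)."""
        session_key = AESGCM.generate_key(bit_length=256)
        return terminal_pubkey.encrypt(session_key, OAEP), aead_encrypt(session_key, first_packet)


class CardReadingTerminal:
    """Card-reading terminal 40: authentication key plus encryption certificate key pair."""
    def __init__(self, term_id: str, auth_key: bytes) -> None:
        self.term_id, self.auth_key = term_id, auth_key
        self._priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def certificate_public_key(self):
        return self._priv.public_key()

    def encrypt_request(self, data: bytes) -> bytes:
        return aead_encrypt(self.auth_key, data)

    def decrypt_response_v1(self, blob: bytes) -> bytes:
        return aead_decrypt(self.auth_key, blob)

    def decrypt_response_v2(self, session_ct: bytes, packet_ct: bytes) -> bytes:
        return aead_decrypt(self._priv.decrypt(session_ct, OAEP), packet_ct)


def round_trip(variant: str) -> bytes:
    """Enrol a terminal, send one request, unwrap its key, answer; return what the terminal reads."""
    protection_key = AESGCM.generate_key(bit_length=256)
    db, module = AuthenticationDatabase(protection_key), AuthSecurityControlModule(protection_key)
    terminal = CardReadingTerminal("T-0001", AESGCM.generate_key(bit_length=256))
    db.enrol(terminal.term_id, terminal.auth_key)

    request = terminal.encrypt_request(b"SEEK")
    auth_key = module.unwrap_auth_key(terminal.term_id, db.auth_key_ciphertext(terminal.term_id))
    assert module.decrypt_request(auth_key, request) == b"SEEK"
    first_packet = b"SEEK-RESPONSE"
    if variant == "auth_key":
        return terminal.decrypt_response_v1(module.encrypt_response_v1(auth_key, first_packet))
    session_ct, packet_ct = module.encrypt_response_v2(terminal.certificate_public_key(), first_packet)
    return terminal.decrypt_response_v2(session_ct, packet_ct)


def wrong_terminal_cannot_unwrap() -> bool:
    """The stored ciphertext is bound to its terminal id, so a swapped id fails to unwrap."""
    pk = AESGCM.generate_key(bit_length=256)
    db = AuthenticationDatabase(pk)
    db.enrol("T-0001", os.urandom(32))
    try:
        AuthSecurityControlModule(pk).unwrap_auth_key("T-0002", db.auth_key_ciphertext("T-0001"))
    except InvalidTag:
        return True
    return False
```

In the first variant the authentication key is both the long-term credential looked up from the database and the traffic key, so its compromise exposes every past and future packet of that terminal; the second variant limits each response to a key that exists only for that exchange, which is the practical meaning of the "harder to break" claim in the text.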
Embodiment 2
This embodiment provides a data transmission method, which can be carried out using the system provided in embodiment 1. As shown in Fig. 4, the method comprises the following steps S101 to S110:
S101: the border router receives the data packet sent by the card-reading terminal, selects the perimeter firewall to which it is to be sent according to a routing strategy, and sends the data packet to the selected perimeter firewall;
In this embodiment, to prevent a single point of failure, multiple perimeter firewalls may be deployed. When there are multiple perimeter firewalls, the border router must select the path by which the data packet is sent to the core switch, that is, through which perimeter firewall it is sent to the core switch. In this embodiment the border router selects the perimeter firewall according to a routing strategy, which may be, for example: selecting a perimeter firewall at random, selecting the perimeter firewall closest to the border router, selecting the perimeter firewall with the shortest data transmission time, or selecting the perimeter firewall with the greatest traffic-handling capacity.
In this embodiment, the data packet sent by the card-reading terminal includes at least the public identifier of the destination device: when a card-reading terminal requests access over the Internet it needs the address of an access device, and the public identifier of the destination device may be, for example, the public-network IP address and port of that destination device. The border router sends the data packet to the perimeter firewall, and the perimeter firewall determines the private identifier of the destination device, that is, the address of the real access device.
The border router is the access point through which the external Internet reaches the identity card cloud authentication system; as the bridge between the internal and external networks, its secure operation bears directly on the secure operation of the identity card cloud authentication system. The border router is therefore the first to come under fire and a prime target of hacker attacks, and should accordingly be a priority for maintenance by the network administrator. As an optional embodiment, before the border router selects the perimeter firewall according to the routing strategy and sends the data packet to the selected perimeter firewall, this step further includes: the border router judging, according to a preset border router filtering policy, whether the public identifier of the destination device (for example, the public-network access IP address) is allowed to pass through the border router, and performing the operation of sending the data packet to the selected perimeter firewall only if it is allowed. The border router thus serves as the first line of defence of the identity card cloud authentication system, keeping unauthorized access that does not comply with the border router filtering policy outside the identity card cloud authentication system and improving the security of the whole system at the network level.
As an optional border router filtering policy, the network segments that may be accessed can be configured in advance on the border router; the border router judges whether the public identifier of the destination device (for example, the public-network access IP address) falls within those network segments and, if so, allows the data packet through the border router and forwards it onward, otherwise it discards the data packet sent by that card-reading terminal. In addition, to prevent other unauthorized access, the border router filtering policy may also include at least one of the following:
Mode one: change the default password; the default password of the border router is changed to a password with no special meaning.
Mode two: disable IP directed broadcast; with IP directed broadcast disabled, smurf attacks are effectively prevented.
Mode three: disable the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: block ICMP (Internet Control Message Protocol) ping requests; blocking ping lets the system more easily avoid unattended scanning activity and reduces the likelihood of its being attacked.
Mode five: block unnecessary ports; apart from the ports through which the service area normally provides external service, all other ports are closed.
Through such maintenance of the border router, unauthorized access that does not comply with the border router filtering policy can thus be kept outside the identity card cloud authentication system, guaranteeing the security of the identity card cloud authentication system.
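The following is an added example, not code from the patent, of the two decisions the border router makes in step S101: the filtering policy that admits only destinations inside the configured network segments, and the choice of perimeter firewall by one of the routing strategies listed above (random, nearest, shortest transmission time, greatest capacity). The allowed segment, the firewall metrics and the packet shape are assumptions for illustration; the hardening measures of modes one to five are device configuration rather than forwarding logic and are not modelled.

```python
"""Border router for step S101: destination filtering by allowed network segment,
then choice of perimeter firewall by routing strategy.
Added example, not the patent's code; addresses, firewall metrics and the
strategy names are assumed for illustration."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Public network segments the border router allows as destinations (assumed).
ALLOWED_SEGMENTS = [ipaddress.ip_network("203.0.113.0/28")]


@dataclass
class Firewall:
    name: str
    hops: int           # distance from the border router
    rtt_ms: float       # measured data transmission time
    capacity_mbps: int  # traffic-handling capacity


def destination_allowed(dst_ip: str) -> bool:
    """Border router filtering policy: the destination must fall in an allowed segment.
    Anything that is not even a valid address is rejected rather than forwarded."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    return any(addr in seg for seg in ALLOWED_SEGMENTS)


# The routing strategies named in the text; each picks one firewall from the list.
STRATEGIES: Dict[str, Callable[[List[Firewall]], Firewall]] = {
    "random": lambda fws: random.choice(fws),
    "nearest": lambda fws: min(fws, key=lambda f: f.hops),
    "fastest": lambda fws: min(fws, key=lambda f: f.rtt_ms),
    "strongest": lambda fws: max(fws, key=lambda f: f.capacity_mbps),
}


def route(dst_ip: str, firewalls: List[Firewall], strategy: str = "fastest") -> Optional[str]:
    """Name of the perimeter firewall the packet is sent to, or None if it is discarded."""
    if not destination_allowed(dst_ip):
        return None
    if not firewalls:
        raise RuntimeError("no perimeter firewall available")
    return STRATEGIES[strategy](firewalls).name
```

Filtering before firewall selection matters: a packet that fails the segment check is dropped without ever consuming a perimeter firewall, which is what makes the border router the "first line of defence" the text describes.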
S102: the selected perimeter firewall receives the data packet, determines the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet, and sends the data packet and the identifier of the destination device to the core switch;
In this embodiment, the main function of the perimeter firewall is to control access from the external Internet to the internal network and to protect the internal network from attack by Internet card-reading terminals (primarily illegal hackers). Through NAT, the perimeter firewall maps all the host addresses of the protected internal network (that is, the destination IP addresses and destination ports: the private IP addresses and ports of the dispatch server or of the security control modules) to a few valid public-network IP addresses configured on the firewall (that is, the access IP addresses and access ports). In this way a device on the external network (a card-reading terminal) can obtain only the access IP address and access port, not the real IP address and port of the device actually to be accessed (that is, the destination IP address and destination port), so the structure and IP addresses of the internal network are shielded from the outside and the security of the internal network is protected. Therefore, in this embodiment, the selected perimeter firewall determining the identifier of the destination device accessed by the card-reading terminal according to the content of the data packet comprises: the selected perimeter firewall mapping the public identifier of the destination device to the corresponding identifier of the destination device according to the Network Address Translation protocol. The public identifier of the destination device is the public-network access IP address and access port, and the identifier of the destination device is the destination IP address and destination port of the intranet device actually to be accessed (such as the dispatch server or an authentication security control module). After the perimeter firewall receives the data packet, it first maps, according to Network Address Translation (NAT), the public identifier of the destination device (that is, the public-network access IP address and access port) to the identifier of the corresponding destination device (that is, the destination IP address and destination port); the destination IP address and destination port are the actual addresses of internal network devices, and the data packet is forwarded according to that destination IP address and destination port.
The perimeter firewall is a filtering barrier built on the boundary between the internal and external networks: the internal network (the identity card cloud authentication system) is regarded as safe and trustworthy, while the external network is regarded as unsafe and untrustworthy. The role of the firewall is to prevent undesired and unauthorized communication from entering or leaving the protected internal network, strengthening the security of the internal network through boundary control. Therefore, as an optional embodiment of the present embodiment, in step S102, before the perimeter firewall determines the identifier of the purpose device accessed by the card-reading terminal according to the content of the data packet, the method further comprises: judging, according to a preset perimeter firewall filtering policy, whether the data packet contains invalid data; if not, performing the operation of determining the identifier of the purpose device accessed by the card-reading terminal according to the content of the data packet, namely mapping the access IP address and access port to the corresponding purpose IP address and destination port. The perimeter firewall thereby greatly reduces the management cost of the overall network security construction and improves the security of the identity card cloud authentication system.
As one optional perimeter firewall filtering policy, in a specific implementation a DDoS (Distributed Denial of Service) feature database may be configured in advance in the perimeter firewall. This database is similar to a virus database and stores DDoS feature values. The perimeter firewall matches the content of the received data packet against the DDoS feature values in the DDoS feature database; if a match is found, the data packet is an invalid data packet and the perimeter firewall is under DDoS attack, so the data packet is discarded and not forwarded to the core switch. In general, invalid data packets take many forms: some contain no card-reading terminal data at all and consist only of attack messages, while others may contain partly valid data and partly attack messages; these are not described in detail here.
S103: the core switch sends the data packet to the dispatch server according to the identifier of the purpose device, or sends the data packet and the identifier of the purpose device to the service area firewall of the service area according to the identifier of the purpose device;
Specifically, the core switch examines the identifier of the purpose device (the purpose IP address and destination port): if the purpose IP address and destination port point to the dispatch server, step S104 is performed; if they point to a certification safety control module in the service area, step S106 is performed;
In this system the devices that a card-reading terminal actually needs to access are mainly of two kinds: the dispatch server and the certification safety control modules of the service area. On first access the card-reading terminal must access the dispatch server, which has to allocate an idle certification safety control module to it; once the card-reading terminal has received the identifier (the access port) of the certification safety control module allocated to it by the dispatch server, the card-reading terminal can access that certification safety control module directly.
S104: the core switch sends the data packet to the dispatch server;
In the present embodiment, the core switch is the basic network device of the entire identity card cloud authentication system. Because card-reading terminals may be distributed across the whole country and number in the thousands, it must forward very large traffic volumes, and so the core switch has high requirements for redundancy, reliability and transmission speed. In the present embodiment, the core switch receives the data packet sent by the perimeter firewall together with the determined identifier of the purpose device accessed by the card-reading terminal (for example the purpose IP address and destination port of the purpose device), and forwards the received data packet to the actually accessed device to which the purpose IP address and destination port point.
S105: the dispatch server receives the data packet and selects an idle certification safety control module for the card-reading terminal, and sends the identifier of the idle certification safety control module to the card-reading terminal;
This step specifically comprises: the dispatch server obtains from the authentication database of the service area the port status list for the range under its jurisdiction, each port corresponding to one certification safety control module; according to a task-balancing principle, it selects an idle port from the port status list as the access port of the card-reading terminal (that is, the identifier of an idle certification safety control module) and sends the access port to the card-reading terminal;
In the present embodiment the dispatch server provides card-reading terminals with the dispatch service for idle certification safety control modules; the certification safety control modules in the service area are uniformly dispatched by the dispatch server. Each time a card-reading terminal requests identity card reading service, the dispatch server queries the port status list in the cloud authentication database of the service area, selects an idle port from the port status list as the access port of the card-reading terminal according to the task-balancing principle, and sends the access port to the card-reading terminal, thereby achieving unified dispatching of the multiple certification safety control modules of the service area.
As an optional embodiment of the present embodiment, where the data packet is the one sent when the card-reading terminal first needs the dispatch server to allocate an idle certification safety control module, the data packet sent by the card-reading terminal to the border router at least further comprises the identification information of the card-reading terminal and the digital certificate of the card-reading terminal (the digital certificate may also be regarded as identification information of the card-reading terminal). The dispatch server may also perform access authentication on the card-reading terminal according to the information in the data packet: if access is allowed, it queries the port status and allocates an idle port to the card-reading terminal; if access is not allowed, it discards the data packet directly and returns a response message to the card-reading terminal indicating that access is refused. Specifically, before the dispatch server obtains the port status list for the range under its jurisdiction from the authentication database of the service area, the method provided in this embodiment further comprises: the dispatch server judges, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal; and it determines that the card-reading terminal is allowed to access and that its certificate is normal. Thus, before allocating an idle port to the card-reading terminal, the dispatch server first authenticates it; if authentication passes, the card-reading terminal is a legitimate terminal, which guarantees the legitimacy of the external network devices that access the certification safety control modules of the service area.
Here, the dispatch server judging according to the identification information of the card-reading terminal whether the card-reading terminal is allowed to access comprises: judging whether the identification information of the card-reading terminal is in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals that are not allowed to access, and the control list records the identification information of card-reading terminals whose access is to be controlled according to a preset control strategy. If the identification information of the card-reading terminal is found in the blacklist, the card-reading terminal is not allowed to access; if it is found in the control list, the dispatch server determines according to the preset control strategy whether the requesting card-reading terminal is allowed to access. In this way the dispatch server determines whether the card-reading terminal is allowed to access.
Here, the dispatch server determining according to the preset control strategy whether the card-reading terminal is allowed to access comprises at least one of the following:
According to the preset control strategy, judging whether the card-reading terminal is currently within the allowed access location range; if so, the card-reading terminal is allowed to access, otherwise it is not allowed to access, where the preset control strategy records the access location range allowed for the card-reading terminal;
According to the preset control strategy, judging whether the current time is within the time range in which the card-reading terminal is allowed to access; if so, the card-reading terminal is allowed to access, otherwise it is not allowed to access, where the preset control strategy records the time range in which the card-reading terminal is allowed to access;
According to the preset control strategy, judging whether the number of historical accesses of the card-reading terminal within a preset time period exceeds a preset count threshold; if so, the card-reading terminal is not allowed to access, otherwise it is allowed to access, where the preset control strategy records the duration of the preset time period and the preset count threshold;
According to the preset control strategy, judging whether the distance between the access locations of two successive accesses of the card-reading terminal within the preset time period exceeds a preset distance; if so, the card-reading terminal is not allowed to access, otherwise it is allowed to access, where the preset control strategy records the duration of the preset time period and the preset distance.
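The blacklist, control list and four control-strategy rules just described, as an added Go example that is not the patent's code. The terminal identifiers, list entries, bounding box, hours, thresholds and distances are constructed; modelling the allowed location range as a latitude/longitude bounding box and measuring distance with the haversine formula are assumptions, since the page does not say how locations are represented.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Position is an access location in decimal degrees.
type Position struct{ Lat, Lon float64 }

type AccessRecord struct {
	At  time.Time
	Pos Position
}

// ControlPolicy is the preset control strategy applied to terminals on the control list.
type ControlPolicy struct {
	AreaSW, AreaNE         Position      // allowed access location range as a bounding box (assumed shape)
	WindowStart, WindowEnd int           // allowed hours of day, [WindowStart, WindowEnd)
	Period                 time.Duration // duration of the preset time period
	MaxAccesses            int           // preset count threshold within Period
	MaxDistanceKm          float64       // preset distance between two successive accesses
}

// DispatchServer holds the blacklist, the control list, the policy and the access history.
type DispatchServer struct {
	Blacklist   map[string]bool
	ControlList map[string]bool
	Policy      ControlPolicy
	History     map[string][]AccessRecord
}

// distanceKm is the great-circle distance between two positions (haversine formula).
func distanceKm(a, b Position) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(b.Lat-a.Lat), rad(b.Lon-a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(h))
}

// Decide is the S105 check before an idle port is allocated: blacklisted terminals are refused,
// controlled terminals must satisfy every rule of the control strategy, all others are admitted.
func (d *DispatchServer) Decide(terminalID string, now time.Time, pos Position) (bool, string) {
	if d.Blacklist[terminalID] {
		return false, "terminal is on the blacklist"
	}
	if !d.ControlList[terminalID] {
		return true, "terminal is on neither list"
	}
	p := d.Policy
	if pos.Lat < p.AreaSW.Lat || pos.Lat > p.AreaNE.Lat || pos.Lon < p.AreaSW.Lon || pos.Lon > p.AreaNE.Lon {
		return false, "outside the allowed access location range"
	}
	if h := now.Hour(); h < p.WindowStart || h >= p.WindowEnd {
		return false, "outside the allowed access time range"
	}
	var recent []AccessRecord // only accesses inside the preset time period count below
	for _, r := range d.History[terminalID] {
		if now.Sub(r.At) <= p.Period {
			recent = append(recent, r)
		}
	}
	if len(recent) > p.MaxAccesses {
		return false, fmt.Sprintf("more than %d accesses within %s", p.MaxAccesses, p.Period)
	}
	if n := len(recent); n > 0 {
		if km := distanceKm(recent[n-1].Pos, pos); km > p.MaxDistanceKm {
			return false, fmt.Sprintf("%.0f km from the previous access, above the preset distance", km)
		}
	}
	return true, "control strategy satisfied"
}

// Record stores an admitted access so later decisions can apply the count and distance rules.
func (d *DispatchServer) Record(terminalID string, at time.Time, pos Position) {
	d.History[terminalID] = append(d.History[terminalID], AccessRecord{At: at, Pos: pos})
}

// newDemoServer builds a dispatch server from constructed list entries and policy values.
func newDemoServer() *DispatchServer {
	return &DispatchServer{
		Blacklist:   map[string]bool{"TERM-0001": true},
		ControlList: map[string]bool{"TERM-0002": true},
		Policy: ControlPolicy{AreaSW: Position{20, 110}, AreaNE: Position{40, 125}, WindowStart: 8, WindowEnd: 20,
			Period: 24 * time.Hour, MaxAccesses: 5, MaxDistanceKm: 300},
		History: map[string][]AccessRecord{},
	}
}

func main() {
	d := newDemoServer()
	now := time.Date(2016, 1, 20, 10, 0, 0, 0, time.UTC)
	d.Record("TERM-0002", now.Add(-time.Hour), Position{31.2, 121.5})
	for _, id := range []string{"TERM-0001", "TERM-0002", "TERM-0003"} {
		ok, why := d.Decide(id, now, Position{23.1, 113.3})
		fmt.Printf("%s allowed=%v (%s)\n", id, ok, why)
	}
}
```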
S106: the core switch sends the data packet and the identifier of the purpose device to the service area firewall of the service area;
Here the identifier of the purpose device may be, for example, the purpose IP address and destination port of the purpose device, and the purpose device may be the idle certification safety control module that the dispatch server allocated to the card-reading terminal. In this step the data packet and the identifier of the purpose device therefore need to be passed on to the service area firewall together, so that the service area firewall can forward the data packet to the corresponding certification safety control module according to the identifier of the purpose device.
S107: the service area firewall of the service area receives the data packet and judges, according to a preset service area firewall filtering policy, whether the identifier of the purpose device is one that is allowed to access; if so, it sends the data packet to the first certification security module, the first certification security module being the certification safety control module to which the destination port and purpose IP address point;
In the present embodiment the service area firewall is the last line of defense for external network devices accessing the core devices of the service area (the certification safety control modules and the verifying safety control modules). For example, the service area firewall may hold a preset table of ports that are allowed to access; after receiving a data packet it looks up the table of allowed ports, and the data packet is sent to the certification safety control module only if the destination port is present in the table. By filtering on the port of the accessed device, data packets that are not permitted through are discarded, which protects the security of the system further at the network level, in particular the security of the certification safety control modules and the verifying safety control modules.
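The S102 to S107 path as an added Go model (not code from the patent): the perimeter firewall drops packets matching the DDoS feature database and maps the public access address to the real intranet address, the core switch routes on that address to the dispatch server or the service area, and the service area firewall passes only destination ports in its allow table. All addresses, ports, signature bytes and module names are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Endpoint is an IP address and port, used both for the public access address and for
// the real address (purpose IP address and destination port) of an intranet device.
type Endpoint struct {
	IP   string
	Port int
}

// Packet is what the border router hands to the perimeter firewall: the public address
// it was sent to and the payload sent by the card-reading terminal.
type Packet struct {
	To      Endpoint
	Payload []byte
}

var ErrDropped = errors.New("packet dropped")

// PerimeterFirewall holds the DDoS feature database and the NAT table that maps a public
// access address to the real address of the dispatch server or a certification module.
type PerimeterFirewall struct {
	DDoSSignatures [][]byte
	NAT            map[Endpoint]Endpoint
}

// Admit applies the boundary filtering policy (a feature match means the packet is invalid)
// and then the NAT mapping; it returns the purpose device identifier the core switch routes on.
func (f *PerimeterFirewall) Admit(p Packet) (Endpoint, error) {
	for _, sig := range f.DDoSSignatures {
		if bytes.Contains(p.Payload, sig) {
			return Endpoint{}, fmt.Errorf("%w: DDoS feature value matched", ErrDropped)
		}
	}
	real, ok := f.NAT[p.To]
	if !ok {
		return Endpoint{}, fmt.Errorf("%w: no NAT mapping for %s:%d", ErrDropped, p.To.IP, p.To.Port)
	}
	return real, nil
}

// ServiceAreaFirewall only lets packets through to ports in its preset allow table (S107).
type ServiceAreaFirewall struct {
	AllowedPorts map[int]string // destination port -> certification safety control module
}

// Forward returns the module that receives the packet, or an error if the port is not allowed.
func (s *ServiceAreaFirewall) Forward(dst Endpoint, p Packet) (string, error) {
	module, ok := s.AllowedPorts[dst.Port]
	if !ok {
		return "", fmt.Errorf("%w: destination port %d not in the allow table", ErrDropped, dst.Port)
	}
	return module, nil
}

// CoreSwitch chooses between the dispatch server and the service area firewall (S103).
type CoreSwitch struct {
	DispatchServer Endpoint
	ServiceArea    *ServiceAreaFirewall
}

// Route returns the name of the device that finally receives the packet.
func (c *CoreSwitch) Route(dst Endpoint, p Packet) (string, error) {
	if dst == c.DispatchServer {
		return "dispatch-server", nil
	}
	return c.ServiceArea.Forward(dst, p) // packet and identifier travel together
}

// Deliver is the whole path for one packet arriving from the border router.
func Deliver(f *PerimeterFirewall, c *CoreSwitch, p Packet) (string, error) {
	dst, err := f.Admit(p)
	if err != nil {
		return "", err
	}
	return c.Route(dst, p)
}

func main() {
	fw := &PerimeterFirewall{
		DDoSSignatures: [][]byte{[]byte("FLOOD-SIG")}, // constructed feature value
		NAT: map[Endpoint]Endpoint{
			{"203.0.113.10", 443}:  {"10.0.0.5", 8443},  // public access address -> dispatch server
			{"203.0.113.10", 9001}: {"10.0.1.20", 9001}, // public access address -> certification module
		},
	}
	sw := &CoreSwitch{
		DispatchServer: Endpoint{"10.0.0.5", 8443},
		ServiceArea:    &ServiceAreaFirewall{AllowedPorts: map[int]string{9001: "auth-module-1"}},
	}
	for _, p := range []Packet{
		{Endpoint{"203.0.113.10", 443}, []byte("first request: terminal id and certificate")},
		{Endpoint{"203.0.113.10", 9001}, []byte("card seeking data")},
		{Endpoint{"203.0.113.10", 9001}, []byte("FLOOD-SIG FLOOD-SIG")},
	} {
		dev, err := Deliver(fw, sw, p)
		fmt.Printf("%s:%d -> %q err=%v\n", p.To.IP, p.To.Port, dev, err)
	}
}
```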
S108: the first certification safety control module receives the data packet, decrypts it and sends the decrypted data packet to the first verifying safety control module, the first verifying safety control module being the verifying safety control module connected to the first certification safety control module;
In the present embodiment, before the first certification safety control module decrypts the data packet, the method provided in this embodiment further comprises: the dispatch server obtains, according to the identification information of the card-reading terminal, the ciphertext of the authentication key of the card-reading terminal from the authentication database and sends it to the first certification safety control module, where the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database;
In this step, the first certification safety control module decrypting the data packet comprises: the first certification safety control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypts the data packet with the authentication key;
S109: the first verifying safety control module receives the decrypted data packet and returns a corresponding first data packet to the first certification safety control module according to the data content carried by the decrypted data packet;
In practical applications, a card-reading terminal reading the information of an identity card generally goes through three stages: card seeking, card selection and card reading. In the card seeking stage the card-reading terminal broadcasts a card seeking instruction; if an identity card responds to the instruction, it returns card seeking data to the card-reading terminal, and the card-reading terminal must send the card seeking data, through the Internet access area and the isolation area, to the first verifying safety control module of the service area (the first verifying safety control module is the verifying safety control module connected to the first certification safety control module to which the idle port allocated to the card-reading terminal points); the first verifying safety control module returns card seeking response data to the card-reading terminal. In the card selection stage the card-reading terminal reads some configuration information from the identity card (such as the identity card serial number, identity card application data and identity card preset information) and sends this configuration information through the Internet access area and the isolation area to the first verifying safety control module of the service area; the first verifying safety control module initiates a mutual authentication process with the identity card, the card-reading terminal forwarding the interaction data of that process, and once mutual authentication between the first verifying safety control module and the identity card is complete, the card reading stage begins. In the card reading stage the card-reading terminal reads the identity card information ciphertext from the identity card and finally forwards it through the Internet access area and the isolation area to the first verifying safety control module of the service area. The first verifying safety control module uses the special product designated by the Ministry of Public Security, which complies with GA467-2013 "Resident Identity Card Verification Security Control (SAM) Module Interface Technical Specification", and can decrypt the identity card information ciphertext to obtain the identity card information plaintext; this plaintext is encrypted by the first certification safety control module and sent to the card-reading terminal, and the card-reading terminal decrypts the ciphertext produced by the first certification safety control module to obtain the identity card information plaintext. Therefore, in the present embodiment, the first verifying safety control module returning a corresponding first data packet to the first certification safety control module according to the data content carried by the decrypted data packet comprises:
Where the data content is identity card card seeking data, the first verifying safety control module returns a first data packet to the first certification safety control module, the first data packet comprising at least the card seeking response data;
Where the data content is identity card card selection data (such as the identity card configuration information, signed data and digital certificate of the identity card, which the first verifying safety control module needs in order to authenticate the identity card), the first verifying safety control module returns a first data packet to the first certification safety control module, the first data packet comprising at least the data for authenticating with the identity card read by the card-reading terminal (such as the signed data and digital certificate of the first verifying safety control module, which the identity card needs in order to authenticate the first verifying safety control module);
Where the data content is identity card information ciphertext, the first verifying safety control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns a first data packet to the first certification safety control module, the first data packet comprising at least the identity card information plaintext.
S110: the first certification safety control module receives the first data packet returned by the first verifying safety control module, encrypts the first data packet and sends the encrypted first data packet to the card-reading terminal.
In the present embodiment, after the first certification safety control module receives the first data packet returned by the first verifying safety control module, it must also encrypt the first data packet before returning it to the card-reading terminal, so as to guarantee transmission security. As one optional embodiment, the first certification safety control module encrypting the first data packet and sending the encrypted first data packet to the card-reading terminal specifically comprises: the first certification safety control module encrypts the first data packet with the authentication key of the card-reading terminal and sends the encrypted first data packet to the card-reading terminal, and the card-reading terminal decrypts the encrypted first data packet with its own authentication key to obtain the first data packet. Encrypting the first data packet with the authentication key thus achieves ciphertext transmission and guarantees transmission security. Moreover, a party that does not hold the authentication key corresponding to the card-reading terminal cannot decrypt the encrypted first data packet even if it intercepts it; only the card-reading terminal holding the corresponding authentication key can decrypt this ciphertext. Even if the ciphertext is intercepted and the interceptor attempts to crack it, it cannot be decrypted, which further ensures the transmission security of the identity card information plaintext.
As another optional embodiment, to further avoid the drawback that a key which is always reused for encryption and decryption is easily cracked, the first certification safety control module encrypting the first data packet and sending the encrypted first data packet to the card-reading terminal specifically comprises: the first certification safety control module generates a session key from a random number and encrypts the first data packet with the session key to obtain a first data packet ciphertext; it then either encrypts the first data packet ciphertext and the session key with the public key of the encryption digital certificate of the card-reading terminal to generate a session ciphertext, or encrypts only the session key with the public key of the encryption digital certificate of the card-reading terminal to generate the session ciphertext and sends the session ciphertext together with the first data packet ciphertext to the card-reading terminal. The card-reading terminal is further configured either to decrypt the session ciphertext with the locally stored private key corresponding to the encryption digital certificate, obtaining the first data packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key, and then to decrypt the first data packet ciphertext with the session key to obtain the plaintext of the first data packet. The difference between this optional embodiment and the previous one is that the certification safety control module no longer reuses the authentication key of the card-reading terminal but generates a session key from a random number; because the session key is random, encryption with the session key is more reliable than encryption with a fixed transmission key and harder to crack.
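An added Go example (not the patent's code) covering both the S108 decryption step above, where the authentication key held under the database protection key is unwrapped before the terminal's packet is decrypted, and the session-key embodiment of S110, where a random session key encrypts the first data packet and is itself encrypted to the public key of the terminal's encryption certificate. AES-GCM, RSA-OAEP, the key sizes and the key values are assumptions; the page names no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGCM wraps a 16, 24 or 32-byte key in AES-GCM (an assumed algorithm choice).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the ciphertext was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// DecryptTerminalPacket is S108: unwrap the authentication key with the protection key, then decrypt.
func DecryptTerminalPacket(protectionKey, authKeyCiphertext, packet []byte) ([]byte, error) {
	authKey, err := open(protectionKey, authKeyCiphertext)
	if err != nil {
		return nil, fmt.Errorf("unwrap authentication key: %w", err)
	}
	return open(authKey, packet)
}

// SessionMessage is what the S110 session-key embodiment sends to the card-reading terminal.
type SessionMessage struct {
	SessionCiphertext []byte // random session key under RSA-OAEP with the terminal's public key
	PacketCiphertext  []byte // first data packet under the session key
}

// EncryptFirstPacket runs in the certification safety control module with a fresh session key.
func EncryptFirstPacket(terminalPub *rsa.PublicKey, firstPacket []byte) (*SessionMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	pc, err := seal(sessionKey, firstPacket)
	if err != nil {
		return nil, err
	}
	sc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &SessionMessage{SessionCiphertext: sc, PacketCiphertext: pc}, nil
}

// DecryptFirstPacket runs on the terminal with its certificate's private key; any other key fails at OAEP.
func DecryptFirstPacket(terminalPriv *rsa.PrivateKey, msg *SessionMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, terminalPriv, msg.SessionCiphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("recover session key: %w", err)
	}
	return open(sessionKey, msg.PacketCiphertext)
}

// newTerminalKey stands in for the key pair behind the terminal's encryption certificate.
func newTerminalKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	protection, authKey := []byte("database-protection-key-32-bytes"), []byte("terminal-authentication-key-32by")
	wrapped, _ := seal(protection, authKey) // constructed keys; wrapped is what the database stores
	packet, _ := seal(authKey, []byte("card seeking data"))
	plain, err1 := DecryptTerminalPacket(protection, wrapped, packet)
	priv, _ := newTerminalKey()
	msg, _ := EncryptFirstPacket(&priv.PublicKey, []byte("card seeking response"))
	reply, err2 := DecryptFirstPacket(priv, msg)
	fmt.Printf("S108: %q %v\nS110: %q %v\n", plain, err1, reply, err2)
}
```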
Throughout the method of data transmission provided in this embodiment, as an optional embodiment of the present embodiment, the method further comprises: a flow cleaning device connected to the border router monitors the service traffic flowing through the border router, and if it detects from that service traffic that the border router is under a distributed denial of service attack, it cleans the service traffic flowing through the border router.
In the present embodiment the flow cleaning device monitors the data arriving at the Internet connection (the data packets received by the border router) in real time, so as to discover abnormal traffic, including distributed denial of service (DDoS) attacks, in good time. When the abnormal traffic reaches or exceeds a preset security baseline, the flow cleaning device starts the cleaning and filtering process. Through the flow cleaning device, the system relieves the pressure that DDoS attack traffic places on the internal network, improves the effectiveness of bandwidth usage, protects the internal network from attacks originating on the Internet and improves network performance.
Thus the Internet access area of this system can, through the border router and perimeter firewall, refuse illegal access to the system while guaranteeing normal access by card-reading terminals, and can, through the flow cleaning device, monitor data entering from the Internet in real time and clean abnormal traffic without affecting normal services, protecting the internal network from attacks from the Internet and improving network performance.
In the present embodiment the core switch is in fact a computer optimized for forwarding data packets, and as a computer it can be attacked: for example, illegal control of the core switch could be obtained, causing network paralysis, and it can also be subjected to DDoS attacks. Therefore, to prevent the core switch from being illegally compromised, in the above steps the method provided in this embodiment further comprises: an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches it against a prestored historical behaviour model of users, expert knowledge and a neural network model; once a match succeeds, intrusion behaviour is judged to exist, the connection between the card-reading terminal and the accessed device is disconnected immediately, evidence is collected and data recovery is carried out. The service traffic flowing through the core switch may additionally be monitored with an anomaly detection strategy. By monitoring the operating state of the core switch with the intrusion detection device, attack attempts, attack behaviour and attack results are discovered as far as possible, so as to guarantee the confidentiality, integrity and availability of network system resources. In addition, to prevent the core switch from being illegally compromised, the method provided in this embodiment further comprises: an intrusion prevention device connected to the core switch monitors the data packets received by the core switch, judges whether a data packet received by the core switch is invalid data and, if so, discards that data packet. The intrusion prevention device may judge whether a data packet received by the core switch is invalid data in the following way, for example: it matches the data packet received by the core switch against the virus features in a preset virus database, and if a match is found, the matched data packet is determined to be invalid data. It may also take into account abnormal conditions in applications or in network transmission, for example a user or user program violating a security rule, a data packet appearing in a period when it should not, or an operating system or application vulnerability being exploited, to help identify intrusions and attacks. Although the intrusion prevention device also considers known virus features, it does not rely solely on them. The intrusion prevention device supplements the anti-virus software and the firewalls to improve the security of the system.
With the method of data transmission provided by this embodiment, the system is divided into three levels, the Internet access area, the isolation area and the service area, each level using a different security strategy; through these multiple security barriers the security of the whole system is improved at the network level, preventing malicious attacks on the service area and in particular guaranteeing the security of the certification safety control modules and the verifying safety control modules.
Embodiment 3
This embodiment provides an internal management server (inner tube server). As shown in Figure 5, the internal management server may be a centralized server for centralized management, or a distributed server so as to integrate network resources. The internal management server comprises: a secure access unit, a display unit, a first input interface, a secure processor, a main control processor, a system management unit, a parameter configuration unit and a second input interface.
The secure access unit is configured to detect user requests and, when the detected user request is a user login request, to obtain the prompt information corresponding to the user login request and send the prompt information to the display unit.
Specifically, the secure access unit refreshes or checks at regular or irregular intervals whether a user request has been received; when a user request is received, it judges the type of the request, that is, whether it is a user login request, according to the features of the request. For example, the secure access unit may provide a web page of the internal management server on which a login button is set, and once the secure access unit detects that the login button has been pressed, it judges that a user login request has been detected; or the web page of the internal management server may display a login information input box directly, and when the cursor is detected in the login information input box, the secure access unit judges that a user login request has been detected.
Of course, the user login request of the internal management server may be provided as different login requests for different users; for example, administrator login, ordinary user login, operation user login and operations user login can be distinguished, and different login interfaces are set for the different user login requests so that they are managed separately.
When the secure access unit detects that the user request is a user login request, it performs the subsequent operations, namely obtaining the prompt information corresponding to the user login request and sending the prompt information to the display unit; when the secure access unit detects no user login request, or detects an invalid request, it repeats the operation of detecting user requests.
When a user login request is detected, the internal management server also obtains the type of the user login request; similarly, when the login requests of the different users described above are triggered through their login buttons, it obtains the login prompt information corresponding to the different users. For example, when the user is an administrator, operation user or operations user, the prompt information may, besides popping up the input boxes for user name and password, also prompt "insert the safety device or electronic signature token"; when the user is an ordinary user, the prompt information may be only the popped-up input boxes for user name and password. By setting the prompt information corresponding to each kind of user at login, users of different levels perform different login processes, which balances the security and convenience needs of different users. Of course, the present invention is not limited to the above types of prompt information; any prompt information that prompts the user to log in is within the protection scope of the present invention.
The display unit is configured to display the prompt information, which prompts the user to log in. Specifically, the display unit may be integrated in the internal management server or may be an external display.
The first input interface is configured to receive the authentication information corresponding to the prompt information, the authentication information comprising at least user identity information and information to be verified, and to send at least the authentication information to the secure processor. Specifically, the user may input the authentication information corresponding to the prompt information through input devices such as a wired interface (USB interface, audio interface, etc.), a wireless interface (WiFi, NFC, RFID, etc.), a keyboard or a touch screen. The authentication information contains at least information that can represent the identity of the user; this user identity information may be a user serial number, user category, user name, user identifier or the like. The authentication information further comprises information to be verified (such as a user certificate, a digital signature or user identification information), which is information that can verify the legitimacy of the user and is used by the internal management server to verify the legitimacy of the user's login.
The secure processor is configured to obtain verification information, obtain the information to be verified from the received authentication information, verify the information to be verified with the verification information and, if verification passes, send the user identity information to the main control processor; otherwise it sends login failure information to the display unit and obtains again the prompt information corresponding to the user login request. Specifically, the verification information is information prestored in the internal management server or obtained from an identity device such as a safety device or electronic signature token, while the information to be verified is the information input by the user.
In this embodiment, the safe processor may perform identity verification in one or several of the following ways; of course, the invention is not limited to the following ways:
Mode one: the first input interface is a USB interface, an audio interface or a wireless interface. The first input interface is connected to a safety equipment and receives the user certificate stored in and sent by the safety equipment. The safe processor obtains the pre-stored root certificate, obtains the user certificate from the received authentication information, and verifies the legitimacy of the user certificate using the pre-stored root certificate. In a specific embodiment, the user verifies identity using a safety equipment in which a digital certificate representing the user's identity is stored, while the root certificate that issued the digital certificate (the verification information) is stored in the safe processor. After the safe processor receives the user certificate (the information to be verified) sent by the connected safety equipment, it performs a legitimacy check on the digital certificate using the pre-stored root certificate, and if the legitimacy check passes, the verification is considered passed. Of course, during verification, the safe processor may first send an instruction to the safety equipment through the first input interface, and the safety equipment sends the user certificate to the safe processor only after receiving the corresponding instruction, which ensures that the verification is executed correctly and in a timely manner. The certificate checking procedure is an existing procedure and is not repeated here. With this verification mode, the login is verified using the user certificate of the safety equipment, which achieves physical isolation and ensures the security of the login.
Mode two: the first input interface includes a USB interface, an audio interface or a wireless interface. The first input interface is connected to an electronic signature token and receives the signing messages generated and sent by the electronic signature token, the signing messages including presupposed information and a signature value obtained by the electronic signature token signing the presupposed information. The safe processor obtains the public key of the electronic signature token and verifies the signing messages using the public key of the electronic signature token. In a specific embodiment, the user verifies identity using an electronic signature token, which stores the digital certificate and private key representing the user's unique identity and can generate the presupposed information; the presupposed information can be a randomly generated random number or the user's identification information, and the electronic signature token can sign the presupposed information with the private key to obtain the signature value. After the safe processor receives the presupposed information and signature value (the information to be verified) sent by the connected electronic signature token, it can obtain the public key of the electronic signature token (the verification information) and verify the signing messages, and if the signature verifies correctly the verification is considered passed. The public key (verification information) of the electronic signature token can be pre-stored by the safe processor, obtained by the safe processor from another server, or obtained from the digital certificate sent by the electronic signature token (that is, the electronic signature token also sends its digital certificate while sending the signing messages, and the digital certificate contains the public key of the electronic signature token). Of course, during verification, the safe processor may first send an instruction to the electronic signature token through the first input interface, and the electronic signature token sends the signing messages to the safe processor only after receiving the corresponding instruction, which ensures that the verification is executed correctly and in a timely manner. With this verification mode, the login is verified using the electronic signature token, which stores the digital certificate and private key representing the user's unique identity; verifying the user's signature verifies the user's identity, prevents other illegitimate logins and ensures the security of the login.
Mode three: the first input interface includes a keyboard, a touch screen or an information input device. The first input interface receives the customer identification information input by the user. The safe processor obtains the pre-stored verification identification information and verifies the input customer identification information using the pre-stored verification identification information. In a specific embodiment, the identification information can be a user name and password, biometric information (fingerprint, iris, etc.) and so on; the safe processor pre-stores the user's verification identification information (the verification information), compares the input customer identification information (the information to be verified) with the pre-stored verification identification information, and if the comparison is consistent the verification is considered passed. Verifying the user's identification information verifies the user's identity and ensures the security of the login.
In a concrete implementation, several of the above modes can be used together to secure the login; for example, a combination of mode one and mode three, or a combination of mode two and mode three, can be used. Securing the login in multiple ways can further ensure the security of the login. Depending on the requirements of the login mode, the first input interface can be only an interface of the USB, audio or wireless type, can be an interface that includes a keyboard, touch screen or information input device type, or can be an input interface that provides both types of interface at the same time.
In addition, in all three of the above implementations, the safe processor independently handles the identity verification process, which can be isolated from the main control processor; the independent security of the safe processor further ensures the security of the user's login.
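Modes one and two above, as an added example that is not part of the patent's own text: the safe processor's check of a user certificate against a pre-stored root certificate, and its check of a token's signature value over freshly generated presupposed information, written in Go with only the standard library. The root CA, the token's key pair and certificate (named "user-0001"), an unrelated root used for the negative case, the 32-byte random presupposed information, and ECDSA P-256 over SHA-256 as the signature scheme are all assumptions made here; the page does not name an algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on any error while building the constructed sample material.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newIdentity generates a P-256 key pair and a certificate for it signed by parentKey; with
// parent == nil the certificate is self-signed, as the root pre-stored in the safe processor is.
func newIdentity(serial int64, name string, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// VerifyUserCert is mode one: the user certificate (information to be verified) must chain to the root certificate pre-stored in the safe processor (verification information).
func VerifyUserCert(root, user *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := user.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// TokenSign models the electronic signature token: it signs the presupposed information with its private key and returns the signature value.
func TokenSign(tokenKey *ecdsa.PrivateKey, info []byte) []byte {
	digest := sha256.Sum256(info)
	sig, err := ecdsa.SignASN1(rand.Reader, tokenKey, digest[:])
	must(err)
	return sig
}

// VerifyTokenSignature is mode two: the public key is taken from the token's digital certificate and the signature value over the presupposed information is checked with it.
func VerifyTokenSignature(tokenCert *x509.Certificate, info, sig []byte) bool {
	pub, ok := tokenCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(info)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario runs both modes with a token issued by the pre-stored root and one issued by an
// unrelated root. It returns whether mode one accepts the legitimate certificate and rejects the
// foreign one, and whether mode two accepts the genuine signature and rejects altered info.
func Scenario() (certOK, foreignRejected, sigOK, alteredRejected bool) {
	rootKey, root := newIdentity(1, "Root CA (constructed)", true, nil, nil)
	tokenKey, tokenCert := newIdentity(2, "user-0001", false, root, rootKey)
	otherKey, other := newIdentity(3, "Other CA (constructed)", true, nil, nil)
	_, foreign := newIdentity(4, "user-0001", false, other, otherKey)
	certOK = VerifyUserCert(root, tokenCert) == nil
	foreignRejected = VerifyUserCert(root, foreign) != nil
	info := make([]byte, 32) // presupposed information: a fresh random number per login attempt
	_, err := rand.Read(info)
	must(err)
	sig := TokenSign(tokenKey, info)
	sigOK = VerifyTokenSignature(tokenCert, info, sig)
	altered := append([]byte(nil), info...) // the same signature value with changed presupposed information
	altered[0] ^= 0xff
	alteredRejected = !VerifyTokenSignature(tokenCert, altered, sig)
	return
}

func main() { fmt.Println(Scenario()) }
```

A fresh random value per login attempt is what makes the mode two exchange resistant to an earlier signature value being presented again.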
The main control processor is used to receive the subscriber identity information and to determine the user's operating right according to the subscriber identity information, the operating right being the first permission and/or the second permission. Specifically, the first permission and the second permission can be permissions to process different instructions and to access different units (the System Management Unit and the parameter configuration unit). In this embodiment, the first permission can be the permission to process system management directives, and the second permission can be the permission to process parameter configuration instructions. One user identity can have only the first permission, only the second permission, or both the first permission and the second permission. In a specific implementation, the user's category can be determined from the subscriber identity information (such as user sequence number, user category, user name or user identifier), and the user's operating right is determined from the user's category. For example, if the user is determined to be an administrator according to the user's identity information, the administrator has both the first permission and the second permission, i.e. the administrator can process system management directives and parameter configuration instructions; if the user is determined to be an operator user according to the user's identity information, the operator user has the first permission, i.e. the operator can process system management directives; and if the user is determined to be an operation person user according to the user's identity information, the operation person has the second permission, i.e. the operation person can process parameter configuration instructions. Of course, in an actual system there may be only one kind of user, i.e. only administrators who have both the first permission and the second permission. By granting different operating rights according to the user's identity after the user logs in to the system, the user can only access the system resources authorized to it, which builds a firewall inside the inner tube system.
The second input interface is also used to receive the user's operation requests and to send the operation requests to the main control processor. Specifically, the user can input operation requests through a keyboard or by selection on a web page of the inner tube server. Here the second input interface and the first input interface can be two different interfaces (for example, the first input interface is a USB interface and the second input interface is a keyboard), or the same interface can implement the functions of both the first input interface and the second input interface.
The main control processor is also used to judge the type of the operation request: if the operation request includes a system management directive, and it is determined that the user's corresponding operating right is the first permission, or the first permission and the second permission, the operation request is sent to the System Management Unit; if the operation request includes a parameter configuration instruction, and it is determined that the user's corresponding operating right is the second permission, or the first permission and the second permission, the operation request is sent to the parameter configuration unit. Specifically, the operation request includes at least an operation instruction, which can be a system management directive or a parameter configuration instruction; when the operation instruction matches the user's operating right, the main control processor calls the corresponding unit to complete the corresponding operation.
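The permission determination and dispatch just described, as an added example in Go that is not the patent's own code: the main control processor receives only the subscriber identity information from the safe processor, maps the user category to the first and/or second permission, and routes an operation request only when the instruction type matches that right, refusing unknown categories rather than granting a default. The category strings, the serial numbers and the unit names returned are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is the operating right the main control processor derives from the subscriber
// identity information: the first permission covers system management directives, the
// second covers parameter configuration instructions.
type Permission uint8

const (
	FirstPermission  Permission = 1 << iota // process system management directives
	SecondPermission                        // process parameter configuration instructions
)

// Identity is all that crosses from the safe processor to the main control processor after
// verification passes: the subscriber identity information, never the credential itself.
type Identity struct {
	SerialNumber string
	Category     string // "administrator", "operator" or "operation person" (assumed strings)
}

// categoryRights is a constructed mapping that follows the examples given in the text.
var categoryRights = map[string]Permission{
	"administrator":    FirstPermission | SecondPermission,
	"operator":         FirstPermission,
	"operation person": SecondPermission,
}

// OperatingRight determines the user's operating right from the user category; an unknown
// category gets no permission at all rather than a default one.
func OperatingRight(id Identity) (Permission, error) {
	right, ok := categoryRights[id.Category]
	if !ok {
		return 0, fmt.Errorf("unknown user category %q for user %s", id.Category, id.SerialNumber)
	}
	return right, nil
}

// InstructionKind is the type of operation instruction carried by an operation request.
type InstructionKind int

const (
	SystemManagementDirective InstructionKind = iota
	ParameterConfigurationInstruction
)

// OperationRequest carries at least the operation instruction, plus the entry it targets.
type OperationRequest struct {
	Kind  InstructionKind
	Entry string // e.g. "user", "blacklist", "card-reading terminal APP parameter"
}

var ErrNotPermitted = errors.New("operation request does not match the user's operating right")

// Route is the main control processor's dispatch: a system management directive reaches the
// System Management Unit only with the first permission, and a parameter configuration
// instruction reaches the parameter configuration unit only with the second permission.
func Route(id Identity, req OperationRequest) (string, error) {
	right, err := OperatingRight(id)
	if err != nil {
		return "", err
	}
	switch req.Kind {
	case SystemManagementDirective:
		if right&FirstPermission != 0 {
			return "System Management Unit", nil
		}
	case ParameterConfigurationInstruction:
		if right&SecondPermission != 0 {
			return "parameter configuration unit", nil
		}
	default:
		return "", fmt.Errorf("unknown instruction kind %d", req.Kind)
	}
	return "", ErrNotPermitted
}

func main() {
	operator := Identity{SerialNumber: "U-1002", Category: "operator"} // constructed user
	for _, req := range []OperationRequest{
		{SystemManagementDirective, "blacklist"},
		{ParameterConfigurationInstruction, "frequency control strategy"},
	} {
		unit, err := Route(operator, req)
		fmt.Printf("%-26s -> unit=%q err=%v\n", req.Entry, unit, err)
	}
}
```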
The System Management Unit is used, after receiving the operation request, to obtain the system administration entry corresponding to the system management directive and to perform the corresponding operation on the system administration entry according to the system management directive. Specifically, in this case the operation request includes a system management directive. The system management directive can be used to manage the information of the inner tube server, and it includes instructions such as a query instruction, a modification instruction, an increase instruction or a deletion instruction, which implement functions such as querying, modifying, adding and deleting each management entry in the inner tube server. When system administration is needed, it must first be determined that the user has the corresponding permission before the management is allowed; for example, a user with administrator or operator permission can manage the system. A system administration entry is an entry in the inner tube server that a user may modify, and can include but is not limited to a user, a role, a client, a product, a report, a blacklist and so on. The system administration entry can be included in the operation request, or the user can input the system administration entry corresponding to the system management directive through the keyboard or by selection on a web page of the inner tube server; when necessary, some management parameters also need to be input to realize the management function.
The parameter configuration unit is used, after receiving the operation request, to obtain the entry to be configured and the update parameter corresponding to the parameter configuration instruction, and to configure the parameter of the entry to be configured according to the update parameter. Specifically, in this case the operation request includes a parameter configuration instruction, which is used to configure the parameters of the inner tube server. When parameter configuration is needed, it must first be determined that the user has the corresponding permission before the configuration is allowed; for example, a user with administrator or operation person permission can configure parameters. The entries to be configured corresponding to the parameter configuration instruction can include: inner tube system parameters, certification safety control module parameters, card-reading terminal APP parameters, blacklist strategy, frequency control strategy and so on. The inner tube server configures the above entries to be configured using the update parameter; the update parameter can be included in the operation request, or the user can input the update parameter through the keyboard or by selection on a web page of the inner tube server.
Specifically, when it is determined that the user's corresponding operating right is the first permission and the second permission, i.e. the user has administrator permission, the user can process both system management directives and parameter configuration instructions; the specific processing is as described above.
With the inner tube server of this embodiment, each subsystem component in the cloud authentication platform can be effectively managed through one inner tube server, a visual management interface is provided to the user, the user experience is improved, and configuring system parameters during operation and maintenance work is made convenient. In addition, the inner tube server schedules and manages the entire cloud authentication platform, restricts access to some resources, and ensures the security of access by setting different access permissions for different users.
In one embodiment of the invention, when the user logs in, the login can also be protected by an identifying code:
The prompt information further includes a reference identifying code. The safe access unit is also used to generate a random code, generate the reference identifying code according to the random code, and send the reference identifying code to the display unit and the safe processor. Specifically, the login interface can prompt for the identifying code to be verified at the same time as the other prompts, or can prompt for the identifying code before or after the identity verification; the inner tube server generates a random code to serve as the reference identifying code, which can be in a format such as a number or a picture.
The display unit is also used to display the reference identifying code; the reference identifying code can be displayed together with the other login prompt information so that the user can input it.
The information to be verified further includes a login authentication code; the first input interface is also used to receive the login authentication code; and the safe processor is also used to obtain the reference identifying code and compare the login authentication code with the reference identifying code for verification. Specifically, after obtaining the identifying code input by the user through the keyboard or another means, the inner tube server compares the input identifying code with the reference identifying code that it stored or generated, and determines that the identifying code passes when the comparison is consistent.
Using a login authentication code can prevent login replay attacks, avoid wasting system resources and ensure the security of system operation.
In an embodiment of the invention, the system management directive includes a query instruction, a modification instruction, an increase instruction and/or a deletion instruction. The main control processor is specifically used to obtain the system administration entry corresponding to the system management directive and to judge the type of the system management directive. If the type of the system management directive indicates that the obtained system management directive is a query instruction, the System Management Unit is specifically used to perform a query operation on the system administration entry according to the query instruction; if it indicates a modification instruction, the System Management Unit is specifically used to perform a modification operation on the system administration entry according to the modification instruction; if it indicates an increase instruction, the System Management Unit is specifically used to perform an increase operation on the system administration entry according to the increase instruction; and if it indicates a deletion instruction, the System Management Unit is specifically used to perform a deletion operation on the system administration entry according to the deletion instruction.
In an embodiment of the invention, the system administration entry includes: a user, a role, a client, a product, a report and/or a blacklist;
When the System Management Unit performs a query operation on the system administration entry according to the query instruction: if the system administration entry is a user, the System Management Unit is specifically used to query the user according to the query instruction and output the user information according to a preset query output rule; or if the system administration entry is a role, the System Management Unit is specifically used to query the role according to the query instruction and output the role information according to the preset query output rule; or if the system administration entry is a client, the System Management Unit is specifically used to query the client according to the query instruction and output the customer information according to the preset query output rule; or if the system administration entry is a product, the System Management Unit is specifically used to query the product according to the query instruction and output the product information according to the preset query output rule; or if the system administration entry is a report, the System Management Unit is specifically used to query the report according to the query instruction and output the report information according to the preset query output rule; or if the system administration entry is a blacklist, the System Management Unit is specifically used to query the blacklist according to the query instruction and output the black list information according to the preset query output rule;
When the System Management Unit performs a modification operation on the system administration entry according to the modification instruction: if the system administration entry is a user, the System Management Unit is specifically used to modify the user information according to the modification instruction and store the user information modification result; or if the system administration entry is a role, the System Management Unit is specifically used to modify the role information according to the modification instruction and store the role information modification result; or if the system administration entry is a client, the System Management Unit is specifically used to modify the customer information according to the modification instruction and store the customer information modification result; or if the system administration entry is a product, the System Management Unit is specifically used to modify the product information according to the modification instruction and store the product information modification result; or if the system administration entry is a report, the System Management Unit is specifically used to modify the report information according to the modification instruction and store the report information modification result; or if the system administration entry is a blacklist, the System Management Unit is specifically used to modify the black list information according to the modification instruction and store the black list information modification result;
When the System Management Unit performs an increase operation on the system administration entry according to the increase instruction: if the system administration entry is a user, the System Management Unit is specifically used to add the user according to the increase instruction and store the added user information; or if the system administration entry is a role, the System Management Unit is specifically used to add the role according to the increase instruction and store the added role information; or if the system administration entry is a client, the System Management Unit is specifically used to add the client according to the increase instruction and store the added customer information; or if the system administration entry is a product, the System Management Unit is specifically used to add the product according to the increase instruction and store the added product information; or if the system administration entry is a report, the System Management Unit is specifically used to add the report according to the increase instruction and store the added report information; or if the system administration entry is a blacklist, the System Management Unit is specifically used to add the blacklist according to the increase instruction and store the added black list information;
When the System Management Unit performs a deletion operation on the system administration entry according to the deletion instruction: if the system administration entry is a user, the System Management Unit is specifically used to delete the user according to the deletion instruction; or if the system administration entry is a role, the System Management Unit is specifically used to delete the role according to the deletion instruction; or if the system administration entry is a client, the System Management Unit is specifically used to delete the client according to the deletion instruction; or if the system administration entry is a product, the System Management Unit is specifically used to delete the product according to the deletion instruction; or if the system administration entry is a report, the System Management Unit is specifically used to delete the report according to the deletion instruction; or if the system administration entry is a blacklist, the System Management Unit is specifically used to delete the blacklist according to the deletion instruction.
The operation on each system administration entry is described in detail below:
When the system administration entry is a user, the administrator or operator logged in to the inner tube server can query, modify, add or delete the user's information. For example, when the administrator or operator needs to query user information, they can input the unique identification information of the user (such as ID or name) to query the user, or perform a default query, which returns the information of all users who can log in to the inner tube server, and the query result is shown through the display unit. Likewise, when the administrator or operator needs to perform a modification, addition or deletion, they can determine the user according to the user's unique identification information (such as ID or name), modify, add or delete the user's information, and store the result of the modification, addition or deletion.
When the system administration entry is a role, the administrator or operator logged in to the inner tube server can query, modify, add or delete the role's information. Different roles are set for different users in the inner tube server, and the permission of each role is different, for example administrator, operator, operation person and so on. When the administrator or operator needs to query the information of a role, the information such as the permissions under the role can be queried by the role's title or number information, or a default query can be performed, which returns all role information in the inner tube server, and the query result is shown through the display unit. Likewise, when the administrator or operator needs to modify a role, the role information can be modified using the role's title or number information, for example the permission of a certain role can be modified; when the administrator or operator performs an addition or deletion of a role, the role is added or deleted according to the role's title or number information, and the result of the modification, addition or deletion is stored.
When the system administration entry is a client, the administrator or operator logged in to the inner tube server can query, modify, add or delete the client's information. A client in the inner tube server can be a client from a different industry in the cloud authentication system, such as a bank, a merchant, a telecommunications operator and so on. The Internet identity card cloud authentication system can provide identity card authentication services for clients of different industries; the card-reading terminal product numbers and product types used by different clients may differ, and the ID card information obtained may also differ, so different clients need to be managed through the inner tube server. Management of a client can also be based on the client's unique identification information (such as ID or title): the client is determined according to the client's unique identification, the client's information is added, modified, deleted or queried, the query result is shown, and the result of the modification, addition or deletion is stored. For example, when a client is queried through a query instruction, after the input client unique identification is detected, the relevant information of the client is found in the inner tube server and is output and shown through the display unit.
When the system administration entry is a product, the administrator or operator logged in to the inner tube server can query, modify, add or delete the product's information. A product in the inner tube server corresponds to a card-reading terminal; a product entry records the card-reading terminal type and card-reading terminal number, the card-reading terminal sequence number is the unique identification information of the product, and each product entry is also bound to client information. When the administrator or operator queries a product entry, the information of the product entry such as the card-reading terminal type, the card-reading terminal sequence number and the client to which it belongs can be queried; of course, a default query or a query by unique identification information can be performed, and the query result is shown through the display unit. Likewise, when the administrator or operator performs a modification, addition or deletion, the product can be determined according to the product's unique identification information, the product's information is modified, added or deleted, and the result of the modification, addition or deletion is stored. In addition, when product information needs to be added, a batch addition operation can also be performed through product information management.
When the system administration entry is a report, the administrator or operator logged in to the inner tube server can query, modify, add or delete reports. The administrator or operator can generate reports on the state of every entry managed by the inner tube server, and can also query, modify, add or delete reports; in addition, the data items of system administration can be classified to provide clients with customized data item reports. The content of a report can cover the information of all management entries of the inner tube server, all configurable parameter information and other information related to transactions.
When the system administration entry is a blacklist, the administrator or operator logged in to the inner tube server can query, modify, add or delete the blacklist. The inner tube server can maintain a series of blacklists; for example, a blacklist mechanism can be adopted for products (card-reading terminals), in which a card-reading terminal in an abnormal state is added to the blacklist, and a card-reading terminal misjudged by the system can be deleted from the blacklist, so that the black list information is maintained. Of course, when the administrator or operator needs to query the blacklist, a query element can be input to query the blacklist, or a default query can be performed, which returns all black list information, and the query result is shown through the display unit. Likewise, when the administrator or operator needs to perform a modification, addition or deletion, the black list information can be determined according to the element, then modified, added or deleted, and the result of the modification, addition or deletion is stored.
In one embodiment of the invention, the entry to be configured includes: inner tube system parameters, certification safety control module parameters, card-reading terminal APP parameters, blacklist strategy and/or frequency control strategy. The parameter configuration unit is specifically used to obtain the entry to be configured and the update parameter corresponding to the parameter configuration instruction, and to judge the type of the entry to be configured. If the entry to be configured is an inner tube system parameter, the parameter configuration unit is specifically used to configure the parameter of the inner tube system according to the update parameter; if the entry to be configured is a certification safety control module parameter, the parameter configuration unit is specifically used to configure the parameter of the certification safety control module according to the update parameter; if the entry to be configured is a card-reading terminal APP parameter, the parameter configuration unit is specifically used to configure the card-reading terminal APP parameter according to the update parameter; if the entry to be configured is a blacklist strategy, the parameter configuration unit is specifically used to configure the blacklist strategy according to the update parameter; and if the entry to be configured is a frequency control strategy, the parameter configuration unit is specifically used to configure the frequency control strategy according to the update parameter.
When a user logged in to the inner tube server needs to execute a parameter configuration instruction, the user needs to have administrator or operation person permission; only when the permission match of the logged-in user is verified as passing is the logged-in user allowed to process the parameter configuration instruction. The operation on each entry to be configured is described in detail below:
When the entry to be configured is an inner tube system parameter, what is mainly achieved is the configuration of the operating parameters of the inner tube system, such as setting the authentication code generation rule or setting the detection time interval of the certification safety control module. Specifically, the inner tube server receives the parameter configuration instruction, determines the entry to be configured according to the parameter configuration instruction, and, when it judges that the type of the entry to be configured is an inner tube system parameter, jumps to the inner tube system parameter configuration process and obtains, through the keyboard or another input device, the update parameter corresponding to the determined inner tube system parameter configuration; for example, when the administrator or operation person configures the detection time interval of the certification safety control module, the time interval to be set is input through the keyboard as the update parameter. The configured inner tube system parameters can provide unified parameter settings for the cloud authentication platform, and make it convenient for other systems to obtain the parameter information of the inner tube system easily through the inner tube server.
When the configuration item is an authentication security control module parameter, what is mainly achieved is the configuration of the parameters of the authentication security control module, and the updated parameter information is sent to the authentication security control module so that the module can execute it. Specifically, the internal management server receives the parameter configuration instruction, determines the configuration item according to the instruction, and, when it judges that the type of the configuration item is an authentication security control module parameter, jumps to the authentication security control module parameter configuration flow, obtains via the keyboard or another input device the update parameter corresponding to the determined authentication security control module parameter configuration, and uses this update parameter to configure the authentication security control module, that is, sends the updated authentication security control module parameter information to the authentication security control module for execution.
When the configuration item is a card-reading terminal APP parameter, what is mainly achieved is maintaining version updates of the client software and publishing the card-reading terminal APP software. When the card-reading terminal APP needs to be updated, an administrator or operator can configure the card-reading terminal APP parameter through the internal management server, for example by updating the version number of the card-reading terminal APP, so that the client automatically updates the software after it detects the new version. In addition, when a version update is required, the internal management server also stores the updated card-reading terminal APP software so that clients can download the update.
When the configuration item is a blacklist policy, what is mainly achieved is the configuration of the blacklist policy, which gives the system a basis for judging whether a card-reading terminal shows abnormal behaviour. The blacklist policy can set a threshold for the abnormal behaviour of card-reading terminals: a card-reading terminal that exceeds the preset threshold is judged to have shown abnormal behaviour and can be placed on the blacklist. At the same time, a release policy can be set, for example a judgement benchmark for the abnormal behaviour having been eliminated; when the abnormal behaviour is judged to have been eliminated, the terminal can be released from the blacklist. Of course, different blacklist policies can also be set from other angles according to actual needs. Specifically, the internal management server receives the parameter configuration instruction, determines the configuration item according to the instruction, and, when it judges that the type of the configuration item is a blacklist policy, jumps to the blacklist policy configuration flow, obtains via the keyboard or another input device the update parameter corresponding to the determined blacklist policy, and configures the blacklist policy with that update parameter.
When the configuration item is a frequency control policy, what is mainly achieved is setting the access time interval of card-reading terminals, which gives the dispatch system a basis for frequency control. Since frequent access by card-reading terminals can cause the background system to collapse, the access time interval of card-reading terminals needs to be set reasonably: once the access time interval of a card-reading terminal is shorter than the preset lawful access time interval, the behaviour of that card-reading terminal can be judged as abnormal. Specifically, the internal management server receives the parameter configuration instruction, determines the configuration item according to the instruction, and, when it judges that the type of the configuration item is a frequency control policy, jumps to the frequency control policy configuration flow, obtains via the keyboard or another input device the update parameter corresponding to the determined frequency control policy, and configures the frequency control policy with that update parameter. For example, when 0.1s is set as the minimum access interval, accesses spaced less than 0.1s apart are regarded as abnormal behaviour; the parameter 0.1s can then be entered via the keyboard or another input device to configure the frequency control policy. Of course, the frequency control policy can also be configured from other angles, such as the time at which frequency control is enabled or its level.
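The blacklist and frequency control policies above are described only in prose, so here is an added example of how the internal management server's permission check and item-type dispatch might feed a dispatch-side abnormal-behaviour judgement. This is constructed code, not the patent's own implementation: the role names, the abnormal-count threshold, and the "released after a quiet period" benchmark are assumptions the page does not fix; only the 0.1 s minimum interval comes from the text.

```python
# Added example: policy configuration plus the judgement it drives (constructed, not the patent's code).
from dataclasses import dataclass, field

ALLOWED_ROLES = {"administrator", "operator"}     # roles the page says may configure


@dataclass
class Policies:
    min_access_interval: float = 0.1    # seconds; the page's 0.1 s example
    abnormal_threshold: int = 3         # abnormal accesses before blacklisting (assumed)
    release_after: float = 60.0         # quiet seconds before release (assumed benchmark)
    last_access: dict = field(default_factory=dict)     # cert_id -> last access time
    abnormal_count: dict = field(default_factory=dict)  # cert_id -> abnormal accesses seen
    blacklist: dict = field(default_factory=dict)       # cert_id -> time of blacklisting


def configure(policies, user_role, item, update):
    """Internal management server side: permission check, then dispatch on item type."""
    if user_role not in ALLOWED_ROLES:
        raise PermissionError("only administrators or operators may configure parameters")
    if item == "frequency_control_policy":
        interval = float(update["min_access_interval"])
        if interval <= 0:
            raise ValueError("access interval must be positive")
        policies.min_access_interval = interval
    elif item == "blacklist_policy":
        policies.abnormal_threshold = int(update.get("abnormal_threshold", policies.abnormal_threshold))
        policies.release_after = float(update.get("release_after", policies.release_after))
    else:
        raise ValueError(f"unsupported configuration item: {item!r}")
    return policies


def record_access(policies, cert_id, now):
    """Dispatch-side judgement for one access: 'ok', 'abnormal', 'blacklisted' or 'denied'."""
    blocked_at = policies.blacklist.get(cert_id)
    if blocked_at is not None:
        if now - blocked_at < policies.release_after:
            return "denied"                      # still on the blacklist
        del policies.blacklist[cert_id]          # abnormal behaviour judged eliminated
        policies.abnormal_count[cert_id] = 0
    last = policies.last_access.get(cert_id)
    policies.last_access[cert_id] = now
    if last is not None and now - last < policies.min_access_interval:
        count = policies.abnormal_count.get(cert_id, 0) + 1
        policies.abnormal_count[cert_id] = count
        if count >= policies.abnormal_threshold:
            policies.blacklist[cert_id] = now    # threshold exceeded: include in blacklist
            return "blacklisted"
        return "abnormal"
    return "ok"


def simulate(timestamps, policies=None, cert_id="T-1"):
    """Feed constructed access times (seconds) through the policy and return the verdicts."""
    policies = policies if policies is not None else Policies()
    return [record_access(policies, cert_id, t) for t in timestamps]


if __name__ == "__main__":
    # constructed access pattern: two bursts below 0.1 s, then silence until t=70 s
    print(simulate([0.0, 0.05, 0.5, 0.52, 0.53, 0.6, 70.0]))
```

The blacklist check runs before the interval check so that a blacklisted terminal is refused without its timestamps being recorded; a real deployment would persist the counters and blacklist in the authentication database rather than in process memory.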
Embodiment 4
This embodiment provides an identity card reading method which, as shown in Fig. 6, comprises steps S201 to S212:
S201: the card-reading terminal sends an access request to the dispatch server through the Internet access area, the access request carrying the identification information of the card-reading terminal;
The identification information of the card-reading terminal includes the digital certificate of the card-reading terminal.
S202: after the dispatch server receives the access request, it obtains the identification information of the card-reading terminal from the access request and judges, according to the identification information, whether the card-reading terminal is allowed to read identity cards; if allowed, step S203 is executed, otherwise feedback that access is not allowed is returned to the card-reading terminal;
The dispatch server's judgement of whether the card-reading terminal is allowed to read identity cards includes:
judging whether the digital certificate of the card-reading terminal is abnormal; if so, determining that the card-reading terminal is not allowed to read identity cards; otherwise judging whether the digital certificate of the card-reading terminal is in the blacklist or in the control list, where the blacklist records the digital certificates of card-reading terminals that are not allowed to access, and the control list records the digital certificates of card-reading terminals whose access needs to be controlled according to a preset control policy;
where the digital certificate of the card-reading terminal is judged to be in the blacklist, the card-reading terminal is not allowed to read identity cards and its request is refused;
where the digital certificate of the card-reading terminal is judged to be in the control list, whether the card-reading terminal is allowed to read identity cards is judged according to the preset control policy.
S203: where it is determined that the card-reading terminal is allowed to read identity cards, the dispatch server queries the port status list and, following the principle of task balancing, selects the port number corresponding to an idle authentication security control module as the access port of the card-reading terminal;
S204: the dispatch server sends the port number of the selected authentication security control module to the card-reading terminal;
S205: the card-reading terminal sends a card-seeking request through the Internet access area and the isolation area to the authentication security control module that the port number points to;
To guarantee transmission security, the card-seeking request sent by the card-reading terminal can be in ciphertext form: the card-reading terminal encrypts the card-seeking request with its own authentication key to generate the ciphertext card-seeking request.
S206: the authentication security control module that the port number points to receives the card-seeking request sent by the card-reading terminal and sends it to the verification security control module corresponding to that authentication security control module;
In this step, when the card-seeking request received by the authentication security control module is ciphertext, it can decrypt the ciphertext with the authentication key of the card-reading terminal and send the plaintext of the card-seeking request to the verification security control module.
S207: the corresponding verification security control module receives the card-seeking request, confirms it, and sends the confirmation result information to the selected authentication security control module;
S208: the authentication security control module that the port number points to obtains a session key, encrypts the confirmation result information with the session key, and sends the encrypted confirmation result information to the card-reading terminal;
The session key can be obtained by negotiation between the authentication security control module and the card-reading terminal, or generated by one side and sent to the other side after being encrypted.
S209: the card-reading terminal sends a first data packet through the Internet access area and the isolation area to the authentication security control module that the port number points to;
After receiving the encrypted confirmation result, the card-reading terminal first decrypts the encrypted session key to obtain the session key, then uses the session key to decrypt the encrypted confirmation result and obtain the confirmation result.
The first data packet includes the identity card ciphertext that the card-reading terminal obtains by encrypting the original ciphertext information of the identity card it has read;
S210: the authentication security control module that the port number points to receives the first data packet sent by the card-reading terminal, decrypts the first data packet with the session key to obtain the original ciphertext information of the identity card, and sends the original ciphertext information of the identity card to the corresponding verification security module;
S211: the corresponding verification security module decrypts the original ciphertext information of the identity card to obtain the identity card plaintext information, and returns the identity card plaintext information to the authentication security control module that the port number points to;
S212: the authentication security control module that the port number points to encrypts the identity card plaintext information with the session key and sends a second data packet to the card-reading terminal, where the second data packet includes the encrypted identity card plaintext information;
S213: the card-reading terminal receives the second data packet and decrypts it with the session key to obtain the identity card plaintext information.
The above flow is executed in the situation where the Internet access area and the service area perimeter firewall allow the access of the card-reading terminal and the intrusion detection device and intrusion prevention device have not detected that the system is under attack; the interaction data between the card-reading terminal and the verification security control module is transmitted through the network transmission devices of the Internet access area, the core area and the service area.
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as will be understood by those of ordinary skill in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented with software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques well known in the art may be used: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gate circuits, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and the like.
Those of ordinary skill in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the related hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
In the description of this specification, references to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" and the like mean that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention without departing from its principles and purpose. The scope of the present invention is defined by the appended claims and their equivalents.
Claims (8)
1. A data transmission method, characterized by comprising:
a border router receiving a data packet sent by a card-reading terminal, selecting the perimeter firewall to send to according to a routing policy, and sending the data packet to the selected perimeter firewall;
the selected perimeter firewall receiving the data packet, determining, according to the content of the data packet, the identifier of the destination device accessed by the card-reading terminal, and sending the data packet and the identifier of the destination device to a core switch;
the core switch sending the data packet to a dispatch server according to the identifier of the destination device, or sending the data packet and the identifier of the destination device to the service area firewall of a service area according to the identifier of the destination device;
where the core switch sends the data packet to the dispatch server: the dispatch server receiving the data packet, judging according to the identification information of the card-reading terminal whether the card-reading terminal is allowed to access, and judging whether the digital certificate of the card-reading terminal is abnormal, the certificate of the card-reading terminal being included in the data packet; where it judges that the card-reading terminal is allowed to access and that the digital certificate of the card-reading terminal is normal, performing the operation of obtaining from an authentication database the port status list within the jurisdiction of the dispatch server, selecting an idle authentication security control module for the card-reading terminal, and sending the identifier of the idle authentication security control module to the card-reading terminal;
where the core switch sends the data packet and the identifier of the destination device to the service area: the service area firewall of the service area receiving the data packet, judging according to a preset service area firewall filtering policy whether the identifier of the destination device is allowed to access, and if so sending the data packet to a first authentication security module, the first authentication security module being the authentication security control module indicated by the identifier of the destination device;
the first authentication security control module receiving the data packet, and the dispatch server obtaining from the authentication database, according to the identification information of the card-reading terminal, the ciphertext of the authentication key of the card-reading terminal and sending it to the first authentication security control module, wherein the ciphertext of the authentication key of the card-reading terminal is the authentication key of the card-reading terminal encrypted with the protection key of the authentication database; the first authentication security control module obtaining the protection key, decrypting the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, decrypting the data packet with the authentication key, and sending the decrypted data packet to a first verification security control module, the first verification security control module being the verification security control module connected to the first authentication security control module;
the first verification security control module receiving the decrypted data packet and returning a corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet; wherein, where the data content is identity card card-seeking data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least card-seeking response data; where the data content is identity card card-selection data, the first verification security control module returns the first data packet to the first authentication security control module, the first data packet including at least the related data for authenticating the identity card read by the card-reading terminal; where the data content is identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain identity card information plaintext and returns the first data packet to the first authentication security control module, the first data packet including at least the identity card information plaintext;
the first authentication security control module receiving the first data packet returned by the first verification security control module, encrypting the first data packet, and sending the encrypted first data packet to the card-reading terminal.
2. The method according to claim 1, characterized in that:
the data packet includes at least a public identifier of the destination device;
the selected perimeter firewall determining, according to the content of the data packet, the identifier of the destination device accessed by the card-reading terminal comprises:
the selected perimeter firewall mapping the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol.
3. The method according to claim 2, characterized in that:
before the border router selects the perimeter firewall to send to according to the routing policy and sends the data packet to the selected perimeter firewall, the method further comprises:
the border router judging, according to a preset border routing filtering policy, whether the public identifier of the destination device is allowed to pass through the border router, and if allowed, executing the step of selecting the perimeter firewall to send to according to the routing policy and sending the data packet to the selected perimeter firewall.
4. The method according to any one of claims 1 to 3, characterized in that:
before the selected perimeter firewall determines, according to the content of the data packet, the identifier of the destination device accessed by the card-reading terminal, the method further comprises:
the selected perimeter firewall judging, according to a preset perimeter firewall filtering policy, whether the data packet contains invalid data, and if not, executing the step of determining, according to the content of the data packet, the identifier of the destination device accessed by the card-reading terminal.
5. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
a traffic cleaning device connected to the border router monitoring the service traffic flowing through the border router and, if it detects from the service traffic flowing through the border router that the border router is under a distributed denial of service attack, performing traffic cleaning on the service traffic flowing through the border router.
6. The method according to any one of claims 1 to 3, characterized in that:
the dispatch server comprises a plurality of dispatch servers;
the method further comprises: where the core switch sends the data packet to the plurality of dispatch servers, a load balancer connected between the core switch and the plurality of dispatch servers allocating the data packet to one of the plurality of dispatch servers according to a balancing policy.
7. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
an intrusion detection device connected to the core switch monitoring the service traffic flowing through the core switch, matching the service traffic flowing through the core switch against the user's historical behaviour model, pre-stored expert knowledge and a neural network model, and judging that intrusion behaviour exists once a match succeeds.
8. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
an intrusion prevention device connected to the core switch monitoring the data packets received by the core switch, judging whether a data packet received by the core switch is invalid data, and if so, discarding the data packet received by the core switch.
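Steps S201 to S213 of Embodiment 4 and the key handling in claim 1 (the terminal's authentication key kept in the authentication database only as ciphertext under a protection key, and unwrapped by the authentication security control module) describe one exchange among four parties. The following is an added walk-through of that exchange; it is constructed example code, not the patent's implementation. The class names, the port numbers, the card content and the cipher are assumptions: the page names no cipher, so a SHA-256 keystream with an HMAC tag stands in for it purely to make the message flow executable.

```python
# Added example: the S201-S213 exchange with a wrapped authentication key (constructed, not the patent's code).
import hashlib
import hmac
import os


# Toy authenticated encryption standing in for the unspecified cipher (illustration only).
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or altered packet")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthDatabase:
    """Holds each terminal's authentication key only as ciphertext under the protection key (claim 1)."""
    def __init__(self, protection_key, auth_keys):
        self.wrapped = {cid: seal(protection_key, k) for cid, k in auth_keys.items()}


class DispatchServer:
    """S202-S204: admission by certificate state, then idle-port selection by task balancing."""
    def __init__(self, ports, db):
        self.db, self.abnormal, self.blacklist, self.control = db, set(), set(), {}
        self.port_busy = {p: 0 for p in ports}                 # port status list

    def request_access(self, cert_id):
        if cert_id in self.abnormal or cert_id in self.blacklist:
            return None                                         # feedback: access not allowed
        if cert_id in self.control and not self.control[cert_id]():
            return None                                         # control-list policy refused it
        port = min(self.port_busy, key=self.port_busy.get)      # least-loaded idle module
        self.port_busy[port] += 1
        return port

    def wrapped_auth_key(self, cert_id):
        return self.db.wrapped[cert_id]                         # ciphertext only, as in claim 1


class VerifyModule:
    """S207 and S211: confirms card-seeking and decrypts the card's original ciphertext."""
    def __init__(self, card_key):
        self.card_key = card_key

    def confirm(self, request):
        return b"ACK:" + request

    def decrypt_card(self, original_ciphertext):
        return unseal(self.card_key, original_ciphertext)


class AuthModule:
    """S206, S208, S210, S212: the terminal-facing endpoint behind one port number."""
    def __init__(self, dispatch, verifier, protection_key):
        self.dispatch, self.verifier, self.pk, self.sessions = dispatch, verifier, protection_key, {}

    def _auth_key(self, cert_id):                               # unwrap with the protection key
        return unseal(self.pk, self.dispatch.wrapped_auth_key(cert_id))

    def seek_card(self, cert_id, ct_request):
        ak = self._auth_key(cert_id)
        request = unseal(ak, ct_request)                        # S206: ciphertext request -> plaintext
        result = self.verifier.confirm(request)                 # S207
        sk = os.urandom(32)                                     # S208: session key generated on this side
        self.sessions[cert_id] = sk
        return seal(ak, sk), seal(sk, result)                   # key under auth key, result under session key

    def read_card(self, cert_id, first_packet):
        sk = self.sessions[cert_id]
        original_ct = unseal(sk, first_packet)                  # S210
        plain = self.verifier.decrypt_card(original_ct)         # S211
        return seal(sk, plain)                                  # S212: second data packet


class Terminal:
    def __init__(self, cert_id, auth_key):
        self.cert_id, self.auth_key = cert_id, auth_key

    def read_id_card(self, dispatch, modules, card_ciphertext):
        port = dispatch.request_access(self.cert_id)            # S201-S204
        if port is None:
            return None
        module = modules[port]
        enc_sk, enc_result = module.seek_card(self.cert_id, seal(self.auth_key, b"SEEK"))  # S205
        sk = unseal(self.auth_key, enc_sk)                      # recover the session key first,
        if unseal(sk, enc_result) != b"ACK:SEEK":               # then the confirmation result
            return None
        second = module.read_card(self.cert_id, seal(sk, card_ciphertext))  # S209-S212
        return unseal(sk, second)                               # S213


def run(blacklisted=False):
    """Constructed end-to-end run; returns the plaintext the terminal obtains, or None if refused."""
    protection_key, card_key, auth_key = os.urandom(32), os.urandom(32), os.urandom(32)
    db = AuthDatabase(protection_key, {"T-1": auth_key})
    dispatch = DispatchServer([7001, 7002], db)
    modules = {p: AuthModule(dispatch, VerifyModule(card_key), protection_key) for p in (7001, 7002)}
    if blacklisted:
        dispatch.blacklist.add("T-1")
    card_data = b"NAME=EXAMPLE;ID=000000000000000000"          # constructed card content
    return Terminal("T-1", auth_key).read_id_card(dispatch, modules, seal(card_key, card_data))
```

Two points the prose leaves implicit are visible here: the plain authentication key never leaves the authentication security control module (the dispatch server only ever relays the wrapped form), and the verification module alone holds the card key, so the authentication module forwards the original card ciphertext without being able to read it.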
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610041107.XA CN105991647B (en) | 2016-01-21 | 2016-01-21 | A kind of method of data transmission |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105991647A CN105991647A (en) | 2016-10-05 |
CN105991647B true CN105991647B (en) | 2019-06-28 |
Family ID: 57039910
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20220413. Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094; Patentee after: TENDYRON Corp. Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing; Patentee before: Li Ming |