CN111031075B - Network service security access method, terminal, system and readable storage medium - Google Patents


Info

Publication number: CN111031075B
Authority: CN (China)
Prior art keywords: identity information, communication data, network communication, address, server
Legal status: Active
Application number: CN202010137394.0A
Other languages: Chinese (zh)
Other versions: CN111031075A (en)
Inventor: not disclosed
Current assignee: Wangyu Safety Technology Shenzhen Co ltd
Original assignee: Wangyu Safety Technology Shenzhen Co ltd
Events: application filed by Wangyu Safety Technology Shenzhen Co ltd; priority to CN202010137394.0A; publication of CN111031075A; application granted; publication of CN111031075B; status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L 63/0414 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention relates to the technical field of information security, in particular to a network service security access method, a terminal, a system and a readable storage medium based on a local area network. The network service security access method comprises the following steps: on the local area network, if a processing event of network communication data is monitored, execution of the processing event is suspended and the identity information of the processing terminal corresponding to the processing event is parsed from the MAC frame of the network communication data; if the processing terminal is determined, according to the identity information, to be a preset terminal permitted to access the specific network service, a shared key of the processing terminal is acquired; and randomized new identity information is calculated from the shared key and the identity information according to a preset calculation method, the identity information is replaced with the new identity information, and the network communication data processing event continues to execute with the network communication data carrying the new identity information. In this way the specific network service, which would otherwise be exposed, is hidden from all users other than the preset visitors of that service, so that the specific network service is accessed securely.

Description

Network service security access method, terminal, system and readable storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a network service security access method, a terminal, a system and a computer readable storage medium based on a local area network.
Background
In a local area network with high security requirements or special application scenarios, certain network nodes, or a part of the network nodes, provide specific network services to other nodes that meet the requirements. For example, in an enterprise, only one computer in the local area network of a certain department opens a data download service, and only computers in the network with download authority can access that service; for another example, in the internal network of some industrial production areas, only one egress computer has the right to access the networks of other areas, and it needs to collect the various monitoring data of the production environment in this area and transmit them to the other areas.
At present, in network communication schemes for application scenarios like the above, communication is generally protected by cryptographic means: the devices of both communicating parties are authenticated and the communication data is encrypted. However, because the specific network service is open, in an enterprise or home intranet (i.e. a local area network) some computers must act as servers providing that service, and a computer providing a network service must expose its own IP address and service port in the local area network. In other words, opening the network service forces the server to expose its IP address and port number, which creates a security risk: the server becomes an easy target for network attacks and offers attackers a convenient entry point. To address this problem, the prior art contains several corresponding improvements, specifically the following:
Patent application No. 201710211600.6, "Identity authentication method, system, server and terminal", mainly discloses an identity authentication method in which, during authentication, a terminal authenticates the other party by comparing its version number, thereby improving authentication efficiency.
Patent application No. 201910016548.8, "Network communication method, server, client and system", mainly discloses a method by which a server performs trusted authentication of a client that uploads working data, thereby ensuring the reliability of the working data the server receives from the client.
Patent application No. 201610503974.0, "Multi-combination dynamic encryption communication authentication method and system", provides an encryption mode that combines dynamic random numbers with multi-bit passwords to ensure the security and reliability of communication.
The above patents mainly aim to solve problems of efficiency and reliability in authentication methods; they cannot solve the problem that a specific network server in an intranet can easily become an attack target for other intranet users, and they do not reduce the risk of that server being attacked.
Patent application No. 201610062939.X, "System and method for network security defense based on dynamic transformation", dynamically transforms the IP address information of the network terminals in the intranet, so that an attacker cannot obtain the topology of the intranet or accurately obtain the real information of its network terminals, thereby effectively defending against attacks on the intranet.
The method of that patent prevents attackers from acquiring network terminal information by changing the topology of the whole intranet at intervals. However, the change is not made in real time: the network structure remains unchanged during each window period. Moreover, the transformation is limited to changing the terminals' IP addresses; the service port number cannot be changed, which means that well-known network services can still be detected. A malicious end user inside the network therefore still has the opportunity to complete an attack within a window period. On the other hand, a scheme that changes the whole network topology is complex and affects both the stability of the network and the efficiency of network services. Furthermore, as the third beneficial effect described in that patent acknowledges, access to the specific network service provided by a specific terminal still tends to use a static IP address in order to improve access efficiency, so the network service provider is not truly hidden and protected.
Therefore, how to reduce the risk that a server providing a specific network service becomes a target object of network attack in a local area network is still a problem to be solved by those skilled in the art.
Disclosure of Invention
Embodiments of the invention aim to provide a network service security access method, terminal, system and computer readable storage medium based on a local area network, which hide the specific network services that would otherwise be exposed from all users other than the preset visitors of those services, thereby achieving secure access to the specific network services without affecting normal network communication and reducing the risk that a server providing a specific network service is attacked.
In order to solve the technical problems, the invention adopts the following technical scheme:
in a first aspect, a method for secure access to a network service based on a local area network is provided, which includes:
monitoring a processing event of network communication data on a local area network; when the processing event is monitored, suspending execution of the processing event, acquiring the MAC frame of the network communication data corresponding to the processing event, and parsing the identity information of the processing terminal corresponding to the processing event from the MAC frame; the processing event comprises a network communication data sending event or a network communication data receiving event, the processing terminal comprises a sending terminal and a receiving terminal, and the identity information comprises an IP address and a port number;
if the processing terminal is determined, according to the identity information, to be a preset terminal permitted to access the specific network service, acquiring the shared key for accessing the specific network service that the processing terminal pre-established according to a preset shared key method;
and calculating randomized new identity information corresponding to the identity information from the shared key and the identity information according to a preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information while the network communication data processing event continues to execute.
Preferably, the network service secure access method is applied to a client, and includes:
monitoring a network communication data sending event on a local area network; when the sending event is monitored, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the sending event, and parsing the identity information of the client and of the receiving terminal corresponding to the sending event from the MAC frame; wherein the identity information comprises an IP address and a port number;
judging whether the parsed IP address of the receiving terminal matches the IP address of a preset server; if so, judging whether the parsed port number of the receiving terminal matches the port number of the preset server; and if so, acquiring the shared key for accessing the specific network service that was pre-established between the client and the preset server according to a preset shared key method;
calculating randomized new identity information of the client and of the receiving terminal, corresponding to their identity information, from the shared key, the identity information of the client and the identity information of the receiving terminal according to a preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information of the client and the receiving terminal while the sending event continues to execute;
or:
monitoring a network communication data receiving event on a local area network; when the receiving event is monitored, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the receiving event, and parsing the identity information of the client and of the sending terminal corresponding to the receiving event from the MAC frame; wherein the identity information comprises an IP address and a port number;
judging whether the parsed IP address of the client (as carried in the frame) matches the client's own IP address; if not, acquiring the shared key for accessing the specific network service that was pre-established between the client and a preset server according to a preset shared key method;
calculating randomized new identity information of the client and of the sending terminal, corresponding to their identity information, from the shared key, the identity information of the client and the identity information of the sending terminal according to a preset calculation method; and if the IP address in the new identity information of the sending terminal matches the IP address of the preset server and the IP address in the new identity information of the client matches the client's own IP address, replacing the identity information with the new identity information so that the network communication data carries the new identity information of the client and the sending terminal while the receiving event continues to execute.
Preferably, after judging whether the parsed IP address of the receiving terminal matches the IP address of the preset server, the method further includes: if not, continuing to execute the network communication data sending event;
after judging whether the parsed port number of the receiving terminal matches the port number of the preset server, the method further includes:
if not, judging the situation abnormal, not executing the sending event, and reporting it to the network administrator;
if so, querying, according to the parsed IP address and port number of the client, whether the corresponding process is allowed to access the specific network service; if it is, acquiring the shared key for accessing the specific network service that was pre-established between the client and the preset server according to a preset shared key method; if it is not, not executing the sending event and reporting it to the network administrator;
after judging whether the parsed IP address of the client matches the client's own IP address, the method further includes: if so, continuing to execute the network communication data receiving event;
after calculating the randomized new identity information of the client and of the sending terminal according to the preset calculation method, the method further includes:
if the IP address in the new identity information of the sending terminal does not match the IP address of the preset server while the IP address in the new identity information of the client matches the client's own IP address, judging the situation abnormal, not executing the receiving event, and reporting it to the network administrator;
if the IP address in the new identity information of the sending terminal matches the IP address of the preset server while the IP address in the new identity information of the client does not match the client's own IP address, judging the situation abnormal, not executing the receiving event, and reporting it to the network administrator;
and if the IP address in the new identity information of the sending terminal does not match the IP address of the preset server and the IP address in the new identity information of the client does not match the client's own IP address, judging the situation abnormal, not executing the receiving event, and reporting it to the network administrator.
Preferably, the network service secure access method is applied to a server, and includes:
monitoring a network communication data sending event on a local area network; when the sending event is monitored, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the sending event, and parsing the identity information of the server and of the receiving terminal corresponding to the sending event from the MAC frame; wherein the identity information comprises an IP address and a port number;
judging whether the parsed IP address of the receiving terminal matches the IP address of a terminal in a preset legal terminal group; if so, acquiring the shared key for accessing the specific network service that was pre-established between the server and that terminal according to a preset shared key method;
calculating randomized new identity information of the server and of the receiving terminal, corresponding to their identity information, from the shared key, the identity information of the server and the identity information of the receiving terminal according to a preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information of the server and the receiving terminal while the sending event continues to execute;
or:
monitoring a network communication data receiving event on a local area network; when the receiving event is monitored, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the receiving event, and parsing the identity information of the server and of the sending terminal corresponding to the receiving event from the MAC frame; wherein the identity information comprises an IP address and a port number;
judging whether the parsed IP address of the server (as carried in the frame) matches the server's own IP address; if not, acquiring the shared key for accessing the specific network service that was pre-established between the server and a terminal in the preset legal terminal group according to a preset shared key method;
calculating randomized new identity information of the server and of the sending terminal, corresponding to their identity information, from the shared key, the identity information of the server and the identity information of the sending terminal according to a preset calculation method; and if the IP address in the new identity information of the sending terminal matches the IP address of that terminal, the IP address in the new identity information of the server matches the server's own IP address, and the port number in the new identity information of the server matches the server's own port number, replacing the identity information with the new identity information so that the network communication data carries the new identity information while the receiving event continues to execute.
Preferably, after judging whether the parsed IP address of the receiving terminal matches the IP address of a terminal in the preset legal terminal group, the method further includes:
if not, judging the situation abnormal, not executing the network communication data sending event, and reporting it to the network administrator;
if so, judging whether the parsed port number of the receiving terminal matches the port number of that terminal; if not, judging the situation abnormal, not executing the sending event, and reporting it to the network administrator; if so, querying, according to the parsed IP address and port number of the receiving terminal, whether the corresponding process is allowed to access the specific network service; if it is, acquiring the shared key for accessing the specific network service that was pre-established between the server and that terminal according to a preset shared key method; if it is not, not executing the sending event and reporting it to the network administrator;
after judging whether the parsed IP address of the server matches the server's own IP address, the method further includes: if so, continuing to execute the network communication data receiving event;
after calculating the randomized new identity information of the server and of the sending terminal according to the preset calculation method, the method further includes:
if the IP address in the new identity information of the server matches the server's own IP address and the port number in the new identity information of the server matches the server's own port number, but the IP address in the new identity information of the sending terminal does not match the IP address of that terminal, matching the IP address in the new identity information of the sending terminal against the IP addresses of the other terminals in the preset legal terminal group one by one;
if the IP address in the new identity information of the sending terminal matches the IP address of one of the other terminals, replacing the identity information with the new identity information so that the network communication data carries the new identity information while the receiving event continues to execute;
and if the IP address in the new identity information of the sending terminal matches none of the IP addresses of the terminals in the preset legal terminal group, judging the situation abnormal, not executing the receiving event, and reporting it to the network administrator.
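The client and server send/receive paths above, as an added Python model that is not part of the patent: the page does not define the "preset calculation method" or the "preset shared key method", so the model assumes a keyed XOR mask derived from HMAC-SHA256 over the shared key, and assumes the server matches a masked sender "one by one" by trying each legal terminal's key; all identities, keys and process names are constructed sample values.

```python
# Added example, not from the patent: a model of the identity-masking flow in
# CN111031075B. The page does not specify the "preset calculation method" or the
# "preset shared key method"; here the method is ASSUMED to be an XOR of the
# IPv4 address and port with a keyed mask from HMAC-SHA256 over the shared key.
# XOR is self-inverse, so the receiver recovers the real identity by applying
# the same method, which is exactly the check the patent's receive paths make.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """The patent's 'identity information': an IP address and a port number."""
    ip: str
    port: int

# (action, sender, receiver): "forward" continues the suspended event with these
# identities, "drop_report" abandons it and reports to the network administrator.
Decision = Tuple[str, Identity, Identity]

def transform_identity(shared_key: bytes, ident: Identity) -> Identity:
    """ASSUMED preset calculation method: keyed XOR mask over IP and port (a real
    deployment must also avoid reserved addresses and port 0; omitted here)."""
    mask = hmac.new(shared_key, b"identity-mask", hashlib.sha256).digest()
    ip_int = int(ipaddress.IPv4Address(ident.ip)) ^ int.from_bytes(mask[:4], "big")
    port = ident.port ^ int.from_bytes(mask[4:6], "big")
    return Identity(str(ipaddress.IPv4Address(ip_int)), port)

def client_send(shared_key: bytes, preset_server: Identity, allowed: Set[str],
                process: str, client: Identity, receiver: Identity) -> Decision:
    """Client send path: mask only traffic destined for the preset server."""
    if receiver.ip != preset_server.ip:
        return ("forward", client, receiver)       # ordinary traffic: untouched
    if receiver.port != preset_server.port:
        return ("drop_report", client, receiver)   # server IP, wrong port: abnormal
    if process not in allowed:
        return ("drop_report", client, receiver)   # process not permitted
    return ("forward", transform_identity(shared_key, client),
            transform_identity(shared_key, receiver))

def client_receive(shared_key: bytes, preset_server: Identity, client: Identity,
                   sender: Identity, receiver: Identity) -> Decision:
    """Client receive path: a frame whose destination IP is not our own must
    unmask to (preset server -> us), otherwise it is abnormal."""
    if receiver.ip == client.ip:
        return ("forward", sender, receiver)       # plain traffic
    new_sender = transform_identity(shared_key, sender)
    new_receiver = transform_identity(shared_key, receiver)
    if new_sender.ip == preset_server.ip and new_receiver.ip == client.ip:
        return ("forward", new_sender, new_receiver)
    return ("drop_report", sender, receiver)

def server_send(keys: Dict[str, bytes], server: Identity,
                receiver: Identity) -> Decision:
    """Server send path; keys maps legal-group terminal IP -> shared key."""
    key = keys.get(receiver.ip)
    if key is None:
        return ("drop_report", server, receiver)   # not in the legal terminal group
    return ("forward", transform_identity(key, server),
            transform_identity(key, receiver))

def server_receive(keys: Dict[str, bytes], server: Identity,
                   sender: Identity, receiver: Identity) -> Decision:
    """Server receive path. The page matches the unmasked sender against the
    legal group 'one by one'; ASSUMED here to mean trying each terminal's key."""
    if receiver.ip == server.ip:
        return ("forward", sender, receiver)       # plain traffic
    for terminal_ip, key in keys.items():
        new_sender = transform_identity(key, sender)
        new_receiver = transform_identity(key, receiver)
        if (new_receiver.ip == server.ip and new_receiver.port == server.port
                and new_sender.ip == terminal_ip):
            return ("forward", new_sender, new_receiver)
    return ("drop_report", sender, receiver)

# Constructed sample data (not from the patent).
SERVER = Identity("192.168.1.10", 8443)
CLIENT = Identity("192.168.1.20", 51000)
KEYS = {"192.168.1.20": b"constructed-key-for-terminal-20",
        "192.168.1.21": b"constructed-key-for-terminal-21"}
ALLOWED_PROCESSES = {"downloader"}

def round_trip() -> bool:
    """A request and its reply survive masking, and the server is hidden on the wire."""
    act1, wire_src, wire_dst = client_send(
        KEYS[CLIENT.ip], SERVER, ALLOWED_PROCESSES, "downloader", CLIENT, SERVER)
    act2, seen_src, seen_dst = server_receive(KEYS, SERVER, wire_src, wire_dst)
    act3, reply_src, reply_dst = server_send(KEYS, SERVER, seen_src)
    act4, got_src, got_dst = client_receive(
        KEYS[CLIENT.ip], SERVER, CLIENT, reply_src, reply_dst)
    return (act1 == act2 == act3 == act4 == "forward"
            and (seen_src, seen_dst) == (CLIENT, SERVER)
            and (got_src, got_dst) == (SERVER, CLIENT)
            and wire_dst != SERVER)
```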
In a second aspect, a network service security access terminal based on a local area network is provided, which includes:
the network interface unit is used for monitoring a processing event of network communication data on a local area network, suspending execution of the processing event and acquiring the MAC frame of the network communication data corresponding to the processing event when the processing event is monitored, and parsing the identity information of the processing terminal corresponding to the processing event from the MAC frame; the processing event comprises a network communication data sending event or a network communication data receiving event, the processing terminal comprises a sending terminal and a receiving terminal, and the identity information comprises an IP address and a port number;
the secret sharing unit is used for acquiring a shared key which is pre-established by the processing terminal according to a preset shared key method and is used for accessing the specific network service if the processing terminal is determined to be a preset terminal capable of accessing the specific network service according to the identity information;
and the security calculation unit is used for calculating randomized new identity information corresponding to the identity information according to the shared key and the identity information and a preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information to continuously execute the network communication data processing event.
Preferably, the network service security access terminal is a client, and the client comprises a client network interface unit, a client secret sharing unit and a client security computing unit;
the client network interface unit is used for monitoring a network communication data sending event on a local area network; when the sending event is monitored, suspending its execution, acquiring the MAC (media access control) frame of the network communication data corresponding to the sending event, and parsing the identity information of the client and of the receiving terminal corresponding to the sending event from the MAC frame; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is used for judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of a preset server or not, judging whether the analyzed port number of the receiving terminal is consistent with the port number of the preset server or not if the analyzed IP address of the receiving terminal is consistent with the IP address of the preset server, and acquiring a shared key which is pre-established between the client and the preset server according to a preset shared key method and is used for accessing the specific network service if the analyzed port number of the receiving terminal is consistent with the port number of;
the client security calculation unit is configured to calculate randomized new identity information of the client and of the receiving terminal, corresponding to their identity information, from the shared key, the identity information of the client and the identity information of the receiving terminal according to a preset calculation method, and to replace the identity information with the new identity information so that the network communication data carries the new identity information of the client and the receiving terminal while the sending event continues to execute;
or:
the client network interface unit is further configured to monitor a network communication data receiving event on a local area network and, when the receiving event is monitored, to suspend its execution, acquire the MAC frame of the network communication data corresponding to the receiving event, and parse the identity information of the client and of the sending terminal corresponding to the receiving event from the MAC frame; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is further configured to judge whether the parsed IP address of the client matches the client's own IP address and, if not, to acquire the shared key for accessing the specific network service that was pre-established between the client and a preset server according to a preset shared key method;
the client security calculation unit is further configured to calculate randomized new identity information of the client and of the sending terminal, corresponding to their identity information, from the shared key, the identity information of the client and the identity information of the sending terminal according to a preset calculation method; and, if the IP address in the new identity information of the sending terminal matches the IP address of the preset server and the IP address in the new identity information of the client matches the client's own IP address, to replace the identity information with the new identity information so that the network communication data carries the new identity information of the client and the sending terminal while the receiving event continues to execute.
Preferably, the network service security access terminal is a server, and the server comprises a server network interface unit, a server secret sharing unit and a server security computing unit;
the server network interface unit is used for monitoring a network communication data sending event based on a local area network, when the network communication data sending event is monitored, stopping executing the network communication data sending event and acquiring an MAC (media access control) frame of network communication data corresponding to the network communication data sending event, and analyzing the identity information of a server and a receiving terminal corresponding to the network communication data sending event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is used for judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of a terminal in a preset legal terminal group or not, and if so, acquiring a shared key which is pre-established between the server and the terminal according to a preset shared key method and is used for accessing a specific network service;
the server security calculation unit is configured to calculate, according to a preset calculation method, from the shared key, the identity information of the server and the identity information of the receiving terminal, randomized new identity information of the server and the receiving terminal corresponding to the identity information, and to replace the identity information with the new identity information so that the network communication data carries the new identity information of the server and the receiving terminal and the network communication data sending event continues to be executed;
or;
the server network interface unit is further configured to monitor a received network communication data event based on a local area network, and when the received network communication data event is monitored, suspend execution of the received network communication data event and acquire an MAC frame of network communication data corresponding to the received network communication data event, and analyze identity information of a server and a sending terminal corresponding to the received network communication data event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is further used for judging whether the analyzed IP address of the server is consistent with the IP address of the server, if not, a shared key which is pre-established between the server and a terminal in a preset legal terminal group according to a preset shared key method and is used for accessing the specific network service is obtained;
the server security calculation unit is further configured to calculate, according to a preset calculation method, from the shared key, the identity information of the server and the identity information of the sending terminal, randomized new identity information of the server and the sending terminal corresponding to the identity information; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of the terminal, the IP address in the new identity information of the server is consistent with the IP address of the server, and the port number in the new identity information of the server is consistent with the port number of the server, replace the identity information with the new identity information so that the network communication data carrying the new identity information continues to execute the network communication data receiving event.
In a third aspect, a network service security access system based on a local area network is provided, which comprises a client and a server, wherein the client comprises a client network interface unit, a client secret sharing unit and a client security computing unit; the server comprises a server network interface unit, a server secret sharing unit and a server safety computing unit;
the client network interface unit is used for monitoring a network communication data sending event based on a local area network, when the network communication data sending event is monitored, stopping executing the network communication data sending event and acquiring an MAC (media access control) frame of network communication data corresponding to the network communication data sending event, and analyzing identity information of a client and a receiving terminal corresponding to the network communication data sending event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is used for judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of a preset server, and if so, judging whether the analyzed port number of the receiving terminal is consistent with the port number of the preset server, and if so, acquiring a shared key which is pre-established between the client and the preset server according to a preset shared key method and is used for accessing the specific network service;
the client security calculation unit is configured to calculate, according to a preset calculation method, from the shared key, the identity information of the client and the identity information of the receiving terminal, randomized new identity information of the client and the receiving terminal corresponding to the identity information, and to replace the identity information with the new identity information so that the network communication data carries the new identity information of the client and the receiving terminal and the network communication data sending event continues to be executed;
the server network interface unit is used for monitoring a received network communication data event based on a local area network, suspending execution of the received network communication data event and acquiring an MAC frame of network communication data corresponding to the received network communication data event when the received network communication data event is monitored, and analyzing identity information of a server and a sending terminal corresponding to the received network communication data event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is used for judging whether the analyzed IP address of the server is consistent with the IP address of the server, if not, acquiring a shared key which is pre-established between the server and a terminal in a preset legal terminal group according to a preset shared key method and is used for accessing the specific network service;
the server security calculation unit is used for calculating new randomized identity information of the server and the sending terminal corresponding to the identity information according to a preset calculation method and the shared key, the identity information of the server and the identity information of the sending terminal; if the IP address of the new identity information of the sending terminal is consistent with the IP address of the terminal, the IP address of the new identity information of the server is consistent with the IP address of the server, and the port number of the new identity information of the server is consistent with the port number of the server, replacing the identity information with the new identity information so that the network communication data carrying the new identity information continues to execute the network communication data receiving event;
or;
the server network interface unit is further configured to monitor a transmitted network communication data event based on a local area network, and when the transmitted network communication data event is monitored, suspend execution of the transmitted network communication data event and acquire an MAC frame of network communication data corresponding to the transmitted network communication data event, and analyze identity information of a server and a receiving terminal corresponding to the transmitted network communication data event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is further configured to determine whether the analyzed IP address of the receiving terminal is consistent with an IP address of a terminal in a preset legal terminal group, and if so, obtain a shared key, which is pre-established between the server and the terminal according to a preset shared key method, for accessing a specific network service;
the server security calculation unit is further configured to calculate, according to a preset calculation method, from the shared key, the identity information of the server and the identity information of the receiving terminal, randomized new identity information of the server and the receiving terminal corresponding to the identity information, and to replace the identity information with the new identity information so that the network communication data carries the new identity information of the server and the receiving terminal and the network communication data sending event continues to be executed;
the client network interface unit is further configured to monitor a received network communication data event based on a local area network, and when the received network communication data event is monitored, suspend execution of the received network communication data event and acquire an MAC frame of network communication data corresponding to the received network communication data event, and analyze identity information of a client and a sending terminal corresponding to the received network communication data event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is further configured to determine whether the analyzed IP address of the client is consistent with the IP address of the client itself, and if not, obtain a shared key for accessing a specific network service, which is pre-established between the client and a preset server according to a preset shared key method;
the client security calculation unit is further configured to calculate, according to a preset calculation method, from the shared key, the identity information of the client and the identity information of the sending terminal, randomized new identity information of the client and the sending terminal corresponding to the identity information; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of a preset server and the IP address in the new identity information of the client is consistent with the IP address of the client, replace the identity information with the new identity information so that the network communication data carries the new identity information of the client and the sending terminal and the network communication data receiving event continues to be executed.
In a fourth aspect, a computer-readable storage medium is provided, which stores a computer program, which when executed by a processor implements the steps of the local area network-based network service security access method according to the first aspect.
The invention has the following beneficial effects. A network service security access method, a network service security access terminal, a network service security access system and a computer readable storage medium based on a local area network are provided, the network service security access method comprising: monitoring a processing event of network communication data based on a local area network, and when the processing event is monitored, suspending execution of the processing event, acquiring the MAC frame of the network communication data corresponding to the processing event, and analyzing the identity information of the processing terminal corresponding to the processing event according to the MAC frame; the processing event comprises a network communication data sending event or a network communication data receiving event, the processing terminal comprises a sending terminal and a receiving terminal, and the identity information comprises an IP address and a port number; if the processing terminal is determined from the identity information to be a preset terminal allowed to access the specific network service, acquiring a shared key which the processing terminal has pre-established according to a preset shared key method for accessing the specific network service; and calculating, according to a preset calculation method, from the shared key and the identity information, randomized new identity information corresponding to the identity information, and replacing the identity information with the new identity information so that the network communication data carries the new identity information and the network communication data processing event continues to be executed.
The network service security access method, terminal, system and computer readable storage medium based on the local area network divide the clients that access the specific network service, logically isolating the clients authorized to access it from those not authorized, and preset the authorized clients as the preset visitors of the specific network service. In addition, the real IP address and port number of the server providing the specific network service are hidden in the local area network by computing randomized new identity information with the preset calculation method and substituting it for the original identity information. This hides the specific network service, which would otherwise be open, from all users other than the preset visitors, so that only the designated, authenticated network nodes can use the specific network service; the specific network service is thereby accessed securely, normal network communication is not affected, and the risk of attacks on the server providing the specific network service is reduced.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
Fig. 1 is a flowchart of a method for secure access to a network service based on a local area network according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method for secure access to a network service based on a local area network according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a method for secure access to a network service based on a local area network according to a third embodiment of the present invention;
Fig. 4 is a flowchart of a method for secure access to a network service based on a local area network according to a fourth embodiment of the present invention;
Fig. 5 is a flowchart of a method for secure access to a network service based on a local area network according to a fifth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a network service security access terminal based on a local area network according to a sixth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a network service security access terminal based on a local area network according to a seventh embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a network service security access terminal based on a local area network according to an eighth embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a network service security access system based on a local area network according to a ninth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
Please refer to fig. 1, which is a flowchart illustrating a method for secure access to a network service based on a local area network according to a first embodiment of the present invention.
The network service security access method based on the local area network comprises the following steps:
step S101: monitoring a processing event of network communication data based on a local area network, when the processing event is monitored, suspending execution of the processing event and acquiring an MAC frame of the network communication data corresponding to the processing event, and analyzing identity information of a processing terminal corresponding to the processing event according to the MAC frame.
The processing event comprises a network communication data sending event or a network communication data receiving event, the processing terminal comprises a sending terminal and a receiving terminal, and the identity information comprises an IP address and a port number.
Step S102: and if the processing terminal is determined to be a preset terminal capable of accessing the specific network service according to the identity information, acquiring a shared key which is pre-established by the processing terminal according to a preset shared key method and is used for accessing the specific network service.
The preset terminals allowed to access the specific network service are established as follows: the client computers in the local area network other than the server S that provides the specific network service are divided into a group A that can access the specific network service, which may comprise n client computers (a1, a2, …, an), where only some of the processes on each client computer are allowed to access the network service, and a group B that cannot access the specific network service, which may comprise m client computers (b1, b2, …, bm). When the server S provides the specific network service, the IP address IPs of the server S and the port number Ps on which the specific network service is opened are disclosed to group A.
The shared key for accessing the specific network service is pre-established according to the preset shared key method as follows: before network communication takes place, the server S shares secret information, i.e. the keys ksa1, ksa2, …, ksan, with the respective client computers in group A. It should be noted that the sharing of secret information can generally be carried out by relying on a commonly used PKI architecture; alternatively, long secret information can be stored in advance in the storage area of each device in a simple sharing manner. The specific secret-sharing method is not limited, but it must be ensured that the server S and a client computer an have generated the shared secret information ksan before network communication takes place.
Step S103: calculating, according to a preset calculation method, from the shared key and the identity information, randomized new identity information corresponding to the identity information, and replacing the identity information with the new identity information so that the network communication data carries the new identity information and the network communication data processing event continues to be executed.
The network service security access method based on the local area network of this embodiment rests on the idea of combining authentication technology from cryptography with moving target defense means to protect access to the specific network service. The purpose of using authentication technology in the method is to carry out the grouping (the group that can access the specific network service and the group that cannot) by means of authentication, and to establish a shared key between the client computers and the server in the group that can access the specific network service; no special requirement is placed on how advanced the authentication technology is, as long as key sharing can be achieved.
This method differs from the background patent application No. 201610062939.X in that it does not aim to change the network topology, but only to protect a specific service in the network. In the scheme of this method, no change is made to the network communication process while the network terminals are not accessing the specific network service; only when the specific network service is accessed is the key information shared with the network server simply used to randomize the IP address and port number of the network terminal and the IP address and port number of the server. Thus, apart from the service provider and the visitors sharing the key information, no other network terminal user can recover the IP address and port number of the network service provider, so the address and port of the specific network service are hidden and protected at a cost much lower than that of the proposal in that patent. The core idea of the method is therefore to hide a specific network service, which would otherwise be open, from all users other than the visitors of that service by combining authentication technology with moving target defense technology, thereby achieving secure access to the specific network service.
Compared with the prior art, the network service security access method based on the local area network of this embodiment divides the clients that access the specific network service, logically isolating the clients authorized to access it from those not authorized, and presets the authorized clients as the preset visitors of the specific network service. In addition, it hides the real IP address and port number of the server providing the specific network service in the local area network by computing randomized new identity information with the preset calculation method and substituting it for the original identity information. This hides the specific network service, which would otherwise be open, from all users other than the preset visitors, ensures that only the designated, authenticated network nodes can use the specific network service, and thereby achieves secure access to the specific network service without affecting normal network communication and while reducing the risk of attacks on the server that provides the specific network service.
Please refer to fig. 2, which is a flowchart illustrating a method for secure access to a network service based on a local area network according to a second embodiment of the present invention. The second embodiment of the present invention is based on the first embodiment, and defines an application terminal of a network service security access method based on a local area network as a client, and defines an application scenario of a network service security access method based on a local area network as a network communication data transmission event of the client, and further describes each determination process.
The network service security access method based on the local area network comprises the following steps:
step S201: monitoring a network communication data sending event based on a local area network, when the network communication data sending event is monitored, suspending execution of the network communication data sending event and acquiring an MAC frame of network communication data corresponding to the network communication data sending event, and analyzing identity information of a client and a receiving terminal corresponding to the network communication data sending event according to the MAC frame.
Wherein the identity information comprises an IP address and a port number.
Specifically, when the client computer an is used as a sender to generate network communication data, before the network card sends the generated MAC frame to the local area network, the source IP address sIPan, the source port number sPan, the destination IP address dIPan, and the destination port number dPan included in the MAC frame are extracted.
Step S202: and judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of a preset server or not, if so, judging whether the analyzed port number of the receiving terminal is consistent with the port number of the preset server or not, and if so, acquiring a shared key which is pre-established between the client and the preset server according to a preset shared key method and is used for accessing the specific network service.
After judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of the preset server or not, the method also comprises the step of continuing to execute the network communication data sending event if the analyzed IP address of the receiving terminal is not consistent with the IP address of the preset server.
Wherein, after judging whether the analyzed port number of the receiving terminal is consistent with the port number of the preset server, the method further comprises:
if not, judging the situation as abnormal, not executing the network communication data sending event and reporting to the network management;
if yes, inquiring whether the corresponding process is allowed to access the specific network service according to the analyzed IP address and the port number of the client, if yes, acquiring a shared key which is pre-established between the client and a preset server according to a preset shared key method and is used for accessing the specific network service, and if not, not executing the network communication data sending event and reporting the network communication data sending event to a network manager;
Specifically, the following checks are performed on the extracted information: if the destination IP address dIPan and destination port number dPan in the MAC frame differ from the preset IP address IPs and service port number Ps of the server S, the data packet is delivered to the network directly without any processing; if the destination IP address dIPan and destination port number dPan in the network data packet are consistent with the preset IP address IPs and service port number Ps of the server S, the source IP address sIPan and source port number sPan in the network data packet are checked, and whether the corresponding process is allowed to access the network service is queried according to the source IP address sIPan and source port number sPan. If not, the situation is judged abnormal, the data packet is not sent to the server S, and the network management is notified. If so, the subsequent steps continue.
Step S203: calculating, according to a preset calculation method, from the shared key, the identity information of the client and the identity information of the receiving terminal, randomized new identity information of the client and the receiving terminal corresponding to the identity information, and replacing the identity information with the new identity information so that the network communication data carries the new identity information of the client and the receiving terminal and the network communication data sending event continues to be executed.
Specifically, the process of calculating, by the preset calculation method, the randomized new identity information of the client and the receiving terminal corresponding to the identity information is as follows: the client computer an generates a random bit string rsn based on the shared secret information ksan; according to the number q of bits that are 0 in the network mask, i.e. the length of the host number in the IP address, it selects two q-bit substrings from rsn and XORs them respectively with the host number part of sIPan and of the server address IPs (carried as dIPan), producing the host-number-transformed IP addresses IP'an and IP's; it then selects two 16-bit substrings from rsn and XORs them respectively with sPan and dPan, producing the transformed port numbers P'an and P's. The new identity information IP'an, P'an, IP's and P's replaces the source IP address sIPan, source port number sPan, destination IP address dIPan and destination port number dPan in the original MAC frame respectively, and the new MAC frame with the partially replaced data is sent to the network.
It should be noted that generating the new identity information IP'an, P'an, IP's and P's by XOR with a random bit string is only one way of randomizing the IP addresses and port numbers of the identity information; the IP addresses and port numbers may also be randomized in other ways.
Compared with the prior art, the network service security access method based on the local area network of this embodiment limits the application terminal to the client and the application scenario to the client's network communication data sending event, explains the preset calculation method in detail, and is widely applicable.
Please refer to fig. 3, which is a flowchart illustrating a method for secure access to a network service based on a local area network according to a third embodiment of the present invention. The third embodiment of the present invention is based on the first embodiment, defines the application terminal of the network service security access method based on the local area network as a client, defines the application scenario as a network communication data receiving event of the client, and further describes each determination process.
The network service security access method based on the local area network comprises the following steps:
step S301: monitoring a received network communication data event based on a local area network, when the received network communication data event is monitored, suspending execution of the received network communication data event and acquiring an MAC frame of network communication data corresponding to the received network communication data event, and analyzing identity information of a client and a sending terminal corresponding to the received network communication data event according to the MAC frame.
Wherein the identity information comprises an IP address and a port number.
Step S302: judging whether the analyzed IP address of the client is consistent with the IP address of the client itself, and if not, acquiring a shared key which is pre-established between the client and a preset server according to a preset shared key method and is used for accessing the specific network service.
Wherein, after judging whether the analyzed IP address of the client is consistent with the IP address of the client, the method further comprises, if so, continuing to execute the received network communication data event.
Step S303: calculating, according to a preset calculation method, from the shared key, the identity information of the client and the identity information of the sending terminal, randomized new identity information of the client and the sending terminal corresponding to the identity information; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of a preset server and the IP address in the new identity information of the client is consistent with the IP address of the client, replacing the identity information with the new identity information so that the network communication data carries the new identity information of the client and the sending terminal and the network communication data receiving event continues to be executed.
After the new randomized identity information of the client and the sending terminal corresponding to the identity information is calculated according to a preset calculation method, the method further comprises the following steps:
if the IP address of the new identity information of the sending terminal is inconsistent with the IP address of a preset server and the IP address of the new identity information of the client is consistent with the IP address of the client, judging the situation as abnormal, and not executing the received network communication data event and reporting the received network communication data event to a network manager;
if the IP address of the new identity information of the sending terminal is consistent with the IP address of a preset server and the IP address of the new identity information of the client is inconsistent with the IP address of the client, judging the situation as abnormal, and not executing the received network communication data event and reporting the received network communication data event to a network manager;
and if the IP address of the new identity information of the sending terminal is inconsistent with the IP address of a preset server and the IP address of the new identity information of the client is inconsistent with the IP address of the client, judging the situation as an abnormal situation, and not executing the network communication data receiving event and reporting the received network communication data event to a network manager.
When the client computer a_n acts as a receiver of network communication data, the preset calculation method is used: a random bit string rsn is generated based on the shared secret information ksan, two q-bit substrings and two 16-bit substrings are selected by the same method, and each is XORed respectively with the source IP address sIPs, the source port number sPs, the destination IP address dIPs and the destination port number dPs of the network data packet received by the client computer. If the source IP address, destination IP address and destination port number obtained after the operation are respectively consistent with the IP address IPs of the real server S, the IP address IPs of the server S and the service port number Ps, the data packet is indicated to be a network communication data packet sent by the server S, and it is received and processed according to the source IP address, destination IP address, source port number and destination port number obtained after the operation; if any item is inconsistent, the data packet of the original network communication data is processed normally.
Compared with the prior art, the network service security access method based on the local area network limits the application terminal as the client, limits the application scene as the received network communication data event of the client, and describes the received network communication data event in detail, so that the method is wide in adaptability.
Please refer to fig. 4, which is a flowchart illustrating a method for securely accessing a network service based on a local area network according to a fourth embodiment of the present invention. A fourth embodiment of the present invention is based on the first embodiment, and defines an application terminal of a network service security access method based on a local area network as a server, and defines an application scenario of a network service security access method based on a local area network as a network communication data transmission event of the server, and further description is made for each determination process.
The network service security access method based on the local area network comprises the following steps:
Step S401: monitoring a network communication data sending event based on a local area network, when the network communication data sending event is monitored, suspending execution of the network communication data sending event and acquiring an MAC frame of network communication data corresponding to the network communication data sending event, and analyzing identity information of a server and a receiving terminal corresponding to the network communication data sending event according to the MAC frame.
Wherein the identity information comprises an IP address and a port number.
Step S402: and judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of a terminal in a preset legal terminal group, if so, acquiring a shared key which is pre-established between the server and the terminal according to a preset shared key method and is used for accessing the specific network service.
Wherein, after judging whether the analyzed IP address of the receiving terminal is consistent with the IP address of a terminal in the preset legal terminal group, the method further comprises:
if not, judging as an abnormal condition, not executing the network communication data sending event and reporting to the network manager;
if yes, judging whether the analyzed port number of the receiving terminal is consistent with the port number of the terminal; if not, judging it an abnormal condition, not executing the network communication data sending event and reporting it to the network manager; if yes, inquiring, according to the analyzed IP address and port number of the receiving terminal, whether the corresponding process is allowed to access the specific network service; if yes, acquiring a shared key which is pre-established between the server and the terminal according to a preset shared key method and is used for accessing the specific network service, and if not, not executing the network communication data sending event and reporting it to the network manager.
Step S403: calculating new randomized identity information of the server and the receiving terminal corresponding to the identity information by a preset calculation method from the shared key, the identity information of the server and the identity information of the receiving terminal, and replacing the identity information with the new identity information so that the network communication data carries the new identity information of the server and the receiving terminal and the network communication data sending event continues to be executed.
When the server S generates network communication data as a sender, before the network card sends the generated MAC frame to the local area network, the server S extracts the source IP address sIPs, the source port number sPs, the destination IP address dIPs and the destination port number dPs contained in the MAC frame, and performs the following checks on the extracted information: if the computer corresponding to the destination IP address dIPs in the MAC frame is not contained in group A, the situation is judged abnormal, the data packet is not sent, and it is reported to the network manager; if the computer corresponding to dIPs is contained in group A, a query is made, based on the source port number sPs, as to whether the corresponding process is allowed to access the network. If not, the data packet is judged abnormal, not sent, and reported to the network manager. If so, the subsequent steps are continued.
Specifically, the process of calculating the randomized new identity information of the server and the receiving terminal corresponding to the identity information according to the preset calculation method is as follows: the server S generates a random bit string rsn based on the shared secret information ksan of the computer a_n corresponding to the destination IP address dIPs; according to the number q of bits that are 0 in the network mask, namely the length of the host number in the IP address, it selects two q-bit substrings from the random bit string rsn and XORs them respectively with the host-number part of sIPs and dIPs to produce the host-number-transformed IP addresses sIP's and dIP's; it then selects two 16-bit substrings from the random bit string rsn and XORs them respectively with sPs and dPs to produce the transformed port numbers sP's and dP's. The new identity information sIP's, sP's, dIP's and dP's replaces, respectively, the original identity information source IP address sIPs, source port number sPs, destination IP address dIPs and destination port number dPs in the original MAC frame, and the new MAC frame with these fields replaced is sent to the network.
Compared with the prior art, the network service security access method based on the local area network in the embodiment of the invention limits the application terminal as the server, limits the application scene as the network communication data sending event of the server, and describes the received network communication data event and the preset calculation method in detail, so that the adaptability is wide.
Please refer to fig. 5, which is a flowchart illustrating a method for secure access to a network service based on a local area network according to a fifth embodiment of the present invention. A fifth embodiment of the present invention is based on the first embodiment, and further describes each determination process by limiting the application terminal of the network service security access method based on the LAN to be the server, and limiting the application scenario of the network service security access method based on the LAN to be the received network communication data event of the server.
The network service security access method based on the local area network comprises the following steps:
Step S501: monitoring a received network communication data event based on a local area network, when the received network communication data event is monitored, suspending execution of the received network communication data event and acquiring an MAC frame of network communication data corresponding to the received network communication data event, and analyzing identity information of a server and a sending terminal corresponding to the received network communication data event according to the MAC frame.
Wherein the identity information comprises an IP address and a port number.
Step S502: judging whether the analyzed IP address of the server is consistent with the IP address of the server, if not, acquiring a shared key which is pre-established between the server and a terminal in a preset legal terminal group according to a preset shared key method and is used for accessing the specific network service.
After judging whether the analyzed IP address of the server is consistent with the IP address of the server, the method also comprises the step of continuing to execute the received network communication data event if the analyzed IP address of the server is consistent with the IP address of the server.
Step S503: calculating new randomized identity information of the server and the sending terminal corresponding to the identity information by a preset calculation method from the shared key, the identity information of the server and the identity information of the sending terminal; and if the IP address of the new identity information of the sending terminal is consistent with the IP address of the terminal, the IP address of the new identity information of the server is consistent with the IP address of the server, and the port number of the new identity information of the server is consistent with the port number of the server, replacing the identity information with the new identity information so that the network communication data carrying the new identity information continues to execute the network communication data receiving event.
After the new randomized identity information of the server and the sending terminal corresponding to the identity information is calculated according to a preset calculation method, the method further comprises the following steps:
if the IP address of the new identity information of the server is consistent with the IP address of the server, the port number of the new identity information of the server is consistent with the port number of the server, and the IP address of the new identity information of the sending terminal is inconsistent with the IP address of the terminal, matching the IP address of the new identity information of the sending terminal with the IP addresses of other terminals in the preset legal terminal group one by one;
if the IP address of the new identity information of the sending terminal is consistent with the IP address of one of the other terminals, replacing the identity information with the new identity information so that the network communication data carries the new identity information and the network communication data receiving event continues to be executed;
and if the IP address of the new identity information of the sending terminal is not consistent with the IP addresses of all terminals in the preset legal terminal group, judging the situation as abnormal, and not executing the network communication data receiving event and reporting the received network communication data event to the network manager.
When the server S receives network communication data, the preset calculation method is used: a random bit string rsn is generated based on the shared secret information ksan, two q-bit substrings and two 16-bit substrings are selected by the same method, and each is XORed respectively with the source IP address sIPan, the source port number sPan, the destination IP address dIPan and the destination port number dPan of the network data packet received by the server S. If the source IP address, destination IP address and destination port number obtained after the operation are respectively consistent with the IP address IPan of the real client computer a_n, the server S's own IP address IPs and the service port number Ps, the data packet is indicated to have been sent by the client computer a_n in group A, and it is received and processed according to the IP addresses and port numbers obtained after the operation; if any item is inconsistent, a random bit string is generated by the same method based on the shared secret information of the other client computers in group A, and whether the data packet is a normal data packet sent by one of those other client computers is checked by the same method; if so, it is received and processed normally. If all the checks are completed and an inconsistent item still remains, the situation is judged abnormal, the data packet of the network communication data is not received and processed, and it is reported to the network manager.
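As an added worked example (not code from the patent), the preset calculation method of the fourth and fifth embodiments in Python: the randomization that the server S applies before sending (S403), the client's send and receive checks (S303), and the server's receive check with its one-by-one fallback over the other members of group A (S503). It assumes that rsn is derived from ksan with HMAC-SHA256 in counter mode (the patent does not specify a generator), IPv4 addressing, and constructed sample addresses, ports and keys.

```python
# Added example (not the patent's own code). Assumptions: rsn is derived from the
# shared secret with HMAC-SHA256 in counter mode (the patent does not specify a
# generator), IPv4 only, and all addresses, ports and keys below are constructed.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """sIP, sP, dIP, dP as extracted from one MAC frame."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def random_bit_string(shared_secret: bytes, nbits: int) -> int:
    """rsn: nbits pseudo-random bits derived from the shared secret (assumed HMAC-SHA256)."""
    out, counter = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(shared_secret, b"rsn" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def select_substrings(rsn: int, q: int) -> Tuple[int, int, int, int]:
    """Two q-bit substrings (for the sIP and dIP host numbers) and two 16-bit ones (for sP and dP)."""
    qmask = (1 << q) - 1
    return (rsn & qmask, (rsn >> q) & qmask,
            (rsn >> (2 * q)) & 0xFFFF, (rsn >> (2 * q + 16)) & 0xFFFF)


def transform(ident: Identity, shared_secret: bytes, prefix_len: int) -> Identity:
    """XOR the q = 32 - prefix host bits of each IP and the full 16-bit ports with rsn substrings.
    XOR is an involution, so the receiver undoes the randomization with this same call."""
    q = 32 - prefix_len
    host_mask = (1 << q) - 1
    m_sip, m_dip, m_sport, m_dport = select_substrings(random_bit_string(shared_secret, 2 * q + 32), q)

    def xor_host(ip: str, m: int) -> str:
        n = int(ipaddress.IPv4Address(ip))
        return str(ipaddress.IPv4Address((n & ~host_mask) | ((n ^ m) & host_mask)))

    return Identity(xor_host(ident.src_ip, m_sip), ident.src_port ^ m_sport,
                    xor_host(ident.dst_ip, m_dip), ident.dst_port ^ m_dport)


# Constructed deployment: one server, a /16 LAN, two authorised clients forming group A.
PREFIX_LEN = 16
SERVER_IP, SERVICE_PORT = "10.20.0.10", 8443
GROUP_A: Dict[str, bytes] = {          # terminal IP -> shared secret ksan with the server
    "10.20.0.21": b"constructed-key-a1",
    "10.20.0.22": b"constructed-key-a2",
}


def client_send(frame: Identity, key: bytes) -> Identity:
    """Client a_n sending: only frames to the preset server IP and service port are randomised;
    other traffic is passed through unchanged (assumption: the text describes only the match case)."""
    if frame.dst_ip != SERVER_IP or frame.dst_port != SERVICE_PORT:
        return frame
    return transform(frame, key, PREFIX_LEN)


def server_send(frame: Identity) -> Optional[Identity]:
    """Server S sending (S402/S403): a destination outside group A is abnormal and not sent.
    The per-process permission query of the text is omitted here."""
    key = GROUP_A.get(frame.dst_ip)
    return None if key is None else transform(frame, key, PREFIX_LEN)


def client_receive(frame: Identity, client_ip: str, key: bytes) -> Optional[Identity]:
    """Client a_n receiving (S302/S303): pass through when dIP is already its own IP, else restore
    and require sIP == server IP and dIP == own IP; anything else is abnormal (None = report)."""
    if frame.dst_ip == client_ip:
        return frame
    restored = transform(frame, key, PREFIX_LEN)
    return restored if restored.src_ip == SERVER_IP and restored.dst_ip == client_ip else None


def server_receive(frame: Identity) -> Optional[Identity]:
    """Server S receiving (S502/S503): try the keys of group A one by one until one restores a
    consistent identity (own IP, own service port, sender IP of that terminal); else abnormal."""
    if frame.dst_ip == SERVER_IP:
        return frame
    for terminal_ip, key in GROUP_A.items():
        restored = transform(frame, key, PREFIX_LEN)
        if (restored.dst_ip == SERVER_IP and restored.dst_port == SERVICE_PORT
                and restored.src_ip == terminal_ip):
            return restored
    return None


if __name__ == "__main__":
    request = Identity("10.20.0.21", 51000, SERVER_IP, SERVICE_PORT)
    on_wire = client_send(request, GROUP_A["10.20.0.21"])
    print("on the wire:", on_wire)
    print("server restores:", server_receive(on_wire))
```

Note that a frame whose destination already equals the receiver's own address is handed to the normal stack untouched, which is what lets ordinary LAN traffic coexist with the randomized service traffic.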
Compared with the prior art, the network service safety access method based on the local area network limits the application terminal to be the server, limits the application scene to be the received network communication data event of the server, and specifies the preset calculation method, so that the method is wide in adaptability.
The steps of the above methods are divided for clarity of description; in implementation, several steps may be combined into one step, or one step may be split into multiple steps, and all such divisions fall within the protection scope of this patent as long as the same logical relationship is preserved; adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes to the core design without changing the algorithms or processes, is likewise within the scope of this patent.
The following is an embodiment of the network service secure access terminal based on the local area network provided by the invention. The embodiment of the network service security access terminal based on the local area network belongs to the same concept as the embodiment of the network service security access method based on the local area network, and details which are not described in detail in the embodiment of the network service security access terminal based on the local area network can refer to the embodiment of the network service security access method based on the local area network.
Please refer to fig. 6, which is a schematic structural diagram of a network service security access terminal based on a local area network according to a sixth embodiment of the present invention.
The network service security access terminal based on the local area network comprises:
a network interface unit 110, configured to monitor a processing event of network communication data based on a local area network, and when the processing event is monitored, suspend execution of the processing event and acquire an MAC frame of the network communication data corresponding to the processing event, and analyze, according to the MAC frame, identity information of a processing terminal corresponding to the processing event; the processing event comprises a network communication data sending event or a network communication data receiving event, the processing terminal comprises a sending terminal and a receiving terminal, and the identity information comprises an IP address and a port number;
a secret sharing unit 120, configured to, if it is determined that the processing terminal is a preset terminal capable of accessing a specific network service according to the identity information, obtain a shared key, which is pre-established by the processing terminal according to a preset shared key method, for accessing the specific network service;
and a security calculation unit 130, configured to calculate, according to the shared key and the identity information, randomized new identity information corresponding to the identity information according to a preset calculation method, and replace the identity information with the new identity information, so that the network communication data carries the new identity information to continue to execute the network communication data processing event.
Compared with the prior art, the network service safety access terminal based on the local area network of the embodiment of the invention divides the client side for accessing the specific network service, logically isolates the client side for authorized access and the client side for unauthorized access, presets the client side for authorized access as the preset specific network service accessor, in addition, hides the real IP address and the port number of the server for providing the specific network service in the local area network by using the mode of calculating the randomized new identity information by using the preset calculation method to replace the original identity information, realizes the hiding of the specific network service which should be disclosed for other users except the preset specific network service accessor, ensures that only the specified network node which passes the authentication can use the specific network service, further achieves the aim of safely accessing the specific network service, does not influence the normal network communication, and reduces the risk of attacks on servers that provide particular network services.
Please refer to fig. 7, which is a schematic structural diagram of a network service security access terminal based on a local area network according to a seventh embodiment of the present invention. The seventh embodiment of the present invention defines a network service security access terminal based on a local area network as a client based on the sixth embodiment, where the client includes a client network interface unit 210, a client secret sharing unit 220, and a client security calculation unit 230, and further describes the functions of each unit.
The network service security access terminal based on the local area network is a client, and the client comprises a client network interface unit 210, a client secret sharing unit 220 and a client security computing unit 230;
the client network interface unit 210 is configured to monitor a network communication data sending event based on a local area network, and when the network communication data sending event is monitored, suspend execution of the network communication data sending event and acquire an MAC frame of network communication data corresponding to the network communication data sending event, and analyze, according to the MAC frame, identity information of a client and a receiving terminal corresponding to the network communication data sending event; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit 220 is configured to determine whether the analyzed IP address of the receiving terminal is consistent with an IP address of a preset server, determine whether the analyzed port number of the receiving terminal is consistent with a port number of the preset server if the analyzed IP address of the receiving terminal is consistent with the IP address of the preset server, and obtain a shared key, which is pre-established between the client and the preset server according to a preset shared key method, for accessing a specific network service if the analyzed port number of the receiving terminal is consistent with the port number of the preset server;
the client security calculating unit 230 is configured to calculate, by a preset calculating method from the shared key, the identity information of the client and the identity information of the receiving terminal, randomized new identity information of the client and the receiving terminal corresponding to the identity information, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the client and the receiving terminal and the network communication data sending event continues to be executed;
or;
the client network interface unit 210 is further configured to monitor a received network communication data event based on a local area network, and when the received network communication data event is monitored, suspend execution of the received network communication data event and acquire an MAC frame of network communication data corresponding to the received network communication data event, and analyze identity information of a client and a sending terminal corresponding to the received network communication data event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit 220 is further configured to determine whether the analyzed IP address of the client is consistent with the IP address of the client itself, and if not, obtain a shared key, which is pre-established between the client and a preset server according to a preset shared key method, for accessing a specific network service;
the client security calculating unit 230 is further configured to calculate, by a preset calculating method from the shared key, the identity information of the client and the identity information of the sending terminal, new randomized identity information of the client and the sending terminal corresponding to the identity information; and if the IP address of the new identity information of the sending terminal is consistent with the IP address of a preset server and the IP address of the new identity information of the client is consistent with the IP address of the client, to replace the identity information with the new identity information so that the network communication data carries the new identity information of the client and the sending terminal and the network communication data receiving event continues to be executed.
Compared with the prior art, the network service security access terminal based on the local area network of the embodiment of the invention limits the application terminal as the client, limits the application scene as the network communication data transmitting event or the network communication data receiving event of the client, and describes the network communication data transmitting event and the network communication data receiving event of the client in detail, thereby having wide adaptability.
Please refer to fig. 8, which is a schematic structural diagram of a network service security access terminal based on a local area network according to an eighth embodiment of the present invention. The eighth embodiment of the present invention is to define a network service security access terminal based on a local area network as a server on the basis of the sixth embodiment, where the server includes a server network interface unit 310, a server secret sharing unit 320, and a server security calculation unit 330, and further description is made for the function of each unit.
The network service security access terminal based on the local area network is a server, and the server comprises a server network interface unit 310, a server secret sharing unit 320 and a server security computing unit 330;
the server network interface unit 310 is configured to monitor a network communication data sending event based on a local area network, and when the network communication data sending event is monitored, suspend execution of the network communication data sending event and acquire an MAC frame of network communication data corresponding to the network communication data sending event, and analyze, according to the MAC frame, identity information of a server and a receiving terminal corresponding to the network communication data sending event; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit 320 is configured to determine whether the analyzed IP address of the receiving terminal is consistent with an IP address of a terminal in a preset legal terminal group, and if so, obtain a shared key, which is pre-established according to a preset shared key method, between the server and the terminal to access a specific network service;
the server security calculation unit 330 is configured to calculate, by a preset calculation method from the shared key, the identity information of the server and the identity information of the receiving terminal, new randomized identity information of the server and the receiving terminal corresponding to the identity information, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the server and the receiving terminal and the network communication data sending event continues to be executed;
or;
the server network interface unit 310 is further configured to monitor a received network communication data event based on a local area network, and when the received network communication data event is monitored, suspend execution of the received network communication data event and acquire an MAC frame of network communication data corresponding to the received network communication data event, and analyze, according to the MAC frame, identity information of a server and a sending terminal corresponding to the received network communication data event; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit 320 is further configured to determine whether the analyzed IP address of the server is consistent with the IP address of the server itself, and if not, obtain a shared key for accessing a specific network service, which is pre-established between the server and a terminal in a preset legal terminal group according to a preset shared key method;
the server security calculating unit 330 is further configured to calculate, by a preset calculating method from the shared key, the identity information of the server and the identity information of the sending terminal, new randomized identity information of the server and the sending terminal corresponding to the identity information; and if the IP address of the new identity information of the sending terminal is consistent with the IP address of the terminal, the IP address of the new identity information of the server is consistent with the IP address of the server, and the port number of the new identity information of the server is consistent with the port number of the server, to replace the identity information with the new identity information so that the network communication data carrying the new identity information continues to execute the network communication data receiving event.
Compared with the prior art, the network service security access terminal based on the local area network limits the application terminal to be the server, limits the application scene to be the network communication data transmitting event or the network communication data receiving event of the server, and describes the network communication data transmitting event and the network communication data receiving event of the server in detail, so that the network service security access terminal based on the local area network is wide in adaptability.
The following is an embodiment of the network service secure access system based on the local area network provided by the invention. The embodiment of the network service secure access system based on the local area network belongs to the same concept as the embodiment of the network service secure access method based on the local area network, and details which are not described in detail in the embodiment of the network service secure access system based on the local area network can refer to the embodiment of the network service secure access method based on the local area network.
Please refer to fig. 9, which is a schematic structural diagram of a network service security access system based on a local area network according to a ninth embodiment of the present invention.
The network service safety access system based on the local area network comprises a client 200 and a server 300, wherein the client 200 comprises a client network interface unit 210, a client secret sharing unit 220 and a client safety computing unit 230; the server 300 includes a server network interface unit 310, a server secret sharing unit 320, and a server security calculation unit 330;
the client network interface unit 210 is configured to monitor a network communication data sending event based on a local area network, and when the network communication data sending event is monitored, suspend execution of the network communication data sending event and acquire an MAC frame of network communication data corresponding to the network communication data sending event, and analyze, according to the MAC frame, identity information of a client and a receiving terminal corresponding to the network communication data sending event; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit 220 is configured to determine whether the analyzed IP address of the receiving terminal is consistent with an IP address of a preset server, determine whether the analyzed port number of the receiving terminal is consistent with a port number of the preset server if the analyzed IP address of the receiving terminal is consistent with the IP address of the preset server, and obtain a shared key, which is pre-established between the client and the preset server according to a preset shared key method, for accessing a specific network service if the analyzed port number of the receiving terminal is consistent with the port number of the preset server;
the client security calculating unit 230 is configured to calculate, by a preset calculating method from the shared key, the identity information of the client and the identity information of the receiving terminal, randomized new identity information of the client and the receiving terminal corresponding to the identity information, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the client and the receiving terminal and the network communication data sending event continues to be executed;
the server network interface unit 310 is configured to monitor a received network communication data event based on a local area network, and when the received network communication data event is monitored, suspend execution of the received network communication data event and acquire an MAC frame of network communication data corresponding to the received network communication data event, and analyze, according to the MAC frame, identity information of a server and a sending terminal corresponding to the received network communication data event; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit 320 is configured to determine whether the analyzed IP address of the server is consistent with the IP address of the server itself, and if not, obtain a shared key for accessing a specific network service, which is pre-established between the server and a terminal in a preset legal terminal group according to a preset shared key method;
the server security calculation unit 330 is configured to calculate, according to the shared key, the identity information of the server, and the identity information of the sending terminal, new randomized identity information of the server and the sending terminal corresponding to the identity information according to a preset calculation method; if the IP address of the new identity information of the sending terminal is consistent with the IP address of the terminal, the IP address of the new identity information of the server is consistent with the IP address of the server, and the port number of the new identity information of the server is consistent with the port number of the server, replacing the identity information with the new identity information so that the network communication data carrying the new identity information continues to execute the network communication data receiving event;
or;
the server network interface unit 310 is further configured to monitor a network communication data sending event based on a local area network, and when the network communication data sending event is monitored, suspend execution of the network communication data sending event and acquire an MAC frame of network communication data corresponding to the network communication data sending event, and analyze, according to the MAC frame, identity information of a server and a receiving terminal corresponding to the network communication data sending event; wherein the identity information comprises an IP address and a port number;
the server secret sharing unit 320 is further configured to determine whether the analyzed IP address of the receiving terminal is consistent with an IP address of a terminal in a preset legal terminal group, and if so, obtain a shared key, which is pre-established between the server and the terminal according to a preset shared key method, for accessing a specific network service;
the server security calculating unit 330 is further configured to calculate, according to the shared key, the identity information of the server, and the identity information of the receiving terminal, randomized new identity information of the server and the receiving terminal corresponding to the identity information according to a preset calculating method, and replace the new identity information with the identity information, so that the network communication data carries the new identity information of the server and the receiving terminal to continue to execute the network communication data sending event;
the client network interface unit 210 is further configured to monitor a received network communication data event based on a local area network, and when the received network communication data event is monitored, suspend execution of the received network communication data event and acquire an MAC frame of network communication data corresponding to the received network communication data event, and analyze identity information of a client and a sending terminal corresponding to the received network communication data event according to the MAC frame; wherein the identity information comprises an IP address and a port number;
the client secret sharing unit 220 is further configured to determine whether the analyzed IP address of the client is consistent with the IP address of the client itself, and if not, obtain a shared key, which is pre-established between the client and a preset server according to a preset shared key method, for accessing a specific network service;
the client security calculating unit 230 is further configured to calculate, according to the shared key, the identity information of the client, and the identity information of the sending terminal, new randomized identity information of the client and the sending terminal corresponding to the identity information according to a preset calculating method; and if the IP address of the new identity information of the sending terminal is consistent with the IP address of a preset server and the IP address of the new identity information of the client is consistent with the IP address of the client, replacing the new identity information with the identity information so that the network communication data carries the new identity information of the client and the sending terminal to continue to execute the network communication data receiving event.
Specifically, the client network interface unit 210 intercepts each data packet of network communication data sent or received by the client computer, extracts the source IP address, source port number, destination IP address and destination port number from the MAC frame in the packet, and submits them to the client security calculation unit 230. Once the client security calculation unit 230 returns a new source IP address, source port number, destination IP address and destination port number, it rewrites the packet with the new addresses and port numbers and sends or delivers the MAC frame.
The client secret sharing unit 220 negotiates with the server secret sharing unit 320 so that the two share secret information.
The client security calculation unit 230 checks the IP addresses and port numbers supplied by the client network interface unit 210 according to the decision rules above. If the check passes, it generates new IP addresses and port numbers from the secret information supplied by the client secret sharing unit 220 according to the preset calculation method and submits them to the client network interface unit 210.
The server network interface unit 310 intercepts each packet of network communication data sent or received by the server computer, extracts the source IP address, source port number, destination IP address and destination port number from the MAC frame in the packet, and submits them to the server security calculation unit 330. Once the server security calculation unit 330 returns a new source IP address, source port number, destination IP address and destination port number, it rewrites the packet with the new addresses and port numbers and sends or delivers the MAC frame.
The server secret sharing unit 320 negotiates with the client secret sharing unit 220 so that the two share secret information.
The server security calculation unit 330 checks the IP addresses and port numbers supplied by the server network interface unit 310 according to the decision rules above. If the check passes, it generates new IP addresses and port numbers from the secret information supplied by the server secret sharing unit 320 according to the preset calculation method and submits them to the server network interface unit 310.
Compared with the prior art, the LAN-based network service secure access system of this embodiment partitions the clients that access a specific network service: clients authorized to access it are logically isolated from those that are not, and the authorized clients are preset as the accessors of that service. In addition, by computing randomized new identity information with the preset calculation method and substituting it for the original identity information, it hides the real IP address and port number of the server providing the service inside the local area network. A service that would otherwise be visible to every host is thus hidden from all users other than the preset accessors, only designated network nodes that pass the check can use it, and secure access to the service is achieved without disturbing normal network communication, which reduces the risk of attacks on the servers that provide such services.
The invention has the following beneficial effects:
1. The client terminals that access the specific network service are partitioned: client computers authorized to access it and client computers not authorized to access it are logically isolated, and only client terminals that share secret information with the server can access the network service normally.
2. The IP address and port number of the network service are hidden while the service is being accessed, so even if an attacker compromises an unauthorized client computer on the intranet, the location of the service cannot be found by scanning, sniffing or similar means.
3. Because the IP address and port number of the specific network service are randomized in each communication, even if the real IP address and port number of the service are discovered, an unauthorized client that does not share secret information with the server still cannot access the service or exploit a vulnerability in it.
The following example illustrates the workflow of the LAN-based network service secure access system in detail.
The IP address of the client computer is 192.168.1.7, the IP address of the server is 192.168.1.77, the open port of the specific network service is 1011, the local area network is a class C network and the subnet mask is 255.255.255.0. The system has two parts: a client subsystem attached to the client and a server subsystem attached to the server. In practice, each subsystem can be a stand-alone device connected to the client computer or server computer by a network cable or optical fibre, or an add-on device inserted into the motherboard of the client computer or server computer as a PCI-E card or USB device. In this embodiment both subsystems are add-on devices inserted into the motherboards as PCI-E cards.
The client comprises a client network interface unit 210, a client secret sharing unit 220 and a client security calculation unit 230; the server comprises a server network interface unit 310, a server secret sharing unit 320 and a server security calculation unit 330. The functions and workflow of each subsystem and unit are described below for four cases: the client sending network communication data, the client receiving network communication data, the server sending network communication data, and the server receiving network communication data.
When the client sends network communication data, the client subsystem works as follows:
S10: After an application on the client computer generates a data packet of network communication data and the operating system encapsulates it into a MAC frame, the client network interface unit 210 intercepts the MAC frame the operating system is about to send and parses the source IP address sIP, source port number sP, destination IP address dIP and destination port number dP from it. It then passes sIP, sP, dIP and dP to the client security calculation unit 230.
S11: On receiving sIP, sP, dIP and dP, the client security calculation unit 230 checks dIP and dP, and if both match the preset server IP address and port number it requests the shared key from the client secret sharing unit 220.
S11': If S11 finds that dIP does not match the server IP address, the client network interface unit 210 is told to send the original MAC frame unchanged. If S11 finds that dIP matches the preset server IP address but dP does not match the server's open service port number, the client network interface unit 210 is told not to send the frame and to report the event to the network administrator.
S12: On receiving the shared key request from the client security calculation unit 230, the client secret sharing unit 220 hands it the shared key k that it established with the server secret sharing unit 320. In this embodiment the client computer and server computer establish the shared key using a public key infrastructure; since mature solutions for this exist in large numbers, the procedure is not described here.
S13: the client security calculation unit 230 performs hash operation on the key k by using SHA-1 to obtain a 160-bit random number, and sets substring R1 composed of bits 1 to 8 of the random number to 11010101, substring R2 composed of bits 9 to 16 to 10101011, substring R3 composed of bits 17 to 32 to 0101010, and substring R4 composed of bits 33 to 48 to 1101110101011010. The client security calculation unit 230 calculates R1 respectively
Figure 545162DEST_PATH_IMAGE001
sIP、R2
Figure 259040DEST_PATH_IMAGE001
dIP、R3
Figure 632253DEST_PATH_IMAGE001
sP and R4
Figure 761883DEST_PATH_IMAGE001
dP, and sends the results 192.168.1.210, 192.168.1.210, 25934, 57001 to the client network interface unit 210 as the new source IP address sIP, source port number sP, destination IP address dIP, and destination port number dP, respectively.
S14: the client network interface unit 210 replaces the source IP address, the source port number, the destination IP address, and the destination port number in the original network communication data with the received sIP, sP, dIP, and dP, and encapsulates them into frames again and sends them through the network.
When the client receives the network communication data, the working process of the client subsystem is as follows:
s20: when the client computer operating system receives a packet of network communication data, the client network interface unit 210 intercepts the packet to be processed by the operating system, parses a source IP address sIP, a source port number sP, a destination IP address dIP and a destination port number dP from the packet, and sends the packet to the client security calculation unit 230.
S21: the client security calculation unit 230 checks whether the destination IP address dIP is the same as the own IP address 192.168.1.7, and if so, notifies the client network interface unit 210 to forward the packet to the operating system for normal processing; if not, a shared key is requested from the client secret sharing unit 220.
S22: the client secret sharing unit 220 transmits the shared key k it established with the server secret sharing unit 320 to the client secure computing unit 230.
S23: the client security calculation unit 230 calculates a new source IP address sIP, a source port number sP, a destination IP address dIP, and a destination port number dP by using the same method as described in S13, and sends a new source IP address sIP, a source port number sP, a destination IP address dIP, and a destination port number dP to the client network interface unit 210 if the new source IP address sIP and the destination IP address dIP are respectively consistent with the server IP address 192.168.1.77 and the client self IP address 192.168.1.7. Otherwise, the notification client network interface unit 210 notifies the network manager of this event.
S24: the client network interface unit 210 replaces the source IP address, the source port number, the destination IP address, and the destination port number in the original network communication data with the received sIP, sP, dIP, and dP, and encapsulates them into frames again and sends them to the operating system for normal processing.
When the server sends network communication data, the server subsystem works as follows:
S30: After an application on the server computer generates a data packet of network communication data and the operating system encapsulates it into a MAC frame, the server network interface unit 310 intercepts the MAC frame the operating system is about to send, parses the source IP address sIP, source port number sP, destination IP address dIP and destination port number dP from it, and passes them to the server security calculation unit 330.
S31: On receiving sIP, sP, dIP and dP, the server security calculation unit 330 requests the shared key from the server secret sharing unit 320.
S32: The server secret sharing unit 320 hands the shared key k that it established with the client secret sharing unit 220 to the server security calculation unit 330.
S33: The server security calculation unit 330 computes a new source IP address sIP, source port number sP, destination IP address dIP and destination port number dP by the same method as in S13 and sends them to the server network interface unit 310.
S34: The server network interface unit 310 replaces the source IP address, source port number, destination IP address and destination port number in the original packet with the received sIP, sP, dIP and dP, re-encapsulates the packet into a frame and sends it onto the network.
When the server receives network communication data, the server subsystem works as follows:
S40: When the server computer's operating system receives a packet of network communication data, the server network interface unit 310 intercepts the packet before the operating system processes it, parses the source IP address sIP, source port number sP, destination IP address dIP and destination port number dP from it, and passes them to the server security calculation unit 330.
S41: The server security calculation unit 330 requests the shared key from the server secret sharing unit 320.
S42: The server secret sharing unit 320 hands the shared key k that it established with the client secret sharing unit 220 to the server security calculation unit 330.
S43: The server security calculation unit 330 computes a new source IP address sIP, source port number sP, destination IP address dIP and destination port number dP by the same method as in S13, then checks whether the new destination IP address dIP, destination port number dP and source IP address sIP equal its own IP address 192.168.1.77, the service port number 1011 and the client IP address 192.168.1.7. If they do, it sends the new sIP, sP, dIP and dP to the server network interface unit 310; otherwise it tells the server network interface unit 310 to report the event to the network administrator instead of passing the packet to the operating system.
S44: The server network interface unit 310 replaces the source IP address, source port number, destination IP address and destination port number in the original packet with the received sIP, sP, dIP and dP, re-encapsulates the packet into a frame and hands it to the operating system for normal processing.
The following describes an embodiment of the computer-readable storage medium provided by the invention. This embodiment shares its concept with the embodiment of the LAN-based network service secure access method, and details not described here can be found in the description of that method.
The computer-readable storage medium stores a computer program which, when executed by a processor, performs the steps of the LAN-based network service secure access method described above.
As those skilled in the art will understand, all or part of the steps of the method in the above embodiment can be implemented by a program that instructs the relevant hardware. The program is stored in a storage medium and comprises instructions that cause a device (for example a single-chip microcomputer or a chip) or a processor to execute all or part of the steps of the method of the embodiments of this application. Such storage media include USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical discs and other media capable of storing program code.
Those of ordinary skill in the art will understand that the foregoing embodiments are specific examples of carrying out the invention, and that changes in form and detail can be made in practice without departing from the spirit and scope of the invention.

Claims (10)

1. A network service secure access method based on a local area network, characterized in that it comprises the following steps:
monitoring a processing event of network communication data on the local area network and, when the processing event is detected, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the processing event and parsing the identity information of the processing terminal corresponding to the processing event from the MAC frame; wherein the processing event is a network communication data sending event or a network communication data receiving event, the processing terminal is a sending terminal or a receiving terminal, and the identity information comprises an IP address and a port number;
if the processing terminal is determined from the identity information to be a preset terminal permitted to access the specific network service, acquiring the shared key for accessing the specific network service that the processing terminal pre-established by a preset shared key method;
and calculating randomized new identity information corresponding to the identity information from the shared key and the identity information according to a preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information when the processing event resumes.
2. The LAN-based network service secure access method according to claim 1, characterized in that the method is applied to a client and comprises:
monitoring a network communication data sending event on the local area network and, when the sending event is detected, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the sending event and parsing the identity information of the client and of the receiving terminal corresponding to the sending event from the MAC frame; wherein the identity information comprises an IP address and a port number;
determining whether the parsed IP address of the receiving terminal matches the IP address of a preset server and, if so, whether the parsed port number of the receiving terminal matches the port number of the preset server, and if so, acquiring the shared key for accessing the specific network service that was pre-established between the client and the preset server by the preset shared key method;
calculating randomized new identity information of the client and the receiving terminal corresponding to the identity information from the shared key, the identity information of the client and the identity information of the receiving terminal according to the preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information of the client and the receiving terminal when the sending event resumes;
or;
monitoring a network communication data receiving event on the local area network and, when the receiving event is detected, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the receiving event and parsing the identity information of the client and of the sending terminal corresponding to the receiving event from the MAC frame; wherein the identity information comprises an IP address and a port number;
determining whether the parsed IP address of the client matches the client's own IP address and, if not, acquiring the shared key for accessing the specific network service that was pre-established between the client and a preset server by the preset shared key method;
calculating randomized new identity information of the client and the sending terminal corresponding to the identity information from the shared key, the identity information of the client and the identity information of the sending terminal according to the preset calculation method; and, if the IP address in the new identity information of the sending terminal matches the IP address of the preset server and the IP address in the new identity information of the client matches the client's own IP address, replacing the identity information with the new identity information so that the network communication data carries the new identity information of the client and the sending terminal when the receiving event resumes.
3. The LAN-based network service secure access method according to claim 2, characterized in that:
after determining whether the parsed IP address of the receiving terminal matches the IP address of the preset server, if it does not, the sending event continues to execute;
after determining whether the parsed port number of the receiving terminal matches the port number of the preset server, the method further comprises:
if it does not, treating the situation as abnormal, not executing the sending event and reporting it to the network administrator;
if it does, querying from the parsed IP address and port number of the client whether the corresponding process is permitted to access the specific network service; if so, acquiring the shared key for accessing the specific network service that was pre-established between the client and the preset server by the preset shared key method, and if not, not executing the sending event and reporting it to the network administrator;
after determining whether the parsed IP address of the client matches the client's own IP address, if it does, the receiving event continues to execute;
after calculating the randomized new identity information of the client and the sending terminal corresponding to the identity information according to the preset calculation method, the method further comprises:
if the IP address in the new identity information of the sending terminal does not match the IP address of the preset server while the IP address in the new identity information of the client matches the client's own IP address, treating the situation as abnormal, not executing the receiving event and reporting it to the network administrator;
if the IP address in the new identity information of the sending terminal matches the IP address of the preset server while the IP address in the new identity information of the client does not match the client's own IP address, treating the situation as abnormal, not executing the receiving event and reporting it to the network administrator;
and if the IP address in the new identity information of the sending terminal does not match the IP address of the preset server and the IP address in the new identity information of the client does not match the client's own IP address, treating the situation as abnormal, not executing the receiving event and reporting it to the network administrator.
4. The LAN-based network service secure access method according to claim 1, characterized in that the method is applied to a server and comprises:
monitoring a network communication data sending event on the local area network and, when the sending event is detected, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the sending event and parsing the identity information of the server and of the receiving terminal corresponding to the sending event from the MAC frame; wherein the identity information comprises an IP address and a port number;
determining whether the parsed IP address of the receiving terminal matches the IP address of a terminal in a preset legal terminal group and, if so, acquiring the shared key for accessing the specific network service that was pre-established between the server and that terminal by the preset shared key method;
calculating randomized new identity information of the server and the receiving terminal corresponding to the identity information from the shared key, the identity information of the server and the identity information of the receiving terminal according to the preset calculation method, and replacing the identity information with the new identity information so that the network communication data carries the new identity information of the server and the receiving terminal when the sending event resumes;
or;
monitoring a network communication data receiving event on the local area network and, when the receiving event is detected, suspending its execution, acquiring the MAC frame of the network communication data corresponding to the receiving event and parsing the identity information of the server and of the sending terminal corresponding to the receiving event from the MAC frame; wherein the identity information comprises an IP address and a port number;
determining whether the parsed IP address of the server matches the server's own IP address and, if not, acquiring the shared key for accessing the specific network service that was pre-established between the server and a terminal in the preset legal terminal group by the preset shared key method;
calculating randomized new identity information of the server and the sending terminal corresponding to the identity information from the shared key, the identity information of the server and the identity information of the sending terminal according to the preset calculation method; and, if the IP address in the new identity information of the sending terminal matches the IP address of that terminal, the IP address in the new identity information of the server matches the server's own IP address, and the port number in the new identity information of the server matches the server's port number, replacing the identity information with the new identity information so that the network communication data carries the new identity information when the receiving event resumes.
5. The local area network-based network service security access method according to claim 4, wherein:
after judging whether the parsed IP address of the receiving terminal is consistent with the IP address of a terminal in the preset legal terminal group, the method further comprises:
if not, judging the situation abnormal, not executing the sending event, and reporting it to the network manager;
if so, judging whether the parsed port number of the receiving terminal is consistent with the port number of that terminal; if not, judging the situation abnormal, not executing the sending event, and reporting it to the network manager; if so, querying, based on the parsed IP address and port number of the receiving terminal, whether the corresponding process is allowed to access the specific network service; if allowed, acquiring the shared key for accessing the specific network service that was pre-established between the server and the terminal according to the preset shared key method, and if not allowed, not executing the sending event and reporting it to the network manager;
after judging whether the parsed IP address of the server is consistent with the server's own IP address, if so, continuing to execute the receiving event;
after the new randomized identity information of the server and the sending terminal corresponding to the identity information is calculated according to the preset calculation method, the method further comprises:
if the IP address in the new identity information of the server is consistent with the server's own IP address and the port number in the new identity information of the server is consistent with the server's own port number, but the IP address in the new identity information of the sending terminal is inconsistent with the IP address of the terminal, calculating the IP address of the new identity information with the same calculation method using the shared keys of the other terminals in the legal terminal group, and matching the result against the IP addresses of those other terminals;
if the IP address in the new identity information of the sending terminal is consistent with the IP address of one of the other terminals, replacing the identity information with the new identity information, so that the network communication data carries the new identity information and execution of the receiving event continues;
and if the IP address in the new identity information of the sending terminal is not consistent with the IP address of any terminal in the preset legal terminal group, judging the situation abnormal, not executing the receiving event, and reporting the received network communication data event to the network manager.
6. A local area network-based network service security access terminal, comprising:
a network interface unit, configured to monitor a processing event of network communication data on a local area network; when the processing event is monitored, to suspend execution of the processing event, acquire the MAC frame of the network communication data corresponding to the processing event, and parse from the MAC frame the identity information of the processing terminal corresponding to the processing event, wherein the processing event comprises a network communication data sending event or a network communication data receiving event, the processing terminal comprises a sending terminal and a receiving terminal, and the identity information comprises an IP address and a port number;
a secret sharing unit, configured to acquire, if the processing terminal is determined from the identity information to be a preset terminal allowed to access the specific network service, the shared key for accessing the specific network service that was pre-established by the processing terminal according to a preset shared key method;
and a security calculation unit, configured to calculate randomized new identity information corresponding to the identity information from the shared key and the identity information according to a preset calculation method, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information and execution of the processing event continues.
7. The local area network-based network service security access terminal of claim 6, wherein the network service security access terminal is a client, and the client comprises a client network interface unit, a client secret sharing unit and a client security calculation unit;
the client network interface unit is configured to monitor a network communication data sending event on a local area network; when the sending event is monitored, to suspend execution of the sending event, acquire the MAC (media access control) frame of the network communication data corresponding to the sending event, and parse from the MAC frame the identity information of the client and of the receiving terminal corresponding to the sending event, wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is configured to judge whether the parsed IP address of the receiving terminal is consistent with the IP address of a preset server; if so, to judge whether the parsed port number of the receiving terminal is consistent with the port number of the preset server; and to acquire the shared key for accessing the specific network service that was pre-established between the client and the preset server according to a preset shared key method if the parsed port number of the receiving terminal is consistent with the port number of;
the client security calculation unit is configured to calculate randomized new identity information of the client and of the receiving terminal corresponding to the identity information from the shared key, the identity information of the client and the identity information of the receiving terminal according to a preset calculation method, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the client and the receiving terminal and execution of the sending event continues;
or:
the client network interface unit is further configured to monitor a network communication data receiving event on a local area network; when the receiving event is monitored, to suspend execution of the receiving event, acquire the MAC frame of the network communication data corresponding to the receiving event, and parse from the MAC frame the identity information of the client and of the sending terminal corresponding to the receiving event, wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is further configured to judge whether the parsed IP address of the client is consistent with the client's own IP address, and if not, to acquire the shared key for accessing the specific network service that was pre-established between the client and the preset server according to the preset shared key method;
the client security calculation unit is further configured to calculate new randomized identity information of the client and of the sending terminal corresponding to the identity information from the shared key, the identity information of the client and the identity information of the sending terminal according to the preset calculation method; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of the preset server and the IP address in the new identity information of the client is consistent with the client's own IP address, to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the client and the sending terminal and execution of the receiving event continues.
8. The local area network-based network service security access terminal of claim 6, wherein the network service security access terminal is a server, and the server comprises a server network interface unit, a server secret sharing unit and a server security calculation unit;
the server network interface unit is configured to monitor a network communication data sending event on a local area network; when the sending event is monitored, to suspend execution of the sending event, acquire the MAC (media access control) frame of the network communication data corresponding to the sending event, and parse from the MAC frame the identity information of the server and of the receiving terminal corresponding to the sending event, wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is configured to judge whether the parsed IP address of the receiving terminal is consistent with the IP address of a terminal in a preset legal terminal group, and if so, to acquire the shared key for accessing the specific network service that was pre-established between the server and that terminal according to a preset shared key method;
the server security calculation unit is configured to calculate randomized new identity information of the server and of the receiving terminal corresponding to the identity information from the shared key, the identity information of the server and the identity information of the receiving terminal according to a preset calculation method, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the server and the receiving terminal and execution of the sending event continues;
or:
the server network interface unit is further configured to monitor a network communication data receiving event on a local area network; when the receiving event is monitored, to suspend execution of the receiving event, acquire the MAC frame of the network communication data corresponding to the receiving event, and parse from the MAC frame the identity information of the server and of the sending terminal corresponding to the receiving event, wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is further configured to judge whether the parsed IP address of the server is consistent with the server's own IP address, and if not, to acquire the shared key for accessing the specific network service that was pre-established between the server and a terminal in the preset legal terminal group according to the preset shared key method;
the server security calculation unit is further configured to calculate new randomized identity information of the server and of the sending terminal corresponding to the identity information from the shared key, the identity information of the server and the identity information of the sending terminal according to the preset calculation method; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of that terminal, the IP address in the new identity information of the server is consistent with the server's own IP address, and the port number in the new identity information of the server is consistent with the server's own port number, to replace the identity information with the new identity information, so that the network communication data carries the new identity information and execution of the receiving event continues.
9. A local area network-based network service security access system, characterized by comprising a client and a server, wherein the client comprises a client network interface unit, a client secret sharing unit and a client security calculation unit, and the server comprises a server network interface unit, a server secret sharing unit and a server security calculation unit;
the client network interface unit is configured to monitor a network communication data sending event on a local area network; when the sending event is monitored, to suspend execution of the sending event, acquire the MAC (media access control) frame of the network communication data corresponding to the sending event, and parse from the MAC frame the identity information of the client and of the receiving terminal corresponding to the sending event, wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is configured to judge whether the parsed IP address of the receiving terminal is consistent with the IP address of a preset server; if so, to judge whether the parsed port number of the receiving terminal is consistent with the port number of the preset server; and to acquire the shared key for accessing the specific network service that was pre-established between the client and the preset server according to a preset shared key method if the parsed port number of the receiving terminal is consistent with the port number of;
the client security calculation unit is configured to calculate randomized new identity information of the client and of the receiving terminal corresponding to the identity information from the shared key, the identity information of the client and the identity information of the receiving terminal according to a preset calculation method, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the client and the receiving terminal and execution of the sending event continues;
the server network interface unit is configured to monitor a network communication data receiving event on a local area network; when the receiving event is monitored, to suspend execution of the receiving event, acquire the MAC frame of the network communication data corresponding to the receiving event, and parse from the MAC frame the identity information of the server and of the sending terminal corresponding to the receiving event, wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is configured to judge whether the parsed IP address of the server is consistent with the server's own IP address, and if not, to acquire the shared key for accessing the specific network service that was pre-established between the server and a terminal in a preset legal terminal group according to a preset shared key method;
the server security calculation unit is configured to calculate new randomized identity information of the server and of the sending terminal corresponding to the identity information from the shared key, the identity information of the server and the identity information of the sending terminal according to a preset calculation method; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of that terminal, the IP address in the new identity information of the server is consistent with the server's own IP address, and the port number in the new identity information of the server is consistent with the server's own port number, to replace the identity information with the new identity information, so that the network communication data carries the new identity information and execution of the receiving event continues;
or:
the server network interface unit is further configured to monitor a network communication data sending event on a local area network; when the sending event is monitored, to suspend execution of the sending event, acquire the MAC frame of the network communication data corresponding to the sending event, and parse from the MAC frame the identity information of the server and of the receiving terminal corresponding to the sending event, wherein the identity information comprises an IP address and a port number;
the server secret sharing unit is further configured to judge whether the parsed IP address of the receiving terminal is consistent with the IP address of a terminal in the preset legal terminal group, and if so, to acquire the shared key for accessing the specific network service that was pre-established between the server and that terminal according to the preset shared key method;
the server security calculation unit is further configured to calculate randomized new identity information of the server and of the receiving terminal corresponding to the identity information from the shared key, the identity information of the server and the identity information of the receiving terminal according to the preset calculation method, and to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the server and the receiving terminal and execution of the sending event continues;
the client network interface unit is further configured to monitor a network communication data receiving event on a local area network; when the receiving event is monitored, to suspend execution of the receiving event, acquire the MAC frame of the network communication data corresponding to the receiving event, and parse from the MAC frame the identity information of the client and of the sending terminal corresponding to the receiving event, wherein the identity information comprises an IP address and a port number;
the client secret sharing unit is further configured to judge whether the parsed IP address of the client is consistent with the client's own IP address, and if not, to acquire the shared key for accessing the specific network service that was pre-established between the client and the preset server according to the preset shared key method;
the client security calculation unit is further configured to calculate new randomized identity information of the client and of the sending terminal corresponding to the identity information from the shared key, the identity information of the client and the identity information of the sending terminal according to the preset calculation method; and if the IP address in the new identity information of the sending terminal is consistent with the IP address of the preset server and the IP address in the new identity information of the client is consistent with the client's own IP address, to replace the identity information with the new identity information, so that the network communication data carries the new identity information of the client and the sending terminal and execution of the receiving event continues.
10. A computer-readable storage medium, storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the local area network-based network service security access method according to any one of claims 1 to 5.
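As an added illustration (not code from the patent or its assignee), the following Python simulates the claim 4 to 9 procedure on both the client and the server, including the claim 5 fallback in which the server tries each legal terminal's shared key before reporting a frame as abnormal. The patent does not specify the "preset calculation method" or the shared key method; here a keyed, time-slotted XOR mask derived with HMAC-SHA256 stands in for it, and the addresses, ports and keys are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption (not stated in the patent): the "preset calculation method" is an
# HMAC-SHA256 keyed XOR mask over IP address and port, refreshed per time slot,
# so one function both randomizes (sender) and recovers (receiver) an identity.


@dataclass(frozen=True)
class Identity:
    ip: str
    port: int


@dataclass(frozen=True)
class Frame:
    src: Identity  # identity fields parsed from the MAC frame's IP/TCP headers
    dst: Identity


def masks(shared_key: bytes, slot: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Derive (server_mask, terminal_mask); each is (ip_mask, port_mask)."""
    d = hmac.new(shared_key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    srv = (int.from_bytes(d[0:4], "big"), int.from_bytes(d[4:6], "big"))
    term = (int.from_bytes(d[6:10], "big"), int.from_bytes(d[10:12], "big"))
    return srv, term


def transform(ident: Identity, m: Tuple[int, int]) -> Identity:
    """XOR is an involution: applying the same mask twice restores the identity."""
    ip = int(ipaddress.IPv4Address(ident.ip)) ^ m[0]
    return Identity(str(ipaddress.IPv4Address(ip)), ident.port ^ m[1])


Result = Tuple[Optional[Frame], str]  # (frame to continue with or None, status)


class Client:
    def __init__(self, me: Identity, server: Identity, key: bytes):
        self.me, self.server, self.key = me, server, key

    def on_send(self, f: Frame, slot: int) -> Result:
        # Claim 7: the receiver must be the preset server (IP and port), else stop.
        if f.dst != self.server:
            return None, "abnormal: destination is not the preset server"
        srv, term = masks(self.key, slot)
        return Frame(transform(f.src, term), transform(f.dst, srv)), "randomized"

    def on_receive(self, f: Frame, slot: int) -> Result:
        if f.dst.ip == self.me.ip:  # claim 5: address already consistent, continue as is
            return f, "passthrough"
        srv, term = masks(self.key, slot)
        src, dst = transform(f.src, srv), transform(f.dst, term)
        if src.ip == self.server.ip and dst.ip == self.me.ip:
            return Frame(src, dst), "recovered"
        return None, "abnormal: identity does not recover to server/client"


class Server:
    def __init__(self, me: Identity, group: Dict[Identity, bytes]):
        self.me = me
        # preset legal terminal group: terminal IP -> (terminal identity, shared key)
        self.group = {t.ip: (t, k) for t, k in group.items()}

    def on_send(self, f: Frame, slot: int) -> Result:
        entry = self.group.get(f.dst.ip)
        if entry is None:
            return None, "abnormal: receiver not in legal terminal group (report)"
        terminal, key = entry
        if f.dst.port != terminal.port:
            return None, "abnormal: receiver port mismatch (report)"
        # Claim 5 also consults a per-process allow-list at this point; omitted here.
        srv, term = masks(key, slot)
        return Frame(transform(f.src, srv), transform(f.dst, term)), "randomized"

    def on_receive(self, f: Frame, slot: int) -> Result:
        if f.dst.ip == self.me.ip:
            return f, "passthrough"
        # Claim 5 fallback: try every terminal's shared key until the recovered
        # server IP/port and sender IP all match; if none does, report it.
        for term_ip, (_, key) in self.group.items():
            srv, term = masks(key, slot)
            dst, src = transform(f.dst, srv), transform(f.src, term)
            if dst == self.me and src.ip == term_ip:
                return Frame(src, dst), "recovered via key of " + term_ip
        return None, "abnormal: no terminal key recovers a legal identity (report)"
```

On a LAN the randomized IP and port still reach the peer because Ethernet delivery is by MAC address; a frame whose server fields already match is passed through unchanged, exactly as claim 5 states, so such frames receive no integrity check from this mechanism.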
Application CN202010137394.0A, priority date 2020-03-03, filing date 2020-03-03: Network service security access method, terminal, system and readable storage medium; status Active; granted publication CN111031075B (en).

Publications (2)

Publication Number Publication Date
CN111031075A (en) 2020-04-17
CN111031075B (en) 2020-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant