CN111586026B - Software defined boundary implementation method and system based on SDN - Google Patents


Info

Publication number
CN111586026B
Authority
CN
China
Prior art keywords
sdn
authorization
defined boundary
information
implementation method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010362581.9A
Other languages
Chinese (zh)
Other versions
CN111586026A (en)
Inventor
刘忻
林冬艺
袁龙浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Bingo Software Co Ltd
Original Assignee
Guangzhou Bingo Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Bingo Software Co Ltd
Priority to CN202010362581.9A
Publication of CN111586026A
Application granted
Publication of CN111586026B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information

Abstract

The invention discloses a software defined boundary implementation method and system based on an SDN, in which the SDN controller takes the place of the SDP controller, the SDN switch takes the place of the SDP gateway, and the SPA single-packet authorization service logic is implemented with the flow tables of the SDN network.

Description

Software defined boundary implementation method and system based on SDN
Technical Field
The invention belongs to the technical field of software defined boundaries, and particularly relates to a software defined boundary implementation method and system based on an SDN.
Background
Software Defined Perimeter (SDP, rendered in the title of this document as "software defined boundary") is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. Each terminal must complete single-packet authorization (SPA) before it is allowed to connect to a server, which ensures that only permitted devices gain access. The core idea is to hide the core network assets and facilities behind the SDP architecture, so that they are not directly exposed to the Internet and are protected from external security threats. Because the range of protected services is usually large, the conventional SDP architecture generally adopts a gateway mode, as shown in fig. 1: the access rules established by the SDP controller are opened only for authorized users and services, keys and policies are dynamic and single-use, and through this whitelist-like form of access control, unauthorized and unknown access is shielded and rejected at the TCP connection establishment stage. Because the protected service is completely hidden from illegitimate users, brute-force style attacks (such as DDoS traffic floods), targeted attacks (such as advanced persistent threats, APT) and vulnerability exploitation (such as the Heartbleed vulnerability) are largely prevented, and the attack surface of the network is reduced by the SDP software defined boundary.
However, the conventional SDP software defined boundary architecture has several disadvantages:
1. The SDP gateway is a single point of failure: it is the single traffic entrance for all protected services, and its network processing performance is insufficient.
2. Because the SDP controller acts as the single-packet authorization authority, it must be exposed to the external network, where it is an easy target for attackers; a successful attack can crash the network or hijack control of the SDP controller.
3. The SDP gateway defends against illegal access or attacks from the external network, but cannot defend against illegal access or attacks between internal networks.
Disclosure of Invention
In order to overcome these technical defects, the invention provides a software defined boundary implementation method and system based on an SDN, in which no additional SDP gateway equipment is needed when the software defined boundary system is deployed, the single-point processing performance problem is solved, and security protection between internal networks becomes possible, preventing illegal access or attacks between internal networks.
In order to solve the problems, the invention is realized according to the following technical scheme:
a software defined boundary implementation method based on SDN comprises the following steps:
the SDN controller issues an SPA collection flow table to the SDN switch;
the SDN switch collects SPA authorization messages from a client according to the SPA collection flow table and sends the collected SPA authorization messages to the SDN controller; the SPA authorization message comprises an encryption certificate, client information and target service information;
the SDN controller judges the validity of the encryption certificate according to preset registration information and the target service information, and when the encryption certificate is judged to be valid, the SDN controller generates an authorization forwarding flow table according to the client information and the target service information;
and the SDN switch matches the received access message according to the authorization forwarding flow table, and forwards the access message to the target service specified by the target service information when the matching is successful.
As a further improvement of the method, the method also comprises the following steps:
registering network information of a protected service to the SDN controller to generate the registration information and the encryption certificate; the registration information includes credentials for decrypting the encrypted certificate.
As a further improvement of the method, the method also comprises the following steps: and the client acquires the encryption certificate and generates the SPA authorization message according to the encryption certificate and the target service information of the protected service to be accessed.
As a further improvement of the method, the SPA authorization message further includes encryption information corresponding to the encryption certificate.
As a further improvement of the method, the encryption information includes an encryption type, an encryption mode, signature data, and encryption authentication data.
As a further improvement of the method, before the step of generating the authorization forwarding flow table by the SDN controller, the method further includes the steps of: and the SDN controller issues a default interception flow table to the SDN switch according to the network information of the protected service, wherein the default interception flow table is set to discard an access message with a target address as the protected service.
As a further improvement of the method, the SDN switch matches the received access packet according to the authorized forwarding flow table, and discards the access packet according to the default interception flow table when the matching is unsuccessful.
As a further improvement of the method, the target service information includes IP address and port information of the target service.
As a further improvement of the method, the manner in which the client acquires the encryption certificate is offline acquisition.
The invention also discloses a software defined boundary implementation system based on the SDN, which comprises an SDN controller and an SDN switch, wherein the SDN controller and the SDN switch are used for executing the software defined boundary implementation method based on the SDN to implement the software defined boundary.
Compared with the prior art, the invention has the beneficial effects that:
the invention discloses a software defined boundary implementation method and a system based on an SDN, wherein the SDN controller replaces an SDP controller, the SDN switch replaces an SDP gateway, and a flow table method of the SDN network is used for implementing SPA single-packet authorization service logic.
Drawings
Fig. 1 is a schematic structural diagram of the conventional SDP architecture described in the background of the invention.
Fig. 2 is a schematic step diagram of a software defined boundary implementation method based on SDN in embodiment 1 of the present invention.
Fig. 3 is a system architecture and data flow diagram of the specific application described in embodiment 2 of the present invention.
Fig. 4 is a data transmission flow chart of the specific application scheme described in embodiment 2 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present invention, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance. In addition, the drawings in the present invention are only for illustrating the structure or function of the embodiments in the present invention, and the size, length, and ratio thereof are not particularly limited to the structure or function in the embodiments unless otherwise stated or noted.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the description of the present invention, it should be noted that the terms "upper", "lower", "inside", "outside", and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings or orientations or positional relationships conventionally put in use of products of the present invention, and are only for convenience of description and simplification of description, but do not indicate or imply that the devices or elements referred to must have specific orientations, be constructed in specific orientations, and be operated, and thus, should not be construed as limiting the present invention.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed" and "connected" are to be interpreted broadly, e.g., as being either fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1
As shown in fig. 2 and fig. 4, the embodiment discloses a software defined boundary implementation method based on SDN, which includes the steps of:
s1, registering the network information of the protected service to the SDN controller to generate registration information and an encryption certificate.
Specifically, the registration information includes a credential for decrypting the encryption certificate. The SDN controller can subsequently verify the validity of a received encryption certificate using the credentials in the registration information.
S2, the SDN controller issues a default interception flow table to the SDN switch according to the network information of the protected service.
Specifically, the default interception flow table is set to discard access packets whose destination address is the protected service. The purpose of this setup is that, once a protected service is registered with the SDN controller, the controller knows the service is protected and, for security, can use the default interception flow table to block every unauthorized client attempting to reach it, even before any client has sent an SPA authorization message.
S3, the client obtains the encryption certificate and generates the SPA authorization message according to the encryption certificate and the target service information of the protected service to be accessed.
Specifically, in this embodiment, the client acquires the encryption certificate offline. The conventional way of acquiring a certificate online would expose the SDN controller and make it an easy target for network attack; by obtaining the encryption certificate offline, the client reduces the probability of the SDN controller being attacked and so improves the security of the whole system.
Specifically, the SPA authorization message includes the encryption certificate, client information and target service information. The target service information is the network information of the protected service that the client wants to access; in this embodiment it includes the IP address and port information of the target service.
Specifically, in this embodiment, the SPA authorization message further includes encryption information corresponding to the encryption certificate, namely an encryption type, an encryption mode, signature data and encryption authentication data.
S4, the SDN controller issues the SPA collection flow table to the SDN switch.
S5, the SDN switch collects the SPA authorization message from the client according to the SPA collection flow table and sends the collected SPA authorization message to the SDN controller.
S6, the SDN controller judges the validity of the encryption certificate and, when the certificate is judged to be valid, generates an authorization forwarding flow table according to the client information and the target service information.
Specifically, the SDN controller checks the encryption certificate against the preset registration information and the target service information; optionally, the SDN controller decrypts the encryption certificate with the credentials in the registration information and judges the certificate to be valid when both decryption and verification succeed.
S7, the SDN switch matches received access packets against the authorization forwarding flow table and, when the match succeeds, forwards the packet to the target service specified by the target service information.
Specifically, in this embodiment, when the match against the authorization forwarding flow table fails, the SDN switch discards the access packet according to the default interception flow table.
This embodiment discloses a software defined boundary implementation method based on an SDN in which the SDN controller takes the place of the SDP controller and the SDN switch takes the place of the SDP gateway, so that the SPA single-packet authorization service logic is implemented through the flow tables of the SDN.
Example 2
As shown in fig. 3 and 4, this embodiment discloses a specific application scheme of the method, which corresponds to the SDN-based software defined boundary implementation method disclosed in embodiment 1.
Specifically, the application scheme comprises the following steps:
1. The administrator registers the user with the SDN controller and generates a certificate.
2. The client obtains the user certificate offline, so the SDN controller does not need to be exposed to the external network and is kept out of reach of attackers.
3. The client generates an SPA single-packet authorization message from the certificate and sends it to the protected service. The SPA message is a UDP packet whose destination IP is the IP address of the protected service; its payload includes the user name, a timestamp, the encryption type, the encryption mode, signature data, encryption authentication data, the source IP address (in case the client IP has been rewritten by NAT), and so on.
4. The SDN switch receives the SPA single-packet authorization message and, via the SPA single-packet authorization collection flow table, sends it to the SDN controller.
5. The SDN controller extracts the encryption certificate from the SPA message and checks its validity. If it is invalid, the message is discarded; if it is valid, the controller extracts the client IP address, target port and other information carried in the SPA message and generates an authorized forwarding flow table.
6. The SDN controller issues the authorized forwarding flow table to the SDN switch.
7. The client accesses the protected service.
8. The authorized forwarding flow table on the SDN switch matches the source IP address, target IP address and target port of the packet; on a hit, the packet is forwarded to the specified protected service.
9. If no match is found, the SDN switch discards the packet according to the default interception flow table, so that unauthorized clients cannot reach the protected service.
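The flow-table logic of steps S1 to S7 in embodiment 1 and the nine-step data flow of embodiment 2 above, as an added Python simulation written for this page. It is not the patent's code, and the patent fixes neither a wire format nor a cipher suite, so the following are assumptions made here for illustration: the switch is modelled as a priority-ordered flow table, the offline "encryption certificate" as a per-user HMAC key, the "signature data" as HMAC-SHA256 over the other SPA fields, and the SPA port, timestamp window, user name and addresses are constructed sample values.

```python
"""Simulation of the SDN-based software defined perimeter of embodiments 1 and 2:
default interception flow, SPA collection flow, controller-side SPA validation and
the authorised forwarding flow. Added example; not the patent's own code."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumptions (the patent fixes neither a wire format nor a cipher suite):
# the "encryption certificate" is a per-user secret handed out offline, the
# "signature data" is HMAC-SHA256 over the other SPA fields, and SPA messages
# are UDP datagrams sent to the protected service IP on SPA_PORT.
SPA_PORT = 62201     # assumed SPA port (fwknop's default, used only for illustration)
SPA_WINDOW = 30      # assumed freshness window for the SPA timestamp, in seconds


@dataclass
class Flow:
    priority: int
    match: dict      # OpenFlow-style match fields, e.g. {"nw_dst": "10.0.0.5"}
    action: str      # "drop", "controller" or "forward"


class SdnSwitch:
    """Flow table: the highest-priority flow whose match fields all agree wins."""
    def __init__(self):
        self.flows = []

    def add_flow(self, flow):
        self.flows.append(flow)
        self.flows.sort(key=lambda f: f.priority, reverse=True)

    def handle(self, pkt):
        for f in self.flows:
            if all(pkt.get(k) == v for k, v in f.match.items()):
                return f.action
        return "normal"   # traffic to unprotected hosts is switched as usual


def spa_signature(secret, fields):
    """Signature data: HMAC over the canonical JSON of every field except 'sig'."""
    body = json.dumps({k: v for k, v in sorted(fields.items()) if k != "sig"})
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def build_spa(user, secret, dst_ip, dst_port, now):
    """Client side (step S3): build the SPA payload from the offline certificate."""
    fields = {"user": user, "ts": now, "dst_ip": dst_ip, "dst_port": dst_port,
              "enc_type": "HMAC-SHA256"}
    fields["sig"] = spa_signature(secret, fields)
    return fields


class SdnController:
    def __init__(self, switch):
        self.switch = switch
        self.users = {}      # user -> secret, from the administrator's registration
        self.services = {}   # (ip, port) -> users allowed to reach it (assumed model)
        self.seen = set()    # replay cache of accepted (user, ts, sig)

    def register_user(self, user, secret):
        self.users[user] = secret

    def register_service(self, ip, port, allowed_users):
        self.services[(ip, port)] = set(allowed_users)
        # Step S2: the default interception flow drops everything aimed at the service...
        self.switch.add_flow(Flow(10, {"nw_dst": ip}, "drop"))
        # Step S4: ...except SPA datagrams, which the switch hands to the controller.
        self.switch.add_flow(Flow(20, {"nw_proto": "udp", "nw_dst": ip,
                                       "tp_dst": SPA_PORT}, "controller"))

    def handle_spa(self, pkt, now):
        """Step S6: validate the SPA payload; True if a forwarding flow was installed."""
        spa = pkt["payload"]
        user, ts = spa.get("user"), spa.get("ts")
        secret = self.users.get(user)
        key = (spa.get("dst_ip"), spa.get("dst_port"))
        if secret is None or user not in self.services.get(key, ()):
            return False                       # unknown user or service not registered
        if not isinstance(ts, int) or abs(now - ts) > SPA_WINDOW:
            return False                       # stale or malformed timestamp
        replay_id = (user, ts, spa.get("sig"))
        if replay_id in self.seen:
            return False                       # single-use: a replayed SPA is refused
        if not hmac.compare_digest(str(spa.get("sig")), spa_signature(secret, spa)):
            return False                       # forged or tampered signature data
        self.seen.add(replay_id)
        # Bind the flow to the source IP the switch actually saw (post-NAT), never
        # to an address claimed inside the payload.
        self.switch.add_flow(Flow(30, {"nw_src": pkt["nw_src"], "nw_dst": key[0],
                                       "tp_dst": key[1]}, "forward"))
        return True


def demo(now=1_700_000_000):
    """Replay the data flow of embodiment 2 on constructed sample data."""
    sw = SdnSwitch()
    ctl = SdnController(sw)
    ctl.register_user("alice", b"alice-offline-secret")
    ctl.register_service("10.0.0.5", 443, ["alice"])
    syn = {"nw_proto": "tcp", "nw_src": "192.0.2.10", "nw_dst": "10.0.0.5", "tp_dst": 443}
    out = {"before_spa": sw.handle(syn)}       # hits the default interception flow

    def send_spa(payload, src="192.0.2.10"):
        pkt = {"nw_proto": "udp", "nw_src": src, "nw_dst": "10.0.0.5",
               "tp_dst": SPA_PORT, "payload": payload}
        assert sw.handle(pkt) == "controller"  # diverted by the SPA collection flow
        return ctl.handle_spa(pkt, now)

    out["forged_accepted"] = send_spa(build_spa("alice", b"guess", "10.0.0.5", 443, now))
    good = build_spa("alice", b"alice-offline-secret", "10.0.0.5", 443, now)
    out["valid_accepted"] = send_spa(good)
    out["after_spa"] = sw.handle(syn)          # now hits the authorised forwarding flow
    out["replay_accepted"] = send_spa(good)    # the same SPA datagram sent a second time
    out["other_client"] = sw.handle(dict(syn, nw_src="192.0.2.99"))
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three flow priorities doing the work the patent assigns to them: the default interception flow (priority 10) drops the first SYN, the SPA collection flow (priority 20) diverts only the UDP SPA datagram to the controller, and the authorised forwarding flow (priority 30) exists only after a fresh, correctly signed, never-before-seen SPA; the forged SPA, the replayed SPA and a SYN from another client all still fall through to the drop. One point the patent leaves open and the example decides explicitly: the forwarding flow is keyed on the source address the switch observed rather than on one carried in the payload, so a client behind NAT is authorised under its translated address and a payload cannot open the service for a third party.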
Example 3
The present embodiment discloses a software defined boundary implementation system based on SDN, and the structure of the system may refer to fig. 3, and the system includes an SDN controller and an SDN switch, where the SDN controller controls a plurality of virtual machines in a service group through the SDN switch, and specifically, the SDN controller and the SDN switch in the present embodiment are configured to execute the software defined boundary implementation method based on SDN according to embodiment 1 to implement a software defined boundary. Specifically, the technical effect of the technical solution in this embodiment is similar to that in embodiment 1, and is not described herein again.
Those of ordinary skill in the art will appreciate that the various illustrative method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
While the preferred embodiments of the present invention have been illustrated and described in detail, it should be understood that modifications and variations can be effected by one skilled in the art in light of the above teachings without undue experimentation. Therefore, any technical solutions that can be obtained by a person skilled in the art through logical analysis, reasoning or limited experiments based on the prior art according to the present inventive concept should be within the scope of protection defined by the present claims.

Claims (10)

1. A software defined boundary implementation method based on SDN is characterized by comprising the following steps:
the SDN controller issues a single-packet authorization (SPA) collection flow table to the SDN switch;
the SDN switch collects SPA authorization messages from a client according to the SPA collection flow table and sends the collected SPA authorization messages to the SDN controller; the SPA authorization message comprises an encryption certificate, client information and target service information;
the SDN controller judges the validity of the encryption certificate according to preset registration information and the target service information, and when the encryption certificate is judged to be valid, the SDN controller generates an authorization forwarding flow table according to the client information and the target service information;
and the SDN switch matches the received access message according to the authorization forwarding flow table, and forwards the access message to the target service specified by the target service information when the matching is successful.
2. The SDN based software defined boundary implementation method of claim 1, further comprising the steps of:
registering network information of a protected service to the SDN controller to generate the registration information and the encryption certificate; the registration information includes credentials for decrypting the encrypted certificate.
3. The SDN based software defined boundary implementation method of claim 2, further comprising the steps of:
and the client acquires the encryption certificate and generates the unicast authorization SPA authorization message according to the encryption certificate and the target service information of the protected service to be accessed.
4. The SDN-based software defined boundary implementation method of claim 3, wherein the unicast authorized SPA authorization message further comprises encryption information corresponding to the encryption certificate.
5. The SDN-based software defined boundary implementation method of claim 4, wherein the encryption information comprises encryption type, encryption mode, signature data and encryption authentication data.
6. The SDN based software defined boundary implementation method of claim 2, further comprising, before the step of generating the authorization forwarding flow table by the SDN controller, the steps of:
and the SDN controller issues a default interception flow table to the SDN switch according to the network information of the protected service, wherein the default interception flow table is set to discard an access message with a target address as the protected service.
7. The SDN-based software-defined boundary implementation method of claim 6, wherein the SDN switch matches the received access packet according to the authorized forwarding flow table, and discards the access packet according to the default interception flow table when the matching is unsuccessful.
8. The SDN-based software defined boundary implementation method of claim 1, wherein the target service information comprises an IP address and port information of a target service.
9. The SDN-based software defined boundary implementation method of claim 3, wherein the client obtains the encryption certificate by offline acquisition.
10. An SDN-based software-defined boundary implementation system comprising an SDN controller and an SDN switch, the SDN controller and the SDN switch being configured to execute the SDN-based software-defined boundary implementation method according to any one of claims 1 to 9 to implement a software-defined boundary.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010362581.9A CN111586026B (en) 2020-04-30 2020-04-30 Software defined boundary implementation method and system based on SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010362581.9A CN111586026B (en) 2020-04-30 2020-04-30 Software defined boundary implementation method and system based on SDN

Publications (2)

Publication Number Publication Date
CN111586026A CN111586026A (en) 2020-08-25
CN111586026B true CN111586026B (en) 2021-01-29

Family

ID=72111917

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010362581.9A Active CN111586026B (en) 2020-04-30 2020-04-30 Software defined boundary implementation method and system based on SDN

Country Status (1)

Country Link
CN (1) CN111586026B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112202756A (en) * 2020-09-27 2021-01-08 中孚安全技术有限公司 Method and system for realizing network boundary access control based on SDN technology
CN114553430B (en) * 2022-01-21 2024-02-06 华北电力大学 SDP-based safety access system for power service terminal
CN114710544B (en) * 2022-03-23 2023-11-03 新华三信息安全技术有限公司 Channel establishment method and device
CN115225412B (en) * 2022-09-20 2023-01-03 国网江西省电力有限公司信息通信分公司 Cloud-edge access control system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102542418A (en) * 2012-01-05 2012-07-04 北京邮电大学 Cloud storage-based campus resource sharing method
CN104780052A (en) * 2015-04-27 2015-07-15 北京航空航天大学 Network device group authentication method in software-defined network
CN105338003A (en) * 2015-12-09 2016-02-17 中国电子科技集团公司第二十八研究所 Firewall implementation method applied to software defined networking
CN107070895A (en) * 2017-03-17 2017-08-18 中国科学院信息工程研究所 A kind of data flow source tracing method based on SDN

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103354525A (en) * 2013-06-08 2013-10-16 中国科学院计算机网络信息中心 System and method for realizing wide area network anycast load balancing based on OpenFlow
CN103401791B (en) * 2013-07-25 2016-12-28 杭州华三通信技术有限公司 The recognition methods of a kind of boundary port and equipment
CN103428031B (en) * 2013-08-05 2016-04-13 浙江大学 A kind of inter-domain link fast failure recovery method based on software defined network
US10863558B2 (en) * 2016-03-30 2020-12-08 Schweitzer Engineering Laboratories, Inc. Communication device for implementing trusted relationships in a software defined network

Also Published As

Publication number Publication date
CN111586026A (en) 2020-08-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant