CN112887265B - Access method for preventing unregistered terminal from being falsified into legal communication under NAT - Google Patents
- Publication number: CN112887265B (application CN202011622370.0A)
- Authority: CN (China)
- Prior art keywords: key, nat, terminal, check code, client
- Legal status: Active
Classifications
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
Abstract
The invention provides an admission method for preventing unregistered terminals from masquerading as legitimate communication under NAT, comprising the following steps. A client terminal under NAT, at start-up or periodically, requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and a key ID to the terminal. The client program uses the key to compute a check code over the IP address and service port of the service server, and the registered client's terminal carries the key ID and the generated check code in the data stream with which it accesses the service server. If the data stream is a NAT data stream and a key ID and check code are present, the admission system looks up the key content by key ID and computes the check code for the target IP and port with that key; otherwise it blocks the stream. If the check code in the data stream matches the computed check code, the stream is released; if not, it is blocked. The method solves the problem that devices accessing the network through NAT cannot be effectively discovered and detected when they masquerade as legitimate devices.
Description
[ Field of technology ]
The invention relates to the technical field of network security access control, and in particular to an admission method for preventing unregistered terminals from masquerading as legitimate communication under NAT.
[ Background art ]
NAT (Network Address Translation) is widely used, from operators to home networks, as a stop-gap for the exhaustion of IPv4 address resources. NAT greatly lowers the barrier to network access, but it also makes the network topology more complex and thus makes network operation and maintenance considerably harder. Networks that require admission control have a particular need: the private-network devices connected behind a NAT must be managed effectively, and an unregistered device behind the NAT must be prevented from masquerading as one of the legitimate devices behind the same NAT in order to reach the network. To address this, an admission control method for NAT-connected devices is needed that checks the legitimacy of each NAT-connected device's connections to the network.
[ Invention ]
The invention aims to overcome the shortcomings of the prior art by providing an admission method that prevents the terminal of an unregistered client from masquerading as legitimate communication under NAT, addressing the problem that the prior art cannot effectively discover and detect devices that access the network through NAT while masquerading as legitimate devices.
To achieve this, the invention provides an admission method for preventing an unregistered terminal from masquerading as legitimate communication under NAT, which comprises the following steps:
S1. A client terminal under NAT, at start-up or periodically, requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and a key ID to the terminal; then go to step S2.
S2. When the registered client's terminal initiates access to the service server, the client program uses the key to compute a check code over the service server's IP address and service port; then go to step S3.
S3. The registered client's terminal carries the key ID and the generated check code in the data stream with which it accesses the service server; then go to step S4.
S4. Determine whether the connection is a NAT data flow; if so, go to step S5.
S5. The admission system parses the intercepted NAT data stream and checks whether a key ID and a check code are present; if both are present, go to step S6, otherwise go to step S8.
S6. The admission system looks up the key content by key ID and uses the key to compute the check code over the target IP and port; then go to step S7.
S7. The admission system compares the check code in the data stream with the computed check code; if they match, the data stream is released; if not, go to step S8.
S8. The admission system blocks the current data flow.
Preferably, in step S1, before requesting a key from the admission system, it is first determined whether the client is in a NAT environment, as follows: after the registered client's terminal under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system decides whether the terminal is in a NAT environment by checking whether the received local IP matches the peer IP of the connection, and sends the result back to the client; if the terminal is in a NAT environment, the client requests a key from the admission system.
Preferably, a NAT list is also built when the result is sent back to the client.
Preferably, in step S1, the admission system generates a new key for the client's request and at the same time builds a key list, returns the key content and the key ID to the terminal, and repeats this process periodically so that the key is updated periodically; then go to step S2.
Preferably, in step S4, whether a connection is a NAT data stream is decided by checking whether its source IP is in the NAT list.
Preferably, in step S4, if the source IP is not a NAT data flow, it is checked whether the source IP is on the release list; if so, the flow is released, and if not, go to step S8.
The invention has the following beneficial effect: it uses a key shared by both sides to encrypt and decrypt the data flow between the client and the server, thereby effectively solving the problem that an illegal terminal among the NAT-connected devices masquerades as legitimate communication to evade admission control.
The features and advantages of the present invention will be described in detail by way of example with reference to the accompanying drawings.
[ Description of the drawings ]
Fig. 1 is a flow chart of an admission method for preventing unregistered terminals from being falsified as legitimate communications under NAT according to the present invention.
[ Detailed description of the invention ]
When a terminal in a NAT environment communicates with a service server, the data flow of the communication must allow the terminal of a registered client to be distinguished from the terminal of an unregistered client, so that an unregistered client's terminal cannot masquerade as legitimate communication and gain entry to the network. Referring to fig. 1, the admission method of the invention for preventing an unregistered client's terminal from masquerading as legitimate communication under NAT comprises the following steps:
S1. After the client terminal under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system decides whether the terminal is in a NAT environment by checking whether the received local IP matches the peer IP of the connection, sends the result back to the client, and at the same time builds a NAT list. If the client learns that it is in a Network Address Translation (NAT) environment, it requests a key from the admission system; the admission system generates a new key for the request, builds a key list at the same time, and returns the key content and the key ID to the terminal. This process is also repeated periodically so that the key is updated periodically; then go to step S2.
S2. When the registered client's terminal initiates access to the service server, the client program uses the key to compute a check code over the service server's IP address and service port; then go to step S3.
S3. The registered client's terminal carries the key ID and the generated check code in the data stream with which it accesses the service server; then go to step S4.
S4. For the connection, whether the source IP belongs to a NAT data flow is decided by checking whether the source IP is in the internal NAT list; if so, go to step S5. If not, check whether the source IP device is in the pool of legal devices; if so, release the flow, otherwise go to step S8.
S5. The admission system parses the intercepted NAT data stream and checks whether a key ID and a check code are present; if both are present, go to step S6, otherwise go to step S8.
S6. The admission system looks up the key content by key ID and uses the key to compute the check code over the target IP and port; then go to step S7.
S7. The admission system compares the check code in the data stream with the computed check code; if they match, the data stream is released; if not, go to step S8.
S8. The admission system blocks the current data flow.
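As an added illustration (not code from the patent or its applicant), the following Python models steps S1 to S8 above: the admission system's NAT list, key list and release list, the check code as a keyed hash over the target IP and port, and the release/block decision for several constructed flows, including the periodic key update. The patent does not name the check-code function, so HMAC-SHA256 is an assumption, as are all addresses and the `Flow` record layout.

```python
import hmac
import hashlib
import secrets
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Flow:
    """Constructed record of what the admission system parses from one data stream (S5)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    key_id: Optional[str] = None      # None when the stream carries no key ID
    check_code: Optional[str] = None  # None when the stream carries no check code

def check_code(key: bytes, dst_ip: str, dst_port: int) -> str:
    """Check code over the service server's IP and port (S2 client side, S6 admission side).
    The patent does not name the function; HMAC-SHA256 over packed IP || port is assumed."""
    msg = ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

@dataclass
class AdmissionSystem:
    nat_list: Set[str] = field(default_factory=set)           # public IPs seen behind NAT (S1)
    release_list: Set[str] = field(default_factory=set)       # legal non-NAT devices (S4)
    key_list: Dict[str, bytes] = field(default_factory=dict)  # key ID -> key content (S1)

    def register(self, local_ip: str, peer_ip: str) -> Optional[Tuple[str, bytes]]:
        """S1: the terminal reports its local IP over the secure channel; if it differs
        from the peer IP the admission system sees, the terminal is behind NAT, so the
        public IP joins the NAT list and a fresh key plus key ID is issued."""
        if local_ip == peer_ip:
            return None
        self.nat_list.add(peer_ip)
        return self.issue_key()

    def issue_key(self) -> Tuple[str, bytes]:
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.key_list[key_id] = key
        return key_id, key

    def rotate(self, old_key_id: str) -> Tuple[str, bytes]:
        """Periodic key update (claim 4): retiring the old ID means a captured
        key ID / check code pair stops verifying once the key has rotated."""
        self.key_list.pop(old_key_id, None)
        return self.issue_key()

    def decide(self, f: Flow) -> str:
        """Steps S4 to S8; returns 'release' or 'block'."""
        if f.src_ip not in self.nat_list:                          # S4
            return "release" if f.src_ip in self.release_list else "block"
        if f.key_id is None or f.check_code is None:                # S5
            return "block"
        key = self.key_list.get(f.key_id)                           # S6
        if key is None:
            return "block"
        expected = check_code(key, f.dst_ip, f.dst_port)
        # S7: constant-time comparison so timing does not leak the check code
        return "release" if hmac.compare_digest(expected, f.check_code) else "block"

def demo() -> Dict[str, str]:
    """Constructed scenario: a registered and an unregistered terminal share the NAT
    public address 203.0.113.5; the service server is 10.0.0.8:443."""
    adm = AdmissionSystem(release_list={"198.51.100.9"})
    key_id, key = adm.register(local_ip="192.168.1.20", peer_ip="203.0.113.5")
    srv, port = "10.0.0.8", 443
    good = Flow("203.0.113.5", srv, port, key_id, check_code(key, srv, port))  # S2/S3
    # A captured key ID / check code pair replayed on a stream to another server
    # fails S7, because the check code is bound to the target IP and port.
    replayed = Flow("203.0.113.5", "10.0.0.9", port, key_id, check_code(key, srv, port))
    bare = Flow("203.0.113.5", srv, port)  # NAT stream carrying no key ID / check code
    results = {"registered": adm.decide(good), "replayed_other_target": adm.decide(replayed),
               "bare": adm.decide(bare), "non_nat_on_release_list": adm.decide(Flow("198.51.100.9", srv, port)),
               "non_nat_unknown": adm.decide(Flow("198.51.100.77", srv, port))}
    adm.rotate(key_id)
    results["after_key_rotation"] = adm.decide(good)  # old key ID is no longer in the key list
    return results
```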
The above embodiments illustrate the invention and do not limit it; any simple modification of the invention falls within its scope.
Claims (6)
1. An admission method for preventing unregistered terminals from masquerading as legitimate communication under NAT, characterized in that the method comprises the following steps:
S1. A client terminal under NAT, at start-up or periodically, requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and a key ID to the terminal; then go to step S2;
S2. When the registered client's terminal initiates access to the service server, the client program uses the key to compute a check code over the service server's IP address and service port; then go to step S3;
S3. The registered client's terminal carries the key ID and the generated check code in the data stream with which it accesses the service server; then go to step S4;
S4. Determine whether the connection is a NAT data flow; if so, go to step S5;
S5. The admission system parses the intercepted NAT data stream and checks whether a key ID and a check code are present; if both are present, go to step S6, otherwise go to step S8;
S6. The admission system looks up the key content by key ID and uses the key to compute the check code over the target IP and port; then go to step S7;
S7. The admission system compares the check code in the data stream with the computed check code; if they match, the data stream is released; if not, go to step S8;
S8. The admission system blocks the current data flow.
2. The admission method for preventing an unregistered terminal from masquerading as legitimate communication under NAT according to claim 1, wherein in step S1, before requesting a key from the admission system, it is first determined whether the client is in a NAT environment, as follows: after the registered client's terminal under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system decides whether the terminal is in a NAT environment by checking whether the received local IP matches the peer IP of the connection, and sends the result back to the client; if the terminal is in a NAT environment, the client requests a key from the admission system.
3. The admission method for preventing unregistered terminals from masquerading as legitimate communication under NAT according to claim 2, wherein a NAT list is built at the same time as the result is sent back to the client.
4. The admission method for preventing an unregistered terminal from masquerading as legitimate communication under NAT according to claim 3, wherein in step S1 the admission system generates a new key for the client's request and at the same time builds a key list, returns the key content and the key ID to the terminal, repeats this process periodically so that the key is updated periodically, and then goes to step S2.
5. The admission method for preventing an unregistered terminal from masquerading as legitimate communication under NAT according to claim 3, wherein in step S4 whether the source IP belongs to a NAT data stream is decided by checking whether the source IP is in the NAT list.
6. The admission method for preventing an unregistered terminal from masquerading as legitimate communication under NAT according to claim 1, wherein in step S4, if the source IP does not belong to a NAT data flow, it is checked whether the source IP is in the release list; if so, the flow is released, and if not, go to step S8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011622370.0A CN112887265B (en) | 2020-12-31 | 2020-12-31 | Access method for preventing unregistered terminal from being falsified into legal communication under NAT |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112887265A CN112887265A (en) | 2021-06-01 |
CN112887265B true CN112887265B (en) | 2024-03-26 |
Family ID: 76046482
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011622370.0A Active CN112887265B (en) | 2020-12-31 | 2020-12-31 | Access method for preventing unregistered terminal from being falsified into legal communication under NAT |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112887265B (en) |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20010046990A (en) * | 1999-11-17 | 2001-06-15 | 김진찬 | A security method of Frame Relay Routers for Advanced Information Communication Processing System |
CN101127454A (en) * | 2006-08-18 | 2008-02-20 | 北京国智恒电力管理科技有限公司 | Power monitoring information security access device |
KR20080060010A (en) * | 2006-12-26 | 2008-07-01 | 주식회사 케이티 | System for controlling total access based on user terminal and method thereof |
WO2008082441A1 (en) * | 2006-12-29 | 2008-07-10 | Prodea Systems, Inc. | Display inserts, overlays, and graphical user interfaces for multimedia systems |
WO2014075485A1 (en) * | 2012-11-14 | 2014-05-22 | 中兴通讯股份有限公司 | Processing method for network address translation technology, nat device and bng device |
CN104580553A (en) * | 2015-02-03 | 2015-04-29 | 网神信息技术(北京)股份有限公司 | Identification method and device for network address translation device |
CN104717316A (en) * | 2015-04-03 | 2015-06-17 | 山东华软金盾软件有限公司 | Client access method and system in trans-NAT environment |
CN104796261A (en) * | 2015-04-16 | 2015-07-22 | 长安大学 | Secure access control system and method for network terminal nodes |
CN106788983A (en) * | 2017-03-01 | 2017-05-31 | 深圳市中博睿存信息技术有限公司 | A kind of communication data encryption method and device based on customer end/server mode |
CN107018134A (en) * | 2017-04-06 | 2017-08-04 | 北京中电普华信息技术有限公司 | A kind of distribution terminal secure accessing platform and its implementation |
CN107483461A (en) * | 2017-08-30 | 2017-12-15 | 北京奇安信科技有限公司 | Terminal admittance control method and device under a kind of NAT environment |
CN111917706A (en) * | 2020-05-21 | 2020-11-10 | 西安交大捷普网络科技有限公司 | Method for identifying NAT equipment and determining number of terminals behind NAT |
CN111970234A (en) * | 2020-06-30 | 2020-11-20 | 浙江远望信息股份有限公司 | Cookie-based evidence obtaining method for NAT private network access illegal external connection equipment |
Non-Patent Citations (2)
Title |
---|
"Internet access denial by higher-tier ISPs: A NAT-based solution"; A. Al-Baiz et al.; 2011 24th Canadian Conference on Electrical and Computer Engineering (CCECE); 2011-09-29; full text * |
"Monitoring scheme for illegal external connections based on intranet scanning and intranet detection"; Wang Qiong; Hu Jianjun; Information and Communication Technology; 2008-12-15 (06); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN112887265A (en) | 2021-06-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB03 | Change of inventor or designer information | Inventors after: Shao Senlong; Pang Zhuo; Zhao Yunong; Yang Ling; Shen Li. Inventors before: Shao Senlong; Meng Feifei; Fu Yuhao; Yang Ling |
| GR01 | Patent grant | |