CN115208555A - Gateway negotiation method, device and storage medium - Google Patents

Info

Publication number: CN115208555A
Authority: CN (China)
Prior art keywords: key, certificate, negotiation, gateway, vpn gateway
Legal status: Pending
Application number: CN202110315713.7A
Other languages: Chinese (zh)
Inventor: 张占龙
Current assignee: Alibaba Innovation Co
Original assignee: Alibaba Singapore Holdings Pte Ltd

Application filed by Alibaba Singapore Holdings Pte Ltd
Priority to CN202110315713.7A
Publication of CN115208555A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

Embodiments of this application provide a gateway negotiation method, device and storage medium. In the method, the client's keys for gateway negotiation are managed by a specified device. After the client asks the specified device to assign it a VPN gateway, the client sends the VPN gateway the key ID of the key required for gateway negotiation. Whenever the VPN gateway needs that key during negotiation, it accesses the key held by the specified device by way of the key ID. Because the specified device both allocates the VPN gateway and manages the key the negotiation requires, the VPN gateway can be scaled horizontally on the virtual resources the specified device provides, and the key's security rests on the specified device's management of it, so the VPN gateway's negotiation meets the specified security requirement while its dependence on hardware devices is reduced.

Description

Gateway negotiation method, device and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular to a gateway negotiation method, device and storage medium.
Background
In some scenarios, users of an industry cloud or a private cloud must meet a specified level of security protection under a particular security standard. When such a user uses a VPN (Virtual Private Network) gateway, that level of protection requires the VPN gateway to authenticate in a specified authentication mode during the negotiation stage.
At present, VPN gateway negotiation is implemented on hardware devices and scales poorly. A new solution is therefore needed.
Disclosure of Invention
Aspects of the present disclosure provide a gateway negotiation method, device and storage medium that reduce the dependence of a VPN gateway's negotiation operation on hardware devices.
An embodiment of the present application provides a gateway negotiation method, including: sending a gateway allocation request to a specified device so that the specified device allocates a VPN gateway to the client; and sending the VPN gateway the key ID of the key required for the client's gateway negotiation, so that when the VPN gateway negotiates with an opposite-end VPN gateway it accesses the required key by way of the key ID. The key required for gateway negotiation is managed by the specified device.
An embodiment of the present application further provides a gateway negotiation method, including: responding to a gateway allocation request sent by a client by allocating a VPN gateway to the client; receiving a message processing request that the VPN gateway sends according to a negotiation message to be processed and a key ID; and processing that negotiation message with the key corresponding to the key ID and returning the processed negotiation message to the VPN gateway.
An embodiment of the present application further provides a gateway negotiation method applicable to a VPN gateway, including: receiving a key ID sent by a client, where the key corresponding to the key ID is managed by a specified device; and, while negotiating with an opposite-end VPN gateway, sending the specified device the negotiation message to be processed together with the key ID and requesting that the message be processed with the key corresponding to that key ID.
An embodiment of the present application further provides an electronic device including a memory and a processor. The memory stores one or more computer instructions, and the processor executes them to perform the steps of the gateway negotiation method provided by the embodiments of this application.
Embodiments of the present application further provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the gateway negotiation method provided in the embodiments of this application.
Embodiments of the present application further provide a computer program product comprising a computer program or instructions which, when executed by a processor, cause the processor to implement the steps of the gateway negotiation method provided in the embodiments of this application.
In the gateway negotiation method provided by the embodiments of this application, a client's key for gateway negotiation is managed by a specified device. After the client asks the specified device to assign it a VPN gateway, the client may send the VPN gateway the key ID of the key required for gateway negotiation. When the VPN gateway needs that key during negotiation, it accesses the key managed by the specified device by way of the key ID. Since the specified device allocates the VPN gateway and also manages the key required for its negotiation, the VPN gateway can be scaled horizontally on the virtual resources the specified device provides, and the key's security is ensured by the specified device's management of it; the VPN gateway's negotiation therefore meets the specified security requirement and its dependence on hardware devices is reduced.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic structural diagram of a gateway negotiation system according to an exemplary embodiment of the present application;
fig. 2a is a schematic structural diagram of a gateway negotiation system according to another exemplary embodiment of the present application;
fig. 2b is a schematic structural diagram of a gateway negotiation system according to another exemplary embodiment of the present application;
fig. 3a is a schematic flowchart of a gateway negotiation method executed on a terminal device side according to an exemplary embodiment of the present application;
fig. 3b is a schematic flowchart of a gateway negotiation method executed on a terminal device side according to another exemplary embodiment of the present application;
fig. 4 is a schematic flowchart of a gateway negotiation method executed on a cloud server side according to an exemplary embodiment of the present application;
fig. 5a is a schematic flowchart of a gateway negotiation method executed on a certificate management component side on a cloud server according to an exemplary embodiment of the present application;
fig. 5b is a schematic flowchart of a gateway negotiation method executed on an identity authentication component side of a cloud server according to an exemplary embodiment of the present application;
fig. 6 is a schematic flowchart of a gateway negotiation method executed on a VPN gateway side according to an exemplary embodiment of the present application;
fig. 7 is a schematic structural diagram of a terminal device according to an exemplary embodiment of the present application;
fig. 8 is a schematic structural diagram of a server according to an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In some scenarios, users of an industry cloud or a private cloud must meet a specified level of security protection under a particular security standard. When such a user uses a VPN (Virtual Private Network) gateway, that level of protection must still be satisfied, and it requires the VPN gateway to authenticate in a specified authentication mode during the negotiation phase.
At present, the VPN gateway's negotiation and authentication are implemented on hardware devices, and the certificate and key used for negotiation are stored in that hardware, so scalability and portability are poor.
In view of this technical problem, some embodiments of the present application provide a solution, described below by way of example with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram and flow chart of a gateway negotiation system according to an exemplary embodiment of the present application. As shown in fig. 1, the gateway negotiation system 100 may include a client 10, a specified device (for example, the cloud server 20 illustrated in fig. 1), and an opposite-end VPN gateway 30.
The client may be implemented on a terminal device on the user side, such as a mobile phone, a computer, a tablet computer or a smart wearable device; this embodiment is not limited in that respect. The terminal device may run an application program or a browser that can access the specified device. The client may apply for or lease a user account on the specified device and, through that account, access the user-facing services the specified device provides.
The specified device may be implemented as any device capable of providing computing, networking and storage capabilities to other devices on the basis of hardware and software resources. In some embodiments it may be implemented as a server device such as a conventional server, a cloud host, a cloud server or a virtual center; this embodiment is not limited in that respect. A server device mainly comprises a processor, a hard disk, memory, a system bus and so on, similar to a general computer architecture, and is not described in detail.
In the following embodiments, the specified device is implemented as the cloud server 20 shown in fig. 1 by way of example. A cloud server is a remote server that, with the support of cloud computing technology, provides on-demand, metered information technology services. In this case the client's user may also be called an on-cloud user or on-cloud tenant.
In the gateway negotiation system 100, the client 10 is mainly used to send a gateway allocation request to the cloud server 20.
After receiving the gateway allocation request from the client 10, the cloud server 20 may allocate a VPN gateway to the client 10 from its own virtual resources; the VPN gateway is thus provided by the cloud server. Because it runs on the cloud server's virtual resources in a virtualized environment, the VPN gateway can be copied, expanded and deleted quickly without being constrained by hardware devices.
In this embodiment, the cloud server 20 is also configured to manage the key required for gateway negotiation on behalf of the client 10.
After learning which VPN gateway the cloud server 20 has allocated, the client 10 sends that VPN gateway the key ID of the key required for its gateway negotiation. When the VPN gateway then negotiates with the opposite-end VPN gateway 30, it can access the key required for gateway negotiation from the cloud server 20 by way of the key ID. The opposite-end VPN gateway 30 may be another VPN gateway on the cloud server or a VPN gateway in the user's offline network; this embodiment is not limited, depending on the application scenario.
During gateway negotiation, the cloud server 20 may receive a message processing request that the VPN gateway sends according to a negotiation message to be processed and a key ID, process that negotiation message with the key corresponding to the key ID, and return the processed negotiation message to the VPN gateway.
In some embodiments, the cloud server 20 may host various components with different functions, implemented in hardware, software or a combination of the two; this embodiment is not limited in that respect. For example, when the cloud server 20 is used for gateway negotiation it may include a certificate management component that manages the client's certificates, an identity authentication component that authenticates the client and allocates VPN gateways, a VPN gateway component that implements the VPN gateway function, and so on.
The certificate management component, the identity authentication component and the VPN gateway component may each be implemented on a virtual server, a cloud host or an elastic computing instance on the cloud server; this embodiment is not limited in that respect. For example, in some embodiments each of them may be implemented as an elastic computing instance (ECS) on the cloud server.
In the following embodiments, the certificate management component, the identity authentication component and the VPN gateway component are implemented as the certificate management system 201, the identity authentication system 202 and the VPN gateway 203 shown in fig. 1, respectively. In fig. 1, the VPN gateway 203 stands for the VPN gateway the cloud server 20 has allocated to the client 10.
In some optional embodiments, when the certificate management system 201 is deployed on the cloud server 20, the client 10 may obtain the certificate and key required for gateway negotiation before sending the gateway allocation request to the cloud server, and send them to the certificate management system 201 on the cloud server 20 for management. The certificate required for gateway negotiation usually contains a public key, a certificate name and the digital signature of a certificate authority; the key required for gateway negotiation is typically a private key.
The certificate management system 201 is mainly used to receive the certificate and key sent by the client 10, determine a certificate ID (identity) for the certificate and a key ID for the key, and return both IDs to the client 10.
The client 10 receives the certificate ID and key ID returned by the certificate management system 201 and may then send a gateway allocation request to the cloud server 20 according to the certificate ID.
In some alternative embodiments, when the identity authentication system 202 is deployed on the cloud server 20, the client 10 may send the gateway allocation request to the identity authentication system 202, which is the component on the cloud server 20 mainly responsible for assigning VPN gateways. After receiving the request, the identity authentication system 202 may determine the client's certificate ID carried in it, and then allocate a VPN gateway to the client 10 according to that certificate ID and the virtual resources and virtualization system on the cloud server 20.
In this embodiment, the VPN gateway the identity authentication system 202 allocates to the client 10 is one provided by the cloud server, such as the VPN gateway 203 shown in fig. 1. The identity authentication system 202 may then return an identifier of the VPN gateway 203 to the client 10. Generally, the identity authentication system 202 can obtain the certificate corresponding to the certificate ID from the certificate management system 201 and authorize the VPN gateway 203 to use it.
After receiving the identifier of the VPN gateway, the client 10 may send the key ID issued by the certificate management system 201 to the VPN gateway 203, which receives it. The key corresponding to the key ID is stored at the certificate management system 201, so the VPN gateway 203 uses the key ID to request access to that key from the certificate management system 201.
While the VPN gateway 203 negotiates with the opposite-end VPN gateway 30, it may send the certificate management system 201 the negotiation message to be processed together with the key ID and request that the message be processed with the key corresponding to that key ID.
The VPN gateway may be an IPsec (Internet Protocol Security) VPN gateway, that is, a gateway compliant with IPsec; this embodiment is not limited in that respect.
In this embodiment, the VPN gateway is deployed on the cloud server and the key required for its negotiation is managed by the certificate management system on the cloud server. On one hand, the VPN gateway can be scaled horizontally on the cloud server's virtual resources; on the other hand, the certificate management system safeguards the key, so the VPN gateway's negotiation meets the specified security requirement while its dependence on hardware devices is reduced.
In some alternative embodiments there may be multiple VPN gateways 203 (not illustrated here). When applying to use the cloud server's VPN gateways, the client 10 may specify how many to rent or purchase, and the identity authentication system 202 may allocate that number of VPN gateways to the client 10; this embodiment is not limited in that respect. The number of VPN gateways can therefore be expanded horizontally without being constrained by hardware.
In some alternative embodiments, communication between VPN gateways must meet a specified level of security protection under a particular security standard, which requires the VPN gateways to use "dual certificate" authentication during the negotiation phase. The dual certificate consists of a signature certificate and an encryption certificate.
To meet this requirement, optionally, the certificates the client 10 sends to the certificate management system 201 for safekeeping may include a signature certificate and an encryption certificate, and the keys it sends for safekeeping may include a signing key and an encryption key. The signature certificate contains the signature public key and the encryption certificate contains the encryption public key; the signing key means the signature private key and the encryption key means the encryption private key.
Accordingly, after receiving the signature certificate and the encryption certificate, the certificate management system 201 may generate a signature certificate ID and an encryption certificate ID, and after receiving the signing key and the encryption key it may generate a signing key ID and an encryption key ID.
The certificate management system 201 may then send the signature certificate ID, encryption certificate ID, signing key ID and encryption key ID to the client 10, so that the client 10 and other devices associated with it can access the corresponding certificate or key by ID.
The signing key may be generated by the client 10 or by the certificate management system 201 on the client's behalf.
In some alternative embodiments, the client 10 generates the signature public key and the signature private key itself. It may then send the certificate management system 201 a key management request carrying both keys. After receiving them, the certificate management system 201 may generate an ID for the signature private key, produce a certificate request file (CSR, certificate signing request) from that ID and the signature public key, and return the certificate request file to the client 10.
In other alternative embodiments, the certificate management system 201 generates the client's signing key. The client 10 sends a signing key generation request to the certificate management system 201, which generates the signature public key, the signature private key and the ID of the signature private key for the client 10 according to that request. From the signature public key and the ID of the signature private key, the certificate management system 201 may then generate a certificate request file and return it to the client 10.
The signature certificate, the encryption certificate and the encryption key can be generated by a certificate authority, as illustrated below.
The certificate authority (CA) may be one provided by the cloud computing platform hosting the cloud server 20, or a third-party CA; this embodiment is not limited in that respect.
After receiving the certificate request file, the client 10 may send a certificate request to the certificate authority 40 according to it, and receive the signature certificate, signing key, encryption certificate and encryption key issued by the certificate authority. The encryption key may be encrypted with the signature public key to protect it.
On this basis, when gateway negotiation uses the "dual certificate authentication" mode, the set of certificates the client 10 applies for may include an encryption certificate and a signature certificate. One certificate set may be distributed to multiple VPN gateways: each VPN gateway may load a certificate set, and multiple virtual gateways may load the same set. Each VPN gateway can establish IPsec links that meet the specified security level with several opposite-end VPN gateways, and different opposite-end VPN gateways may use certificates issued by different certificate authorities; this is not described repeatedly.
The foregoing embodiments described how, while negotiating with the VPN gateway 30, the VPN gateway 203 on the cloud server 20 may send the certificate management system 201 the negotiation message to be processed together with the key ID and request that the message be processed with the key corresponding to that key ID.
In some optional embodiments, the negotiation message to be processed is a negotiation message of the VPN gateway 203 that needs to be signed. When the VPN gateway 203 determines that the message to be processed needs signing, it may send the certificate management system a message signing request carrying the negotiation message to be signed and the ID of the signing key.
After receiving the message signing request, the certificate management system 201 may look up the signing key corresponding to that ID among the keys it manages, sign the negotiation message with it to obtain a signed message, and return the signed message to the VPN gateway 203. The VPN gateway 203 receives the signed message and sends it to the opposite-end VPN gateway 30 to carry on the negotiation.
In other optional embodiments, the negotiation message to be processed is a negotiation message the VPN gateway 203 has received and that needs to be decrypted.
When it receives such a negotiation message from the opposite-end VPN gateway 30, the VPN gateway 203 may send the certificate management system 201 a message decryption request carrying the negotiation message to be decrypted and the ID of the encryption key.
After receiving the message decryption request, the certificate management system 201 may look up the encryption key corresponding to that ID among the keys it manages, decrypt the negotiation message with it to obtain the decrypted negotiation message, and return the decrypted message to the VPN gateway 203. The VPN gateway 203 receives the decrypted negotiation message and uses it to carry on the gateway negotiation.
The negotiation between the VPN gateway 203 and the opposite-end VPN gateway 30 is further illustrated below with reference to the accompanying drawings.
To meet the specified level of security protection under the particular security standard, VPN gateway negotiation has two phases: a first phase in main mode and a second phase in quick mode. The first phase consists of six negotiation messages and must perform dual-certificate authentication.
In the first phase, in messages 1 and 2, the negotiation initiator sends one or more IKE (Internet Key Exchange) security proposals to the negotiation responder. The responder looks for a matching IKE security proposal and replies to the initiator with the one it found. Proposals match when both negotiating parties support the same encryption algorithm.
In messages 3 and 4, the initiator and the responder exchange data. The exchanged payload data includes a nonce, an identity (ID) and so on, where the nonce is a parameter used to derive further session keys and the identity identifies the initiator or the responder. The payload data is encrypted under a temporary key Sk, Sk itself is encrypted with the public key from the other party's encryption certificate, and each party digitally signs its own data.
In messages 5 and 6, the initiator and the responder authenticate the data exchanged in the preceding messages. The information carried in messages 5 and 6 is encrypted with a symmetric cipher, namely the one selected by the IKE proposal negotiated in messages 1 and 2.
Fig. 2 illustrates the negotiation process of VPN gateway 203 with correspondent VPN gateway 30.
When the VPN gateway 203 on the cloud server 20 acts as the negotiation initiator, it may send the 1st packet to the opposite-end VPN gateway 30, where the 1st packet includes a plurality of IKE security proposals. The opposite-end VPN gateway 30 may look up a matching IKE security proposal among the plurality of IKE security proposals according to the encryption algorithms it supports, and send the 2nd packet to the VPN gateway 203 based on the matched IKE security proposal.
Next, when the VPN gateway 203 is to send the 3rd packet to the opposite-end VPN gateway 30, it may encrypt the payload data to be sent with the public encryption key from the encryption certificate of the opposite-end VPN gateway 30, obtaining a negotiation packet to be signed. The VPN gateway 203 then transmits the ID of the signing key obtained from the client 10, together with the negotiation packet to be signed, to the certificate management system 201.
The certificate management system 201 determines the signing key corresponding to that ID among the signing keys it manages, and signs the negotiation packet to be signed with the determined signing key to obtain a signed packet. After the signed packet is returned to the VPN gateway 203, the VPN gateway 203 may send the 3rd packet to the opposite-end VPN gateway 30 based on the signed packet.
After receiving the 3rd packet, the opposite-end VPN gateway 30 may verify the signature in the 3rd packet with the public signature key from the signature certificate of the VPN gateway 203, and, once signature verification passes, decrypt the 3rd packet with its own private encryption key. Next, the opposite-end VPN gateway 30 may send the 4th packet to the VPN gateway 203. The payload data in the 4th packet is encrypted with the public encryption key from the encryption certificate of the VPN gateway 203 and signed with the private signature key of the opposite-end VPN gateway 30.
On receiving the 4th packet, the VPN gateway 203 may first verify its signature with the public signature key from the signature certificate of the opposite-end VPN gateway 30; once signature verification passes, it treats the 4th packet as a negotiation packet to be decrypted. Next, the VPN gateway 203 may transmit the ID of the encryption key obtained from the client 10, together with the negotiation packet to be decrypted, to the certificate management system 201.
The certificate management system 201 determines the encryption key corresponding to that ID among the encryption keys it manages, and decrypts the negotiation packet to be decrypted with the determined encryption key to obtain a decrypted negotiation packet. After the decrypted negotiation packet is returned to the VPN gateway 203, the VPN gateway 203 may carry out the subsequent negotiation steps based on it. For example, the VPN gateway 203 may send the 5th packet to the opposite-end VPN gateway 30 based on the decrypted packet and receive the 6th packet returned by the opposite-end VPN gateway 30, so as to authenticate the data transmitted in the 3rd and 4th packets; this is not described again.
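The 3rd/4th packet exchange above, together with the sign-by-key-ID and decrypt-by-key-ID requests of the method embodiments that follow, modelled as an added Python example (not code from the patent or its assignee): the gateway holds only key IDs, the certificate management system refuses a key request unless the gateway was allocated for that certificate and the certificate has not expired, and the gateway verifies the 4th packet's signature before asking for decryption. Class and function names and the sample IDs are assumptions; HMAC-SHA256 stands in for the signature private key and a SHA-256 counter-mode keystream stands in for the certificate encryption key, so the peer's "public-key" operations here use the same key material.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy symmetric stand-in for the certificate encryption key (not real crypto);
    # the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(enc_secret: bytes, payload: bytes) -> bytes:
    # Encrypt for the holder of enc_secret (a public-key operation in the patent).
    nonce = secrets.token_bytes(16)
    return nonce + _xor_keystream(enc_secret, nonce, payload)

def mac(sign_secret: bytes, blob: bytes) -> bytes:
    # HMAC stands in for signing with the private key / verifying with the public key.
    return hmac.new(sign_secret, blob, hashlib.sha256).digest()

@dataclass
class ManagedKey:
    secret: bytes      # stand-in for the private half of the certificate key pair
    cert_id: str       # certificate the key belongs to
    not_after: float   # certificate expiry, seconds since the epoch

class CertificateManagementSystem:
    # Stand-in for component 201: keeps the keys, hands out only key IDs, and records
    # which certificates each gateway was allocated for (the identity authentication
    # component's job in the patent, folded in here for brevity).
    def __init__(self) -> None:
        self._keys = {}            # key ID -> ManagedKey
        self._gateway_certs = {}   # gateway ID -> set of certificate IDs
    def import_key(self, secret: bytes, cert_id: str, not_after: float) -> str:
        key_id = "key-" + secrets.token_hex(4)   # only this ID goes back to the client
        self._keys[key_id] = ManagedKey(secret, cert_id, not_after)
        return key_id
    def allocate_gateway(self, gateway_id: str, cert_ids: set) -> None:
        self._gateway_certs[gateway_id] = cert_ids
    def _authorize(self, gateway_id: str, key_id: str, now: float) -> ManagedKey:
        mk = self._keys.get(key_id)
        if mk is None:
            raise PermissionError("unknown key ID")
        if mk.cert_id not in self._gateway_certs.get(gateway_id, set()):
            raise PermissionError("gateway was not allocated for this certificate")
        if now > mk.not_after:
            raise PermissionError("certificate expired; gateway access refused")
        return mk
    def sign(self, gateway_id: str, key_id: str, msg: bytes, now: float) -> bytes:
        # Message signing request: the signing key never leaves this system.
        return mac(self._authorize(gateway_id, key_id, now).secret, msg)
    def decrypt(self, gateway_id: str, key_id: str, blob: bytes, now: float) -> bytes:
        # Message decryption request; blob is 16-byte nonce || ciphertext.
        mk = self._authorize(gateway_id, key_id, now)
        return _xor_keystream(mk.secret, blob[:16], blob[16:])

class VpnGateway:
    # Cloud-side VPN gateway 203: holds key IDs only, never key material.
    def __init__(self, gateway_id, cms, sign_key_id, enc_key_id):
        self.gateway_id, self.cms = gateway_id, cms
        self.sign_key_id, self.enc_key_id = sign_key_id, enc_key_id
    def build_msg3(self, payload: bytes, peer_enc: bytes, now: float):
        blob = seal(peer_enc, payload)                      # encrypt for the peer
        return blob, self.cms.sign(self.gateway_id, self.sign_key_id, blob, now)
    def handle_msg4(self, blob: bytes, sig: bytes, peer_sign: bytes, now: float) -> bytes:
        if not hmac.compare_digest(sig, mac(peer_sign, blob)):   # verify before decrypting
            raise ValueError("message 4 signature verification failed")
        return self.cms.decrypt(self.gateway_id, self.enc_key_id, blob, now)

def run_exchange(now: float, allocated: bool = True) -> bytes:
    # Constructed scenario: client imports keys, gateway is allocated, packets 3 and 4 flow.
    cms = CertificateManagementSystem()
    sign_secret, enc_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    expiry = 1_700_000_000.0                                # constructed expiry time
    sign_id = cms.import_key(sign_secret, "cert-sign-A", expiry)
    enc_id = cms.import_key(enc_secret, "cert-enc-A", expiry)
    cms.allocate_gateway("gw-203", {"cert-sign-A", "cert-enc-A"} if allocated else {"cert-B"})
    gw = VpnGateway("gw-203", cms, sign_id, enc_id)
    peer_sign, peer_enc = secrets.token_bytes(32), secrets.token_bytes(32)   # gateway 30's keys
    blob3, sig3 = gw.build_msg3(b"nonce-I|ID-203", peer_enc, now)     # 3rd packet
    if not hmac.compare_digest(sig3, mac(sign_secret, blob3)):        # peer verifies it
        raise ValueError("message 3 signature verification failed")
    assert _xor_keystream(peer_enc, blob3[:16], blob3[16:]) == b"nonce-I|ID-203"
    blob4 = seal(enc_secret, b"nonce-R|ID-30")                        # 4th packet
    return gw.handle_msg4(blob4, mac(peer_sign, blob4), peer_sign, now)

def access_refused(now: float, allocated: bool = True) -> bool:
    # True when the certificate management system refuses to use the key.
    try:
        run_exchange(now, allocated)
    except PermissionError:
        return True
    return False
```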
In this embodiment, the virtualization system provided by the cloud server can be conveniently scaled out to create a plurality of VPN gateways, and VPN gateways on the cloud server can be quickly copied, scaled and deleted without being limited by hardware resources. Through the unified identity authentication system of the cloud server, a VPN gateway is guaranteed to access only the certificates it is authorized for; the encryption certificate, the signature certificate and the corresponding key pairs are managed by the certificate management system, so that the VPN gateway accesses the encryption certificate and the signature certificate legitimately and securely; and during VPN gateway negotiation, the signing key of the VPN gateway's signature certificate and the encryption key of its encryption certificate are not held locally on the VPN gateway on the cloud server but are managed by the certificate management system on the cloud server, so that the security of the certificates is guaranteed. In addition, the certificate management system can periodically check the validity of the client's certificate, control the VPN gateway's access according to the certificate's validity, and refuse access by the VPN gateway after the certificate expires.
In addition to the gateway negotiation system described in the foregoing embodiment, the embodiment of the present application further provides a gateway negotiation method, which will be exemplarily described below.
Fig. 3a is a flowchart illustrating a gateway negotiation method according to an exemplary embodiment of the present application, where the method, when executed on a client side, mainly includes:
Step 301a, sending a gateway allocation request to a specified device, so that the specified device allocates a VPN gateway to the client.
Step 302a, sending the key ID of the key required for gateway negotiation corresponding to the client to the VPN gateway, so that the VPN gateway accesses the key required for gateway negotiation according to the key ID when negotiating with an opposite-end VPN gateway; wherein the key required for gateway negotiation is managed by the specified device.
Further optionally, the specified device comprises: a cloud server; before sending the gateway allocation request to the specified device, the method further includes: acquiring the certificate and the key required for gateway negotiation; sending the certificate and the key to a certificate management component on the cloud server for management; and receiving the certificate ID of the certificate and the key ID of the key returned by the certificate management component; one way of sending the gateway allocation request to the specified device includes: sending the gateway allocation request to an identity authentication component on the cloud server according to the certificate ID, so that the identity authentication component allocates a VPN gateway adapted to the certificate ID to the client.
Further optionally, the certificate comprises: a signature certificate and an encryption certificate; the certificate ID, comprising: the ID of the signing certificate and the ID of the encryption certificate; the key, comprising: a signing key and an encryption key; the key ID, comprising: the ID of the signing key and the ID of the encryption key.
Further optionally, a way to obtain the certificates and keys needed for gateway negotiation comprises: sending a key management request to the certificate management component; receiving a certificate request file returned by the certificate management component according to the key management request; sending a certificate request to a certificate authority according to the certificate request file; and receiving a signature certificate, a signature key, an encryption certificate and an encryption key encrypted by using a signature public key, which are issued by the certificate authority center.
In this embodiment, the client's key required for gateway negotiation is managed by the specified device. After the client requests the specified device to allocate a VPN gateway, it may send the key ID of the key required for gateway negotiation to the VPN gateway. When the VPN gateway needs to use the key during gateway negotiation, it can access the key managed by the specified device according to the key ID. In this embodiment, the VPN gateway is allocated by the specified device and the key required for VPN gateway negotiation is managed by the specified device, so that, on one hand, horizontal scaling of the VPN gateway can be realized based on the virtual resources provided by the specified device, and on the other hand, the security of the key can be ensured by the specified device's management of the key, the negotiation operation of the VPN gateway can be ensured to meet the specified security requirement, and the dependence of the VPN gateway's negotiation operation on hardware devices is reduced.
Fig. 3b is a flowchart illustrating a gateway negotiation method according to an exemplary embodiment of the present application. In some embodiments, the designated apparatus for allocating VPN gateways is implemented as a cloud server having a certificate management component and an identity authentication component included thereon. When executed at the client side, the method mainly comprises the following steps:
Step 301b, acquiring the certificate and the key required by gateway negotiation.
Step 302b, sending the certificate and the key to a certificate management component on the cloud server for management.
Step 303b, receiving the certificate ID of the certificate and the key ID of the key returned by the certificate management component.
Step 304b, sending a gateway allocation request to an identity authentication component on the cloud server according to the certificate ID, so that the identity authentication component allocates a VPN gateway adapted to the certificate ID to the client.
Step 305, sending the key ID to the VPN gateway, so that the VPN gateway accesses the key managed by the certificate management component according to the key ID when negotiating with an opposite-end VPN gateway.
In this embodiment, the certificate and the key required for gateway negotiation, which are acquired by the client, are managed by the certificate management component of the cloud server, and the certificate management component may return the certificate ID and the key ID to the client. The client may request assignment of a VPN gateway to an authentication component on the cloud server based on the certificate ID and send a key ID to the VPN gateway. The VPN gateway can access the key managed by the certificate management component according to the key ID when the key needs to be used in the gateway negotiation process. In this embodiment, the VPN gateway is deployed on the cloud server, and the key required for VPN gateway negotiation is managed by the certificate management component on the cloud server, so that on one hand, the horizontal extension of the VPN gateway can be realized based on the virtual resources provided by the cloud server, and on the other hand, the security of the key can be ensured by the certificate management component, so that the negotiation operation of the VPN gateway meets the specified security requirement, and the dependence of the negotiation operation of the VPN gateway on hardware devices is reduced.
Fig. 4 is a flowchart of a gateway negotiation method according to another exemplary embodiment of the present application, where the method mainly includes, when executed on a designated device side for allocating a VPN gateway:
Step 401, responding to a gateway allocation request sent by a client, and allocating a VPN gateway to the client.
Step 402, receiving a message processing request sent by the VPN gateway according to the negotiation message to be processed and the key ID.
Step 403, processing the negotiation packet to be processed according to the key corresponding to the key ID, and returning the negotiation packet obtained by processing to the VPN gateway.
Further optionally, before allocating the VPN gateway to the client, the method further includes: receiving a certificate and a key which are sent by the client and are required by gateway negotiation; determining a certificate ID of the certificate and a key ID of the key; and returning the certificate ID and the key ID to the client so that the client sends the key ID to a VPN gateway matched with the certificate ID.
Further optionally, a manner of allocating a VPN gateway to the client may include: acquiring the certificate ID of the client carried by the gateway allocation request; and distributing VPN gateways for the client according to the certificate ID of the client.
Further optionally, the method further comprises: receiving a key management request sent by the client; generating a certificate request file corresponding to the client according to the key management request; and returning the certificate request file to the client so that the client requests a certificate authority to acquire an encryption certificate and an encryption key according to the certificate request file.
Further optionally, the certificate comprises: a signature certificate and an encryption certificate; the certificate ID, comprising: the ID of the signing certificate and the ID of the encryption certificate.
Further optionally, the message processing request is a message signing request, and the key ID includes: the ID of the signing key; a manner of processing the negotiation packet to be processed according to the key corresponding to the key ID and returning the resulting negotiation packet to the VPN gateway includes: signing the negotiation message to be processed with the signing key corresponding to the ID of the signing key to obtain a signed message; and returning the signed message to the VPN gateway so that the VPN gateway sends the signed message to an opposite-end VPN gateway for negotiation.
Further optionally, the message processing request is a message decryption request, and the key ID includes: the ID of the encryption key; a manner of processing the negotiation packet to be processed according to the key corresponding to the key ID and returning the resulting negotiation packet to the VPN gateway includes: decrypting the negotiation message to be processed with the encryption key corresponding to the ID of the encryption key to obtain a decrypted message; and returning the decrypted message to the VPN gateway for negotiation.
In this embodiment, the client's key required for gateway negotiation is managed by the specified device. After the client requests the specified device to allocate a VPN gateway, it may send the key ID of the key required for gateway negotiation to the VPN gateway. When the VPN gateway needs to use the key during gateway negotiation, it can access the key managed by the specified device according to the key ID. In this embodiment, the VPN gateway is allocated by the specified device and the key required for VPN gateway negotiation is managed by the specified device, so that, on one hand, horizontal scaling of the VPN gateway can be realized based on the virtual resources provided by the specified device, and on the other hand, the security of the key can be ensured by the specified device's management of the key, the negotiation operation of the VPN gateway can be ensured to meet the specified security requirement, and the dependence of the VPN gateway's negotiation operation on hardware devices is reduced.
Fig. 5a is a flowchart illustrating a gateway negotiation method according to another exemplary embodiment of the present application, where a specific device for allocating a VPN gateway is implemented as a cloud server, and the cloud server may include a certificate management component. When executed on the certificate management component side in the cloud server, the method mainly comprises the following steps:
Step 501a, receiving a certificate and a key required by gateway negotiation and sent by a client.
Step 502a, determining a certificate ID of the certificate and a key ID of the key.
Step 503a, returning the certificate ID and the key ID to the client, so that the client sends the key ID to the VPN gateway adapted to the certificate ID.
Step 504a, receiving a message processing request sent by the VPN gateway according to the negotiation message to be processed and the key ID.
Step 505a, according to the key corresponding to the key ID, processing the negotiation packet to be processed, and returning the negotiation packet obtained by the processing to the VPN gateway.
In this embodiment, the certificate and the key required for the gateway negotiation are managed by the certificate management system of the cloud server, and the certificate management system may return the certificate ID and the key ID to the client. The client may request assignment of a VPN gateway to an identity authentication system on the cloud server based on the certificate ID and send a key ID to the VPN gateway. When the VPN gateway needs to use the key in the gateway negotiation process, the VPN gateway can access the key managed by the certificate management system according to the key ID. In this embodiment, the VPN gateway is deployed on the cloud server, and the key required for VPN gateway negotiation is managed by the certificate management system on the cloud server, so that on one hand, the horizontal extension of the VPN gateway can be realized based on the virtual resources provided by the cloud server, and on the other hand, the security of the key can be ensured by the certificate management system, so that the negotiation operation of the VPN gateway meets the specified security requirement, and the dependence of the negotiation operation of the VPN gateway on hardware devices is reduced.
Fig. 5b is a flowchart illustrating a gateway negotiation method according to another exemplary embodiment of the present application, where a specific device for allocating a VPN gateway is implemented as a cloud server, and the cloud server may include an identity authentication component. When the method is executed on one side of an identity authentication component in a cloud server, the method mainly comprises the following steps:
Step 501b, receiving a gateway allocation request sent by a client, where the gateway allocation request carries a certificate ID of the client.
Step 502b, distributing VPN gateways to the clients according to the certificate IDs of the clients.
Step 503b, returning the identifier of the VPN gateway to the client.
Alternatively, when gateway negotiation is performed in "dual certificate authentication" mode, the client's set of certificates may include an encryption certificate and a signature certificate. One set of certificates may be distributed to multiple VPN gateways: each VPN gateway may load one set of certificates, and multiple virtual gateways may load the same set. Each VPN gateway can establish IPSec links meeting the designated security level with a plurality of opposite-end VPN gateways, and different opposite-end VPN gateways can use certificates issued by different certificate authorities; repeated description is omitted.
In this embodiment, the VPN gateway is deployed on the cloud server, and the identity authentication system may allocate the VPN gateway to the client based on the ID of the certificate of the client, and further, may implement horizontal extension of the VPN gateway based on the virtual resource provided by the cloud server, thereby reducing dependence on hardware devices.
Fig. 6 is a flowchart illustrating a gateway negotiation method according to another exemplary embodiment of the present application, where the method, when executed on the VPN gateway side, mainly includes:
Step 601, receiving a key ID sent by a client, wherein the key corresponding to the key ID is managed by a specified device.
Step 602, in the process of negotiating with the VPN gateway at the opposite end, according to the negotiation packet to be processed and the key ID, requesting the designated device to process the negotiation packet to be processed according to the key corresponding to the key ID.
Further optionally, the key ID includes: the ID of the signing key; the specified device includes: a cloud server; correspondingly, a manner of requesting the specified device, according to the negotiation packet to be processed and the key ID, to process the negotiation packet to be processed with the key corresponding to the key ID may include: when a negotiation message to be signed is determined, sending a message signing request to a certificate management component in the cloud server according to the negotiation message to be signed and the ID of the signing key; acquiring the signed message obtained by the certificate management component signing the negotiation message to be signed with the signing key; and sending the signed message to the opposite-end VPN gateway.
Further optionally, the key ID includes: the ID of the encryption key; the specified device includes: a cloud server; correspondingly, a manner of requesting the specified device, according to the negotiation packet to be processed and the key ID, to process the negotiation packet to be processed with the key corresponding to the key ID may include: when receiving a negotiation message to be decrypted sent by the opposite-end VPN gateway, sending a message decryption request to a certificate management component in the cloud server according to the negotiation message to be decrypted and the ID of the encryption key; and receiving the negotiation message obtained by the certificate management component decrypting the negotiation message to be decrypted with the encryption key.
In this embodiment, the certificate and the key required for gateway negotiation are managed by the certificate management component of the specified device, and when the VPN gateway needs to use the key in the gateway negotiation process, the VPN gateway can access the key managed by the certificate management component according to the key ID. In this embodiment, the VPN gateway is deployed on the specified device, and the key required for VPN gateway negotiation is managed by the certificate management component on the specified device, so that on one hand, the horizontal extension of the VPN gateway can be realized based on the virtual resource provided by the specified device, and on the other hand, the security of the key can be ensured based on the certificate management component of the specified device, so that the negotiation operation of the VPN gateway meets the specified security requirement, and the dependence of the negotiation operation of the VPN gateway on hardware devices is reduced.
It should be noted that, the executing subjects of the steps of the method provided in the foregoing embodiments may be the same device, or different devices may also be used as the executing subjects of the method. For example, the execution subject of steps 401 to 404 may be device a; for another example, the execution subject of steps 401 and 402 may be device a, and the execution subject of step 403 may be device B; and so on.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 401, 402, etc., are merely used to distinguish various operations, and the sequence numbers themselves do not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 7 illustrates a schematic structural diagram of a terminal device according to an exemplary embodiment of the present application. As shown in fig. 7, the server includes: memory 701, processor 702, and communications component 703.
A memory 701 for storing a computer program and may be configured to store other various data to support operations on the server. Examples of such data include instructions for any application or method operating on the server, contact data, phonebook data, messages, pictures, videos, and so forth.
The memory 701 may be implemented by any type or combination of volatile and non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 702, coupled to the memory 701, for executing the computer program in the memory 701 in order to: send a gateway allocation request to a specified device through a communication component 703, so that the specified device allocates a VPN gateway to a client; and send the key ID of the key required for gateway negotiation corresponding to the client to the VPN gateway, so that the VPN gateway accesses the key required for gateway negotiation according to the key ID when negotiating with an opposite-end VPN gateway; wherein the key required for gateway negotiation is managed by the specified device.
Further optionally, the specified device comprises: a cloud server; the processor 702, prior to sending the gateway allocation request to the specified device through the communication component 703, is further configured to: acquire the certificate and the key required for gateway negotiation; send the certificate and the key to a certificate management component on the cloud server for management; and receive the certificate ID of the certificate and the key ID of the key returned by the certificate management component; accordingly, when sending the gateway allocation request to the specified device through the communication component 703, the processor 702 is specifically configured to: send the gateway allocation request to an identity authentication component on the cloud server according to the certificate ID, so that the identity authentication component allocates a VPN gateway adapted to the certificate ID to the client.
Further optionally, the certificate comprises: a signature certificate and an encryption certificate; the certificate ID, comprising: the ID of the signing certificate and the ID of the encryption certificate; the key, comprising: a signing key and an encryption key; the key ID includes: the ID of the signing key and the ID of the encryption key.
Further optionally, when acquiring the certificate and the key required by the gateway negotiation, the processor 702 is specifically configured to: sending a key management request to the certificate management component; receiving a certificate request file returned by the certificate management component according to the key management request; sending a certificate request to a certificate authority according to the certificate request file; and receiving a signature certificate, a signature key, an encryption certificate and an encryption key encrypted by using a signature public key, which are issued by the certificate authority center.
Further, as shown in fig. 7, the client further includes: display component 704, audio component 705, power component 706, and the like. Only some of the components are schematically shown in fig. 7, and it is not meant that the server includes only the components shown in fig. 7.
Display assembly 704 includes, among other things, a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The audio component 705 may be configured to output and/or input audio signals, among other things. For example, the audio component includes a Microphone (MIC) configured to receive an external audio signal when the device in which the audio component is located is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in a memory or transmitted via a communication component. In some embodiments, the audio assembly further comprises a speaker for outputting audio signals.
In this embodiment, the certificate and the key that are acquired by the client and are needed for gateway negotiation are managed by the certificate management system of the specified device, and the certificate management system may return the certificate ID and the key ID to the client. The client may request assignment of a VPN gateway to the authentication system on the specified device based on the certificate ID and send a key ID to the VPN gateway. The VPN gateway can access the key managed by the certificate management system according to the key ID when the key needs to be used in the gateway negotiation process. In this embodiment, the VPN gateway is deployed on the specified device, and the key required for VPN gateway negotiation is managed by the specified device certificate management system, so that on one hand, the horizontal extension of the VPN gateway can be realized based on the virtual resource provided by the specified device, and on the other hand, the security of the key can be ensured based on the specified device certificate management system, so that the negotiation operation of the VPN gateway meets the specified security requirement, and the dependence of the VPN gateway negotiation operation on hardware devices is reduced.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program can implement the steps that can be executed by the terminal device in the foregoing method embodiments when executed.
Accordingly, embodiments of the present application also provide a computer program product comprising a computer program/instructions, wherein the computer program, when executed by a processor, causes the processor to implement the steps in the method that can be performed by the terminal device.
Fig. 8 illustrates a schematic structural diagram of a server according to an exemplary embodiment of the present application. As shown in fig. 8, the server includes: memory 801, processor 802, and communications component 803.
In some embodiments, the server may be implemented as a virtual server on a cloud platform, a cloud host, or a cloud server (e.g., an elastic compute instance (ECS)), and the like, which is not limited in this embodiment.
A memory 801 for storing computer programs and may be configured to store other various data to support operations on the server. Examples of such data include instructions for any application or method operating on the server, contact data, phonebook data, messages, pictures, videos, and so forth.
The memory 801 may be implemented by any type or combination of volatile and non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 802, coupled to the memory 801, for executing computer programs in the memory 801 for: responding to a gateway allocation request sent by a client, and allocating a VPN gateway for the client; receiving a message processing request sent by the VPN gateway according to the negotiation message to be processed and the key ID through a communication component 803; and processing the negotiation message to be processed according to the key corresponding to the key ID, and returning the negotiation message obtained by processing to the VPN gateway.
Further optionally, the processor 802, prior to assigning the VPN gateway to the client, is further configured to: receiving, by the communication component 803, a certificate and a key required for gateway negotiation sent by the client; determining a certificate ID of the certificate and a key ID of the key; and returning the certificate ID and the key ID to the client so that the client sends the key ID to a VPN gateway matched with the certificate ID.
Further optionally, when allocating a VPN gateway to the client, the processor 802 is specifically configured to: obtaining the certificate ID of the client carried by the gateway allocation request through a communication component 803; and distributing VPN gateways to the client according to the certificate ID of the client.
Further optionally, the processor 802 is further configured to: receiving a key management request sent by a client; generating a certificate request file corresponding to the client according to the key management request; and returning the certificate request file to the client so that the client requests a certificate authority to acquire an encryption certificate and an encryption key according to the certificate request file.
Further optionally, the certificate comprises: a signature certificate and an encryption certificate; the certificate ID includes: the ID of the signing certificate and the ID of the encryption certificate.
Further optionally, the message processing request is a message signing request, and the key ID includes: ID of the signing key; the processor 802 is specifically configured to, when processing the negotiation packet to be processed according to the key corresponding to the key ID and returning the negotiation packet obtained by the processing to the VPN gateway: signing the negotiation message to be processed by adopting a signature key corresponding to the ID of the signature key to obtain a signature message; and returning the signature message to the VPN gateway so that the VPN gateway sends the signature message to an opposite-end VPN gateway for negotiation.
Further optionally, the message processing request is a message decryption request, and the key ID of the key includes: an ID of the encryption key; the processor 802 is specifically configured to, when processing the negotiation packet to be processed according to the key corresponding to the key ID and returning the negotiation packet obtained by the processing to the VPN gateway: decrypting the negotiation message to be processed according to the encryption key corresponding to the ID of the encryption key to obtain a decrypted message; and returning the decrypted message to the VPN gateway for negotiation.
In some embodiments, the server illustrated in fig. 8 is also used to implement a VPN gateway. When used to implement a VPN gateway, the processor 802 is configured with instructions or code to: receiving the key ID sent by the client through the communication component 803; the key corresponding to the key ID is managed by the server; and in the process of negotiating with the opposite-end VPN gateway, requesting the server to process the negotiation message to be processed according to the key corresponding to the key ID according to the negotiation message to be processed and the key ID.
Further optionally, the key ID includes: ID of the signing key; when the processor 802 requests the server to process the negotiation packet to be processed according to the key corresponding to the key ID and according to the negotiation packet to be processed and the key ID, the processor is specifically configured to: when a negotiation message to be signed is determined, sending a message signing request to a certificate management component in the server according to the negotiation message to be signed and the ID of the signing key; acquiring a signature message obtained by the certificate management component signing the negotiation message to be signed according to the signature key; and sending the signature message to the opposite-end VPN gateway.
Further optionally, the key ID includes: an ID of the encryption key; when the processor 802 requests the server to process the negotiation packet to be processed according to the key ID of the key and the negotiation packet to be processed, the processor is specifically configured to: when receiving a negotiation message to be decrypted sent by the opposite-end VPN gateway, sending a message decryption request to a certificate management component in the server according to the negotiation message to be decrypted and the ID of the encryption key; and receiving a negotiation message obtained by the certificate management component decrypting the negotiation message to be decrypted according to the encryption key.
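The paragraphs above describe the same key-ID indirection from two sides: the server's certificate management component receives a message signing request or a message decryption request carrying a key ID, applies the corresponding key, and returns the result, while the VPN gateway only ever holds the key IDs. The following Go sketch is an added example, not code from the patent or from Alibaba, and everything in it is an assumption: the names CertManager and Gateway, the key-ID scheme (truncated SHA-256 of the DER-encoded public key), the choice of ECDSA P-256 for the signing key and RSA-2048 OAEP for the encryption key, and the constructed negotiation payload. It does not implement IKE; it shows the split of responsibilities and the refusal of an unknown key ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// CertManager stands in for the server-side certificate management component:
// the only place private keys live, addressed by key ID. Algorithm choice is an
// assumption of this example (ECDSA P-256 signing, RSA-2048 OAEP encryption).
type CertManager struct {
	signKeys map[string]*ecdsa.PrivateKey
	encKeys  map[string]*rsa.PrivateKey
}

func NewCertManager() *CertManager {
	return &CertManager{map[string]*ecdsa.PrivateKey{}, map[string]*rsa.PrivateKey{}}
}

// keyID is an assumed scheme: truncated SHA-256 over the DER public key, so the
// ID carries no secret and can be handed to the gateway freely.
func keyID(pub interface{}) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for the key types used here
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// Register stores the client's keys and returns the IDs that the client forwards
// to its VPN gateway in place of the keys themselves.
func (m *CertManager) Register(sk *ecdsa.PrivateKey, ek *rsa.PrivateKey) (signID, encID string) {
	signID, encID = keyID(&sk.PublicKey), keyID(&ek.PublicKey)
	m.signKeys[signID], m.encKeys[encID] = sk, ek
	return signID, encID
}

// Sign serves a message signing request (ECDSA over SHA-256 of the message).
// An unknown ID is refused, never guessed.
func (m *CertManager) Sign(signID string, msg []byte) ([]byte, error) {
	sk, ok := m.signKeys[signID]
	if !ok {
		return nil, errors.New("unknown signing key ID")
	}
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, sk, digest[:])
}

// Decrypt serves a message decryption request with the encryption key.
func (m *CertManager) Decrypt(encID string, ct []byte) ([]byte, error) {
	ek, ok := m.encKeys[encID]
	if !ok {
		return nil, errors.New("unknown encryption key ID")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, ek, ct, nil)
}

// Gateway is the VPN gateway: key IDs and a manager handle, no private keys.
type Gateway struct {
	signID, encID string
	km            *CertManager
}
func (g *Gateway) SignNegotiation(msg []byte) ([]byte, error) { return g.km.Sign(g.signID, msg) }
func (g *Gateway) DecryptNegotiation(ct []byte) ([]byte, error) { return g.km.Decrypt(g.encID, ct) }

// Demo runs the flow on freshly generated (constructed) keys: register, gateway
// signs and the peer verifies, peer encrypts and the gateway decrypts.
func Demo() (sigValid bool, recovered string, err error) {
	sk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ek, _ := rsa.GenerateKey(rand.Reader, 2048)
	km := NewCertManager()
	signID, encID := km.Register(sk, ek)
	gw := &Gateway{signID: signID, encID: encID, km: km}
	// Outbound: signed through the key ID, verified by the peer with the public key.
	payload := []byte("constructed IKE-style AUTH payload")
	sig, err := gw.SignNegotiation(payload)
	if err != nil {
		return false, "", err
	}
	digest := sha256.Sum256(payload)
	sigValid = ecdsa.VerifyASN1(&sk.PublicKey, digest[:], sig)
	// Inbound: the peer encrypts to the public key; plaintext is recovered only via the manager.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ek.PublicKey, []byte("peer nonce"), nil)
	if err != nil {
		return false, "", err
	}
	pt, err := gw.DecryptNegotiation(ct)
	return sigValid, string(pt), err
}

func main() {
	ok, pt, err := Demo()
	fmt.Println("signature valid:", ok, "decrypted:", pt, "err:", err)
}
```

The point a reviewer would check is in the Gateway type: it carries nothing but IDs and a handle, so the host running the gateway can be scaled out or rebuilt without ever holding a private key, which is the property the description attributes to managing keys in the server's certificate management system. In a real deployment the manager call would be a network request to the certificate management component, which should additionally verify that the calling gateway is the one the certificate ID was matched to before serving a request for that key ID.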
Further, as shown in fig. 8, the server further includes: power supply components 804, and the like. Only some of the components are schematically shown in fig. 8, and the server is not meant to include only the components shown in fig. 8.
In this embodiment, the certificate and the key required by the gateway negotiation are managed by the certificate management system of the server, and the VPN gateway accesses the key managed by the certificate management system according to the key ID whenever the key is needed during gateway negotiation. Because the VPN gateway is deployed on the server and the key required for the negotiation is managed by the certificate management system on the server, horizontal scaling of the VPN gateway can be achieved on the virtual resources provided by the server, while the certificate management system of the server ensures the security of the key, ensures that the negotiation operation of the VPN gateway meets the specified security requirement, and reduces the dependence of the negotiation operation of the VPN gateway on hardware devices.
Accordingly, the present application further provides a computer readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be executed by the server in the foregoing method embodiments when executed.
Accordingly, embodiments of the present application also provide a computer program product comprising a computer program/instructions, wherein the computer program, when executed by a processor, causes the processor to implement the steps in the method that can be performed by the server.
In fig. 7 and 8, the communication component is configured to facilitate communication, in a wired or wireless manner, between the device in which the communication component is located and other devices. The device in which the communication component is located may access a wireless network based on a communication standard such as WiFi, 2G, 3G, 4G, or 5G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component may be implemented based on Near Field Communication (NFC) technology, Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In fig. 7 and 8, the power supply unit supplies power to various components of the device in which the power supply unit is installed. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (18)

1. A gateway negotiation method, comprising:
sending a gateway allocation request to a specified device so that the specified device allocates a VPN gateway to a client;
sending a key ID of a key required by gateway negotiation corresponding to the client to the VPN gateway so that the VPN gateway accesses the key required by the gateway negotiation according to the key ID when negotiating with an opposite-end VPN gateway;
wherein, the gateway negotiates the required key, which is managed by the specified device.
2. The method of claim 1, wherein the specified device comprises: a cloud server; and before sending the gateway allocation request to the specified device, the method further comprises:
acquiring a certificate and a key required by gateway negotiation;
sending the certificate and the key to a certificate management component on the cloud server for management;
receiving the certificate ID of the certificate and the key ID of the key returned by the certificate management component;
wherein sending the gateway allocation request to the specified device comprises:
and sending a gateway allocation request to an identity authentication component on the cloud server according to the certificate ID so that the identity authentication component allocates a VPN gateway adapted to the certificate ID to the client.
3. The method of claim 2, wherein the certificate comprises: a signature certificate and an encryption certificate; the certificate ID, comprising: an ID of the signing certificate and an ID of the encryption certificate;
the key, comprising: a signing key and an encryption key; the key ID, comprising: the ID of the signing key and the ID of the encryption key.
4. The method of claim 2, wherein obtaining the certificate and the key required for gateway negotiation comprises:
sending a key management request to the certificate management component;
receiving a certificate request file returned by the certificate management component according to the key management request;
sending a certificate request to a certificate authority according to the certificate request file;
and receiving a signature certificate, a signature key, an encryption certificate and an encryption key encrypted by using a signature public key, which are issued by the certificate authority center.
5. A gateway negotiation method, comprising:
responding to a gateway allocation request sent by a client, and allocating a VPN gateway for the client;
receiving a message processing request sent by the VPN gateway according to a negotiation message to be processed and a key ID;
and processing the negotiation message to be processed according to the key corresponding to the key ID, and returning the negotiation message obtained by processing to the VPN gateway.
6. The method of claim 5, wherein prior to assigning the VPN gateway to the client, further comprising:
receiving a certificate and a key which are sent by the client and are required by gateway negotiation;
determining a certificate ID of the certificate and a key ID of the key;
and returning the certificate ID and the key ID to the client so that the client sends the key ID to a VPN gateway matched with the certificate ID.
7. The method of claim 6, wherein assigning a VPN gateway to the client comprises:
acquiring the certificate ID of the client carried by the gateway allocation request;
and distributing VPN gateways to the client according to the certificate ID of the client.
8. The method of claim 6, further comprising:
receiving a key management request sent by a client;
generating a certificate request file corresponding to the client according to the key management request;
and returning the certificate request file to the client so that the client requests a certificate authority to acquire an encryption certificate and an encryption key according to the certificate request file.
9. The method of claim 6, wherein the certificate comprises: a signature certificate and an encryption certificate; the certificate ID, comprising: the ID of the signing certificate and the ID of the encryption certificate.
10. The method of claim 5, wherein the message processing request is a message signing request, and wherein the key ID comprises: ID of the signing key;
processing the negotiation message to be processed according to the key corresponding to the key ID, and returning the negotiation message obtained by processing to the VPN gateway, wherein the processing comprises the following steps:
signing the negotiation message to be processed by adopting a signature key corresponding to the ID of the signature key to obtain a signature message;
and returning the signature message to the VPN gateway so that the VPN gateway sends the signature message to an opposite-end VPN gateway for negotiation.
11. The method of claim 5, wherein the message processing request is a message decryption request, and wherein the key ID of the key comprises: an ID of the encryption key;
processing the negotiation message to be processed according to the key corresponding to the key ID, and returning the negotiation message obtained by processing to the VPN gateway, including:
decrypting the negotiation message to be processed according to the encryption key corresponding to the ID of the encryption key to obtain a decrypted message;
and returning the decrypted message to the VPN gateway for negotiation.
12. A gateway negotiation method, applicable to a VPN gateway, characterized by comprising:
receiving a key ID sent by a client, wherein the key corresponding to the key ID is managed by a specified device;
and in the process of negotiating with an opposite-end VPN gateway, according to a negotiation message to be processed and the key ID, requesting the specified device to process the negotiation message to be processed according to the key corresponding to the key ID.
13. The method of claim 12, wherein the key ID comprises: an ID of the signing key; the specified device comprises: a cloud server;
and requesting, according to the negotiation message to be processed and the key ID, the specified device to process the negotiation message to be processed according to the key corresponding to the key ID comprises:
when a negotiation message to be signed is determined, sending a message signing request to a certificate management component in a cloud server according to the negotiation message to be signed and the ID of the signing key;
acquiring a signature message obtained by the certificate management component signing the negotiation message to be signed according to the signature key;
and sending the signature message to the opposite-end VPN gateway.
14. The method of claim 12, wherein the key ID comprises: an ID of the encryption key; the specified device comprises: a cloud server;
and requesting, according to the negotiation message to be processed and the key ID, the specified device to process the negotiation message to be processed according to the key corresponding to the key ID comprises:
when receiving a negotiation message to be decrypted sent by the opposite-end VPN gateway, sending a message decryption request to a certificate management component in a cloud server according to the negotiation message to be decrypted and the ID of the encryption key;
and receiving a negotiation message obtained by the certificate management component decrypting the negotiation message to be decrypted according to the encryption key.
15. A terminal device, comprising: a memory, a processor, and a communications component;
the memory is to store one or more computer instructions;
the processor is to execute the one or more computer instructions to: performing, by the communication component, the steps in the method of any one of claims 1-4.
16. A server, comprising: a memory, a processor, and a communications component;
the memory is to store one or more computer instructions;
the processor is to execute the one or more computer instructions to: performing the steps in the method of any of claims 5-14 by the communication component.
17. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, is capable of performing the steps of the method of any one of claims 1-4 or 5-14.
18. A computer program product comprising computer programs/instructions, characterized in that the computer programs, when executed by a processor, cause the processor to carry out the steps of the method according to any one of claims 1-4 or 5-14.
CN202110315713.7A 2021-03-24 2021-03-24 Gateway negotiation method, device and storage medium Pending CN115208555A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110315713.7A CN115208555A (en) 2021-03-24 2021-03-24 Gateway negotiation method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110315713.7A CN115208555A (en) 2021-03-24 2021-03-24 Gateway negotiation method, device and storage medium

Publications (1)

Publication Number Publication Date
CN115208555A true CN115208555A (en) 2022-10-18

Family

ID=83571621

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110315713.7A Pending CN115208555A (en) 2021-03-24 2021-03-24 Gateway negotiation method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115208555A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117061115A (en) * 2023-10-11 2023-11-14 腾讯科技(深圳)有限公司 Key negotiation method, key negotiation apparatus, computer device, and computer-readable storage medium
CN117061115B (en) * 2023-10-11 2024-02-02 腾讯科技(深圳)有限公司 Key negotiation method, key negotiation apparatus, computer device, and computer-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240318

Address after: # 03-06, Lai Zan Da Building 1, 51 Belarusian Road, Singapore

Applicant after: Alibaba Innovation Co.

Country or region after: Singapore

Address before: Room 01, 45th Floor, AXA Building, 8 Shanton Road, Singapore

Applicant before: Alibaba Singapore Holdings Ltd.

Country or region before: Singapore