CN117375932A - Single-package authentication method and device for old system, electronic equipment and storage medium - Google Patents


Publication number
CN117375932A
Authority
CN
China
Prior art keywords
old system
message
spa
authentication result
authentication
Legal status
Pending
Application number
CN202311354264.2A
Other languages
Chinese (zh)
Inventor
朱正路
Current Assignee
Beijing Coconet Information Technology Co ltd
Original Assignee
Beijing Coconet Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The embodiment of the application discloses a single-package authentication method and device of an old system, electronic equipment and a storage medium. When the method is executed, firstly, an SPA message sent by an old system is received, wherein the SPA message comprises a message header; then determining the type of the SPA message according to the message header of the SPA message; then analyzing the SPA message to obtain the identity information of the old system; authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system; and finally, sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result. After determining the type of the SPA message according to the message header of the SPA message, authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system, thereby obtaining the authentication result corresponding to the old system, solving the problem that the old Windows XP system cannot be authenticated by using a virtual private network protocol (VPN) or Fwknop authorization mode in the prior art, and improving the network security.

Description

Single-package authentication method and device for old system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and apparatus for authenticating a single packet of an old system, an electronic device, and a storage medium.
Background
Currently, a virtual private network (VPN) protocol such as WireGuard, or the Fwknop authorization mode, is typically used to authenticate a system or device terminal.
However, an old Windows XP system or some embedded systems cannot support the authorization mode of a virtual private network protocol (VPN) or of Fwknop, so when such old systems access server resources the gateway cannot identify and authenticate them; the server is then exposed to attack and network security is poor.
Therefore, in order to improve network security, a method of authenticating an old system is urgently needed.
Disclosure of Invention
In view of the above, the present application provides a single-packet authentication method, apparatus, electronic device and storage medium for an old system, which are used for authenticating the old system and improving network security.
In a first aspect, the present application provides a method for single-packet authentication of an old system, the method comprising:
receiving an SPA message sent by an old system, wherein the SPA message comprises a message header;
determining the type of the SPA message according to the message header of the SPA message;
analyzing the SPA message to obtain the identity information of the old system;
authenticating the identity information of the old system by utilizing pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system;
and sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
Optionally, the determining the type of the SPA message according to the message header of the SPA message includes:
if the message header of the SPA message is an online message header, determining that the SPA message is an online SPA message;
and if the message header of the SPA message is the offline message header, determining that the SPA message is an offline SPA message.
Optionally, the identity information of the old system includes a user name of the old system and a password of the old system;
the step of authenticating the identity information of the old system by using the pre-stored standard identity information of the old system to obtain the authentication result of the old system comprises the following steps:
authenticating a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system;
if the user name of the old system and the password of the old system are correct, the authentication result of the old system is that the authentication is successful;
and if the user name of the old system and the password of the old system are incorrect, the authentication result of the old system is authentication failure.
Optionally, after the obtaining the authentication result of the old system, the method further includes:
if the SPA message is an online SPA message and the authentication result of the old system is that the authentication is successful, setting a security policy to pass;
if the SPA message is an online SPA message and the authentication result of the old system is authentication failure, setting a security policy to be forbidden to pass.
Optionally, the method further comprises:
and if the SPA message is an offline SPA message, setting a security policy to be forbidden to pass.
Optionally, the type of the SPA message further includes a keep-alive SPA message;
after the old system authentication result is that the authentication is successful, the method further comprises the following steps:
receiving a keep-alive SPA message sent by the old system within a preset time;
analyzing the keep-alive SPA message, and acquiring a user name of the old system and a password of the old system;
authenticating a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system to obtain a keep-alive authentication result;
and sending the keep-alive authentication result to the old system so that the old system executes corresponding operation according to the keep-alive authentication result.
In a second aspect, the present application provides a single-packet authentication apparatus of an old system, the apparatus comprising:
the receiving module is used for receiving the SPA message sent by the old system, wherein the SPA message comprises a message header;
the message type determining module is used for determining the type of the SPA message according to the message header of the SPA message;
the message analysis module is used for analyzing the SPA message and acquiring the identity information of the old system;
the authentication module is used for authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system;
and the sending module is used for sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
Optionally, the message type determining module is specifically configured to determine that the SPA message is an online SPA message if the message header of the SPA message is an online message header;
and if the message header of the SPA message is the offline message header, determine that the SPA message is an offline SPA message.
Optionally, the identity information of the old system includes a user name of the old system and a password of the old system;
the authentication module is specifically configured to authenticate a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system;
if the user name of the old system and the password of the old system are correct, the authentication result of the old system is that the authentication is successful;
and if the user name of the old system and the password of the old system are incorrect, the authentication result of the old system is authentication failure.
Optionally, after the obtaining the authentication result of the old system, the apparatus further includes:
setting a security policy module, configured to set a security policy to pass if the SPA message is an online SPA message and the authentication result of the old system is authentication success;
if the SPA message is an online SPA message and the authentication result of the old system is authentication failure, set the security policy to be forbidden to pass.
Optionally, the security policy module is configured to set the security policy to be forbidden to pass if the SPA message is an offline SPA message.
Optionally, the type of the SPA message further includes a keep-alive SPA message;
after the authentication result of the old system is that the authentication is successful, the receiving module is further configured to receive a keep-alive SPA message sent by the old system within a preset time;
the message analysis module is further used for analyzing the keep-alive SPA message and acquiring a user name of the old system and a password of the old system;
the authentication module is further used for authenticating the user name of the old system and the password of the old system by using pre-stored standard identity information of the old system to obtain a keep-alive authentication result;
the sending module is further configured to send the keep-alive authentication result to the old system, so that the old system performs a corresponding operation according to the keep-alive authentication result.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a memory for storing one or more programs;
a processor; when the one or more programs are executed by the processor, the single-packet authentication method of the old system of any one of the preceding first aspects is implemented.
In a fourth aspect, embodiments of the present application provide a computer storage medium having a program stored therein, which when executed by a processor, implements the single-packet authentication method of the old system of any one of the preceding first aspects.
The technical scheme has the following beneficial effects:
the embodiment of the application provides a single-package authentication method and device of an old system, electronic equipment and a storage medium. When the method is executed, firstly, receiving an SPA message sent by an old system, wherein the SPA message comprises a message header; then determining the type of the SPA message according to the message header of the SPA message; then analyzing the SPA message to obtain the identity information of the old system; then, authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system; and finally, sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
In this way, after determining the type of the SPA message according to the message header of the SPA message, the identity information of the old system is authenticated by using the pre-stored standard identity information of the old system, so as to obtain the authentication result corresponding to the old system, solve the problem that the old Windows XP system cannot be authenticated by using a virtual private network protocol (VPN) or Fwknop authorization mode in the prior art, and improve the network security.
Drawings
In order to more clearly illustrate the present embodiments or the technical solutions in the prior art, the drawings that are required for the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method of a single-packet authentication method of an old system according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a single-packet authentication device of an old system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In order to facilitate understanding of the technical solution provided in the present application, related technical terms in the embodiments of the present application are introduced:
WireGuard is a lightweight Virtual Private Network (VPN) protocol that aims to provide fast, secure and simple network connections. It was created by Jason Donenfeld in 2015 and formally released in 2018. Compared with other common VPN protocols, WireGuard has many advantages, such as a smaller codebase, higher speed, lower system resource consumption, a simpler architecture and stronger encryption. It is generally used on personal computers, servers, mobile devices and the like, and can help users protect online privacy, improve network security, remove network restrictions and so on. WireGuard uses an efficient packet format and an efficient handshake mechanism to improve network speed and efficiency, and a new key management scheme to complete handshaking and communication faster. In general, WireGuard is an excellent VPN protocol that provides fast, secure and simple network connections.
SPA (Single Packet Authorization) is a special authentication scheme for protecting service ports from attack: the authentication information is carried in a single packet, so that once authentication completes, authorization is granted and access to the service is allowed.
A gateway, also called a protocol converter, realizes network interconnection above the network layer. It is a complex network interconnection device used only to interconnect two networks whose higher-layer protocols differ, and it can be used for both wide area network and local area network interconnection. A gateway is a computer system or device that acts as a translator between two systems with different communication protocols, data formats or languages, or even entirely different architectures. Rather than simply conveying the information, the gateway repackages the received information to meet the needs of the destination system.
The Fwknop authorization mode implements so-called single packet authorization: only one encrypted data packet is required to convey the various information, including the access to be granted on the target system through iptables, ipfw or pf firewall policies and/or specific commands. Its primary application is protecting services such as SSH, adding a security layer that makes exploitation of vulnerabilities more difficult.
In order to facilitate further understanding of the technical solutions provided in the present application, the following description will first explain the background art related to the present application.
Currently, a virtual private network (VPN) protocol such as WireGuard, or the Fwknop authorization mode, is typically used to authenticate a system or device terminal.
However, an old Windows XP system or some embedded systems cannot support the authorization mode of a virtual private network protocol (VPN) or of Fwknop, so when such old systems access server resources the gateway cannot identify and authenticate them; the server is then exposed to attack and network security is poor.
Therefore, in order to improve network security, a method of authenticating an old system is urgently needed.
In order to overcome the technical problems described above, the embodiments of the present application provide a single-packet authentication method of an old system, which may be performed by a gateway. The gateway realizes network interconnection above the network layer; it is a complex network interconnection device used only to interconnect two networks whose higher-layer protocols differ.
Referring to fig. 1, fig. 1 is a flowchart of a method for single-packet authentication of an old system according to an embodiment of the present application, where the method may include:
step S101: and receiving an SPA message sent by the old system, wherein the SPA message comprises a message header.
In this embodiment, the gateway receives the SPA packet sent by the old system. The SPA message comprises a message header, and the message header of the SPA message is used for determining the type of the SPA message subsequently.
It should be noted that 0x00 in the SPA message format is the byte offset at which the content starts. The SPA message format has two parts, where ulen denotes the length of the content of the first part and plen the length of the content of the second part; the offsets imply a 4-byte message header, a 1-byte type and a 4-byte length. The first part is:
0x00: the message header;
0x04: the type of the message;
0x05: the length of the message;
0x09: the content of the message.
The second part, which follows the content of the first, is:
0x09+ulen: the type of the message;
0x0a+ulen: the length of the message;
0x0e+ulen: the content of the message;
0x0e+ulen+plen: the tail of the message.
Step S102: and determining the type of the SPA message according to the message header of the SPA message.
In this embodiment, after the SPA message sent by the old system is received, the type of the SPA message is determined according to its message header. The types of SPA message comprise an online SPA message, an offline SPA message and a keep-alive SPA message.
In one possible implementation manner, the determining the type of the SPA packet according to the message header of the SPA packet includes:
if the message header of the SPA message is an online message header, determining that the SPA message is an online SPA message;
and if the message header of the SPA message is the offline message header, determining that the SPA message is an offline SPA message.
Specifically, when the message header of the SPA message is the online message header 0xfffffffffe, the SPA message is determined to be an online SPA message.
When the message header of the SPA message is the offline message header 0xdeadead, the SPA message is determined to be an offline SPA message.
Step S103: and analyzing the SPA message to obtain the identity information of the old system.
In the embodiment of the application, after receiving the SPA message sent by the old system, the gateway analyzes the SPA message to acquire the identity information of the old system, so that the identity information of the old system can be verified later.
Step S104: and authenticating the identity information of the old system by using the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system.
Specifically, after the identity information of the old system is obtained, the gateway uses the pre-stored standard identity information of the old system to authenticate the identity information of the old system, and an authentication result corresponding to the old system is obtained.
It should be noted that, the stored standard identity information of the old system is pre-stored by the gateway, and is used for authenticating the identity information of the old system.
In one possible implementation, the identity information of the old system includes a user name of the old system and a password of the old system;
the step of authenticating the identity information of the old system by using the pre-stored standard identity information of the old system to obtain the authentication result of the old system comprises the following steps:
authenticating a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system;
if the user name of the old system and the password of the old system are correct, the authentication result of the old system is that the authentication is successful;
and if the user name of the old system and the password of the old system are incorrect, the authentication result of the old system is authentication failure.
Specifically, the gateway uses pre-stored old system standard identity information, including a standard user name and a standard password. Comparing the standard user name with the user name of the old system, and the standard password with the password of the old system respectively, and if the user name of the old system and the password of the old system are correct, the authentication result of the old system is successful authentication; and if the user name of the old system and the password of the old system are incorrect, the authentication result of the old system is authentication failure.
In one possible implementation manner, after the obtaining the authentication result of the old system, the method further includes:
if the SPA message is an online SPA message and the authentication result of the old system is that the authentication is successful, setting a security policy to pass;
if the SPA message is an uplink SPA message and the authentication result of the old system is authentication failure, setting a security policy to be forbidden to pass.
In this embodiment, when the SPA message is an online SPA message and the authentication result of the old system is that the authentication is successful, the gateway sets the security policy to pass; at this time the old system has successfully come online and can access the server resource.
When the SPA message is an online SPA message and the authentication result of the old system is authentication failure, the security policy is set to be forbidden to pass; the old system then cannot come online and cannot access the server resource.
In one possible implementation, the method further includes:
and if the SPA message is an offline SPA message, setting a security policy to be forbidden to pass.
According to the embodiment of the application, when the SPA message is an offline SPA message, the identity information of the old system is not authenticated against the pre-stored standard identity information at all; the gateway directly sets the security policy to be forbidden to pass, which improves authentication efficiency.
Step S105: and sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
In this embodiment, after obtaining the authentication result corresponding to the old system, the gateway sends the authentication result to the old system, so that the old system performs a corresponding operation according to the authentication result.
Specifically, if the authentication result of the old system is that the authentication is successful, the old system has successfully come online and can access the server resource.
If the authentication result of the old system is authentication failure, the old system cannot come online and cannot access the server resource.
From the above technical solution, it can be seen that in the embodiment of the present application, firstly, an SPA packet sent by an old system is received, where the SPA packet includes a message header; then determining the type of the SPA message according to the message header of the SPA message; then analyzing the SPA message to obtain the identity information of the old system; then, authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system; and finally, sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
In this way, after determining the type of the SPA message according to the message header of the SPA message, the identity information of the old system is authenticated by using the pre-stored standard identity information of the old system, so as to obtain the authentication result corresponding to the old system, solve the problem that the old Windows XP system cannot be authenticated by using a virtual private network protocol (VPN) or Fwknop authorization mode in the prior art, and improve the network security.
In order to further improve network security, the type of the SPA message further comprises a keep-alive SPA message;
after the old system authentication result is that the authentication is successful, the method further comprises the following steps:
receiving a keep-alive SPA message sent by the old system within a preset time;
analyzing the keep-alive SPA message, and acquiring a user name of the old system and a password of the old system;
authenticating a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system to obtain a keep-alive authentication result;
and sending the keep-alive authentication result to the old system so that the old system executes corresponding operation according to the keep-alive authentication result.
Specifically, after the authentication result of the old system is that the authentication is successful, the gateway receives a keep-alive SPA message sent by the old system within a preset time.
It should be noted that the preset time may be set by the user according to actual requirements and is not limited herein, and that the message header of the keep-alive SPA message is the same as the online message header, 0xfffffffffe.
The gateway analyzes the keep-alive SPA message and obtains the user name of the old system and the password of the old system; and authenticating the user name of the old system and the password of the old system by utilizing pre-stored standard identity information of the old system to obtain a keep-alive authentication result, and finally transmitting the keep-alive authentication result to the old system so that the old system executes corresponding operation according to the keep-alive authentication result.
If the keep-alive authentication result is that the authentication passes, the old system can continue to access the network and the server resource.
It can be understood that, in the embodiment of the present application, after the authentication result of the old system is that the authentication is successful, the old system periodically sends the keep-alive SPA message to the gateway, so that the gateway verifies the identity information of the old system again, thereby ensuring the security of the identity information of the old system, and further improving the network security.
If the gateway does not receive a keep-alive SPA message from the old system within the preset time, it sets the security policy to forbid access; the old system then cannot access the network or the server resource. It can be understood that the preset time may be set by the user according to the actual situation and is not limited herein.
It should be noted that, if the gateway repeatedly fails to receive the keep-alive SPA message from the old system, the identity information of the old system may have a security problem; the gateway therefore sets the security policy to forbid access to the server resource, further improving network security.
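A reference implementation of the gateway side of the scheme described above (the message layout of step S101, steps S102 to S105, and the keep-alive timeout), added here as an example; it is not code from the patent or from the applicant. It assumes a 4-byte header, 1-byte type and big-endian 4-byte length as the offsets imply, constructed placeholder values for the header magics, field type codes and tail byte, an in-memory credential store, and a constant-time password compare that the description does not require.

```python
import hmac
import struct
from dataclasses import dataclass, field

# Wire layout from the description (byte offsets from the start of the message):
#   0x00 header (4)   0x04 type (1)   0x05 length (4)   0x09 content (ulen bytes: user name)
#   0x09+ulen type (1)   0x0a+ulen length (4)   0x0e+ulen content (plen bytes: password)
#   0x0e+ulen+plen tail
# All constants below are constructed placeholders (assumptions), not the patent's values.
ONLINE_HDR = b"\x00\x00\x00\x01"      # header of an online message (keep-alives share it)
OFFLINE_HDR = b"\x00\x00\x00\x02"     # header of an offline message
FIELD_USER, FIELD_PASS = 0x01, 0x02   # field type codes
TAIL = b"\xff"                        # 1-byte tail marker
LEN_FMT = ">I"                        # big-endian 4-byte length field


class SpaError(ValueError):
    pass


@dataclass
class SpaMessage:
    kind: str        # "online" or "offline", decided from the header alone (step S102)
    username: str
    password: str


def _read_field(buf: bytes, off: int, want_type: int) -> tuple:
    """Parse one type/length/content field starting at `off`; return (content, next offset)."""
    if off + 5 > len(buf):
        raise SpaError("truncated field header")
    ftype = buf[off]
    (flen,) = struct.unpack_from(LEN_FMT, buf, off + 1)
    if ftype != want_type:
        raise SpaError(f"unexpected field type {ftype:#x}")
    end = off + 5 + flen
    if end > len(buf):            # never trust a length that runs past the packet
        raise SpaError("field length exceeds packet")
    return buf[off + 5:end].decode("utf-8"), end


def parse_spa(buf: bytes) -> SpaMessage:
    """Steps S101-S103: read the header, classify the message, extract the identity."""
    if len(buf) < 4:
        raise SpaError("short packet")
    if buf[:4] == ONLINE_HDR:
        kind = "online"
    elif buf[:4] == OFFLINE_HDR:
        kind = "offline"
    else:
        raise SpaError("unknown message header")
    username, off = _read_field(buf, 0x04, FIELD_USER)
    password, off = _read_field(buf, off, FIELD_PASS)
    if buf[off:] != TAIL:
        raise SpaError("missing or malformed tail")
    return SpaMessage(kind, username, password)


def build_spa(kind: str, username: str, password: str) -> bytes:
    """Encode a message in the layout above (used to construct sample input)."""
    u, p = username.encode(), password.encode()
    return ((ONLINE_HDR if kind == "online" else OFFLINE_HDR)
            + bytes([FIELD_USER]) + struct.pack(LEN_FMT, len(u)) + u
            + bytes([FIELD_PASS]) + struct.pack(LEN_FMT, len(p)) + p + TAIL)


def is_wellformed(buf: bytes) -> bool:
    try:
        return parse_spa(buf) is not None
    except (SpaError, UnicodeDecodeError):
        return False


@dataclass
class Gateway:
    credentials: dict          # pre-stored standard identity information: user name -> password
    keepalive_window: float    # the "preset time" (seconds) within which a keep-alive must arrive
    allowed: dict = field(default_factory=dict)   # user name -> deadline for the next keep-alive

    def authenticate(self, msg: SpaMessage) -> bool:
        """Step S104: compare with the stored standard user name and password."""
        expected = self.credentials.get(msg.username, "")
        # Constant-time compare is a hardening choice, not something the description requires;
        # a deployment would store a password hash rather than the password itself.
        return expected != "" and hmac.compare_digest(expected.encode(), msg.password.encode())

    def handle(self, buf: bytes, now: float) -> str:
        """Steps S102-S105: return the security policy set for the sender."""
        msg = parse_spa(buf)
        if msg.kind == "offline":        # offline messages are not authenticated at all
            self.allowed.pop(msg.username, None)
            return "forbidden"
        if self.authenticate(msg):       # first online message, or a later keep-alive
            self.allowed[msg.username] = now + self.keepalive_window
            return "pass"
        self.allowed.pop(msg.username, None)
        return "forbidden"

    def expire(self, now: float) -> list:
        """Forbid every user whose keep-alive did not arrive within the preset time."""
        expired = sorted(u for u, deadline in self.allowed.items() if now > deadline)
        for u in expired:
            del self.allowed[u]
        return expired
```

A real gateway would call `expire()` from a timer and translate "pass"/"forbidden" into firewall rules for the sender's address, which the description leaves to the implementation.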
For the foregoing method embodiments, for simplicity of explanation, the methodologies are shown as a series of acts, but one of ordinary skill in the art will appreciate that the present invention is not limited by the order of acts, as some steps may, in accordance with the present invention, occur in other orders or concurrently. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
The foregoing is a specific implementation manner of a single-packet authentication method of an old system provided in the embodiments of the present application, and based on this, the present application further provides a corresponding device. The apparatus provided in the embodiments of the present application will be described from the viewpoint of functional modularization.
Referring to fig. 2, a schematic structural diagram of a single packet authentication device of an old system is shown, which includes a receiving module 100, a message type determining module 200, a message parsing module 300, an authentication module 400, and a transmitting module 500.
A receiving module 100, configured to receive an SPA packet sent by an old system, where the SPA packet includes a message header;
a message type determining module 200, configured to determine a type of the SPA message according to a message header of the SPA message;
the message parsing module 300 is configured to parse the SPA message and obtain identity information of the old system;
the authentication module 400 is configured to authenticate identity information of an old system by using pre-stored standard identity information of the old system, so as to obtain an authentication result corresponding to the old system;
and the sending module 500 is configured to send the authentication result to the old system, so that the old system performs a corresponding operation according to the authentication result.
Optionally, the message type determining module 200 is specifically configured to determine that the SPA message is an online SPA message if the message header of the SPA message is an online message header;
and if the message header of the SPA message is an offline message header, determining that the SPA message is an offline SPA message.
Optionally, the identity information of the old system includes a user name of the old system and a password of the old system;
the authentication module 400 is specifically configured to authenticate the user name of the old system and the password of the old system by using the pre-stored standard identity information of the old system;
if the user name of the old system and the password of the old system are both correct, the authentication result of the old system is authentication success;
and if either the user name of the old system or the password of the old system is incorrect, the authentication result of the old system is authentication failure.
Optionally, after obtaining the authentication result of the old system, the apparatus further includes:
a security policy setting module, configured to set the security policy to pass if the SPA message is an online SPA message and the authentication result of the old system is authentication success;
and to set the security policy to prohibit passing if the SPA message is an online SPA message and the authentication result of the old system is authentication failure.
Optionally, the security policy setting module is further configured to set the security policy to prohibit passing if the SPA message is an offline SPA message.
Optionally, the type of the SPA message further includes a keep-alive SPA message;
after the authentication result of the old system is that the authentication is successful, the receiving module 100 is further configured to receive a keep-alive SPA packet sent by the old system within a preset time;
the message parsing module 300 is further configured to parse the keep-alive SPA message, and obtain a user name of the old system and a password of the old system;
the authentication module 400 is further configured to authenticate a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system, so as to obtain a keep-alive authentication result;
the sending module 500 is further configured to send the keep-alive authentication result to the old system, so that the old system performs a corresponding operation according to the keep-alive authentication result.
From the above technical solution, it can be seen that in the embodiment of the present application, firstly, an SPA packet sent by an old system is received, where the SPA packet includes a message header; then determining the type of the SPA message according to the message header of the SPA message; then analyzing the SPA message to obtain the identity information of the old system; then, authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system; and finally, sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
In this way, after the type of the SPA message has been determined from its message header, the identity information of the old system is authenticated against the pre-stored standard identity information of the old system to obtain the authentication result corresponding to the old system. This solves the problem in the prior art that an old system such as Windows XP cannot be authenticated by means of a virtual private network (VPN) or the Fwknop authorization mode, and improves network security.
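The gateway-side procedure described above (message-type determination from the header, parsing of the identity information, authentication against the pre-stored standard identity information, setting of the security policy, and revocation when the keep-alive is overdue) as an added example in Python. This is not code from the patent or from its applicant. The one-byte header values, the "username NUL password" body layout, the salted PBKDF2 identity store, the constant-time comparison and the lock-out after three consecutive missed keep-alives are assumptions made for the example; the text specifies neither a wire format nor how the standard identity information is stored.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum

# Assumed one-byte encodings of the three message headers the text names
# (online, offline, keep-alive); the patent does not give the header format.
HDR_ONLINE, HDR_OFFLINE, HDR_KEEPALIVE = 0x01, 0x02, 0x03


class MsgType(Enum):
    ONLINE = "online"
    OFFLINE = "offline"
    KEEPALIVE = "keepalive"


class Policy(Enum):
    PASS = "pass"          # security policy set to pass
    PROHIBIT = "prohibit"  # security policy set to prohibit passing


def classify(packet: bytes) -> MsgType:
    """Step 1: determine the SPA message type from its message header."""
    types = {HDR_ONLINE: MsgType.ONLINE, HDR_OFFLINE: MsgType.OFFLINE,
             HDR_KEEPALIVE: MsgType.KEEPALIVE}
    if not packet or packet[0] not in types:
        raise ValueError("unknown or missing SPA message header")
    return types[packet[0]]


def parse_identity(packet: bytes) -> tuple[str, str]:
    """Step 2: parse the assumed body layout 'username NUL password'."""
    user, sep, password = packet[1:].partition(b"\x00")
    if not sep or not user:
        raise ValueError("malformed SPA body")
    return user.decode("utf-8"), password.decode("utf-8")


def hash_password(password: str, salt: bytes) -> bytes:
    """Pre-stored identity information is kept as a salted PBKDF2 digest, not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Gateway:
    store: dict                        # username -> (salt, digest): pre-stored identity
    keepalive_interval: float = 30.0   # the "preset time" for keep-alives, in seconds
    max_missed: int = 3                # consecutive misses before the identity is locked
    policy: dict = field(default_factory=dict)     # username -> Policy
    last_seen: dict = field(default_factory=dict)  # username -> time of last accepted SPA
    locked: set = field(default_factory=set)       # identities that need a fresh online SPA

    def authenticate(self, user: str, password: str) -> bool:
        """Step 3: check credentials against the store in constant time."""
        entry = self.store.get(user)
        if entry is None:
            hash_password(password, bytes(16))  # equalise timing for unknown users
            return False
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt), digest)

    def handle(self, packet: bytes, now: float) -> tuple[str, Policy]:
        """Process one SPA message; returns (result sent to the old system, policy set)."""
        kind = classify(packet)
        user, password = parse_identity(packet)
        if kind is MsgType.OFFLINE:
            # An offline message sets the policy to prohibit regardless of credentials.
            self.last_seen.pop(user, None)
            self.policy[user] = Policy.PROHIBIT
            return "offline", Policy.PROHIBIT
        if kind is MsgType.KEEPALIVE and user in self.locked:
            self.policy[user] = Policy.PROHIBIT
            return "locked", Policy.PROHIBIT
        if not self.authenticate(user, password):
            self.policy[user] = Policy.PROHIBIT
            return "failure", Policy.PROHIBIT
        self.locked.discard(user)  # an authenticated online message clears a lock-out
        self.last_seen[user] = now
        self.policy[user] = Policy.PASS
        return "success", Policy.PASS

    def tick(self, now: float) -> dict:
        """Timer: an overdue keep-alive revokes access; repeated misses lock the identity."""
        for user, seen in self.last_seen.items():
            misses = int((now - seen) // self.keepalive_interval)
            if misses == 0:
                continue
            self.policy[user] = Policy.PROHIBIT
            if misses >= self.max_missed:
                self.locked.add(user)
        return dict(self.policy)


def run_demo() -> list:
    """Scripted scenario on constructed data: online, keep-alive, timeout, lock-out, offline."""
    salt = b"constructed-salt"  # constructed; use os.urandom(16) per identity in practice
    gw = Gateway(store={"xp-host": (salt, hash_password("s3cret", salt))})
    good = b"xp-host\x00s3cret"
    steps = [("online", HDR_ONLINE, 0.0), ("keepalive", HDR_KEEPALIVE, 20.0),
             ("tick", None, 51.0),   # 31 s since the last keep-alive: one miss
             ("keepalive", HDR_KEEPALIVE, 55.0),
             ("tick", None, 150.0),  # 95 s silent: three misses, identity locked
             ("keepalive", HDR_KEEPALIVE, 151.0), ("online", HDR_ONLINE, 152.0),
             ("offline", HDR_OFFLINE, 153.0)]
    log = []
    for label, hdr, now in steps:
        if hdr is None:
            log.append(f"tick@{now:.0f} -> {gw.tick(now)['xp-host'].value}")
        else:
            result, policy = gw.handle(bytes([hdr]) + good, now)
            log.append(f"{label}@{now:.0f} -> {result}/{policy.value}")
    return log


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Two points the text leaves open matter in practice. The identity information travels inside the SPA message itself, so unless the message is encrypted and bound to a timestamp or counter, a captured online message can be replayed to reopen the policy; Fwknop, which the text names, encrypts its SPA packet and authenticates it with an HMAC for exactly this reason. And because the offline message sets the policy to prohibit without regard to any authentication result, a spoofed offline message from anyone who can reach the gateway revokes an authenticated host's access, so a deployment would want that message authenticated as well.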
The embodiment of the application also provides an electronic device, comprising: a memory for storing one or more programs;
and a processor; the single-packet authentication method of the old system in the above embodiment is implemented when the one or more programs are executed by the processor.
The present embodiment also provides a computer storage medium in which a program is stored, which when executed by a processor, implements the single-packet authentication method of the old system in the above embodiment.
The terms "first" and "second" (where present) in the names used in the embodiments of the present application serve only to distinguish names and do not denote an order.
In the present specification, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the other embodiments; for identical or similar parts, reference may be made between the embodiments.
Those skilled in the art will appreciate that the flow chart shown in the figures is only one example in which embodiments of the present application may be implemented, and the scope of applicability of embodiments of the present application is not limited in any way by the flow chart.
In the several embodiments provided in the present application, it should be understood that the disclosed methods, apparatuses, and devices may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division of the units is merely a logical function division, and there may be other divisions when actually implemented; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for single-packet authentication of an old system, the method comprising:
receiving an SPA message sent by an old system, wherein the SPA message comprises a message header;
determining the type of the SPA message according to the message header of the SPA message;
analyzing the SPA message to obtain the identity information of the old system;
authenticating the identity information of the old system by utilizing pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system;
and sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
2. The method of claim 1, wherein determining the type of the SPA message based on the message header of the SPA message comprises:
if the message header of the SPA message is an online message header, determining that the SPA message is an online SPA message;
and if the message header of the SPA message is an offline message header, determining that the SPA message is an offline SPA message.
3. The method of claim 1, wherein the identity information of the old system includes a user name of the old system and a password of the old system;
the step of authenticating the identity information of the old system by using the pre-stored standard identity information of the old system to obtain the authentication result of the old system comprises the following steps:
authenticating a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system;
if the user name of the old system and the password of the old system are both correct, the authentication result of the old system is authentication success;
and if either the user name of the old system or the password of the old system is incorrect, the authentication result of the old system is authentication failure.
4. The method of claim 2, wherein after the obtaining the authentication result of the old system, the method further comprises:
if the SPA message is an online SPA message and the authentication result of the old system is authentication success, setting the security policy to pass;
and if the SPA message is an online SPA message and the authentication result of the old system is authentication failure, setting the security policy to prohibit passing.
5. The method according to claim 2, wherein the method further comprises:
if the SPA message is an offline SPA message, setting the security policy to prohibit passing.
6. The method of claim 3, wherein the type of SPA message further comprises a keep-alive SPA message;
after the old system authentication result is that the authentication is successful, the method further comprises the following steps:
receiving a keep-alive SPA message sent by the old system within a preset time;
analyzing the keep-alive SPA message, and acquiring a user name of the old system and a password of the old system;
authenticating a user name of the old system and a password of the old system by using pre-stored standard identity information of the old system to obtain a keep-alive authentication result;
and sending the keep-alive authentication result to the old system so that the old system executes corresponding operation according to the keep-alive authentication result.
7. A single packet authentication apparatus for an old system, the apparatus comprising:
the receiving module is used for receiving the SPA message sent by the old system, wherein the SPA message comprises a message header;
the message type determining module is used for determining the type of the SPA message according to the message header of the SPA message;
the message analysis module is used for analyzing the SPA message and acquiring the identity information of the old system;
the authentication module is used for authenticating the identity information of the old system by utilizing the pre-stored standard identity information of the old system to obtain an authentication result corresponding to the old system;
and the sending module is used for sending the authentication result to the old system so that the old system executes corresponding operation according to the authentication result.
8. The apparatus of claim 7, wherein the message type determining module is specifically configured to determine that the SPA message is an online SPA message if the message header of the SPA message is an online message header;
and if the message header of the SPA message is an offline message header, to determine that the SPA message is an offline SPA message.
9. An electronic device, comprising:
a memory for storing one or more programs;
a processor; wherein the one or more programs, when executed by the processor, implement the single-packet authentication method of an old system according to any one of claims 1 to 6.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the single-packet authentication method of an old system according to any of claims 1 to 6.
CN202311354264.2A 2023-10-18 2023-10-18 Single-package authentication method and device for old system, electronic equipment and storage medium Pending CN117375932A (en)

Publications (1)

Publication Number Publication Date
CN117375932A true CN117375932A (en) 2024-01-09

Family

ID=89397851

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination