CN117395059A - NAT penetration method based on TLS protocol of negotiation - Google Patents
NAT penetration method based on TLS protocol of negotiation Download PDFInfo
- Publication number
- CN117395059A CN117395059A CN202311454540.2A CN202311454540A CN117395059A CN 117395059 A CN117395059 A CN 117395059A CN 202311454540 A CN202311454540 A CN 202311454540A CN 117395059 A CN117395059 A CN 117395059A
- Authority
- CN
- China
- Prior art keywords
- tls
- node
- handshake
- identity
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 230000035515 penetration Effects 0.000 title claims abstract description 17
- 230000005641 tunneling Effects 0.000 claims 1
- 230000005856 abnormality Effects 0.000 abstract description 4
- 238000011378 penetrating method Methods 0.000 abstract description 2
- 239000000284 extract Substances 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
Abstract
The invention discloses a NAT penetrating method based on a negotiated TLS protocol, comprising the following steps: preparing NAT penetration, and establishing TCP connection between a first TLS node A and a second TLS node B; the first TLS node a and the second TLS node B negotiate to determine the TLS handshake-time identity and perform a corresponding TLS handshake based on the TLS handshake-time identity. The invention firstly establishes the TCP connection, then decides the identity of the client and the identity of the server again through negotiation, and then carries out TLS handshake according to the new identity, thereby completing the establishment process of the TLS connection, and solving the problem that the TLS handshake cannot be completed due to identity abnormality in the TLS handshake process.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a NAT penetration method based on a TLS protocol of negotiation.
Background
Currently, the NAT (Network Address Translation ) pass-through method of TLS (Transport Layer Security, secure transport layer protocol) protocol comprises the steps of: the TCP connection is established through NAT, and then the TLS handshake is completed based on TCP. The process of establishing TCP connection through NAT is as follows: the two parties send connection establishment requests, and when the connection requests of the two parties are sent together, the two parties can penetrate through NAT to be received by the other party, so that the connection establishment process of TCP is completed, and the two parties successfully establish TCP connection after actively sending the connection requests, so that the two parties consider the two parties as clients of the TCP connection. The TLS handshake process is completed based on the TCP connection: both sides regard as the client side of TCP, so the client side initiates the encrypted communication request clientHello to the server, then both wait for the server Hello of the other side (transmit the connection parameter selected by the server back to the client side), but the TCP protocol is a serial transmission message, so both sides receive the clientHello sent by the other side first while waiting for the server Hello of the other side, and identity abnormality occurs, TLS handshake fails.
Therefore, how to provide a method for determining identity through negotiation, and solving the problem of identity anomaly during TLS handshake is a urgent need for those skilled in the art.
Disclosure of Invention
In view of this, the invention provides a negotiation-based TLS protocol NAT penetration method, which solves the problem that the TLS handshake cannot be completed due to identity abnormality in the TLS handshake process after the TCP protocol completes NAT penetration, and has excellent penetrability and extremely high success rate.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a NAT traversal method based on negotiated TLS protocol, comprising:
preparing NAT penetration, and establishing TCP connection between a first TLS node A and a second TLS node B;
the first TLS node a and the second TLS node B negotiate to determine the TLS handshake-time identity and perform a corresponding TLS handshake based on the TLS handshake-time identity.
Preferably, the first TLS node a and the second TLS node B negotiate to determine an identity when the TLS handshake is performed, and performing the corresponding TLS handshake based on the identity when the TLS handshake is performed specifically includes:
if the first TLS node A is a client and the second TLS node is a server, the first TLS node A executes the handshake operation of the client, and the second TLS node B executes the handshake operation of the server, so that the TLS handshake flow is completed, and NAT penetration of a TLS protocol is realized;
if the first TLS node A is a server side and the second TLS node is a client side, the second TLS node A executes the handshake operation of the client side, and the first TLS node B executes the handshake operation of the server side, so that the TLS handshake flow is completed, and NAT penetration of the TLS protocol is realized.
Preferably, the first TLS node a and the second TLS node B negotiate to determine the TLS handshake identity, including but not limited to mutual message negotiations over a TCP connection.
Preferably, the first TLS node a and the second TLS node B establish a TCP connection, including but not limited to creating a TCP connection by way of a hole.
Preferably, the first TLS node a and the second TLS node B are behind respective NAT devices.
Compared with the prior art, the invention discloses a NAT penetration method based on the TLS protocol, which is characterized in that TCP connection is firstly established, identities of both sides of the TLS protocol are judged again by negotiating before the TLS protocol, namely, a client and a server of the TLS protocol are distinguished again, the problem of identity abnormality during the TLS protocol is solved, and therefore, the whole TLS protocol is completed, and NAT penetration of the TLS protocol is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a NAT traversal method according to the TLS protocol according to the present invention.
Fig. 2 is a flowchart of a NAT traversal method according to the TLS protocol according to the present invention.
Fig. 3 is a flow chart of a TLS handshake after identity determination according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The embodiment of the invention discloses a NAT penetrating method based on a TLS protocol of negotiation, which is shown in figures 1 and 2 and comprises the following steps:
preparing NAT penetration, wherein the first TLS node A and the second TLS node B attempt to establish TCP connection, and ending if the connection fails; wherein the first TLS node a and second TLS node B relationship includes, but is not limited to, a client-server relationship, not limited to the concept of two clients being peer-to-peer or two servers being peer-to-peer or no client server at all;
after the TCP connection is successful, the first TLS node A and the second TLS node B negotiate to determine the identity of the TLS during the TLS handshake, and execute the corresponding TLS handshake based on the identity of the TLS during the TLS handshake.
In this embodiment, the first TLS node a and the second TLS node B negotiate to determine the TLS handshake-time identity, and perform the corresponding TLS handshake based on the TLS handshake-time identity specifically includes:
if the first TLS node a is a client and the second TLS node is a server, the first TLS node a performs a handshake operation of the client (including but not limited to an operation of sending client Hello, etc.), and the second TLS node B performs a handshake operation of the server (including but not limited to an operation of sending server Hello, etc.), so as to complete a TLS handshake flow and realize NAT penetration of the TLS protocol;
if the first TLS node a is a server and the second TLS node is a client, the second TLS node a performs a handshake operation of the client (including but not limited to sending client Hello, etc.), and the first TLS node B performs a handshake operation of the server (including but not limited to sending server Hello, etc.), so as to complete a TLS handshake procedure and implement NAT penetration of the TLS protocol.
In this embodiment, the first TLS node a and the second TLS node B negotiate to determine the TLS handshake identity, including but not limited to, inter-send message negotiations over a TCP connection. If the first TLS node a and the second TLS node B were previously in a client-server relationship, they are also covered by the protocol results, or the results of this negotiation are merely used to distinguish the client-server identity during the TLS handshake.
In this embodiment, the first TLS node a and the second TLS node B establish a TCP connection, including but not limited to creating a TCP connection by way of a hole.
In this embodiment, the first TLS node a and the second TLS node B are located behind respective NAT devices, where the NAT devices are physical devices capable of implementing NAT, and common routers and firewalls are disposed behind the NAT devices and may be protected.
In this embodiment, after renegotiating identity, the client and server TLS handshake procedure is shown in fig. 3, and includes:
after the Client establishes TCP connection with the Server, the TLS handshake starts from the Client sending Client Hello, and the message contains an encryption suite and a random number supported by the Client;
after receiving Client Hello information of the Client, the Server Hello information is replied, and the information carries an encryption suite which is selected to be used by the Server from a key suite list supported by the Client, and also carries a random number;
the server sends a Certificate (the Certificate contains a public key and a signature), the server exchanges Server Key Exchange keys, and the server completes Server Hello Done the combination of messages, which are combined and sent in a TLS data packet;
the client verifies the Certificate authentication sent by the server, generates a premaster secret key after verification is passed, extracts a public key from the Certificate sent by the server, encrypts the premaster secret key by using the public key of the Certificate, and sends the encrypted premaster secret key to the server;
at this time, the Client starts to generate a master key according to the random number generated when the Client Hello is sent, the random number responded by the Server Hello sent by the Server and the premaster key generated after the Client encrypts, and the master key is used for encrypting and decrypting the data transmitted subsequently.
Then, the client sends a message for changing the password specification Change Cipher Spec to the server, and notifies the server that the client will switch to encrypting and retransmitting the data by using the negotiated master key, and simultaneously sends the message together with the client key exchange Client Key Exchange and the Finished message, wherein the Finished message is encrypted by using the master key;
after receiving the client key exchange Client Key Exchange message, the server extracts the encrypted premaster key from the message, and then decrypts the encrypted premaster key by taking the private key of the certificate to obtain the premaster key;
the server side generates a master key according to a random number carried by Client Hello sent by a previous Client side, the random number responded to the Client side by the server side and a pre-master key obtained by decryption;
the server responds to the change password specification Change Cipher Spec message and sends the change password specification Change Cipher Spec message to the client together with the finish Finished message.
In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (5)
1. A NAT traversal method based on negotiated TLS protocol, comprising:
preparing NAT penetration, and establishing TCP connection between a first TLS node A and a second TLS node B;
the first TLS node a and the second TLS node B negotiate to determine the TLS handshake-time identity and perform a corresponding TLS handshake based on the TLS handshake-time identity.
2. The NAT traversal method according to claim 1, wherein the first TLS node a and the second TLS node B negotiate to determine the TLS handshake-time identity, and perform the corresponding TLS handshake based on the TLS handshake-time identity, specifically comprising:
if the first TLS node A is a client and the second TLS node is a server, the first TLS node A executes the handshake operation of the client, and the second TLS node B executes the handshake operation of the server, so that the TLS handshake flow is completed, and NAT penetration of a TLS protocol is realized;
if the first TLS node A is a server side and the second TLS node is a client side, the second TLS node A executes the handshake operation of the client side, and the first TLS node B executes the handshake operation of the server side, so that the TLS handshake flow is completed, and NAT penetration of the TLS protocol is realized.
3. A method of NAT traversal of the negotiated TLS protocol according to claim 1, wherein the first TLS node a and the second TLS node B negotiate to determine the identity of the TLS handshake, including but not limited to, negotiating messages with each other via a TCP connection.
4. A NAT traversal method according to claim 1, wherein the first TLS node a and the second TLS node B establish a TCP connection, including but not limited to creating a TCP connection by tunneling.
5. The NAT traversal method according to claim 1, wherein the first TLS node a and the second TLS node B are behind respective NAT devices.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311454540.2A CN117395059A (en) | 2023-11-03 | 2023-11-03 | NAT penetration method based on TLS protocol of negotiation |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311454540.2A CN117395059A (en) | 2023-11-03 | 2023-11-03 | NAT penetration method based on TLS protocol of negotiation |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117395059A true CN117395059A (en) | 2024-01-12 |
Family
ID=89471828
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311454540.2A Pending CN117395059A (en) | 2023-11-03 | 2023-11-03 | NAT penetration method based on TLS protocol of negotiation |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117395059A (en) |
-
2023
- 2023-11-03 CN CN202311454540.2A patent/CN117395059A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108650227B (en) | Handshaking method and system based on datagram secure transmission protocol | |
| EP3678325A1 (en) | Methods and apparatus for quantum-resistant network communication | |
| US9094206B2 (en) | Method and system for secure session establishment using identity-based encryption (VDTLS) | |
| US8214635B2 (en) | Transparent proxy of encrypted sessions | |
| US8559640B2 (en) | Method of integrating quantum key distribution with internet key exchange protocol | |
| US7222234B2 (en) | Method for key agreement for a cryptographic secure point—to—multipoint connection | |
| CN111865939A (en) | Point-to-point national secret tunnel establishment method and device | |
| CN105721502A (en) | Authorized access method for browser client and server | |
| CN110808829B (en) | SSH authentication method based on key distribution center | |
| CN111756529B (en) | Quantum session key distribution method and system | |
| KR20080089500A (en) | Authentication method, system and authentication center based on end to end communication in the mobile network | |
| WO2009076811A1 (en) | A method, a system, a client and a server for key negotiating | |
| CN101860546A (en) | Method for improving SSL handshake protocol | |
| WO2009129734A1 (en) | Method, system and device for acquiring key | |
| CN112637136A (en) | Encrypted communication method and system | |
| CN111756528B (en) | Quantum session key distribution method, device and communication architecture | |
| CN113364811B (en) | Network layer safety protection system and method based on IKE protocol | |
| CN110247803B (en) | Protocol optimization architecture and method for network management protocol SNMPv3 | |
| CN112332986B (en) | Private encryption communication method and system based on authority control | |
| WO2013166696A1 (en) | Data transmission method, system and device | |
| CN108040071B (en) | Dynamic switching method for VoIP audio and video encryption key | |
| JP2010539839A (en) | Security method in server-based mobile Internet protocol system | |
| WO2009018510A1 (en) | Systems and methods for implementing a mutating internet protocol security | |
| CN103973438B (en) | communication channel dynamic encrypting method | |
| EP3340530B1 (en) | Transport layer security (tls) based method to generate and use a unique persistent node identity, and corresponding client and server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |