CN117714151A - Access control method, system and medium for encrypted traffic - Google Patents


Info

Publication number: CN117714151A
Authority: CN (China)
Prior art keywords: information, user, traffic, level, authorization
Legal status: Pending
Application number: CN202311724486.9A
Other languages: Chinese (zh)
Inventor: 赵玺
Current Assignee: Basebit Shanghai Information Technology Co ltd
Original Assignee: Basebit Shanghai Information Technology Co ltd
Application filed by Basebit Shanghai Information Technology Co ltd
Priority to CN202311724486.9A
Publication of CN117714151A

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides an access control method, system and medium for encrypted traffic. The method comprises the following steps: obtaining the importance level of the traffic and, by processing it, level-encrypted traffic; obtaining authority level information of a user account and matching it with terminal attribute information to obtain attribute account information; obtaining matching-level encrypted traffic information from the level-encrypted traffic and the authority level information; obtaining first authorization application information from these and sending it to a management user; obtaining authorization state information through preset rules and, once authorized, sending a first authorization application reply to the application terminal; obtaining second authorization application information by combining the reply with user preset login information and sending it to the management user; and the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information. In this way, level-encrypted traffic and user authority levels are set according to user requirements and combined with the attribute information of the user's login terminal to realize access control of the encrypted traffic.

Description

Access control method, system and medium for encrypted traffic
Technical Field
The present application relates to the field of encrypted traffic technologies, and in particular, to an access control method, system, and medium for encrypted traffic.
Background
With the popularization and development of network applications, the scope of use and the user population of data traffic have grown. Traffic brings great convenience to contemporary society, but network security problems become increasingly prominent alongside that convenience. In the prior art, in order to protect network data, encryption is commonly adopted to ensure the privacy and integrity of the data. For access control of encrypted traffic, however, conventional methods are relatively limited: they generally rely only on a fixed static password or a dynamic verification code, neither of which can automatically classify access according to the importance of the traffic or the authority level of the visitor, so certain security risks remain. They are also inconvenient, the login modes are neither varied nor highly reliable, and there is no method for setting and matching access according to traffic importance and user authority level.
In view of the above problems, an effective technical solution is currently needed.
Disclosure of Invention
The purpose of the present application is to provide an access control method, system and medium for encrypted traffic. The method divides traffic by importance level to obtain level-encrypted traffic; matches and restricts the user account authority level together with the attribute information of the login terminal to obtain first authorization application information; obtains second authorization application information according to the authorization result of the first authorization application, and thereby completes login to the encrypted traffic. In this way, level-encrypted traffic and user authority levels are set according to user demand and combined with the attribute information of the user's login terminal to realize access control of the encrypted traffic.
In a first aspect, the present application provides an access control method for encrypted traffic, comprising the following steps:
obtaining importance level information of the traffic, and obtaining level-encrypted traffic through a preset traffic encryption mode;
obtaining authority level information of a user account, logging in the user account and matching it with attribute information of a terminal to obtain attribute account information;
inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model for processing to obtain matching-level encrypted traffic information;
obtaining first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to a management user;
the management user obtaining authorization status information through a preset rule according to the first authorization application information, judging the authorization status information, and sending first authorization application reply information to an application terminal if the first authorization application is authorized;
acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and sending the second authorization application information to the management user;
and the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information.
Optionally, in the method for controlling access to encrypted traffic described in the present application, the obtaining importance level information of the traffic and obtaining the level encrypted traffic by a preset traffic encryption method includes:
obtaining importance level information of the traffic according to rules customized by the management user, wherein the importance level information is one of very important, important or generally important;
obtaining the level-encrypted traffic corresponding to the importance level information through a preset traffic encryption mode, wherein the level-encrypted traffic is one of top-secret traffic, confidential traffic or secret traffic;
wherein very important corresponds to top-secret traffic, important corresponds to confidential traffic, and generally important corresponds to secret traffic.
Optionally, in the method for controlling access to encrypted traffic described in the present application, the obtaining authority level information of a user account, logging in the user account and matching with attribute information of a terminal to obtain attribute account information specifically includes:
obtaining authority level information of a user account, wherein the authority level information is one of super user, important user or common user;
logging in the user account and, if login succeeds, extracting account information comprising the account number and the account authority level;
acquiring attribute information of a terminal, wherein the attribute information comprises IP address data and MAC address data;
obtaining attribute connection information by processing the IP address data and MAC address data through a preset attribute combination model;
and processing the user account information and the attribute connection information in a preset processing mode to obtain attribute account information.
Optionally, in the method for controlling access to encrypted traffic described in the present application, the inputting of the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model to obtain matching-level encrypted traffic information specifically includes:
inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model for processing to obtain matching-level encrypted traffic information;
the matching-level encrypted traffic information includes one or more of top-secret traffic, confidential traffic or secret traffic;
the common user corresponds to secret traffic, the important user corresponds to confidential traffic and secret traffic, and the super user corresponds to top-secret traffic, confidential traffic and secret traffic.
Optionally, in the method for controlling access to encrypted traffic described in the present application, the obtaining first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to a management user specifically includes:
obtaining first authorization application information through a preset combination method according to the matching-level encrypted traffic information and the attribute account information;
sending the first authorization application information to a management user;
wherein the management user is preset with a matching database;
and the matching database contains the user account number, authority level information and attribute information.
Optionally, in the method for controlling access to encrypted traffic described in the present application, the managing user obtains authorization status information according to the first authorization application information through a preset rule, determines the authorization status information, and if the first authorization application is authorized, sends first authorization application reply information to the application terminal, including:
Matching the first authorization application information with the matching database to obtain authorization status information, including authorizing the first authorization application or rejecting the first authorization application;
if the first authorization application is authorized, sending first authorization application reply information to the application terminal;
the first authorization application reply information comprises the authorized first authorization application information and access login information;
the access login information comprises an access login mode and a dynamic access password;
inputting the access login mode and the authority level information into an authority login model for processing to correspondingly obtain authority login matching information;
wherein the common user logs in with a password, the important user logs in with a password combined with face recognition, and the super user logs in with a dynamic password combined with face recognition.
Optionally, in the method for controlling access to encrypted traffic described in the present application, the obtaining user preset login information correspondingly obtains second authorization application information according to the first authorization application reply information and the user preset login information, and sends the second authorization application information to the management user, which specifically includes:
Acquiring preset login information of a user;
the user preset login information comprises a user login password, user face dynamic data and user voiceprint data;
obtaining second authorization application information according to the first authorization application reply information and the user preset login information;
and sending the second authorization application information to the management user.
In a second aspect, the present application provides an access control system for encrypted traffic, the system comprising a processor and a memory, wherein the memory stores a program of an access control method for encrypted traffic, and the program, when executed by the processor, implements the following steps:
obtaining importance level information of the traffic, and obtaining level-encrypted traffic through a preset traffic encryption mode;
obtaining authority level information of a user account, logging in the user account and matching it with attribute information of a terminal to obtain attribute account information;
inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model for processing to obtain matching-level encrypted traffic information;
obtaining first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to a management user;
the management user obtaining authorization status information through a preset rule according to the first authorization application information, judging the authorization status information, and sending first authorization application reply information to an application terminal if the first authorization application is authorized;
acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and sending the second authorization application information to the management user;
and the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information.
Optionally, in the system for controlling access to encrypted traffic described in the present application, the obtaining importance level information of the traffic and obtaining the level encrypted traffic by a preset traffic encryption method includes:
obtaining importance level information of the traffic according to rules customized by the management user, wherein the importance level information is one of very important, important or generally important;
obtaining the level-encrypted traffic corresponding to the importance level information through a preset traffic encryption mode, wherein the level-encrypted traffic is one of top-secret traffic, confidential traffic or secret traffic;
wherein very important corresponds to top-secret traffic, important corresponds to confidential traffic, and generally important corresponds to secret traffic.
In a third aspect, the present application further provides a readable storage medium, where a program for controlling access to encrypted traffic is included, where the program for controlling access to encrypted traffic, when executed by a processor, implements the steps of a method for controlling access to encrypted traffic according to any one of the above claims.
From the above, a method, system and medium for controlling access to encrypted traffic are provided. The method comprises: obtaining the importance level of the traffic and, by processing it, level-encrypted traffic; obtaining authority level information of a user account and matching it with terminal attribute information to obtain attribute account information; obtaining matching-level encrypted traffic information from the level-encrypted traffic and the authority level information; obtaining first authorization application information from these and sending it to a management user; obtaining authorization state information through preset rules and, once authorized, sending a first authorization application reply to the application terminal; obtaining second authorization application information by combining the reply with user preset login information and sending it to the management user; and the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information. In this way, level-encrypted traffic and user authority levels are set according to user requirements and combined with the attribute information of the user's login terminal to realize access control of the encrypted traffic.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objects and other advantages of the present application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an access control method for encrypted traffic according to an embodiment of the present application;
fig. 2 is a flowchart of obtaining attribute account information in an access control method for encrypted traffic according to an embodiment of the present application;
fig. 3 is a flowchart of obtaining matching-level encrypted traffic information in the method for controlling access to encrypted traffic according to the embodiment of the present application;
fig. 4 is a flowchart of obtaining first authorization application information in a method for controlling access to encrypted traffic according to an embodiment of the present application;
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a flowchart of an access control method for encrypted traffic in some embodiments of the present application. The access control method for encrypted traffic is used in terminal equipment such as mobile phones and computers. The method comprises the following steps:
S11, obtaining importance level information of the traffic, and obtaining level-encrypted traffic through a preset traffic encryption mode;
S12, obtaining authority level information of a user account, logging in the user account and matching it with attribute information of a terminal to obtain attribute account information;
S13, inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model for processing to obtain matching-level encrypted traffic information;
S14, obtaining first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to a management user;
S15, the management user obtaining authorization status information through a preset rule according to the first authorization application information, judging the authorization status information, and sending first authorization application reply information to an application terminal if the first authorization application is authorized;
S16, acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and transmitting the second authorization application information to the management user;
and S17, the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information.
To realize access control of encrypted traffic, the importance level information of the traffic is first acquired and the corresponding level-encrypted traffic is obtained; each level of encrypted traffic is then managed separately. In management, user account authority level information preset according to user requirements is acquired. After the terminal logs in, the user account is matched with the attribute information of the terminal to obtain attribute account information, so that the access authority of the user account and the corresponding level-encrypted traffic, namely the matching-level encrypted traffic information, can be obtained. The matching-level encrypted traffic information is combined with the attribute account information of the terminal to obtain first authorization application information, which is sent to the management user; it contains the level information of the user's access authority and the attribute information of the login device. The management user processes the first authorization application information according to preset rules to obtain authorization state information and judges it; if the first authorization application is authorized, first authorization application reply information is sent to the application terminal. User preset login information is then obtained, second authorization application information is obtained from the first authorization application reply information and the user preset login information and sent to the management user, and the management user performs authorization management on the matching-level encrypted traffic according to the second authorization application information, either granting or refusing authorization.
Finally, access control of the encrypted traffic is realized by setting level-encrypted traffic and user authority levels according to user requirements and combining them with the attribute information of the user's login terminal.
According to an embodiment of the present invention, the obtaining the importance level information of the traffic and obtaining the level encrypted traffic by a preset traffic encryption method includes:
obtaining importance level information of the traffic according to rules customized by the management user, wherein the importance level information is one of very important, important or generally important;
obtaining the level-encrypted traffic corresponding to the importance level information through a preset traffic encryption mode, wherein the level-encrypted traffic is one of top-secret traffic, confidential traffic or secret traffic;
wherein very important corresponds to top-secret traffic, important corresponds to confidential traffic, and generally important corresponds to secret traffic.
Encrypted traffic refers to traffic that is encrypted during access or transmission in order to protect the privacy and integrity of the traffic data. The traffic encryption method first acquires the importance degree of the traffic. In the present instance this may be the importance degree of different classified cases of the same traffic, or the importance degree of different traffic created by the same management user. When the management user divides traffic by importance, different bases for the division, such as priority guarantee of network speed, can be set according to the user's own requirements through rules customized by the management user, and importance level information of very important, important or generally important is thereby acquired. According to the importance level information, the encrypted traffic is classified into different levels of level-encrypted traffic, namely top-secret traffic, confidential traffic or secret traffic. The importance level information and the level-encrypted traffic are in one-to-one correspondence: very important corresponds to top-secret traffic, important to confidential traffic, and generally important to secret traffic.
Referring to fig. 2, fig. 2 is a flowchart of obtaining attribute account information in an access control method for encrypted traffic in some embodiments of the present application. According to the embodiment of the invention, obtaining the authority level information of the user account, logging in the user account and matching it with the attribute information of the terminal to obtain the attribute account information specifically comprises the following steps:
S21, obtaining authority level information of a user account, wherein the authority level information is one of super user, important user or common user;
S22, logging in the user account and, if login succeeds, extracting account information comprising the account number and the account authority level;
S23, acquiring attribute information of a terminal, wherein the attribute information comprises IP address data and MAC address data;
S24, obtaining attribute connection information by processing the IP address data and the MAC address data through a preset attribute combination model;
S25, processing the user account information and the attribute connection information in a preset processing mode to obtain attribute account information.
The management user acts as an administrator: authority conditions are involved when user accounts are created, and different authority levels are set for different user accounts according to personnel rank information or post information. The authority level information of the user account, which is one of super user, important user or common user, can therefore be acquired. The user account is logged in on the terminal device and, if login succeeds, account information comprising the account number and the account authority level is extracted, where the account number is the unique number of the logged-in account in the management system. After the user account has logged in successfully, attribute information of the terminal can be obtained, comprising IP address data and MAC address data. IP (Internet Protocol) is the network layer protocol of the TCP/IP suite; a MAC address (Media Access Control address), also called a LAN address, Ethernet address or physical address, is an address used to identify the position of a network device. The IP address reflects the network address commonly used by the user account, and the IP addresses the user commonly uses or is allowed to log in from can be set when the account is created; the MAC address is unique, and the MAC addresses the user commonly uses or is allowed to log in from can likewise be set when the account is created. The IP address data and MAC address data are processed through a preset attribute combination model to obtain attribute connection information; combined with the MAC data this forms unique data, which can be compared with the attribute data preset in the system to determine the security of the login device and the network. The user account information and the attribute connection information are then processed in a preset processing mode to obtain attribute account information.
Referring to fig. 3, fig. 3 is a flowchart of obtaining matching-level encrypted traffic information in an access control method for encrypted traffic according to an embodiment of the present application. According to an embodiment of the present invention, inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model to obtain matching-level encrypted traffic information specifically includes:
S31, inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model for processing to obtain matching-level encrypted traffic information;
S32, the matching-level encrypted traffic information comprising one or more of top-secret traffic, confidential traffic or secret traffic;
S33, wherein the common user corresponds to secret traffic, the important user corresponds to confidential traffic and secret traffic, and the super user corresponds to top-secret traffic, confidential traffic and secret traffic.
After the user account logs in, the level-encrypted traffic and the authority level of the user account can be detected. The level-encrypted traffic and the authority level information are input into the preset level-encrypted traffic identification matching model for processing to obtain matching-level encrypted traffic information, which is the level-encrypted traffic matched to the authority of the user account. There can be multiple matches, that is, the matching-level encrypted traffic can be one or more of top-secret traffic, confidential traffic or secret traffic. In this embodiment, the common user corresponds to secret traffic, the important user to confidential and secret traffic, and the super user to top-secret, confidential and secret traffic.
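The identification matching model described above, as an added example in Python (not code from the patent): a management user's custom rule assigns each traffic item an importance level, the fixed one-to-one map turns that into a traffic level, and an account's authority level is expanded into the set of levels it may access. The tier names `TOP_SECRET`/`CONFIDENTIAL`/`SECRET`, the `IntEnum` ordering and the `speed_priority` attribute used by the sample rule are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Iterable


class Importance(IntEnum):
    """Importance level information assigned by the management user's rule."""
    GENERAL = 1
    IMPORTANT = 2
    VERY_IMPORTANT = 3


class Level(IntEnum):
    """Level-encrypted traffic; the numeric order is the sensitivity order."""
    SECRET = 1
    CONFIDENTIAL = 2
    TOP_SECRET = 3


class Authority(IntEnum):
    """Authority level information of a user account."""
    COMMON = 1
    IMPORTANT = 2
    SUPER = 3


# One-to-one correspondence between importance and traffic level (from the page).
IMPORTANCE_TO_LEVEL = {
    Importance.VERY_IMPORTANT: Level.TOP_SECRET,
    Importance.IMPORTANT: Level.CONFIDENTIAL,
    Importance.GENERAL: Level.SECRET,
}

# Highest traffic level each authority may access; every lower level is included.
AUTHORITY_CEILING = {
    Authority.COMMON: Level.SECRET,
    Authority.IMPORTANT: Level.CONFIDENTIAL,
    Authority.SUPER: Level.TOP_SECRET,
}


@dataclass(frozen=True)
class Traffic:
    traffic_id: str
    attrs: dict  # whatever the management user's custom rule inspects


@dataclass(frozen=True)
class LevelTraffic:
    traffic_id: str
    level: Level


ImportanceRule = Callable[[Traffic], Importance]


def speed_priority_rule(t: Traffic) -> Importance:
    """Constructed custom rule: the page names network-speed priority as one
    possible basis for the division, so rank by a hypothetical
    'speed_priority' attribute (assumed field, not from the patent)."""
    prio = t.attrs.get("speed_priority", 0)
    if prio >= 2:
        return Importance.VERY_IMPORTANT
    if prio == 1:
        return Importance.IMPORTANT
    return Importance.GENERAL


def to_level_traffic(items: Iterable[Traffic], rule: ImportanceRule) -> list[LevelTraffic]:
    """Apply the management user's rule, then the fixed importance-to-level map."""
    return [LevelTraffic(t.traffic_id, IMPORTANCE_TO_LEVEL[rule(t)]) for t in items]


def allowed_levels(authority: Authority) -> frozenset[Level]:
    """Traffic levels an authority may access: its ceiling and everything below."""
    ceiling = AUTHORITY_CEILING[authority]
    return frozenset(lvl for lvl in Level if lvl <= ceiling)


def matching_level_traffic(level_traffic: Iterable[LevelTraffic],
                           authority: Authority) -> list[LevelTraffic]:
    """The identification matching model: keep only traffic whose level the
    account's authority covers. An authority missing from AUTHORITY_CEILING
    raises KeyError rather than matching nothing, so misconfiguration is loud."""
    allowed = allowed_levels(authority)
    return [lt for lt in level_traffic if lt.level in allowed]


if __name__ == "__main__":
    # Constructed sample traffic, classified by the constructed rule.
    sample = [Traffic("t1", {"speed_priority": 2}),
              Traffic("t2", {"speed_priority": 1}),
              Traffic("t3", {})]
    levelled = to_level_traffic(sample, speed_priority_rule)
    for auth in Authority:
        ids = [lt.traffic_id for lt in matching_level_traffic(levelled, auth)]
        print(auth.name, "->", ids)
```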
Referring to fig. 4, fig. 4 is a flowchart of a method for obtaining first authorization application information in an access control method for encrypted traffic according to an embodiment of the present application. According to an embodiment of the present invention, the obtaining the first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to the management user specifically includes:
S41, obtaining first authorization application information through a preset combination method according to the matching-level encrypted traffic information and the attribute account information;
S42, sending the first authorization application information to a management user;
S43, the management user presets a matching database;
S44, the matching database comprises the user account number, the authority level information and the attribute information.
Obtaining the matching-level encrypted traffic information only shows that the logged-in user account has been granted, in the system, the authority to access encrypted traffic of the corresponding level. To strengthen privacy and security, the first authorization application information is obtained by combining it with the attribute account information through a preset combination method, and is sent to a management user. The attribute account information is unique, and it remains unique after being combined with the matching-level encrypted traffic information. The management user uses a preset matching database that contains user accounts, authority level information and attribute information; a correspondence is established in the database between each user account, its authority level information, and the attribute information of the login terminal equipment it is allowed to use, and the first authorization application is checked by matching the user account and the attribute account information against these records. In this embodiment, the first authorization application information is an application that sends the attribute information of the login terminal of the user account to the management user, so that the management user can determine whether the usage environment is consistent with the preset one.
According to the embodiment of the invention, the management user obtains the authorization status information according to the first authorization application information through a preset rule, judges the authorization status information, and if the first authorization application is authorized, sends first authorization application reply information to the application terminal, specifically including:
matching the first authorization application information with the matching database to obtain authorization status information, including authorizing the first authorization application or rejecting the first authorization application;
if the first authorization application is authorized, sending first authorization application reply information to the application terminal;
the first authorization application reply information comprises authorization first authorization application information and access login information;
the access login information comprises an access login mode and a dynamic access password;
inputting the access login mode and the authority level information into an authority login model for processing to correspondingly obtain authority login matching information;
the common user corresponds to password login, the important user corresponds to password login combined with face recognition, and the super user corresponds to password and voiceprint login combined with dynamic face recognition.
After the first authorization application information is sent to the management user, the management user matches it against the matching database. The matching takes the user account as the key and compares the presented attribute information and authority information with the attribute information and authority information preset under that account, to judge whether they are consistent. If they are consistent, the user is logging in from the set terminal equipment and the set IP address, which gives a certain degree of security, and the next action is allowed; if they are inconsistent, the user is not logging in from the set terminal equipment and the set IP address, and security is at a certain risk. Authorization status information is obtained after matching: the first authorization application is authorized when the match is consistent and refused when it is inconsistent. If the first authorization application is authorized, corresponding first authorization application reply information is sent to the application terminal. The first authorization application reply information comprises authorized first authorization application information and access login information. The authorized first authorization application information indicates that the management user approves the first authorization application, that is, the user account is logging in from a recorded terminal device and network normally. The access login information comprises an access login mode and a dynamic access password. The access login mode is set according to the different encryption levels: the higher the security requirement of the level, the more secure and reliable the login mode must be. The dynamic access password is a password randomly generated on demand when the management user sends the first authorization application reply information, and it is a mandatory item for user login. The login mode and the user authority level are matched through a model to obtain the corresponding authority login matching information, specifically: the login mode of the common user is password login, that is, only the password and the dynamic access password need to be entered; the login mode of the important user is password login combined with face recognition, that is, the user enters the password and the dynamic access password and the user's face recognition is verified; the login mode of the super user is password and voiceprint login combined with dynamic face recognition, that is, the user must read the dynamic access password aloud when entering the password, and dynamic face recognition is performed in addition. Reading the dynamic access password aloud serves to verify both the user's voiceprint information and the dynamic password information. Login management of the encrypted traffic can be strengthened in this way.
According to an embodiment of the present invention, the obtaining user preset login information correspondingly obtains second authorization application information according to the first authorization application reply information and the user preset login information, and sends the second authorization application information to the management user, which specifically includes:
acquiring preset login information of a user;
the user preset login information comprises a user login password, user face dynamic data and user voiceprint data;
obtaining second authorization application information according to the first authorization application reply information and the user preset login information;
and sending the second authorization application information to the management user.
The management user sets the corresponding login information when the user account is managed, so the obtained user preset login information comprises the user login password, user face dynamic data and user voiceprint data. Second authorization application information is correspondingly obtained according to the first authorization application reply information and the user preset login information; its content is determined by the login mode, and it is sent to the management user for verification.
The invention also discloses an access control system of the encrypted traffic, which comprises a memory and a processor, wherein the memory comprises an access control method program of the encrypted traffic, and the access control method program of the encrypted traffic realizes the following steps when being executed by the processor:
Obtaining importance level information of the flow, and obtaining a level encryption flow in a preset flow encryption mode;
obtaining authority level information of a user account, logging in the user account and matching with attribute information of a terminal to obtain attribute account information;
inputting the level encryption traffic and the authority level information into a preset level encryption traffic identification matching model for processing to obtain matching level encryption traffic information;
obtaining first authorization application information according to the matching grade encryption flow information and the attribute account information, and sending the first authorization application information to a management user;
the management user obtains authorization status information through a preset rule according to the first authorization application information, judges the authorization status information, and sends first authorization application reply information to an application terminal if the first authorization application is authorized;
acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and sending the second authorization application information to the management user;
and the management user performs authorization management on the matched grade encryption traffic according to the second authorization application information.
In order to realize access control of encrypted traffic, the importance level information of the traffic is first acquired, and the level-encrypted traffic is acquired accordingly; the level-encrypted traffic is then managed level by level. During management, the user account authority level information preset according to user requirements is acquired, and after the user account logs in at a terminal it is matched with the attribute information of the terminal to obtain attribute account information. The access authority of the user account and the corresponding level-encrypted traffic can then be acquired, that is, the matching-level encrypted traffic information. The matching-level encrypted traffic information is combined with the attribute account information of the terminal to obtain the first authorization application information, which is transmitted to the management user; it contains the level information of the user's access authority and the attribute information of the login equipment. The management user processes the first authorization application information according to preset rules to obtain authorization status information, judges the authorization status information, and, if the first authorization application is authorized, sends first authorization application reply information to the application terminal. User preset login information is then obtained, second authorization application information is correspondingly obtained according to the first authorization application reply information and the user preset login information and sent to the management user, and the management user carries out authorization management on the matching-level encrypted traffic according to the second authorization application information, either granting or refusing authorization.
Finally, the method for controlling the access to the encrypted traffic by setting the level encryption traffic and the user authority level according to the user requirements and combining the attribute information of the user login terminal is realized.
According to an embodiment of the present invention, the obtaining the importance level information of the traffic and obtaining the level encrypted traffic by a preset traffic encryption method includes:
obtaining importance level information of the traffic according to the custom rules of the management user, wherein the importance level information comprises very important, important or general important;
obtaining the level-encrypted traffic corresponding to the importance level information through a preset traffic encryption mode, wherein the level-encrypted traffic comprises super-secret traffic, confidential traffic or secret traffic;
wherein very important corresponds to the super-secret traffic, important corresponds to the confidential traffic, and general important corresponds to the secret traffic.
Encrypted traffic refers to traffic that is encrypted during access or transmission in order to protect the privacy and integrity of the traffic data. In the traffic encryption method, the importance level of the traffic is acquired first. The importance level in the present embodiment may be the importance of different classification situations of the same traffic, or the importance of different traffic created by the same management user. When the management user divides the traffic by importance, different bases for the division, such as the importance of a guaranteed network speed priority, can be set according to the management user's own requirements through custom rules, and importance level information comprising very important, important or general important is thereby obtained. The encrypted traffic is classified into level-encrypted traffic of different levels according to the importance level information, comprising super-secret traffic, confidential traffic or secret traffic. The importance level information and the level-encrypted traffic are in one-to-one correspondence: very important corresponds to the super-secret traffic, important corresponds to the confidential traffic, and general important corresponds to the secret traffic.
According to the embodiment of the invention, the permission level information of the user account is obtained, the user account is logged in and is matched with the attribute information of the terminal to obtain the attribute account information, and the method specifically comprises the following steps:
obtaining authority level information of a user account, wherein the authority level information comprises a super user, an important user or a common user;
logging in the user account, and if logging in is successful, extracting account information including account numbers and account authority grades;
acquiring attribute information of a terminal, wherein the attribute information comprises IP address data and MAC address data;
obtaining attribute connection information through preset attribute combination model processing according to the IP address data and the MAC address data;
and processing according to the user account information and the attribute connection information in a preset processing mode to obtain attribute account information.
The management user acts as the manager: authority conditions are involved when user accounts are created, and different authority levels are set for different user accounts according to personnel rank information or personnel post information. The authority level information of the user account can therefore be acquired, wherein the authority level information comprises super user, important user or common user. The user account is logged in on a terminal device, and if login succeeds, account information comprising the account number and the account authority level is extracted, wherein the account number is the unique number of the logged-in account in the management system. After the user account is successfully logged in, the attribute information of the terminal can be obtained, wherein the attribute information comprises IP address data and MAC address data. IP refers to the Internet Protocol, the network layer protocol of the TCP/IP suite. The MAC address (Media Access Control address), also called the LAN address, Ethernet address or physical address, is the address used to identify the position of a network device. The IP address reflects the network address the user account commonly uses, and the IP address the user commonly uses or is allowed to log in from can be set when the account is set up; the MAC address is unique, and the MAC address the user commonly uses or is allowed to log in from can likewise be set when the account is set up. The IP address data and the MAC address data are processed through a preset attribute combination model to obtain attribute connection information, in which the IP address data and the MAC address data are combined into a unique value; this value can be compared with the attribute data preset in the system, so that the security of the login equipment and the network is determined. The user account information and the attribute connection information are then processed through a preset processing mode to obtain attribute account information.
According to an embodiment of the present invention, inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification matching model for processing, to obtain matching-level encrypted traffic information, specifically includes:
inputting the level encryption traffic and the authority level information into a preset level encryption traffic identification matching model for processing to obtain matching level encryption traffic information;
the matching-level encrypted traffic information includes one or more of the super-secret traffic, the confidential traffic or the secret traffic;
the common user corresponds to the secret traffic, the important user corresponds to the confidential traffic and the secret traffic, and the super user corresponds to the super-secret traffic, the confidential traffic and the secret traffic.
After the user account logs in, the level-encrypted traffic and the authority level of the user account can be detected. The level-encrypted traffic and the authority level information are input into a preset level-encrypted traffic identification matching model for processing, and matching-level encrypted traffic information is obtained: the level-encrypted traffic that the authority of the user account is matched to. There can be several matching results, that is, the matching-level encrypted traffic can be one or more of the super-secret traffic, the confidential traffic or the secret traffic. In this embodiment, the common user corresponds to the secret traffic, the important user corresponds to the confidential traffic and the secret traffic, and the super user corresponds to the super-secret traffic, the confidential traffic and the secret traffic.
According to an embodiment of the present invention, the obtaining the first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to the management user specifically includes:
obtaining first authorization application information through a preset combination method according to the matching-level encrypted traffic information and the attribute account information;
the first authorization application information is sent to a management user;
the management user is preset with a matching database;
the matching database contains the user account number, authority level information and attribute information.
Obtaining the matching-level encrypted traffic information only shows that the logged-in user account has been granted, in the system, the authority to access encrypted traffic of the corresponding level. To strengthen privacy and security, the first authorization application information is obtained by combining it with the attribute account information through a preset combination method, and is sent to a management user. The attribute account information is unique, and it remains unique after being combined with the matching-level encrypted traffic information. The management user uses a preset matching database that contains user accounts, authority level information and attribute information; a correspondence is established in the database between each user account, its authority level information, and the attribute information of the login terminal equipment it is allowed to use, and the first authorization application is checked by matching the user account and the attribute account information against these records. In this embodiment, the first authorization application information is an application that sends the attribute information of the login terminal of the user account to the management user, so that the management user can determine whether the usage environment is consistent with the preset one.
According to the embodiment of the invention, the management user obtains the authorization status information according to the first authorization application information through a preset rule, judges the authorization status information, and if the first authorization application is authorized, sends first authorization application reply information to the application terminal, specifically including:
matching the first authorization application information with the matching database to obtain authorization status information, including authorizing the first authorization application or rejecting the first authorization application;
if the first authorization application is authorized, sending first authorization application reply information to the application terminal;
the first authorization application reply information comprises authorization first authorization application information and access login information;
the access login information comprises an access login mode and a dynamic access password;
inputting the access login mode and the authority level information into an authority login model for processing to correspondingly obtain authority login matching information;
the common user corresponds to password login, the important user corresponds to password login combined with face recognition, and the super user corresponds to password and voiceprint login combined with dynamic face recognition.
After the first authorization application information is sent to the management user, the management user matches it against the matching database. The matching takes the user account as the key and compares the presented attribute information and authority information with the attribute information and authority information preset under that account, to judge whether they are consistent. If they are consistent, the user is logging in from the set terminal equipment and the set IP address, which gives a certain degree of security, and the next action is allowed; if they are inconsistent, the user is not logging in from the set terminal equipment and the set IP address, and security is at a certain risk. Authorization status information is obtained after matching: the first authorization application is authorized when the match is consistent and refused when it is inconsistent. If the first authorization application is authorized, corresponding first authorization application reply information is sent to the application terminal. The first authorization application reply information comprises authorized first authorization application information and access login information. The authorized first authorization application information indicates that the management user approves the first authorization application, that is, the user account is logging in from a recorded terminal device and network normally. The access login information comprises an access login mode and a dynamic access password. The access login mode is set according to the different encryption levels: the higher the security requirement of the level, the higher the security and reliability the login mode must provide. The dynamic access password is a password randomly generated on demand when the management user sends the first authorization application reply information, and it is a mandatory item for user login. The login mode and the user authority level are matched through a model to obtain the corresponding access login matching information, specifically: the login mode of the common user is password login, that is, only the password and the dynamic access password need to be entered; the login mode of the important user is password login combined with face recognition, that is, the user enters the password and the dynamic access password and the user's face recognition is verified; the login mode of the super user is password and voiceprint login combined with dynamic face recognition, that is, the user must read the dynamic access password aloud when entering the password, and dynamic face recognition is performed in addition. Reading the dynamic access password aloud serves to verify both the user's voiceprint information and the dynamic password information. Login management of the encrypted traffic can be strengthened in this way.
According to an embodiment of the present invention, the obtaining user preset login information correspondingly obtains second authorization application information according to the first authorization application reply information and the user preset login information, and sends the second authorization application information to the management user, which specifically includes:
acquiring preset login information of a user;
the user preset login information comprises a user login password, user face dynamic data and user voiceprint data;
obtaining second authorization application information according to the first authorization application reply information and the user preset login information;
and sending the second authorization application information to the management user.
The management user sets the corresponding login information when the user account is managed, so the obtained user preset login information comprises the user login password, user face dynamic data and user voiceprint data. Second authorization application information is correspondingly obtained according to the first authorization application reply information and the user preset login information; its content is determined by the login mode, and it is sent to the management user for verification.
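The procedure laid out in the preceding paragraphs (the matching model of steps S31 to S33, the first authorization application of steps S41 to S44 checked against the matching database, the level-dependent login mode with its dynamic access password, and the second authorization application verified against the user's preset login information) can be modelled end to end. The following Python is an added illustration, not code from the patent or from the applicant: the "preset" combination model, processing mode and matching model that the text leaves unspecified are stood in for by hash-based bindings and lookup tables, the database schema, account numbers, addresses and passwords are all constructed, and biometric matching is reduced to comparing template identifiers.

```python
"""Constructed walk-through of the level-based access-control flow described
above: traffic levels, authority levels, attribute account information, the
first authorization check, the login mode with dynamic password, and the
second authorization check. Illustration only, not the patent's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Importance level -> level-encrypted traffic (one-to-one, as the text states).
IMPORTANCE_TO_LEVEL = {"very important": "super-secret",
                       "important": "confidential",
                       "general important": "secret"}
# Authority level -> traffic levels that user may access (the "matching model").
AUTHORITY_TO_LEVELS = {
    "common user": frozenset({"secret"}),
    "important user": frozenset({"confidential", "secret"}),
    "super user": frozenset({"super-secret", "confidential", "secret"}),
}
# Authority level -> access login mode (the "authority login model").
AUTHORITY_TO_LOGIN_MODE = {"common user": "password",
                           "important user": "password+face",
                           "super user": "password+voiceprint+dynamic_face"}
# Factors the second authorization must verify for each login mode.
LOGIN_MODE_FACTORS = {"password": ("password",),
                      "password+face": ("password", "face"),
                      "password+voiceprint+dynamic_face": ("password", "voiceprint", "face")}


@dataclass
class MatchingEntry:
    """One row of the management user's matching database (constructed schema)."""
    authority: str
    allowed_ip: str
    allowed_mac: str
    salt: bytes
    password_hash: bytes
    face_template: str        # stand-in for a stored biometric template
    voiceprint_template: str  # stand-in for a stored biometric template


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash, so a leaked matching database does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def attribute_connection_info(ip: str, mac: str) -> str:
    """Preset attribute combination model (constructed): bind IP and MAC into one value."""
    mac_norm = mac.lower().replace("-", ":")
    return hashlib.sha256(f"{ip}|{mac_norm}".encode()).hexdigest()


def attribute_account_info(account: str, ip: str, mac: str) -> str:
    """Preset processing mode (constructed): bind the account number to its terminal."""
    return hashlib.sha256(f"{account}|{attribute_connection_info(ip, mac)}".encode()).hexdigest()


def level_encrypted_traffic(importance: str) -> str:
    return IMPORTANCE_TO_LEVEL[importance]


def matching_level_traffic(authority: str) -> frozenset:
    return AUTHORITY_TO_LEVELS[authority]


def first_authorization(db: dict, account: str, authority: str, ip: str, mac: str):
    """Preset rule of the management user: authorize only if the account exists with
    the claimed authority and the presented attribute account info equals the preset
    one. Returns (status, reply); the reply carries the login mode and a dynamic password."""
    entry = db.get(account)
    if entry is None or entry.authority != authority:
        return "rejected", None
    expected = attribute_account_info(account, entry.allowed_ip, entry.allowed_mac)
    if not hmac.compare_digest(expected, attribute_account_info(account, ip, mac)):
        return "rejected", None  # unknown terminal or network: usage environment differs
    return "authorized", {"matching_levels": matching_level_traffic(authority),
                          "login_mode": AUTHORITY_TO_LOGIN_MODE[authority],
                          "dynamic_password": secrets.token_hex(4)}  # fresh per reply


def second_authorization(db: dict, account: str, reply: dict, presented: dict) -> bool:
    """Check the dynamic password and every factor the login mode requires against the
    preset login information. `presented` maps factor name -> value supplied at login."""
    entry = db[account]
    if not hmac.compare_digest(reply["dynamic_password"], presented.get("dynamic_password", "")):
        return False
    for factor in LOGIN_MODE_FACTORS[reply["login_mode"]]:
        if factor not in presented:
            return False  # a factor the level demands was not supplied
        if factor == "password":
            ok = hmac.compare_digest(hash_password(presented["password"], entry.salt),
                                     entry.password_hash)
        elif factor == "face":
            ok = presented["face"] == entry.face_template
        else:  # voiceprint, taken from the user reading the dynamic password aloud
            ok = presented["voiceprint"] == entry.voiceprint_template
        if not ok:
            return False
    return True


# Constructed sample matching database: two accounts bound to preset terminals.
_SALT = b"constructed-demo-salt"
SAMPLE_DB = {
    "U1001": MatchingEntry("common user", "10.0.0.5", "aa:bb:cc:dd:ee:01", _SALT,
                           hash_password("pw-common", _SALT), "face-1001", "voice-1001"),
    "U2002": MatchingEntry("super user", "10.0.0.9", "aa:bb:cc:dd:ee:02", _SALT,
                           hash_password("pw-super", _SALT), "face-2002", "voice-2002"),
}

if __name__ == "__main__":
    print(first_authorization(SAMPLE_DB, "U2002", "super user", "10.0.0.9", "AA-BB-CC-DD-EE-02"))
```

Two design points follow from the text rather than from the code: the attribute account information is compared as a single bound value, so a login from the right account but an unrecorded terminal or network is rejected before any login mode is offered, and the set of factors checked in the second authorization grows with the authority level, so a super user cannot be let in on a password and dynamic password alone even if the face or voiceprint step is simply omitted from the submission.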
A third aspect of the present invention provides a readable storage medium having embodied therein an access control method program for encrypted traffic, which when executed by a processor, implements the steps of an access control method for encrypted traffic as described in any one of the above.
The invention discloses an access control method, a system and a medium for encrypted traffic, which are characterized in that the importance level of the traffic is acquired, the level encrypted traffic is acquired through processing, the authority level information of a user account is acquired and then is matched with the attribute information of a terminal to acquire attribute account information, then the matched level encrypted traffic information is acquired according to the level encrypted traffic and the authority level information, further first authorization application information is acquired and is sent to a management user, authorization status information is acquired through a preset rule, a first authorization application reply is sent to the application terminal after authorization, and then second authorization application information is acquired by combining with preset login information of the user and is sent to the management user, and the management user carries out authorization management on the matched level encrypted traffic according to the second authorization application information. The technology of setting the level encryption flow and the user authority level according to the user requirement and combining the attribute information of the user login terminal to realize the access control on the encryption flow is realized.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the components shown or discussed may be coupled, directly coupled or communicatively connected to each other through some interfaces; the indirect coupling or communicative connection between devices or units may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be carried out by hardware related to program instructions; the foregoing program may be stored in a readable storage medium, and when executed, performs steps including those of the above method embodiments. The aforementioned storage medium includes a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or any other medium that can store program code.
Alternatively, the above-described integrated units of the present invention may be stored in a readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.

Claims (10)

1. An access control method for encrypted traffic, comprising:
obtaining importance level information of traffic, and obtaining level-encrypted traffic by a preset traffic encryption method;
obtaining authority level information of a user account, logging in to the user account, and matching it with attribute information of a terminal to obtain attribute account information;
inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification and matching model for processing, to obtain matching-level encrypted traffic information;
obtaining first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to a management user;
the management user obtaining authorization status information from the first authorization application information through a preset rule, judging the authorization status information, and, if the first authorization application is authorized, sending first authorization application reply information to an application terminal;
acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and sending the second authorization application information to the management user;
and the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information.
2. The access control method for encrypted traffic according to claim 1, wherein obtaining importance level information of traffic and obtaining the level-encrypted traffic by a preset traffic encryption method comprises:
obtaining importance level information of the traffic according to custom rules of the management user, wherein the importance level information is one of very important, important, or generally important;
obtaining the level-encrypted traffic corresponding to the importance level information by a preset traffic encryption method, wherein the level-encrypted traffic is one of top-secret traffic, confidential traffic, or secret traffic;
wherein very important corresponds to top-secret traffic, important corresponds to confidential traffic, and generally important corresponds to secret traffic.
3. The access control method for encrypted traffic according to claim 2, wherein obtaining authority level information of a user account, logging in to the user account, and matching it with attribute information of a terminal to obtain attribute account information specifically comprises:
obtaining authority level information of the user account, wherein the authority level information is one of super user, important user, or common user;
logging in to the user account and, if login succeeds, extracting account information including the account number and the account authority level;
acquiring attribute information of the terminal, wherein the attribute information comprises IP address data and MAC address data;
obtaining attribute connection information by processing the IP address data and the MAC address data with a preset attribute combination model;
and processing the user account information and the attribute connection information in a preset processing manner to obtain the attribute account information.
4. The access control method for encrypted traffic according to claim 3, wherein inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification and matching model for processing, to obtain matching-level encrypted traffic information, specifically comprises:
inputting the level-encrypted traffic and the authority level information into the preset level-encrypted traffic identification and matching model for processing, to obtain the matching-level encrypted traffic information;
wherein the matching-level encrypted traffic information includes one or more of top-secret traffic, confidential traffic, or secret traffic;
and the common user corresponds to secret traffic, the important user corresponds to confidential traffic and secret traffic, and the super user corresponds to top-secret traffic, confidential traffic, and secret traffic.
5. The access control method for encrypted traffic according to claim 4, wherein obtaining the first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to the management user, specifically comprises:
obtaining the first authorization application information by a preset combination method from the matching-level encrypted traffic information and the attribute account information;
sending the first authorization application information to the management user;
wherein the management user is preset with a matching database;
and the matching database contains user account numbers, authority level information, and attribute information.
6. The access control method for encrypted traffic according to claim 5, wherein the management user obtaining authorization status information from the first authorization application information through a preset rule, judging the authorization status information, and, if the first authorization application is authorized, sending first authorization application reply information to the application terminal, specifically comprises:
matching the first authorization application information against the matching database to obtain authorization status information, which is either authorizing the first authorization application or rejecting the first authorization application;
if the first authorization application is authorized, sending first authorization application reply information to the application terminal;
wherein the first authorization application reply information comprises the authorized first authorization application information and access login information;
the access login information comprises an access login mode and a dynamic access password;
inputting the access login mode and the authority level information into an authority login model for processing, to obtain the corresponding authority login matching information;
wherein the common user corresponds to password login, the important user corresponds to password login combined with face recognition, and the super user corresponds to dynamic password login combined with face recognition.
7. The access control method for encrypted traffic according to claim 6, wherein acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and sending the second authorization application information to the management user, specifically comprises:
acquiring the user preset login information;
wherein the user preset login information comprises a user login password, user face dynamic data, and user voiceprint data;
obtaining the second authorization application information according to the first authorization application reply information and the user preset login information;
and sending the second authorization application information to the management user.
8. An access control system for encrypted traffic, comprising a memory and a processor, wherein the memory stores an access control method program for encrypted traffic, and the access control method program for encrypted traffic, when executed by the processor, implements the following steps:
obtaining importance level information of traffic, and obtaining level-encrypted traffic by a preset traffic encryption method;
obtaining authority level information of a user account, logging in to the user account, and matching it with attribute information of a terminal to obtain attribute account information;
inputting the level-encrypted traffic and the authority level information into a preset level-encrypted traffic identification and matching model for processing, to obtain matching-level encrypted traffic information;
obtaining first authorization application information according to the matching-level encrypted traffic information and the attribute account information, and sending the first authorization application information to a management user;
the management user obtaining authorization status information from the first authorization application information through a preset rule, judging the authorization status information, and, if the first authorization application is authorized, sending first authorization application reply information to an application terminal;
acquiring user preset login information, correspondingly acquiring second authorization application information according to the first authorization application reply information and the user preset login information, and sending the second authorization application information to the management user;
and the management user performing authorization management on the matching-level encrypted traffic according to the second authorization application information.
9. The access control system for encrypted traffic according to claim 8, wherein obtaining importance level information of traffic and obtaining the level-encrypted traffic by a preset traffic encryption method comprises:
obtaining importance level information of the traffic according to custom rules of the management user, wherein the importance level information is one of very important, important, or generally important;
obtaining the level-encrypted traffic corresponding to the importance level information by a preset traffic encryption method, wherein the level-encrypted traffic is one of top-secret traffic, confidential traffic, or secret traffic;
wherein very important corresponds to top-secret traffic, important corresponds to confidential traffic, and generally important corresponds to secret traffic.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium contains an access control method program for encrypted traffic which, when executed by a processor, implements the steps of the access control method for encrypted traffic according to any one of claims 1 to 7.
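The procedure that claims 1 to 7 lay out, worked through as an added toy model in Python. This is an illustration written for this page, not the patent's or the applicant's code. The traffic level and user level names, the use of a SHA-256 hash over the IP and MAC data as the "preset attribute combination model", the dictionary-based matching database, the exact-match comparison of login factors, and the single-use dynamic access password are all assumptions about how the claims' "preset" models and rules might be realised.

```python
"""Toy model of the level-based access control flow in claims 1 to 7.
Added illustration, not the patent's or applicant's code; level names, the
hash over IP and MAC, the dictionary matching database and the single-use
dynamic password are assumptions about how the 'preset' models are realised."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import IntEnum


class TrafficLevel(IntEnum):
    """Claim 2: level-encrypted traffic classes, lowest to highest."""
    SECRET = 1
    CONFIDENTIAL = 2
    TOP_SECRET = 3


class UserLevel(IntEnum):
    """Claim 3: account authority levels, lowest to highest."""
    COMMON = 1
    IMPORTANT = 2
    SUPER = 3


# Claim 2: importance level set by the management user -> traffic level.
IMPORTANCE_TO_LEVEL = {
    "very important": TrafficLevel.TOP_SECRET,
    "important": TrafficLevel.CONFIDENTIAL,
    "generally important": TrafficLevel.SECRET,
}

# Claim 6: login mode the authority login model assigns to each user level.
LOGIN_MODE = {
    UserLevel.COMMON: ("password",),
    UserLevel.IMPORTANT: ("password", "face"),
    UserLevel.SUPER: ("dynamic_password", "face"),
}


def matching_levels(user_level):
    """Claim 4: a user may reach every traffic level up to their own level
    (common -> secret; important -> +confidential; super -> all three)."""
    return frozenset(lvl for lvl in TrafficLevel if int(lvl) <= int(user_level))


def terminal_fingerprint(ip, mac):
    """Claim 3: 'attribute connection information' from IP and MAC data.
    Hashing the pair is an assumed stand-in for the preset combination model."""
    return hashlib.sha256(f"{ip}|{mac.lower()}".encode()).hexdigest()


def build_first_request(account, user_level, ip, mac, requested):
    """Claim 5: first authorization application = attribute account info
    plus the matching-level traffic the terminal wants to access."""
    return {"account": account, "level": user_level,
            "terminal": terminal_fingerprint(ip, mac),
            "requested": frozenset(requested)}


@dataclass
class ManagementUser:
    """Claims 5 to 7: owns the matching database and decides both requests."""
    matching_db: dict                           # account -> (UserLevel, terminal fingerprint)
    credentials: dict                           # account -> preset login info (claim 7)
    issued: dict = field(default_factory=dict)  # account -> outstanding dynamic password

    def first_authorization(self, req):
        """Claim 6: match the request against the database. Reply with the
        login mode and a fresh dynamic access password, or None on rejection."""
        entry = self.matching_db.get(req["account"])
        if entry is None:
            return None
        level, terminal = entry
        # Authority level and terminal binding must equal the database record...
        if level != req["level"] or not hmac.compare_digest(terminal, req["terminal"]):
            return None
        # ...and every requested traffic level must lie within the user's matching levels.
        if not req["requested"] <= matching_levels(level):
            return None
        dyn_pw = secrets.token_hex(16)
        self.issued[req["account"]] = dyn_pw
        return {"authorized": True, "login_mode": LOGIN_MODE[level],
                "dynamic_password": dyn_pw}

    def second_authorization(self, account, reply, presented):
        """Claim 7: the second application carries the reply plus the user's
        preset login factors; every factor the login mode demands must be
        present and equal the stored value (real biometric matching would use
        a classifier and passwords would be stored hashed; both simplified)."""
        stored = self.credentials.get(account)
        if stored is None or reply is None:
            return False
        for factor in reply["login_mode"]:
            expected = (self.issued.get(account) if factor == "dynamic_password"
                        else stored.get(factor))
            given = presented.get(factor)
            if expected is None or given is None or not hmac.compare_digest(
                    str(expected).encode(), str(given).encode()):
                return False
        self.issued.pop(account, None)  # the dynamic password is single-use
        return True
```

The two decision points are deliberately separate: the first authorization only checks that the account, its authority level and the terminal binding agree with the matching database and that nothing above the user's level was requested; the login factors are only checked in the second authorization, against the login mode the first reply selected, so a request that skips the dynamic password or presents it twice is rejected.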

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311724486.9A CN117714151A (en) 2023-12-14 2023-12-14 Access control method, system and medium for encrypted traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311724486.9A CN117714151A (en) 2023-12-14 2023-12-14 Access control method, system and medium for encrypted traffic

Publications (1)

Publication Number Publication Date
CN117714151A true CN117714151A (en) 2024-03-15

Family

ID=90149311

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311724486.9A Pending CN117714151A (en) 2023-12-14 2023-12-14 Access control method, system and medium for encrypted traffic

Country Status (1)

Country Link
CN (1) CN117714151A (en)

Similar Documents

Publication Publication Date Title
JP6491192B2 (en) Method and system for distinguishing humans from machines and for controlling access to network services
US9396352B2 (en) System and method to provide server control for access to mobile client data
EP3120282B1 (en) User authentication
CN111147255B (en) Data security service system, method and computer readable storage medium
US7024690B1 (en) Protected mutual authentication over an unsecured wireless communication channel
CN110149328B (en) Interface authentication method, device, equipment and computer readable storage medium
CN109756446B (en) Access method and system for vehicle-mounted equipment
CN109643356B (en) Method and system for preventing phishing or extorting software attacks
CN107483495B (en) Big data cluster host management method, management system and server
KR20070024633A (en) Renewable and private biometrics
KR101809974B1 (en) A system for security certification generating authentication key combinating multi-user element and a method thereof
EP3937040B1 (en) Systems and methods for securing login access
CN111274046A (en) Service call validity detection method and device, computer equipment and computer storage medium
US7412603B2 (en) Methods and systems for enabling secure storage of sensitive data
KR102402705B1 (en) Method and server for verifying multifactor security of mobile remote control based on zero trust model in separated netwrok environment
US7487535B1 (en) Authentication on demand in a distributed network environment
CN112905965B (en) Financial big data processing system based on block chain
CN115622792A (en) Zero trust-based data security comprehensive protection system and method
CN113918977A (en) User information transmission device based on Internet of things and big data analysis
CN114157438A (en) Network equipment management method and device and computer readable storage medium
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
US20070055478A1 (en) System and method for active data protection in a computer system in response to a request to access to a resource of the computer system
CN110582986B (en) Security authentication method for generating security key by combining authentication factors of multiple users
CN117714151A (en) Access control method, system and medium for encrypted traffic
CN117118750B (en) Data sharing method and device based on white-box password, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination