CN117955735A - Data security access control method, system and storage medium - Google Patents


Info

Publication number: CN117955735A
Authority: CN (China)
Prior art keywords: ipv6, message, terminal, stealth, access
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN202410337986.5A
Other languages: Chinese (zh)
Inventors: 韩国梁, 侯振芳, 包丛笑, 李星
Current Assignee: Beijing Indirect Network Technology Co ltd
Original Assignee: Beijing Indirect Network Technology Co ltd

Application filed by Beijing Indirect Network Technology Co ltd
Priority to CN202410337986.5A
Publication of CN117955735A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a data security access control method, a data security access control system and a storage medium, and belongs to the technical field of communication. When an access-restricted data center device/cloud component is detected accessing an accessed data center device/cloud component, the request message to be sent and the local IPv6 prefix are obtained, and it is determined whether the access-restricted device/component has the authority to access the accessed device/component. If so, the request message is parsed and processed to obtain an IPv6 message, the corresponding receiver IPv6 stealth terminal is determined, a target IPv6 prefix is determined from that receiver IPv6 stealth terminal, an outer layer IPv6 message is constructed, the IPv6 message is encrypted and encapsulated within the outer layer IPv6 message to obtain an encapsulated IPv6 message, and the encapsulated IPv6 message is sent to the receiver IPv6 stealth terminal. The application improves the security of mutual access within a data center/cloud platform.

Description

Data security access control method, system and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, a system, and a storage medium for controlling data security access.
Background
With the spread of internet technology, the network has permeated every aspect of daily life because of its convenient and efficient communication, bringing great convenience to study and work; at the same time, server communication systems as a whole are threatened by various security risks (information leakage, virus propagation and the like). In the era of digital communication, the security of network connections and server communication is therefore receiving more attention.
At present, mutual access between a data center and a cloud platform faces serious security problems. For example, after an attacker has penetrated the data center or cloud platform by some other path, other services or components inside it are attacked, so that the information system is damaged or sensitive data is stolen, tampered with or abused, seriously threatening the security of the information system.
Disclosure of Invention
In order to improve the mutual access security inside a data center/cloud platform, the application provides a data security access control method, a data security access control system and a storage medium.
In a first aspect, the present application provides a data security access control method, which adopts the following technical scheme:
The data security access control method is applied to a local IPv6 stealth terminal, the local IPv6 stealth terminal being pre-deployed on each data center device/cloud component whose access is to be restricted, and comprises the following steps:
when it is detected that the access-restricted data center device/cloud component accesses the accessed data center device/cloud component, acquiring a request message to be sent and a local IPv6 prefix, wherein the request message is the request message sent by the access-restricted data center device/cloud component, and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal;
determining, based on a preset control access rule, whether the access-restricted data center device/cloud component has the authority to access the accessed data center device/cloud component, and if so, parsing and processing the request message to obtain an IPv6 message and determining the corresponding receiver IPv6 stealth terminal according to a preset correspondence and the target address of the request message;
determining a target IPv6 prefix based on the receiver IPv6 stealth terminal;
constructing an outer layer IPv6 message based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 addresses change dynamically and cannot be forged, and encrypting and encapsulating the IPv6 message within the outer layer IPv6 message to obtain an encapsulated IPv6 message;
and sending the encapsulated IPv6 message to the receiver IPv6 stealth terminal through the internal network of the access-restricted data center device/cloud component.
By adopting this technical scheme, an access restriction is set for the corresponding data center device/cloud component; after it is set, whether the access-restricted device/component accesses the accessed device/component is detected. When such an access occurs, the request message to be sent and the local IPv6 prefix are acquired (the request message being the one sent by the access-restricted device/component, and the local IPv6 prefix the one corresponding to the local IPv6 stealth terminal). It is then determined from the preset control access rule whether the access-restricted device/component has the authority to access the accessed device/component; if so, the request message is parsed and processed into an IPv6 message, the corresponding receiver IPv6 stealth terminal is determined from the preset correspondence and the target address of the request message, and the target IPv6 prefix is determined from that receiver IPv6 stealth terminal. An outer layer IPv6 message is then constructed from the preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 addresses change dynamically and cannot be forged, and the IPv6 message is encrypted and encapsulated within it; the encapsulated IPv6 message is finally sent to the receiver IPv6 stealth terminal through the internal network of the access-restricted device/component. Such an access path cannot be found by scanning, its traffic cannot be usefully sniffed and its content cannot be recovered, so the security of mutual access within the data center/cloud platform is improved.
In one possible implementation, constructing the outer layer IPv6 message based on the preset data certificate, the local IPv6 prefix and the target IPv6 prefix includes:
calculating a source IPv6 address by a random algorithm within the address range of the local IPv6 prefix;
obtaining secure communication information, wherein the secure communication information is the secure communication protocol information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal;
determining a cryptographic algorithm based on the preset data certificate, and calculating a dynamic target IPv6 address from the cryptographic algorithm, the secure communication information and the target IPv6 prefix;
and associating the source IPv6 address and the target IPv6 address to construct the outer layer IPv6 message.
In one possible implementation, encrypting and encapsulating the IPv6 message within the outer layer IPv6 message to obtain the encapsulated IPv6 message includes:
encrypting the IPv6 message based on the secure communication information to obtain an updated IPv6 message.
In a second aspect, the present application provides a data security access control method, which adopts the following technical scheme:
The data security access control method is applied to a receiver IPv6 stealth terminal, the receiver IPv6 stealth terminal being pre-deployed on each accessed data center device/cloud component, and comprises the following steps:
receiving an IPv6 message sent by a local IPv6 stealth terminal; the IPv6 message is obtained as follows: when it is detected that the access-restricted data center device/cloud component accesses the accessed data center device/cloud component, the request message to be sent and the local IPv6 prefix are acquired (the request message being the one sent by the access-restricted device/component, and the local IPv6 prefix the one corresponding to the local IPv6 stealth terminal); based on a preset control access rule it is determined whether the access-restricted device/component has the authority to access the accessed device/component, and if so the request message is parsed to obtain an IPv6 message, the corresponding receiver IPv6 stealth terminal is determined according to a preset correspondence and the target address of the request message, the target IPv6 prefix is determined based on the receiver IPv6 stealth terminal, an outer layer IPv6 message whose addresses change dynamically and cannot be forged is constructed based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, and the IPv6 message is encrypted and encapsulated within the outer layer IPv6 message to obtain the encapsulated message;
obtaining secure communication information, wherein the secure communication information is the secure communication protocol information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal;
determining a cryptographic algorithm based on the preset data certificate, and calculating a dynamic verification IPv6 address from the cryptographic algorithm, the secure communication information and the target IPv6 prefix;
checking the target IPv6 address in the outer layer IPv6 message against the verification IPv6 address for consistency, and discarding the IPv6 message if the two are inconsistent;
if the two addresses are consistent, extracting the inner layer IPv6 message from the IPv6 message and decrypting it with the secure communication information to obtain the decrypted IPv6 message;
and sending the decrypted IPv6 message to the accessed data center device/cloud component corresponding to the receiver IPv6 stealth terminal.
By adopting this technical scheme, after the receiver IPv6 stealth terminal receives the encapsulated IPv6 message, access by illegitimate users is effectively prevented by verifying the dynamically changing outer layer IPv6 address and by encrypting and decrypting the message content; the application therefore improves the security of mutual access within the data center/cloud platform.
In one possible implementation, sending the decrypted IPv6 message to the accessed data center device/cloud component corresponding to the receiver IPv6 stealth terminal further includes:
determining, based on the receiver IPv6 stealth terminal, whether the accessed data center device/cloud component requires IPv6/IPv4 translation, and if so, translating the decrypted IPv6 message into an IPv4 message based on an IPv4/IPv6 translation rule and forwarding the IPv4 message to the accessed data center device/cloud component.
In one possible implementation, the method further includes:
obtaining security log information and system flow information, wherein the security log information is the message transmission information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal, and the system flow information is the data flow information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal;
judging whether the security log information contains security anomaly information, and if not, sorting the system flow information by transmission time node to obtain a transmission fluctuation graph of the data transmission between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal;
fitting the transmission fluctuation graph against a preset flow transmission graph by transmission time node, judging whether the flow transmission data at the different transmission time nodes is abnormal, and if so, acquiring historical flow transmission data and performing data transmission anomaly analysis of the user device and application device based on the historical flow transmission data to obtain an abnormal access degree of the user device;
comparing the abnormal access degree with the access degrees in an abnormal access standard to obtain an access control rule, and updating and adjusting the preset control access rule based on that access control rule to obtain an adjusted preset control access rule.
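The log and flow analysis in the steps above can be exercised with the following added example; it is not code from the patent or the applicant. The patent does not specify the log format, the flow sample format, what "fitting" against the preset flow transmission graph means, how the abnormal access degree is computed, or the abnormal access standard. The example assumes a tolerance band around the preset value per time node, defines the degree as the share of abnormal time nodes across the current window and the historical windows, uses three rule tiers, and constructs all inputs inline.

```python
"""Flow-anomaly analysis and access-rule adjustment between a local and a
receiver IPv6 stealth terminal, following the steps described above.

Added example. Log/flow formats, the tolerance-band "fit", the degree
definition and the rule tiers are assumptions, not taken from the patent.
"""
import re

TOLERANCE = 0.5  # a time node is abnormal when it deviates >50% from the preset value

# Abnormal access standard (assumed): minimum degree -> access control rule, highest tier first.
ACCESS_STANDARD = [(0.5, "deny"), (0.25, "rate-limit"), (0.0, "allow")]

# ---- constructed inputs -------------------------------------------------
SECURITY_LOG = [
    "2024-03-20T10:00:01 term-A->term-B event=verify result=ok",
    "2024-03-20T10:05:03 term-A->term-B event=decrypt result=ok",
]
# System flow information as collected (unordered): (transmission time node, bytes).
FLOW_SAMPLES = [("10:05", 42000), ("10:00", 9800), ("10:10", 51000), ("10:15", 10100)]
# Preset flow transmission graph: expected bytes per time node.
PRESET_FLOW = {"10:00": 10000, "10:05": 10000, "10:10": 10000, "10:15": 10000}
# Historical flow transmission data for the same pair, one dict per past window.
HISTORY = [
    {"10:00": 9900, "10:05": 10200, "10:10": 9700, "10:15": 10050},
    {"10:00": 10100, "10:05": 39000, "10:10": 9900, "10:15": 10000},
]
PRESET_RULES = {("app-01", "db-01"): "allow"}


def log_has_security_anomaly(lines):
    """Security anomaly information in the log: any failed verify/decrypt event."""
    return any(re.search(r"result=(fail|error|denied)\b", line) for line in lines)


def fluctuation_graph(samples):
    """Sort flow samples by transmission time node -> {node: bytes}."""
    return dict(sorted(samples))


def abnormal_nodes(graph, preset, tol=TOLERANCE):
    """Fit against the preset graph: nodes outside the +/-tol band are abnormal."""
    return [t for t, b in graph.items() if t in preset and abs(b - preset[t]) > tol * preset[t]]


def abnormal_access_degree(graph, history, preset, tol=TOLERANCE):
    """Share of abnormal nodes over the current window plus the historical windows."""
    windows = [graph, *history]
    flagged = sum(len(abnormal_nodes(w, preset, tol)) for w in windows)
    total = sum(len(w) for w in windows)
    return flagged / total if total else 0.0


def rule_for_degree(degree, standard=ACCESS_STANDARD):
    """Compare the degree with the abnormal access standard."""
    for threshold, action in standard:
        if degree >= threshold:
            return action
    return "allow"


def adjust_access_rule(rules, pair, log, samples, history, preset):
    """Return (adjusted rules, outcome); rules change only when flow analysis finds an anomaly."""
    if log_has_security_anomaly(log):
        # The steps proceed to flow analysis only when the log is clean;
        # a logged security anomaly is reported as such here.
        return rules, "security-anomaly-in-log"
    graph = fluctuation_graph(samples)
    if not abnormal_nodes(graph, preset):
        return rules, "no-flow-anomaly"
    action = rule_for_degree(abnormal_access_degree(graph, history, preset))
    adjusted = dict(rules)
    adjusted[pair] = action
    return adjusted, action


if __name__ == "__main__":
    print(adjust_access_rule(PRESET_RULES, ("app-01", "db-01"),
                             SECURITY_LOG, FLOW_SAMPLES, HISTORY, PRESET_FLOW))
```

With the constructed data, two of the four current time nodes and one historical node fall outside the band, giving a degree of 3/12 = 0.25, which maps to the "rate-limit" tier; the original rule table is left untouched and an adjusted copy is returned.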
In a third aspect, the present application provides a data security access control system, which adopts the following technical scheme:
A data security access control system, applied to a local IPv6 stealth terminal, the local IPv6 stealth terminal being pre-deployed on each data center device/cloud component whose access is to be restricted, comprising:
a first acquisition module, configured to acquire, when it is detected that the access-restricted data center device/cloud component accesses the accessed data center device/cloud component, a request message to be sent and a local IPv6 prefix, wherein the request message is the request message sent by the access-restricted data center device/cloud component, and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal;
an authority determining module, configured to determine, based on a preset control access rule, whether the access-restricted data center device/cloud component has the authority to access the accessed data center device/cloud component, and if so, to parse and process the request message to obtain an IPv6 message and to determine the corresponding receiver IPv6 stealth terminal according to a preset correspondence and the target address of the request message;
a prefix determining module, configured to determine a target IPv6 prefix based on the receiver IPv6 stealth terminal;
a message encryption module, configured to construct an outer layer IPv6 message based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 addresses change dynamically and cannot be forged, and to encrypt and encapsulate the IPv6 message within the outer layer IPv6 message to obtain an encapsulated IPv6 message;
and a message sending module, configured to send the encapsulated IPv6 message to the receiver IPv6 stealth terminal through the internal network of the access-restricted data center device/cloud component.
In a fourth aspect, the present application provides a data security access control system, which adopts the following technical scheme:
A data security access control system, applied to a receiver IPv6 stealth terminal, the receiver IPv6 stealth terminal being pre-deployed on each accessed data center device/cloud component, comprising:
a message receiving module, configured to receive an IPv6 message sent by a local IPv6 stealth terminal; the IPv6 message is obtained as follows: when it is detected that the access-restricted data center device/cloud component accesses the accessed data center device/cloud component, the request message to be sent and the local IPv6 prefix are acquired (the request message being the one sent by the access-restricted device/component, and the local IPv6 prefix the one corresponding to the local IPv6 stealth terminal); based on a preset control access rule it is determined whether the access-restricted device/component has the authority to access the accessed device/component, and if so the request message is parsed to obtain an IPv6 message, the corresponding receiver IPv6 stealth terminal is determined according to a preset correspondence and the target address of the request message, the target IPv6 prefix is determined based on the receiver IPv6 stealth terminal, an outer layer IPv6 message whose addresses change dynamically and cannot be forged is constructed based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, and the IPv6 message is encrypted and encapsulated within the outer layer IPv6 message to obtain the encapsulated message;
a second acquisition module, configured to obtain secure communication information, wherein the secure communication information is the secure communication protocol information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal;
an address calculation module, configured to determine a cryptographic algorithm based on the preset data certificate and to calculate a dynamic verification IPv6 address from the cryptographic algorithm, the secure communication information and the target IPv6 prefix;
an address comparison module, configured to check the target IPv6 address in the outer layer IPv6 message against the verification IPv6 address for consistency, and to discard the IPv6 message if they are inconsistent;
a message decryption module, configured to, when the target IPv6 address in the outer layer IPv6 message is consistent with the verification IPv6 address, extract the inner layer IPv6 message from the IPv6 message and decrypt it with the secure communication information to obtain a decrypted IPv6 message;
and a message forwarding module, configured to send the decrypted IPv6 message to the accessed data center device/cloud component corresponding to the receiver IPv6 stealth terminal.
In a fifth aspect, the present application provides a computer readable storage medium, which adopts the following technical scheme:
A computer readable storage medium storing a computer program capable of being loaded by a processor and executing the method according to any one of the first or second aspects.
In summary, the present application includes at least one of the following beneficial technical effects:
1. By adopting the technical scheme, an access restriction is set for the corresponding data center device/cloud component and access by the access-restricted device/component to the accessed device/component is detected; when it occurs, the request message and the local IPv6 prefix are acquired, the authority is checked against the preset control access rule, the request message is parsed into an IPv6 message, the receiver IPv6 stealth terminal and the target IPv6 prefix are determined, an outer layer IPv6 message whose addresses change dynamically and cannot be forged is constructed from the preset data certificate, the local IPv6 prefix and the target IPv6 prefix, and the IPv6 message is encrypted and encapsulated within it and sent to the receiver IPv6 stealth terminal through the internal network. Such an access path cannot be found by scanning, its traffic cannot be usefully sniffed and its content cannot be recovered, so the security of mutual access within the data center/cloud platform is improved;
2. By adopting the technical scheme, after the receiver IPv6 stealth terminal receives the encapsulated IPv6 message, access by illegitimate users is effectively prevented by verifying the dynamically changing outer layer IPv6 address and by encrypting and decrypting the message content; the application therefore improves the security of mutual access within the data center/cloud platform.
Drawings
Fig. 1 is a schematic flow chart of a data security access control method according to one embodiment of the present application.
Fig. 2 is a schematic diagram of a data security access control system according to one embodiment of the present application.
Fig. 3 is a schematic flow chart of another data security access control method according to one embodiment of the present application.
Fig. 4 is a schematic diagram of another data security access control system according to one embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings 1 to 4 and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The embodiment of the application discloses a data security access control method described from the side of the initiator, i.e. the local IPv6 stealth terminal acting as the IPv6 gateway.
Referring to Fig. 1, a data security access control method is applied to a local IPv6 stealth terminal, where the local IPv6 stealth terminal is pre-deployed on each data center device/cloud component whose access is to be restricted, and includes:
Step S101: when it is detected that the access-restricted data center device/cloud component accesses the accessed data center device/cloud component, acquiring a request message to be sent and a local IPv6 prefix.
The request message is the request message sent by the access-restricted data center device/cloud component, and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal.
In the embodiment of the application, when different data center devices/cloud components access each other, in order to secure the access for both sides, IPv6 stealth terminals (the local IPv6 stealth terminals) are planned and deployed on the data center devices/cloud components whose access is to be restricted. Each local IPv6 stealth terminal has a corresponding IPv6 prefix, the local IPv6 prefix, and one IPv6 stealth terminal may correspond to one or more access-restricted data center devices/cloud components.
When deploying a local IPv6 stealth terminal, it is first determined whether the access-restricted data center device/cloud component already has an IPv6 prefix. If so, the local IPv6 stealth terminal can be installed directly on that device/component as software. If not, the local IPv6 stealth terminal is installed at a location in the data center/cloud platform that has an IPv6 prefix (as hardware on a data center device, or as software on a cloud component); an IPv6-over-IPv4 tunnel is then established to the corresponding access-restricted data center devices/cloud components, and different IPv6 prefixes are issued to the different devices/components.
Step S102: determining, based on a preset control access rule, whether the access-restricted data center device/cloud component has the authority to access the accessed data center device/cloud component, and if so, parsing and processing the request message to obtain an IPv6 message, and determining the corresponding receiver IPv6 stealth terminal according to a preset correspondence and the target address of the request message.
In the embodiment of the application, each data center device/cloud component whose access is to be restricted is provided with a data certificate and an identity certificate. The data certificate is used during IPv6 stealth secure communication to generate the encrypted IPv6 address and to encrypt the transmitted message; the identity certificate is used to register securely with the management plane and to obtain the configuration parameters that the management plane issues centrally. The management plane then issues the data certificate and identity certificate to the corresponding local IPv6 stealth terminal. For each data center device/cloud component, the management plane issues the pair (IPv6 prefix, private key) to its own local IPv6 stealth terminal and the pair (IPv6 prefix, public key) to the other local IPv6 stealth terminals.
In addition, the preset control access rule is an access rule formulated by the management plane: it determines which data center devices/cloud components may access which other data center devices/cloud components, and the IPv6 stealth communication authorization component of the management plane sends the rule to the relevant local IPv6 stealth terminals.
Specifically, when parsing and processing the request message, it is judged whether the request message is an IPv6 message; if so, it is used directly as the IPv6 message to be sent. If not, it is judged whether it is an IPv4 message, and if so, it is translated into the IPv6 message to be sent by IPv4/IPv6 translation.
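The following is an added example (not code from the patent or from the applicant) of how step S102 can be implemented at the local IPv6 stealth terminal: checking the accessor/accessed pair against the preset control access rule, parsing the request message, translating an IPv4 request into an IPv6 message, and looking up the receiver IPv6 stealth terminal from the target address. The patent names no particular translation mapping; the example assumes an RFC 6052-style /96 prefix in which the IPv4 address occupies the low 32 bits, so that translated addresses land inside an accessed device's prefix. The rule table, the prefix-to-terminal correspondence, the device names and the addresses are constructed for illustration. The same translation direction reversed is what the receiver side would apply when the accessed device requires IPv6/IPv4 translation.

```python
"""Step S102 at the local IPv6 stealth terminal: rule check, request parsing,
IPv4 -> IPv6 translation and receiver stealth-terminal lookup.

Added example; the rule table, prefixes, device names and the RFC 6052-style
/96 embedding prefix are constructed for illustration, not taken from the patent.
"""
import ipaddress
import struct

# Preset control access rule from the management plane (constructed):
# (accessor, accessed) pairs that are permitted.
ACCESS_RULES = {("app-01", "db-01"), ("app-01", "cache-01")}

# Preset correspondence (constructed): IPv6 prefix of an accessed
# device/component -> receiver IPv6 stealth terminal serving it.
RECEIVER_BY_PREFIX = {
    ipaddress.IPv6Network("2001:db8:2::/64"): "stealth-term-B",
    ipaddress.IPv6Network("2001:db8:3::/64"): "stealth-term-C",
}

# Translation prefix (assumed): IPv4 addresses are embedded in the low 32 bits
# of this /96, so translated packets fall inside 2001:db8:3::/64.
XLAT_PREFIX = ipaddress.IPv6Network("2001:db8:3::/96")


def is_allowed(accessor: str, accessed: str) -> bool:
    """Authority check against the preset control access rule."""
    return (accessor, accessed) in ACCESS_RULES


def ipv4_to_ipv6_address(addr4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the translation prefix (prefix + 32-bit address)."""
    return XLAT_PREFIX[int(addr4)]


def translate_ipv4_to_ipv6(pkt: bytes) -> bytes:
    """Stateless IPv4 -> IPv6 header translation (simplified RFC 7915 style).

    Options, fragments, ICMP -> ICMPv6 conversion and transport checksum
    recalculation are out of scope for this example.
    """
    ver_ihl, tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack(
        ">BBHHHBBH", pkt[:12]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    src6 = ipv4_to_ipv6_address(ipaddress.IPv4Address(pkt[12:16]))
    dst6 = ipv4_to_ipv6_address(ipaddress.IPv4Address(pkt[16:20]))
    payload = pkt[ihl:total_len]
    # IPv6 fixed header: version 6 + traffic class (from TOS), payload length,
    # next header (the IPv4 protocol number), hop limit (from TTL).
    hdr = struct.pack(">IHBB", (6 << 28) | (tos << 20), len(payload), proto, ttl)
    return hdr + src6.packed + dst6.packed + payload


def parse_request(pkt: bytes) -> bytes:
    """Return an IPv6 message: pass IPv6 through, translate IPv4, reject anything else."""
    version = pkt[0] >> 4
    if version == 6:
        return pkt
    if version == 4:
        return translate_ipv4_to_ipv6(pkt)
    raise ValueError("request is neither IPv4 nor IPv6")


def lookup_receiver(pkt6: bytes):
    """Map the target address of the IPv6 message to its receiver stealth terminal."""
    dst = ipaddress.IPv6Address(pkt6[24:40])
    for net, terminal in RECEIVER_BY_PREFIX.items():
        if dst in net:
            return terminal
    return None


def handle_request(accessor: str, accessed: str, pkt: bytes):
    """Step S102: None when the rule denies access, else (IPv6 message, receiver terminal)."""
    if not is_allowed(accessor, accessed):
        return None
    pkt6 = parse_request(pkt)
    return pkt6, lookup_receiver(pkt6)


def sample_ipv4_request() -> bytes:
    """Constructed IPv4/UDP request 10.0.0.1 -> 10.0.0.2 carrying a 5-byte payload."""
    payload = b"hello"
    hdr = struct.pack(">BBHHHBBH", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0)
    src = ipaddress.IPv4Address("10.0.0.1").packed
    dst = ipaddress.IPv4Address("10.0.0.2").packed
    return hdr + src + dst + payload


if __name__ == "__main__":
    print(handle_request("app-01", "db-01", sample_ipv4_request()))
    print(handle_request("app-02", "db-01", sample_ipv4_request()))
```

The first call is permitted by the rule, the IPv4 request is translated so that its target becomes 2001:db8:3::a00:2, and that address is matched to "stealth-term-C"; the second call is refused by the rule before any parsing takes place.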
Step S103: determining a target IPv6 prefix based on the receiver IPv6 stealth terminal.
Step S104: constructing an outer layer IPv6 message based on the preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 addresses change dynamically and cannot be forged, and encrypting and encapsulating the IPv6 message within the outer layer IPv6 message to obtain the encapsulated IPv6 message.
For the purposes of the present application, the preset data certificate is the data certificate mentioned above and is not described again here.
Specifically, a source IPv6 address is calculated by a random algorithm within the address range of the local IPv6 prefix; secure communication information is obtained, the secure communication information being the secure communication protocol information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal; a cryptographic algorithm is then determined based on the preset data certificate, and a dynamic target IPv6 address is calculated from the cryptographic algorithm, the secure communication information and the target IPv6 prefix; the source IPv6 address and the target IPv6 address are then associated to construct the outer layer IPv6 message.
In the embodiment of the application, the source IPv6 address is generated by a random algorithm within the address range of the local IPv6 prefix to increase the security of the communication (for example, if the terminal's IPv6 prefix is a /64, an address is drawn at random from that /64). Because the source address is chosen at random and the target address is derived by the cryptographic algorithm from the certificate-bound key material and the secure communication information, the outer communication addresses change dynamically and cannot be forged: an observer sees a different address pair over time, and a party without the secure communication information cannot compute a target address that the receiver IPv6 stealth terminal will accept. This fundamentally prevents a potential attacker from easily tracking or intercepting the communication. The secure communication information typically includes the encryption algorithm, keys, certificates and the like used to secure the communication between the two gateways.
Step S105: sending the encapsulated IPv6 message to the receiver IPv6 stealth terminal through the internal network of the access-restricted data center device/cloud component.
In the above embodiment, an access restriction is set for the corresponding data center device/cloud component, and after it is set, whether the access-restricted device/component accesses the accessed device/component is detected. When such an access occurs, the request message to be sent and the local IPv6 prefix are obtained (the request message being the one sent by the access-restricted device/component, and the local IPv6 prefix the one corresponding to the local IPv6 stealth terminal); it is determined from the preset control access rule whether the access-restricted device/component has the authority to access the accessed device/component; if so, the request message is parsed and processed into an IPv6 message, the corresponding receiver IPv6 stealth terminal is determined according to the preset correspondence and the target address of the request message, the target IPv6 prefix is determined from the receiver IPv6 stealth terminal, an outer layer IPv6 message is constructed from the preset data certificate, the local IPv6 prefix and the target IPv6 prefix so that the outer layer IPv6 addresses change dynamically and cannot be forged, the IPv6 message is encrypted and encapsulated within the outer layer IPv6 message, and the encapsulated IPv6 message is sent to the receiver IPv6 stealth terminal through the internal network of the access-restricted data center device/cloud component. Such an access path cannot be found by scanning, its traffic cannot be usefully sniffed and its content cannot be recovered, so the security of mutual access within the data center/cloud platform is improved.
In one possible implementation manner of the embodiment of the present application, before the IPv6 message is encrypted and encapsulated through the outer layer IPv6 message to obtain the encapsulated IPv6 message, the method further includes encrypting the IPv6 message based on the secure communication information to obtain an updated IPv6 message.
Referring to fig. 2, the embodiment of the present application further discloses a data security access control system 20 based on the home IPv6 stealth terminal side.
A data security access control system 20, applied to a home IPv6 stealth terminal, the home IPv6 stealth terminal being pre-deployed on each data center device/cloud component that needs access restriction, comprising:
The first obtaining module 21 is configured to obtain, when access of the access-restricted data center device/cloud component to the accessed data center device/cloud component is detected, a request message to be sent and a local IPv6 prefix, where the request message is the request message sent by the access-restricted data center device/cloud component, and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal;
The permission determining module 22 is configured to determine, based on a preset control access rule, whether the access-restricted data center device/cloud component has the authority to access the accessed data center device/cloud component, and if so, to analyze and process the request message to obtain an IPv6 message and to determine the corresponding receiver IPv6 stealth terminal according to a preset corresponding relation and the target address of the request message;
a prefix determining module 23, configured to determine a target IPv6 prefix based on the receiver IPv6 stealth terminal;
The message encryption module 24 is configured to construct an outer layer IPv6 message based on a preset data communication certificate, a local IPv6 prefix, and a target IPv6 prefix, so that the outer layer IPv6 address has a dynamic change characteristic and a non-counterfeitable characteristic, and encrypt and encapsulate the IPv6 message through the outer layer IPv6 message, thereby obtaining an encapsulated IPv6 message;
and the message sending module 25 is configured to send the encapsulated IPv6 message to the receiver IPv6 stealth terminal through the internal network of the data center device/cloud component that restricts access.
The data security access control system based on the local IPv6 stealth terminal side can realize any one of the data security access control methods based on the local IPv6 stealth terminal side, and the specific working process of each module in the data security access control system can refer to the corresponding process in the method embodiment.
The embodiment of the application also discloses a data security access control method based on the IPv6 stealth terminal side of the receiver.
Referring to fig. 3, a data security access control method is applied to a receiver IPv6 stealth terminal, where the receiver IPv6 stealth terminal is pre-deployed on each accessed data center device/cloud component, and includes:
step S301, an IPv6 message sent by the IPv6 stealth terminal at the home terminal is received.
The IPv6 message is obtained as follows: when access of the access-restricted data center device/cloud component to the accessed data center device/cloud component is detected, a request message to be sent and a local IPv6 prefix are acquired, where the request message is the request message sent by the access-restricted data center device/cloud component and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal; based on a preset control access rule, it is determined whether the access-restricted data center device/cloud component has the authority to access the accessed data center device/cloud component; if it does, the request message is analyzed and processed to obtain the IPv6 message, the corresponding receiver IPv6 stealth terminal is determined according to a preset corresponding relation and the target address of the request message, the target IPv6 prefix is determined based on the receiver IPv6 stealth terminal, an outer layer IPv6 message is constructed based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix so that the outer layer IPv6 address has dynamic change characteristics and non-forgeable characteristics, and the IPv6 message is encrypted and encapsulated through the outer layer IPv6 message to obtain the encapsulated IPv6 message.
Step S302, secure communication information is acquired.
The safety communication information is the safety communication protocol information between the IPv6 stealth terminal of the local terminal and the IPv6 stealth terminal of the receiver.
Step S303, a cryptography algorithm is determined based on the preset data certificate, and a dynamic verification IPv6 address is calculated and generated according to the cryptography algorithm, the secure communication information and the target IPv6 prefix.
The specific selection mode is the same as the mode in which the sender IPv6 stealth security gateway selects the target IPv6 address, and is not repeated here.
Step S304, consistency verification is carried out between the target IPv6 address in the outer layer IPv6 message and the verification IPv6 address; if they are inconsistent, the IPv6 message is discarded.
In the embodiment of the application, the cryptography algorithm is a digital signature algorithm. Because the target IPv6 address is calculated by the digital signature algorithm, the original parameters contained in the target IPv6 address can be recovered by reverse deduction through the digital signature algorithm, so that the message record parameters are obtained and the authenticity of the target IPv6 address is verified.
Step S305, if the two addresses are consistent, the inner layer IPv6 message in the IPv6 message is taken out, and the inner layer IPv6 message is decrypted through the secure communication information to obtain the decrypted IPv6 message.
In the embodiment of the application, the local IPv6 stealth terminal encrypts the IPv6 message with the encryption algorithm and the key in the secure communication information, so that the encrypted message becomes unreadable and only a receiver holding the correct key can decrypt and read the message content. After the receiver IPv6 stealth terminal takes out the inner layer IPv6 message, it decrypts the message with the same encryption algorithm and key from the secure communication information; the decrypted message is restored to its original form and can be read and processed by the receiver.
And step S306, the decrypted IPv6 message is sent to the accessed data center equipment/cloud component corresponding to the IPv6 stealth terminal of the receiver.
In the above embodiment, after the receiver IPv6 stealth terminal receives the encapsulated IPv6 message, access by illegal users is effectively prevented through the verification of the dynamic outer layer IPv6 address and the encryption and decryption of the message content; thus the application improves the security of mutual access inside the data center/cloud platform.
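The following Go program is an added illustration of the sender-side construction of the outer layer IPv6 message (random source address inside the local prefix, target address derived by a keyed cryptographic computation from the secure communication information and the target prefix, inner message encrypted under the shared key) and of the receiver-side checks in steps S303 to S305 (recompute the verification address, discard on mismatch, decrypt the inner message). It is not code from the patent or from the applicant. It assumes /64 prefixes, a secure communication information consisting of one 32-byte shared key plus a rotation epoch (a hypothetical field that makes the derived address change over time), HMAC-SHA256 as the keyed algorithm (the page itself names a digital signature algorithm chosen from the data certificate), AES-256-GCM for the inner message, and binding the outer addresses into the AEAD associated data; the prefixes and key in main are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// SecureCommInfo stands in for the page's "secure communication information".
// Assumed shape: one 32-byte shared key and a rotation epoch (hypothetical),
// so the derived outer address changes over time.
type SecureCommInfo struct {
	Key   []byte
	Epoch uint64
}

// Encapsulated models the outer layer IPv6 message: outer source and target
// addresses plus the encrypted inner IPv6 packet.
type Encapsulated struct {
	Src, Dst   netip.Addr
	Nonce      []byte
	Ciphertext []byte
}

// deriveAddress builds the dynamic, non-forgeable address inside a /64 prefix:
// interface identifier = HMAC-SHA256(key, prefix || epoch) truncated to 64 bits.
// HMAC is an assumption; the page only says the algorithm comes from the data certificate.
func deriveAddress(prefix netip.Prefix, sci SecureCommInfo) netip.Addr {
	p := prefix.Masked().Addr().As16()
	var epoch [8]byte
	binary.BigEndian.PutUint64(epoch[:], sci.Epoch)
	mac := hmac.New(sha256.New, sci.Key)
	mac.Write(p[:8])
	mac.Write(epoch[:])
	copy(p[8:], mac.Sum(nil)[:8])
	return netip.AddrFrom16(p)
}

// randomAddress picks a random source address inside the local /64 prefix (claim 3).
func randomAddress(prefix netip.Prefix) (netip.Addr, error) {
	p := prefix.Masked().Addr().As16()
	if _, err := rand.Read(p[8:]); err != nil {
		return netip.Addr{}, err
	}
	return netip.AddrFrom16(p), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the outer addresses to the ciphertext (design choice, not from the page):
// a packet whose outer header was rewritten in transit then fails to decrypt.
func aad(src, dst netip.Addr) []byte {
	s, d := src.As16(), dst.As16()
	return append(s[:], d[:]...)
}

// Encapsulate is the sender side: random outer source, derived outer target,
// inner packet encrypted with AES-256-GCM under the shared key.
func Encapsulate(inner []byte, localPrefix, targetPrefix netip.Prefix, sci SecureCommInfo) (*Encapsulated, error) {
	src, err := randomAddress(localPrefix)
	if err != nil {
		return nil, err
	}
	dst := deriveAddress(targetPrefix, sci)
	gcm, err := newGCM(sci.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, inner, aad(src, dst))
	return &Encapsulated{Src: src, Dst: dst, Nonce: nonce, Ciphertext: ct}, nil
}

// Decapsulate is the receiver side (steps S303 to S305): recompute the
// verification address, discard on mismatch, then decrypt the inner packet.
func Decapsulate(pkt *Encapsulated, targetPrefix netip.Prefix, sci SecureCommInfo) ([]byte, error) {
	want, got := deriveAddress(targetPrefix, sci).As16(), pkt.Dst.As16()
	if !hmac.Equal(want[:], got[:]) {
		return nil, errors.New("outer target address failed verification: packet discarded")
	}
	gcm, err := newGCM(sci.Key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pkt.Nonce, pkt.Ciphertext, aad(pkt.Src, pkt.Dst))
}

func main() {
	// Constructed demo values: documentation prefixes and a fixed key.
	sci := SecureCommInfo{Key: []byte("0123456789abcdef0123456789abcdef"), Epoch: 42}
	local := netip.MustParsePrefix("2001:db8:1::/64")
	target := netip.MustParsePrefix("2001:db8:2::/64")
	pkt, err := Encapsulate([]byte("constructed inner IPv6 packet"), local, target, sci)
	if err != nil {
		panic(err)
	}
	inner, err := Decapsulate(pkt, target, sci)
	fmt.Printf("outer %s -> %s, inner %q, err %v\n", pkt.Src, pkt.Dst, inner, err)
}
```

A receiver that holds the same key and epoch derives the same target address, so a message addressed to any other address in the prefix, or built under a stale epoch, is dropped before any decryption work is spent; the AEAD tag then rejects any packet whose payload or outer addresses were altered.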
In one possible implementation manner of the embodiment of the present application, the decrypted IPv6 message is sent to the accessed data center device/cloud component corresponding to the receiver IPv6 stealth terminal, and then further includes: and determining whether the accessed data center equipment/cloud component has an IPv6/IPv4 translation requirement or not based on the receiver IPv6 stealth terminal, if so, translating the decrypted IPv6 message into an IPv4 message based on an IPv4/IPv6 translation rule, and forwarding the IPv4 message to the accessed data center equipment/cloud component.
In one possible implementation manner of the embodiment of the present application, the method further includes: acquiring security log information and system flow information, where the security log information is the message transmission information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal, and the system flow information is the data system flow information between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal; judging whether the security log information contains security anomaly information, and if not, sorting the system flow information by transmission time node to obtain a transmission wave diagram of the data transmission between the local IPv6 stealth terminal and the receiver IPv6 stealth terminal; fitting the transmission wave diagram to a preset flow transmission diagram by transmission time node, and judging whether the flow transmission data at the different transmission time nodes are abnormal; if so, acquiring historical flow transmission data and carrying out data transmission anomaly analysis on the user equipment and the application equipment based on the historical flow transmission data to obtain the abnormal access degree of the user equipment; and comparing the abnormal access degree with the access degree in the abnormal access standard to obtain an access control rule, and updating and adjusting the preset control access rule based on that access control rule to obtain the adjusted preset control access rule.
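The Go program below is an added illustration of the flow-analysis branch just described; it is not code from the patent or the applicant. It assumes the "transmission wave diagram" and the "preset flow transmission diagram" are both per-time-node traffic values, that a node is abnormal when the observed value deviates from the preset value by more than a relative tolerance, that the "abnormal access degree" is the fraction of historical nodes that were abnormal, and that the "abnormal access standard" is a pair of thresholds mapping the degree to a rate-limit or deny rule. The page does not say what happens when the security log does contain anomaly information, so the rule is left unchanged on that branch; all slot values are constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Slot is one transmission time node: observed traffic between the two stealth
// terminals against the value from the preset flow transmission diagram.
type Slot struct {
	Time     string  // e.g. "08:00"; used to sort the wave diagram by time node
	Observed float64 // constructed traffic value
	Baseline float64 // constructed preset value
}

// Rule is the value of the control access rule for one access-restricted device.
type Rule string

const (
	Allow     Rule = "allow"
	RateLimit Rule = "rate-limit"
	Deny      Rule = "deny"
)

// AnomalousSlots returns the indices whose observed traffic deviates from the
// preset value by more than tol (relative tolerance, an assumed definition).
func AnomalousSlots(slots []Slot, tol float64) []int {
	var out []int
	for i, s := range slots {
		switch {
		case s.Baseline == 0 && s.Observed > 0:
			out = append(out, i) // traffic where the profile expects none
		case s.Baseline != 0 && math.Abs(s.Observed-s.Baseline)/s.Baseline > tol:
			out = append(out, i)
		}
	}
	return out
}

// AbnormalAccessDegree is the fraction of historical time nodes that were
// abnormal (assumed definition of the page's "abnormal access degree").
func AbnormalAccessDegree(history []Slot, tol float64) float64 {
	if len(history) == 0 {
		return 0
	}
	return float64(len(AnomalousSlots(history, tol))) / float64(len(history))
}

// AdjustRule compares the degree with the abnormal access standard, assumed
// here to be two thresholds: at or above denyT -> deny, at or above limitT -> rate-limit.
func AdjustRule(current Rule, degree, limitT, denyT float64) Rule {
	switch {
	case degree >= denyT:
		return Deny
	case degree >= limitT:
		return RateLimit
	}
	return current
}

// Evaluate runs the branch described on the page: only when the security log
// carries no anomaly information is the sorted wave diagram fitted against the
// preset diagram; a deviation triggers the historical analysis and rule update.
func Evaluate(logHasAnomaly bool, window, history []Slot, tol, limitT, denyT float64, current Rule) (Rule, float64) {
	if logHasAnomaly {
		return current, 0 // branch not specified on the page; rule left unchanged (assumption)
	}
	sort.Slice(window, func(i, j int) bool { return window[i].Time < window[j].Time })
	if len(AnomalousSlots(window, tol)) == 0 {
		return current, 0
	}
	degree := AbnormalAccessDegree(history, tol)
	return AdjustRule(current, degree, limitT, denyT), degree
}

func main() {
	window := []Slot{{"08:10", 310, 100}, {"08:00", 100, 100}} // constructed, out of order
	history := []Slot{{"d1", 100, 100}, {"d2", 105, 100}, {"d3", 95, 100}, {"d4", 300, 100},
		{"d5", 100, 100}, {"d6", 100, 100}, {"d7", 250, 100}, {"d8", 100, 100}, {"d9", 100, 100}, {"d10", 0, 100}}
	rule, degree := Evaluate(false, window, history, 0.2, 0.2, 0.5, Allow)
	fmt.Printf("abnormal access degree %.2f -> rule %s\n", degree, rule)
}
```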
Referring to fig. 4, the embodiment of the present application also discloses a data security access control system 40 based on the receiver IPv6 stealth terminal side.
A data security access control system 40 applied to a receiver IPv6 stealth terminal, the receiver IPv6 stealth terminal being pre-deployed on each of the accessed data center devices/cloud components, comprising:
The message receiving module 41 is configured to receive an IPv6 message sent by the local IPv6 stealth terminal; the IPv6 message is obtained as follows: when access of the access-restricted data center device/cloud component to the accessed data center device/cloud component is detected, a request message to be sent and a local IPv6 prefix are acquired, where the request message is the request message sent by the access-restricted data center device/cloud component and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal; based on a preset control access rule, it is determined whether the access-restricted data center device/cloud component has the authority to access the accessed data center device/cloud component; if it does, the request message is analyzed and processed to obtain the IPv6 message, the corresponding receiver IPv6 stealth terminal is determined according to a preset corresponding relation and the target address of the request message, the target IPv6 prefix is determined based on the receiver IPv6 stealth terminal, an outer layer IPv6 message is constructed based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix so that the outer layer IPv6 address has dynamic change characteristics and non-forgeable characteristics, and the IPv6 message is encrypted and encapsulated through the outer layer IPv6 message to obtain the encapsulated IPv6 message;
the second obtaining module 42 is configured to obtain secure communication information, where the secure communication information is secure communication protocol information between the home IPv6 stealth terminal and the recipient IPv6 stealth terminal;
an address calculation module 43, configured to determine a cryptographic algorithm based on a preset data certificate, and calculate and generate a dynamic verification IPv6 address according to the cryptographic algorithm, the secure communication information, and the target IPv6 prefix;
An address comparison module 44, configured to perform consistency verification on the target IPv6 address in the outer layer IPv6 packet and the verified IPv6 address, and discard the IPv6 packet if the target IPv6 address is inconsistent with the verified IPv6 address;
The message decryption module 45 is used for taking out an inner layer IPv6 message in the IPv6 message when the target IPv6 address in the outer layer IPv6 message is consistent with the verification IPv6 address, and decrypting the inner layer IPv6 message through the safety communication information to obtain a decrypted IPv6 message;
The message forwarding module 46 is configured to send the decrypted IPv6 message to the accessed data center device/cloud component corresponding to the recipient IPv6 stealth terminal.
In the embodiment, the security verification flow is optimized, encryption and decryption operations are simplified, meanwhile, the terminal is allowed to rapidly process and forward legal messages, the communication security is improved, meanwhile, the consumption of system resources is reduced, and the forwarding performance of the whole system is improved.
The data security access control system based on the receiver IPv6 stealth terminal side can realize any one of the data security access control methods based on the receiver IPv6 stealth terminal side, and the specific working process of each module in the data security access control system can refer to the corresponding process in the method embodiment.
In several embodiments provided by the present application, it should be understood that the methods and systems provided may be implemented in other ways. For example, the system embodiments described above are merely illustrative; for example, a division of a module is merely a logical function division, and there may be another division manner in actual implementation, for example, multiple modules may be combined or may be integrated into another system, or some features may be omitted or not performed.
The embodiment of the application also discloses a computer readable storage medium.
A computer readable storage medium storing a computer program capable of being loaded by a processor and executing any one of the data security access control methods described above.
Wherein a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device; program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing description of the preferred embodiments of the application is not intended to limit the scope of the application in any way, including the abstract and drawings, in which case any feature disclosed in this specification (including abstract and drawings) may be replaced by alternative features serving the same, equivalent purpose, unless expressly stated otherwise. That is, each feature is one example only of a generic series of equivalent or similar features, unless expressly stated otherwise.

Claims (10)

1. The data security access control method is characterized by being applied to a local IPv6 stealth terminal, wherein the local IPv6 stealth terminal is pre-deployed on each data center device/cloud component needing to be limited in access, and comprises the following steps:
When access-restricted data center equipment/cloud components access to accessed data center equipment/cloud components is detected, acquiring a request message to be transmitted and a local IPv6 prefix, wherein the request message is the request message transmitted by the access-restricted data center equipment/cloud components, and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal;
Determining whether the data center equipment/cloud component with limited access has the authority to access the accessed data center equipment/cloud component or not based on a preset control access rule, if so, analyzing and processing the request message to obtain an IPv6 message, and determining a corresponding receiver IPv6 stealth terminal according to a preset corresponding relation and a target address of the request message;
Determining a target IPv6 prefix based on the receiver IPv6 stealth terminal;
Constructing an outer layer IPv6 message based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that an outer layer IPv6 address has dynamic change characteristics and non-falsifiability characteristics, and encrypting and packaging the IPv6 message through the outer layer IPv6 message to obtain a packaged IPv6 message;
and sending the encapsulated IPv6 message to the IPv6 stealth terminal of the receiver through the internal network of the data center equipment/cloud component which limits access.
2. The method for controlling data security access according to claim 1, wherein the analyzing the request message to obtain an IPv6 message includes:
judging whether the request message is an IPv6 message, if so, taking the request message as the IPv6 message to be sent, if not, judging whether the request message is an IPv4 message, and if so, translating the request message into the IPv6 message to be sent through an IPv4/IPv6 translation technology.
3. The method for controlling data security access according to claim 2, wherein the constructing an outer layer IPv6 message based on the preset data certificate, the local IPv6 prefix and the target IPv6 prefix includes:
calculating to obtain a source IPv6 address through a random algorithm in the address range of the local IPv6 prefix;
acquiring safety communication information, wherein the safety communication information is safety communication protocol information between the IPv6 stealth terminal of the local terminal and the IPv6 stealth terminal of the receiver;
Determining a cryptography algorithm based on the preset data certificate, and calculating and generating a dynamic target IPv6 address according to the cryptography algorithm, the secure communication information and the target IPv6 prefix;
and carrying out association construction on the source IPv6 address and the target IPv6 address to obtain an outer layer IPv6 message.
4. The method for controlling data security access according to claim 3, wherein said encrypting and encapsulating said IPv6 message by said outer layer IPv6 message, to obtain an encapsulated IPv6 message, further comprises,
And encrypting the IPv6 message based on the safety communication information to obtain an updated IPv6 message.
5. The data security access control method is characterized by being applied to the IPv6 stealth terminal of a receiver, wherein the IPv6 stealth terminal of the receiver is pre-deployed on each accessed data center device/cloud component, and comprises the following steps:
Receiving an IPv6 message sent by a local IPv6 stealth terminal, wherein the IPv6 message is obtained by: when access of the access-restricted data center equipment/cloud component to the accessed data center equipment/cloud component is detected, acquiring a request message to be sent and a local IPv6 prefix, wherein the request message is the request message sent by the access-restricted data center equipment/cloud component and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal; determining, based on a preset control access rule, whether the access-restricted data center equipment/cloud component has the authority to access the accessed data center equipment/cloud component, and if so, analyzing and processing the request message to obtain the IPv6 message and determining a corresponding receiver IPv6 stealth terminal according to a preset corresponding relation and a target address of the request message; determining a target IPv6 prefix based on the receiver IPv6 stealth terminal; constructing an outer layer IPv6 message based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 address has dynamic change characteristics and non-falsifiability characteristics; and encrypting and encapsulating the IPv6 message through the outer layer IPv6 message to obtain the encapsulated IPv6 message;
acquiring safety communication information, wherein the safety communication information is safety communication protocol information between the IPv6 stealth terminal of the local terminal and the IPv6 stealth terminal of the receiver;
determining a cryptography algorithm based on the preset data certificate, and calculating and generating a dynamic verification IPv6 address according to the cryptography algorithm, the secure communication information and the target IPv6 prefix;
Performing consistency verification on the target IPv6 address in the outer IPv6 message and the verification IPv6 address, and discarding the IPv6 message if the target IPv6 address is inconsistent with the verification IPv6 address;
if the two addresses are consistent, taking out an inner layer IPv6 message in the IPv6 message, and decrypting the inner layer IPv6 message through the safety communication information to obtain a decrypted IPv6 message;
And sending the decrypted IPv6 message to the accessed data center equipment/cloud component corresponding to the receiver IPv6 stealth terminal.
6. The method for controlling data security access according to claim 5, wherein: the step of sending the decrypted IPv6 message to the accessed data center equipment/cloud component corresponding to the receiver IPv6 stealth terminal, and then further comprises the following steps:
And determining whether the accessed data center equipment/cloud component has an IPv6/IPv4 translation requirement or not based on the receiver IPv6 stealth terminal, if so, translating the decrypted IPv6 message into an IPv4 message based on an IPv4/IPv6 translation rule, and forwarding the IPv4 message to the accessed data center equipment/cloud component.
7. The method for controlling data security access according to claim 5, wherein: the method further comprises the steps of:
Acquiring security log information and system flow information, wherein the security log information is message transmission information between the IPv6 stealth terminal of the local terminal and the IPv6 stealth terminal of the receiver, and the system flow information is data system flow information between the IPv6 stealth terminal of the local terminal and the IPv6 stealth terminal of the receiver;
judging whether the safety log information has safety abnormal information or not, if not, sorting the system flow information according to a transmission time node to obtain a transmission wave diagram of data transmission of the IPv6 stealth terminal of the local end and the IPv6 stealth terminal of the receiver;
Fitting the transmission fluctuation graph and a preset flow transmission graph according to the transmission time nodes, judging whether flow transmission data corresponding to different transmission time nodes are abnormal, if so, acquiring historical flow transmission data, and carrying out data transmission abnormality analysis on user equipment and application equipment based on the historical flow transmission data to obtain abnormal access degree of the user equipment;
comparing the abnormal access degree with the access degree in the abnormal access standard to obtain an access control rule, and updating and adjusting the preset control access rule based on the access control rule to obtain an adjusted preset control access rule.
8. A data security access control system, characterized by being applied to a local IPv6 stealth terminal, wherein the local IPv6 stealth terminal is pre-deployed on each data center device/cloud component needing to be limited in access, and comprising:
The first acquisition module is used for acquiring a request message to be transmitted and a local IPv6 prefix when the access-restricted data center equipment/cloud component accesses the accessed data center equipment/cloud component is detected, wherein the request message is a request message transmitted by the access-restricted data center equipment/cloud component, and the local IPv6 prefix is an IPv6 prefix corresponding to the local IPv6 stealth terminal;
The permission determination module is used for determining whether the data center equipment/cloud component with limited access has permission to access the accessed data center equipment/cloud component or not based on a preset control access rule, if so, analyzing and processing the request message to obtain an IPv6 message, and determining a corresponding receiver IPv6 stealth terminal according to a preset corresponding relation and a target address of the request message;
the prefix determining module is used for determining a target IPv6 prefix based on the IPv6 stealth terminal of the receiver;
The message encryption module is used for constructing an outer layer IPv6 message based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 address has dynamic change characteristics and non-falsifiability characteristics, and the IPv6 message is encrypted and packaged through the outer layer IPv6 message to obtain a packaged IPv6 message;
and the message sending module is used for sending the encapsulated IPv6 message to the IPv6 stealth terminal of the receiver through the internal network of the data center equipment/cloud component which limits access.
9. The data security access control system is characterized by being applied to an IPv6 stealth terminal of a receiver, wherein the IPv6 stealth terminal of the receiver is pre-deployed on each accessed data center device/cloud component, and comprises the following components:
The message receiving module is used for receiving an IPv6 message sent by the local IPv6 stealth terminal; the IPv6 message is obtained by: when access of the access-restricted data center equipment/cloud component to the accessed data center equipment/cloud component is detected, acquiring a request message to be sent and a local IPv6 prefix, wherein the request message is the request message sent by the access-restricted data center equipment/cloud component and the local IPv6 prefix is the IPv6 prefix corresponding to the local IPv6 stealth terminal; determining, based on a preset control access rule, whether the access-restricted data center equipment/cloud component has the authority to access the accessed data center equipment/cloud component, and if so, analyzing and processing the request message to obtain the IPv6 message and determining a corresponding receiver IPv6 stealth terminal according to a preset corresponding relation and a target address of the request message; determining a target IPv6 prefix based on the receiver IPv6 stealth terminal; constructing an outer layer IPv6 message based on a preset data certificate, the local IPv6 prefix and the target IPv6 prefix, so that the outer layer IPv6 address has dynamic change characteristics and non-falsifiability characteristics; and encrypting and encapsulating the IPv6 message through the outer layer IPv6 message to obtain the encapsulated IPv6 message;
The second acquisition module is used for acquiring safety communication information, wherein the safety communication information is safety communication protocol information between the IPv6 stealth terminal of the local end and the IPv6 stealth terminal of the receiver;
The address calculation module is used for determining a cryptography algorithm based on the preset data certificate and calculating and generating a dynamic verification IPv6 address according to the cryptography algorithm, the safety communication information and the target IPv6 prefix;
an address comparison module, configured to perform consistency verification on the target IPv6 address in the outer layer IPv6 packet and the verification IPv6 address, and discard the IPv6 packet if the target IPv6 address is inconsistent with the verification IPv6 address;
The message decryption module is used for taking out an inner layer IPv6 message in the IPv6 message when the target IPv6 address in the outer layer IPv6 message is consistent with the verification IPv6 address, and decrypting the inner layer IPv6 message through the safety communication information to obtain a decrypted IPv6 message;
And the message forwarding module is used for sending the decrypted IPv6 message to the accessed data center equipment/cloud component corresponding to the receiver IPv6 stealth terminal.
10. A computer-readable storage medium, characterized by storing a computer program that can be loaded by a processor to execute the data security access control method according to any one of claims 1 to 4 or any one of claims 5 to 7.
CN202410337986.5A 2024-03-25 2024-03-25 Data security access control method, system and storage medium Pending CN117955735A (en)

Publications (1)

Publication Number Publication Date
CN117955735A true CN117955735A (en) 2024-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination