CN101150390A - Fingerprint communication method and system based on trust detection - Google Patents
- Publication number: CN101150390A
- Authority: CN (China)
- Prior art keywords: application fingerprint, module, authentication, management server, edge device
- Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This invention relates to an application fingerprint communication method and system. The system includes: a client module, which authenticates with a management server, obtains an application fingerprint and uses it to mark and encrypt the data sent by a designated application program; a management server authentication sub-module, which authenticates the client module and generates an application fingerprint that is sent to the edge device module and the authentication sub-module; a management server management sub-module, used for routine maintenance, management, configuration, result lookup and report output; and an edge device module, which identifies and decrypts trusted data packets, blocks untrusted packets and generates alarms. This guarantees that only the designated application program's packets are transmitted in a communication tunnel provided in advance.
Description
[technical field]
The present invention relates to a way of implementing secure network communication, namely an application fingerprint communication method and system based on trust detection.
[background technology]
Existing security products such as firewalls and VPNs all establish a secure communication tunnel, but they cannot verify which application program sent the data packets that arrive at the destination machine through this otherwise effective secure tunnel. IDS and anti-virus products supplement this, but they require a knowledge base to be supplied in advance, which is cumbersome and gives no protection against unforeseen threats. The application fingerprint communication method and system based on trust detection guarantees that, in a communication tunnel provided in advance and regardless of whether that tunnel is otherwise secure, only the designated application's data packets are transmitted to the destination machine.
[summary of the invention]
The purpose of the present invention is to design a way of implementing secure network communication, an application fingerprint communication method and system based on trust detection, in which the client computer and the edge device use the same application fingerprint as an identifier and in the encryption and decryption steps, so that, in a communication tunnel provided in advance and regardless of whether that tunnel is otherwise secure, only the designated application's data packets are transmitted. The application fingerprint communication system based on trust detection is characterized in that it comprises a client module: used to authenticate with the management server, obtain the application fingerprint, and use that fingerprint to mark and encrypt the data sent by a preassigned application program;
A management server authentication sub-module: used to authenticate with the client module and to generate the application fingerprint, which is issued to the edge device module and the authentication sub-module;
A management server management sub-module: used for routine maintenance, management, configuration, result lookup and report output;
An edge device module: used to identify and decrypt trusted data packets, block untrusted packets and generate alarms.
The management server authentication sub-module, management server management sub-module and edge device module may all be physically merged into anywhere from one to three modules.
The application fingerprint communication method based on trust detection is characterized in that it comprises:
Step 1: the client module verifies its identity to the management server and requests the application fingerprint for this authentication;
Step 2: once the client identity is confirmed, the management server randomly generates the application fingerprint for this authentication and issues the client computer's IP address and MAC address, together with the corresponding application fingerprint, to the edge device, where they form a white list and an application fingerprint table;
Step 3: when the server receives an acknowledgement from the edge device, it sends an authentication success signal together with this application fingerprint back to the client module; otherwise it sends an authentication failure signal to the client module;
Step 4: while the application fingerprint is valid, the client module encrypts and marks the data packets sent by the preassigned application program with the application fingerprint before sending them; packets sent by other application programs are ignored or blocked, and all application data packets are held back while authentication is in progress;
Step 5: after the edge device receives a data packet sent by the client computer, it looks the client computer up in the white list and application fingerprint table, decrypts the packet with the matching fingerprint and forwards the decrypted packet to the destination machine; packets that cannot be matched to an application fingerprint are not forwarded, and an alarm is raised according to a preset policy;
Step 6: the edge device recognizes the authentication signals exchanged between the client computer and the management server by their specific identification and lets them pass.
Before a new connection is created or when the application fingerprint reaches the end of its validity period, the client module repeats steps 1 to 5. This ensures that only data packets sent by the designated application program can reach the destination machine from the client computer, so that the destination machine is not threatened by network attacks originating from the client computer.
In step 1 above, the authentication request packet is actively initiated by the client module to the management server when a new connection is created or when the old application fingerprint expires.
In step 2 above, the management server compares the authentication content with the client identity information stored in advance in the database by the management server management sub-module, and generates the application fingerprint only after the identity is confirmed.
Step 3 above makes clear that the edge device receives the new application fingerprint earlier than the client computer does.
In step 4 above, all application data packets are held back while authentication is in progress.
Step 6 above states specifically that the edge device treats the authentication signals between the client computer and the management server as a special case.
The present invention has the following advantages:
1. In a communication tunnel provided in advance, and regardless of whether that tunnel is otherwise secure, only the designated application's data packets are transmitted.
2. There is no need to know the features of untrusted content, so no feature database needs to be maintained or upgraded.
3. The computational cost of encrypting the data packets is small and transmission efficiency is high.
4. Alarm data can be mined further for deeper analysis.
[description of drawings]
Fig. 1 is a structural diagram of the application fingerprint communication system based on trust detection;
Fig. 2 is the data flowchart of the client module;
Fig. 3 is the data flowchart of the management server;
Fig. 4 is the data flowchart of the edge device.
[embodiment]
Fig. 1 is a structural diagram of the application fingerprint communication system based on trust detection of the present invention. As shown in the figure, the system comprises a client module 11, a management server 12 and an edge device 13:
Client module 11: used to authenticate with the management server, obtain the application fingerprint, and use that fingerprint to mark and encrypt the data sent by the preassigned application program;
The management server 12 comprises a management server authentication sub-module 121 and a management server management sub-module 122:
Management server authentication sub-module 121: used to authenticate with the client module and to generate the application fingerprint, which is issued to the edge device module and the authentication sub-module;
Management server management sub-module 122: used for routine maintenance, management, configuration, result lookup and report output;
Edge device module 13: used to identify and decrypt trusted data packets, block untrusted packets and generate alarms.
The term "application fingerprint" is a name of convenience: it is in fact a piece of randomly generated data, whose randomness gives it a relative uniqueness similar to a fingerprint in real life, and because it is used for a preassigned application program, the code name "application fingerprint" is adopted.
The client module 11 intercepts data packets in a driver at the bottom layer of the operating system, can rewrite packet contents and controls whether a packet is sent out; this is how it performs its tasks. The client computer also determines from the operating system which application program sent a data packet, working back from the packet's protocol and port.
The edge device 13 likewise captures data packets at the bottom layer of the operating system, rewrites them and controls whether they are forwarded. This can be implemented with a packet-capture and packet-sending driver, an operating system interface, or an application-program hook (for example, programming against the iptables interface on Linux).
The management server 12 includes the management server management module and the management server authentication module; in practical applications the two modules can be split according to capacity and performance requirements, a database server and an authentication server can even be added, and a third-party authentication server may also be used. Authentication between the client module 11 and the management server 12 uses encrypted TCP packets, and so does the traffic between the management server 12 and the edge device 13, to guarantee the confidentiality, integrity and availability of the content. The management server management module 12 mainly uses a client/server (C/S) or browser/server (B/S) pattern for operations such as client user registration and changes; the latter is recommended.
The management server authentication sub-module 121, management server management sub-module 122 and edge device module 13 above may all be physically merged into anywhere from one to three modules.
Fig. 2 is the data flowchart of the client module. As shown in Fig. 2: step 1: the client module intercepts the data packets sent by all application programs; step 2: it judges whether a packet was sent by the designated application program; step 3: if it was, it further judges whether this connection has been authenticated (that is, whether an application fingerprint has been obtained); step 4: it then judges whether the application fingerprint has expired; step 5: if it has not expired, the module marks and encrypts the packet with the application fingerprint and sends it.
If the packet in step 2 was not sent by the designated application program, whether it is sent or blocked is of no concern;
In step 3, if the connection has not been authenticated, the module returns to step 1, requests authentication and waits for the authentication signal, thereby obtaining the authentication result; step 6: it judges whether authentication passed; if it did, the module proceeds to step 5, encrypts the packet and sends it;
If waiting for the authentication signal times out, or authentication does not pass, the packet is discarded.
Fig. 3 is the data flowchart of the management server. As shown in Fig. 3: step 1: the management server receives an authentication request signal and authenticates it; step 2: it judges whether authentication passed; if it did, the server generates the application fingerprint and sends the client computer's IP address, MAC address and application fingerprint to the edge device; step 3: it waits for the edge device's response and checks for a timeout; if no timeout occurs, it sends authentication success and the application fingerprint to the client module.
If authentication does not pass in step 2, or a timeout occurs in step 3, the management server responds with authentication failure.
Fig. 4 is the data flowchart of the edge device. As shown in Fig. 4, it comprises: step 1: when the edge device receives any data packet, it judges whether the packet is an authentication signal for the management server; step 2: if not, it further judges whether the packet is a white list and application fingerprint update signal sent by the management server; step 3: it then judges whether the client computer's IP address and MAC address are in the white list; if so, step 4: it judges whether the packet is consistent with the application fingerprint, decrypts it with that fingerprint and sends it to the destination machine.
If the packet is judged in step 1 to be an authentication signal for the management server, it is forwarded to the management server;
If in step 2 the packet is a white list and application fingerprint update signal sent by the management server, the white list and application fingerprint table are updated and an update-complete signal is sent to the management server;
If in steps 3 and 4 the client computer's IP address or MAC address is not in the white list, or the packet is inconsistent with the application fingerprint, the packet is not forwarded.
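The six-step method and the client, management server and edge device flows of Figs. 2 to 4, as an added Python simulation written for this page; it is not the patent's implementation. The shared-secret credential check, the SHAKE-256 keystream and HMAC-SHA256 mark, the abstract time counter and every host name, address and secret are constructed assumptions, since the patent does not specify these primitives.

```python
import hashlib
import hmac
import os
from collections import namedtuple
from dataclasses import dataclass, field
# Constructed stand-in primitives (the patent only says the fingerprint "marks and encrypts"
# packets): a SHAKE-256 keystream for encryption and an HMAC-SHA256 tag as the mark.
def _xor_stream(fp: bytes, nonce: bytes, data: bytes) -> bytes:
    keystream = hashlib.shake_256(fp + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

def _mark(fp: bytes, ip: str, mac: str, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(fp, f"{ip}|{mac}|".encode() + nonce + ct, hashlib.sha256).digest()
# kind is "auth" (client -> management server) or "data" (client -> destination machine)
Packet = namedtuple("Packet", "kind ip mac body nonce tag", defaults=(b"", b"", b""))

@dataclass
class EdgeDevice:
    table: dict = field(default_factory=dict)      # (ip, mac) -> (fingerprint, expiry)
    alarms: list = field(default_factory=list)
    delivered: list = field(default_factory=list)  # decrypted packets passed to the destination
    def update(self, ip: str, mac: str, fp: bytes, expiry: int) -> bool:
        self.table[(ip, mac)] = (fp, expiry)   # step 2: white list + fingerprint table entry
        return True                             # acknowledgement the server waits for in step 3
    def receive(self, pkt: Packet, now: int) -> str:
        if pkt.kind == "auth":                  # step 6: authentication signals pass through
            return "forwarded-to-server"
        entry = self.table.get((pkt.ip, pkt.mac))
        if entry is None or entry[1] <= now:    # not in the white list (or stale): block + alarm
            self.alarms.append(("not-whitelisted", pkt.ip, pkt.mac))
            return "dropped"
        if not hmac.compare_digest(pkt.tag, _mark(entry[0], pkt.ip, pkt.mac, pkt.nonce, pkt.body)):
            self.alarms.append(("fingerprint-mismatch", pkt.ip, pkt.mac))
            return "dropped"
        self.delivered.append(_xor_stream(entry[0], pkt.nonce, pkt.body))  # step 5: decrypt, forward
        return "forwarded"

@dataclass
class ManagementServer:
    edge: EdgeDevice
    credentials: dict           # client id -> shared secret (constructed identity database)
    ttl: int = 100              # fingerprint validity period, in abstract time units
    def authenticate(self, cid: str, secret: str, ip: str, mac: str, now: int):
        if self.credentials.get(cid) != secret:
            return None                                    # authentication failure signal
        fp = os.urandom(16)                                # step 2: fresh random fingerprint
        if not self.edge.update(ip, mac, fp, now + self.ttl):
            return None                                    # no edge acknowledgement -> failure
        return fp, now + self.ttl                          # step 3: success signal + fingerprint

@dataclass
class ClientModule:
    server: ManagementServer
    cid: str
    secret: str
    ip: str
    mac: str
    allowed_apps: set           # the preassigned application programs
    fp: bytes = b""
    expiry: int = 0
    def send(self, app: str, payload: bytes, now: int) -> str:
        if app not in self.allowed_apps:        # step 4: other programs are ignored or blocked
            return "blocked"
        if not self.fp or self.expiry <= now:   # new connection or expired fingerprint: step 1
            self.server.edge.receive(Packet("auth", self.ip, self.mac), now)
            res = self.server.authenticate(self.cid, self.secret, self.ip, self.mac, now)
            if res is None:
                return "auth-failed"            # Fig. 2: packet discarded on failed authentication
            self.fp, self.expiry = res
        nonce = os.urandom(8)
        ct = _xor_stream(self.fp, nonce, payload)
        tag = _mark(self.fp, self.ip, self.mac, nonce, ct)
        return self.server.edge.receive(Packet("data", self.ip, self.mac, ct, nonce, tag), now)

def demo() -> dict:
    edge = EdgeDevice()
    server = ManagementServer(edge, {"host-a": "s3cret"})
    client = ClientModule(server, "host-a", "s3cret", "10.0.0.5", "aa:bb:cc:dd:ee:01", {"erp"})
    first = client.send("erp", b"order#1", now=0)                 # authenticates, then forwarded
    rogue = Packet("data", "10.0.0.5", "aa:bb:cc:dd:ee:01", b"raw", b"", b"\x00" * 32)
    spoofed = edge.receive(rogue, 2)                              # right IP/MAC, no valid mark
    renewed = client.send("erp", b"order#2", now=500)             # expired -> re-authenticate
    return {"first": first, "spoofed": spoofed, "renewed": renewed,
            "delivered": edge.delivered, "alarms": edge.alarms}
```

The rogue packet shows the point of step 5: being on the white list by IP and MAC is not enough, the packet must also carry a mark that only a client holding the current fingerprint can produce.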
The above is only a preferred embodiment of the present invention and is not intended to limit its scope; all equivalent changes or modifications made according to the claims of this patent application are covered by the present invention.
Claims (9)
1. An application fingerprint communication system based on trust detection, characterized in that it comprises:
a client module: used to authenticate with the management server, obtain the application fingerprint, and use that fingerprint to mark and encrypt the data sent by a preassigned application program;
a management server authentication sub-module: used to authenticate with the client module and to generate the application fingerprint, which is issued to the edge device module and the authentication sub-module;
a management server management sub-module: used for routine maintenance, management, configuration, result lookup and report output;
an edge device module: used to identify and decrypt trusted data packets, block untrusted packets and generate alarms.
2. The application fingerprint communication system based on trust detection as claimed in claim 1,
characterized in that the management server authentication sub-module, management server management sub-module and edge device module may all be physically merged into anywhere from one to three modules.
3. An application fingerprint communication method based on trust detection, characterized in that it comprises:
Step 1: the client module verifies its identity to the management server and requests the application fingerprint for this authentication;
Step 2: once the client identity is confirmed, the management server randomly generates the application fingerprint for this authentication and issues the client computer's IP address and MAC address, together with the corresponding application fingerprint, to the edge device, where they form a white list and an application fingerprint table;
Step 3: when the server receives an acknowledgement from the edge device, it sends an authentication success signal together with this application fingerprint back to the client module; otherwise it sends an authentication failure signal to the client module;
Step 4: while the application fingerprint is valid, the client module encrypts and marks the data packets sent by the preassigned application program with the application fingerprint before sending them; packets sent by other application programs are ignored or blocked, and all application data packets are held back while authentication is in progress;
Step 5: after the edge device receives a data packet sent by the client computer, it looks the client computer up in the white list and application fingerprint table, decrypts the packet with the matching fingerprint and forwards the decrypted packet to the destination machine; packets that cannot be matched to an application fingerprint are not forwarded, and an alarm is raised according to a preset policy;
Step 6: the edge device recognizes the authentication signals exchanged between the client computer and the management server by their specific identification and lets them pass.
4. The application fingerprint communication method based on trust detection as claimed in claim 3, characterized in that before a new connection is created or when the application fingerprint reaches the end of its validity period, the client module repeats steps 1 to 5; this ensures that only data packets sent by the designated application program can reach the destination machine from the client computer, so that the destination machine is not threatened by network attacks originating from the client computer.
5. The application fingerprint communication method based on trust detection as claimed in claim 3, characterized in that in step 1 the authentication request packet is actively initiated by the client module to the management server when a new connection is created or when the old application fingerprint expires.
6. The application fingerprint communication method based on trust detection as claimed in claim 3, characterized in that in step 2 the management server compares the authentication content with the client identity information stored in advance in the database by the management server management sub-module, and generates the application fingerprint only after the identity is confirmed.
7. The application fingerprint communication method based on trust detection as claimed in claim 3, characterized in that step 3 makes clear that the edge device receives the new application fingerprint earlier than the client computer does.
8. The application fingerprint communication method based on trust detection as claimed in claim 3, characterized in that in step 4 all application data packets are held back while authentication is in progress.
9. The application fingerprint communication method based on trust detection as claimed in claim 3, characterized in that step 6 states specifically that the edge device treats the authentication signals between the client computer and the management server as a special case.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610122297 CN101150390B (en) | 2006-09-22 | 2006-09-22 | Fingerprint communication method and system based on trust detection |
PCT/CN2007/000052 WO2008037144A1 (en) | 2006-09-22 | 2007-01-08 | Method and system for communication of application fingerprint based on the credit verification |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610122297 CN101150390B (en) | 2006-09-22 | 2006-09-22 | Fingerprint communication method and system based on trust detection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101150390A true CN101150390A (en) | 2008-03-26 |
CN101150390B CN101150390B (en) | 2013-05-08 |
Family
ID=39229716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200610122297 Expired - Fee Related CN101150390B (en) | 2006-09-22 | 2006-09-22 | Fingerprint communication method and system based on trust detection |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101150390B (en) |
WO (1) | WO2008037144A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103106736A (en) * | 2012-12-28 | 2013-05-15 | 华为软件技术有限公司 | Identity authentication method, terminal and server |
CN107483514A (en) * | 2017-10-13 | 2017-12-15 | 北京知道创宇信息技术有限公司 | Attack monitoring device and smart machine |
CN108141723A (en) * | 2015-10-16 | 2018-06-08 | 格马尔托股份有限公司 | The method for managing application program |
CN110933028A (en) * | 2019-10-24 | 2020-03-27 | 中移(杭州)信息技术有限公司 | Message transmission method, device, network equipment and storage medium |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112989315B (en) * | 2021-02-03 | 2023-03-24 | 杭州安恒信息安全技术有限公司 | Fingerprint generation method, device and equipment for terminal of Internet of things and readable storage medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7200230B2 (en) * | 2000-04-06 | 2007-04-03 | Macrovision Corporation | System and method for controlling and enforcing access rights to encrypted media |
CN1191703C (en) * | 2001-12-31 | 2005-03-02 | 西安西电捷通无线网络通信有限公司 | Safe inserting method of wide-band wireless IP system mobile terminal |
CN1206607C (en) * | 2002-08-19 | 2005-06-15 | 英保达股份有限公司 | Information storage system fingerprint identification function and its method |
CN100334850C (en) * | 2003-09-10 | 2007-08-29 | 华为技术有限公司 | A method for implementing access authentication of wireless local area network |
CN1804751A (en) * | 2005-01-14 | 2006-07-19 | 沈阳上方电子有限公司 | Computer security system employing fingerprint authentication to control peripheral equipment |
- 2006-09-22: CN 200610122297 (CN101150390B) filed with the CN patent office; status: not active, expired (fee related)
- 2007-01-08: PCT/CN2007/000052 (WO2008037144A1) filed under the PCT; status: active, application filing
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103106736A (en) * | 2012-12-28 | 2013-05-15 | 华为软件技术有限公司 | Identity authentication method, terminal and server |
CN103106736B (en) * | 2012-12-28 | 2016-07-06 | 华为软件技术有限公司 | A kind of identity identifying method, terminal and server |
CN108141723A (en) * | 2015-10-16 | 2018-06-08 | 格马尔托股份有限公司 | The method for managing application program |
CN108141723B (en) * | 2015-10-16 | 2021-03-12 | 泰雷兹数字安全法国股份有限公司 | Method for managing application program |
CN107483514A (en) * | 2017-10-13 | 2017-12-15 | 北京知道创宇信息技术有限公司 | Attack monitoring device and smart machine |
CN110933028A (en) * | 2019-10-24 | 2020-03-27 | 中移(杭州)信息技术有限公司 | Message transmission method, device, network equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2008037144A1 (en) | 2008-04-03 |
CN101150390B (en) | 2013-05-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2332089B1 (en) | | Authorization of server operations |
CN1685687B (en) | | Method for determining proximity of target node to source node |
US20130268444A1 (en) | | Three-factor user authentication method for generating otp using iris information and secure mutual authentication system using otp authentication module of wireless communication terminal |
US20180324152A1 (en) | | Securely recognizing mobile devices |
CN106452721A (en) | | Method and system for instruction identification of intelligent device based on identification public key |
KR101972110B1 (en) | | security and device control method for fog computer using blockchain technology |
CN101150390B (en) | | Fingerprint communication method and system based on trust detection |
CN1694395A (en) | | Data authentication method and agent based system |
CN101163044A (en) | | Remote updating method and system for information safety equipment |
CN110719203A (en) | | Operation control method, device and equipment of intelligent household equipment and storage medium |
US11323883B2 (en) | | Pattern driven selective sensor authentication for internet of things |
CN110138731B (en) | | Network anti-attack method based on big data |
US20210019451A1 (en) | | Process and detachable device for using and managing encryption keys |
DE60300912D1 (en) | | Procedure for managing the security of Border Gateway Protocol messages |
CN107154854A (en) | | A kind of unmanned plane instruction is reinforced and discrimination method and system |
CN108400967B (en) | | Authentication method and authentication system |
CN114429279A (en) | | Method and system for tracing vaccine based on encryption technology |
CN114124572A (en) | | Data transmission method, device, equipment and medium based on unidirectional network |
JP2002016592A (en) | | Encryption key management system and encryption key management method |
Wu et al. | | A comprehensive set of security measures for IOT |
CN116319949B (en) | | Session migration method, session migration device, terminal equipment and storage medium |
KR101448711B1 (en) | | security system and security method through communication encryption |
CN113315764B (en) | | ARP attack-preventing data packet sending method and device, router and storage medium |
CN112468544B (en) | | Express data transmission method based on middleware and middleware |
CN112543098B (en) | | Intelligent building mobile equipment authentication system and method based on challenge response mechanism |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130508; Termination date: 20150922 |
| EXPY | Termination of patent right or utility model | |