Embodiment
In order to make the purpose, technical scheme and advantages of the present invention clearer, the invention is further elaborated below in conjunction with the drawings and embodiments. It should be appreciated that the embodiments described herein are only used to explain the present invention and are not intended to limit it.
Please refer to Fig. 1, which is a schematic flow chart of a user authentication method according to a first embodiment of the invention. In this method the end that initiates the connection is called the client and the opposite end is called the server; the client and the server communicate via the relay of a firewall. The authentication method can be implemented by the firewall and specifically comprises:
Step S30: receiving a TCP SYN message sent by the client to the server;
Step S32: constructing, according to the TCP SYN message sent by the client, a SYN+ACK message whose source address is the address of the server and whose window is zero, and sending it to the client;
Step S34: receiving the acknowledgement message (ACK) sent by the client in response to the SYN+ACK message. At this point the firewall has completed the first three-way handshake in place of the server.
Step S36: sending an authentication request packet to the client and performing user authentication.
After the three-way handshake between the firewall and the client is completed, the firewall does not immediately perform a three-way handshake with the server; instead it sends the authentication request packet to the client and requests the client to authenticate (for example by an HTTP challenge).
In this embodiment the firewall proxies the client's TCP connection request to the server and, on the basis of this proxying, performs user authentication on the client. TCP services used by unauthorized users can thus be effectively prevented, and authentication of TCP services is achieved.
Please refer to Fig. 2, a schematic flow chart of a user authentication method according to a second embodiment of the invention. It differs from the first embodiment in that, after step S36, it further comprises:
Step S38: judging whether the authentication has passed. Specifically, after the firewall sends the authentication request packet to the client in step S36, the client constructs an authentication message and sends it to the firewall for authentication; the firewall performs user authentication according to the authentication message sent by the client, and if authentication succeeds the firewall continues the proxy flow, i.e. executes step S40.
Step S40: establishing a TCP connection with the server. Specifically, the firewall constructs a TCP SYN message and sends it to the server; the server returns a SYN+ACK message for that SYN to the firewall; after receiving the server's SYN+ACK, the firewall returns an ACK for it to the server. At this point the firewall has completed the second three-way handshake.
Further, the method may also comprise: the firewall constructing an acknowledgement message ACK whose destination address is the client, whose source address is the server and whose window is non-zero, and sending it to the client. This step is equivalent to the firewall sending a window update message to the client; after receiving the window update, the client resumes sending data.
In this embodiment the firewall proxies the client's TCP connection request to the server and, on the basis of this proxying, performs user authentication on the client. TCP services used by unauthorized users can thus be effectively prevented, and authentication of TCP services is achieved. In addition, authentication of TCP services is concentrated entirely on the firewall, so that servers can be managed uniformly through the firewall platform; the servers themselves need no configuration, which reduces the workload of network maintenance staff.
Please refer to Fig. 3, a schematic signalling diagram of the user authentication method according to an embodiment of the invention. The firewall is arranged between the client and the server; the end that initiates the connection is called the client, the opposite end is called the server, and the client and the server communicate via the relay of the firewall. The authentication method comprises:
Step S101: the client sends a TCP SYN message to the server;
Step S102: after receiving the TCP SYN message, the firewall returns, in place of the server, a TCP SYN+ACK message with a zero window to the client.
After receiving the TCP SYN sent by the client, the firewall constructs a SYN+ACK whose source address is the server address and whose window is zero, and sends it to the client. The window of the SYN+ACK is set to zero to instruct the client not to send data for the time being; this prevents the client from sending data immediately after the three-way handshake is established.
Step S103: the client sends the acknowledgement message ACK for the SYN+ACK to the firewall. At this point the firewall has completed the first three-way handshake in place of the server.
Step S104: the firewall sends an authentication request packet to the client.
After the three-way handshake between the firewall and the client is completed, the firewall does not immediately perform a three-way handshake with the server; instead it sends the authentication request packet to the client and requests the client to authenticate (for example by an HTTP challenge). Specifically, the firewall may indicate the authentication mode in the authentication request packet, for example Basic Authentication mode or Digest mode.
The authentication request packet must reuse the existing TCP session. In order that the authentication request packet can traverse NAT devices and reach the client, it must be disguised as a data message of the TCP connection: that is, the authentication request packet is a TCP message whose source port is the service port of the server, whose source IP is the IP address of the server, whose destination address is the IP address of the client, and whose destination port is the source port from which the client initiated the TCP connection.
Step S105: after the client receives the authentication request packet, it sends an authentication message to the firewall.
Because the authentication request packet sent by the firewall is disguised as a TCP message, the client must separate authentication request packets from TCP data messages. There are many ways to do so; for example, a Network Driver Interface Specification (NDIS) driver may be installed on the client to intercept every TCP message, and if a message matches the features of an authentication request packet, the authentication flow is started. The authentication request packet can be identified by a fixed magic number.
If an authentication request packet is found, the message is discarded and the authentication flow is started; if it is not an authentication request, the message is handed to TCP. The authentication flow may use any common authentication protocol or a custom one. The authentication message itself does not need to be disguised as a TCP message.
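As an added illustration of the client-side separation just described (not code from the patent), the following Python models the driver's decision: an intercepted segment counts as an authentication request only if it arrives on the reversed address tuple of a connection the client itself opened and its payload starts with the magic number; everything else goes to the TCP stack. The magic value, addresses and ports are constructed.

```python
import struct

# Constructed magic number marking the firewall's authentication request; the patent
# only says a fixed magic number is used and does not give its value.
AUTH_MAGIC = b"\xC0\xFF\xEE\x01"

def build_tcp_segment(src_port: int, dst_port: int, payload: bytes,
                      seq: int = 1, ack: int = 1, flags: int = 0x18, window: int = 0) -> bytes:
    """Minimal 20-byte TCP header (no options, checksum left zero) followed by payload."""
    data_offset = 5 << 4    # header length in 32-bit words, stored in the high nibble
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset, flags, window, 0, 0)
    return header + payload

def classify(src_ip: str, raw: bytes, peers: dict):
    """
    Classify one intercepted inbound TCP segment, as the client-side driver would.
    peers maps each local source port the client used to (server_ip, server_port).
    Returns ("auth", body) for an authentication request, which is dropped and handed to
    the authentication flow, or ("tcp", None) for anything else, which goes to the TCP stack.
    """
    if len(raw) < 20:
        return ("tcp", None)
    src_port, dst_port = struct.unpack("!HH", raw[:4])
    header_len = (raw[12] >> 4) * 4
    payload = raw[header_len:]
    # The request masquerades as server data on the client's own connection, so both the
    # reversed address tuple and the magic number must match before it is treated as one.
    if peers.get(dst_port) == (src_ip, src_port) and payload.startswith(AUTH_MAGIC):
        return ("auth", payload[len(AUTH_MAGIC):])
    return ("tcp", None)

def demo():
    """Constructed traffic: the client's port 40000 is connected to server 10.0.0.2:80."""
    peers = {40000: ("10.0.0.2", 80)}
    auth_req = build_tcp_segment(80, 40000, AUTH_MAGIC + b"AUTH-REQ Basic")
    server_data = build_tcp_segment(80, 40000, b"HTTP/1.1 200 OK\r\n")
    unrelated = build_tcp_segment(80, 40000, AUTH_MAGIC + b"AUTH-REQ Basic")  # other source host
    return [classify("10.0.0.2", auth_req, peers)[0],
            classify("10.0.0.2", server_data, peers)[0],
            classify("198.51.100.9", unrelated, peers)[0]]
```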
To simplify the authentication process, the user may save the username and password in a configuration file, so that when the firewall requests user authentication the client can complete it automatically.
Step S106: after receiving the authentication request packet sent by the firewall, the client constructs an authentication message and sends it to the firewall.
The client base64-encodes the username and password, adds them to the authentication message and sends it to the firewall for user authentication.
Step S107: the firewall performs user authentication according to the authentication message sent by the client; if authentication succeeds, the firewall continues the proxy flow.
Step S108: the firewall constructs a TCP SYN message and sends it to the server.
The firewall uses the port recorded earlier when the client initiated the TCP connection, sets the destination address to the server and the source address to the client, constructs a TCP SYN message and sends it to the server to request establishment of a TCP connection.
Step S109: the server returns a SYN+ACK message for the TCP SYN to the firewall; the window size of this SYN+ACK is the real window size of the server.
Step S110: after receiving the server's SYN+ACK, the firewall returns an acknowledgement message ACK for it to the server. At this point the firewall has completed the second three-way handshake.
Step S120: the firewall constructs an acknowledgement message ACK whose destination address is the client, whose source address is the server and whose window is non-zero, and sends it to the client.
This step is equivalent to the firewall sending a window update message to the client; after receiving the window update, the client resumes sending data.
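The signalling of Fig. 3 (steps S101 to S120) as a simplified added model, not code from the patent: the firewall is a state machine that answers the client's SYN with a zero-window SYN+ACK on the server's behalf, issues the authentication request, verifies the base64-encoded Basic credentials, only then performs the second handshake with the server using the client's recorded address and port, and finally releases the client with a non-zero-window ACK. The Segment fields, the "AUTH" message format and the credential store are constructed; sequence numbers, checksums and the client-side driver are left out.

```python
import base64
from dataclasses import dataclass, field

@dataclass
class Segment:
    src: tuple                 # (ip, port) the segment claims to come from
    dst: tuple                 # (ip, port) it is addressed to
    flags: str                 # "SYN", "SYN+ACK" or "ACK"
    window: int = 0            # advertised receive window
    payload: bytes = b""

def auth_message(user: str, password: str) -> bytes:
    """Client authentication message (S106): Basic credentials, base64 encoded."""
    return b"AUTH " + base64.b64encode(f"{user}:{password}".encode())

@dataclass
class Firewall:
    server: tuple              # (ip, port) of the protected server
    users: dict                # constructed credential store: username -> password
    state: str = "IDLE"
    client: tuple = None       # recorded (ip, port) of the connecting client, reused in S108
    sent: list = field(default_factory=list)   # segments the firewall emitted, in order

    def from_client(self, seg: Segment) -> str:
        if self.state == "IDLE" and seg.flags == "SYN":
            # S102: zero-window SYN+ACK on the server's behalf; handshake completes, data must wait
            self.client = seg.src
            self.sent.append(Segment(self.server, seg.src, "SYN+ACK", window=0))
            self.state = "CLIENT_HANDSHAKE"
        elif self.state == "CLIENT_HANDSHAKE" and seg.flags == "ACK":
            # S103/S104: first handshake done; request authentication as if it were server data
            self.sent.append(Segment(self.server, self.client, "ACK", 0, b"AUTH-REQ Basic"))
            self.state = "AUTH_PENDING"
        elif self.state == "AUTH_PENDING" and seg.payload.startswith(b"AUTH "):
            # S107: base64 is an encoding, not encryption; the check is a plain comparison
            user, _, pw = base64.b64decode(seg.payload[5:]).decode().partition(":")
            if user in self.users and self.users[user] == pw:
                self.sent.append(Segment(self.client, self.server, "SYN"))  # S108: client's addr/port
                self.state = "SERVER_HANDSHAKE"
            else:
                self.state = "REJECTED"
        return self.state

    def from_server(self, seg: Segment) -> str:
        if self.state == "SERVER_HANDSHAKE" and seg.flags == "SYN+ACK":
            self.sent.append(Segment(self.client, self.server, "ACK"))            # S110
            # S120: ACK to the client carrying the server's real window, i.e. a window update
            self.sent.append(Segment(self.server, self.client, "ACK", window=seg.window))
            self.state = "ESTABLISHED"
        return self.state
```

Segments that do not fit the current state are ignored, so a data segment the client sends before authentication, or a stray server reply, leaves the state unchanged.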
In this embodiment the firewall proxies the client's TCP connection request to the server and, on the basis of this proxying, performs user authentication on the client. TCP services used by unauthorized users can thus be effectively prevented, and authentication of TCP services is achieved. In addition, authentication of TCP services is concentrated entirely on the firewall, so that servers can be managed uniformly through the firewall platform; the servers themselves need no configuration, which reduces the workload of network maintenance staff.
Please refer to Fig. 4, a schematic structural diagram of a user authentication system according to an embodiment of the invention. The user authentication system comprises a client 100, a user authentication device 200 and a server 300. In this embodiment the client 100 is the initiating end of the session connection, the server 300 is the opposite end, the user authentication device 200 is arranged between the client 100 and the server 300, and the client 100 and the server 300 communicate via the relay of the user authentication device 200. The user authentication device 200 comprises an agent unit 202, an interface unit 204 and an authentication unit 206.
The interface unit 204 is configured to receive the TCP SYN message sent by the client 100 to the server;
The agent unit 202 is configured to construct, according to the TCP SYN message sent by the client 100, a SYN+ACK message whose source address is the address of the server 300 and whose window is zero, and to send it to the client 100 through the interface unit;
The authentication unit 206 is configured to send an authentication request packet to the client 100 and perform user authentication after receiving the acknowledgement message ACK sent by the client 100 in response to the SYN+ACK message.
The authentication request packet must reuse the existing TCP session. In order that the authentication request packet can traverse NAT devices and reach the client, the authentication unit 206 disguises it as a data message of the TCP connection: that is, the authentication request packet is a TCP message whose source port is the service port of the server 300, whose source IP is the IP address of the server 300, whose destination address is the IP address of the client 100, and whose destination port is the source port from which the client 100 initiated the TCP connection.
After the authentication unit 206 has verified that the client 100 is legitimate, the agent unit 202 establishes a TCP connection with the server 300 through the interface unit 204.
Specifically, the agent unit 202 uses the port recorded earlier when the client 100 initiated the TCP connection, sets the destination address to the server 300 and the source address to the client 100, constructs a TCP SYN message and sends it to the server 300 to request establishment of a TCP connection;
The server 300 returns a SYN+ACK message for the TCP SYN to the agent unit 202; the window size of this SYN+ACK is the real window size of the server 300;
After receiving the SYN+ACK sent by the server 300, the agent unit 202 returns an acknowledgement message ACK for it to the server 300.
The agent unit 202 is further configured, after the TCP connection with the server 300 has been established, to construct an acknowledgement message ACK whose destination address is the client 100, whose source address is the server 300 and whose window is non-zero, and to send it to the client 100; after receiving this ACK, the client 100 resumes sending data.
In a specific implementation of this embodiment, the user authentication device 200 may be a firewall device.
In this embodiment the agent unit 202 proxies the TCP connection request of the client 100 and, on the basis of this proxying, the authentication unit 206 performs user authentication on the client 100; TCP services used by unauthorized users can thus be effectively prevented, and authentication of TCP services is achieved. In addition, authentication of TCP services is concentrated entirely in the authentication unit 206 of the user authentication device 200, so that servers can be managed uniformly through the user authentication device 200 platform; the servers themselves need no configuration, which reduces the workload of network maintenance staff.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
The above is only a preferred embodiment of the present invention, but the protection scope of the invention is not limited thereto; any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be determined by the scope of the claims.