CN101521675A - User certification method and device - Google Patents


Info

Publication number: CN101521675A
Authority: CN (China)
Prior art keywords: client, tcp, server, message, authentication
Application number: CN200910106340A
Other languages: Chinese (zh)
Other versions: CN101521675B
Inventor: 王晓信
Current assignee: Chengdu Huawei Technology Co Ltd
Original assignee: Huawei Symantec Technologies Co Ltd (application filed by Huawei Symantec Technologies Co Ltd)
Priority date and filing date: 2009-03-23
Publication date: 2009-09-02 (CN101521675A); grant published 2012-11-07 (CN101521675B)
Legal status: Granted, active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An embodiment of the invention provides a user authentication method. The method comprises: receiving a TCP SYN segment sent by a client to a server; constructing, from the client's SYN, a SYN+ACK segment whose source address is the server's address, and sending it to the client; receiving the ACK the client returns for that SYN+ACK; and sending an authentication request to the client to perform user authentication. An embodiment of the invention also provides a user authentication device. By answering the client's TCP connection request on the server's behalf and authenticating the client on top of that proxying, the embodiment effectively blocks TCP services from unauthorized users and achieves authentication of TCP services.

Description

User authentication method and device
Technical field
The present invention relates to the field of network security technology, and in particular to a user authentication method and device.
Background
How to stop unauthorized users from accessing the network has always been a major concern of network administrators. At present many application-layer protocols provide a user authentication function. HTTP, for example, has its own user authentication feature: it can authenticate the user, and only a user who passes verification can access HTTP resources.
HTTP authenticates the user with a simple "challenge-response" mechanism. The "challenge" is issued by the server to the client and requires the client to send authentication information; the "response" is the client's reply to the challenge, namely an HTTP request carrying the authentication information.
When the client requests a URL for the first time it does not know whether authentication is required, so it does not necessarily include authentication information. The server cannot find any authentication information, authentication fails, and the server sends a "challenge" to the client. On receiving the challenge the client generates its own "response" according to the authentication mode indicated in the challenge and sends it to the server, which completes authentication.
RFC 2617 describes two authentication modes: Basic and Digest. The mode is indicated in the challenge the server sends to the client. In Basic mode the user name and password are base64-encoded and added to the response sent to the server. This mode transmits the user name and password over the network in what is effectively clear text and is a serious security risk. Digest mode is safer than Basic: it computes an MD5 message digest over the user name, password and other information and adds the digest to the response sent to the server. Because MD5 is one-way, the password cannot be recovered from the digest, so Digest mode is effective against network interception.
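To make the contrast between the two RFC 2617 modes concrete, the following is an added example in Python; it is not code from the patent. A captured Basic header is recovered in one call by anyone on the path, while a Digest response only reveals MD5(HA1:nonce:HA2), computed here without qop as in section 3.2.2.1 of the RFC. The realm, nonce length and credentials are assumptions. One caveat the patent's sentence leaves out, and which the verifier below handles: the digest only keeps the password from being read directly. A captured response can be replayed if the server accepts the same nonce twice, and an eavesdropper who knows the nonce can still guess a weak password offline, so the server must issue a fresh nonce for every challenge and the scheme is no substitute for transport encryption.

```python
import base64
import hashlib
import hmac
import secrets


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_credentials(user, password):
    """Basic mode: the 'response' is only a reversible encoding of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover(header):
    """What anyone who captures a Basic header can do with it."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); a server can store this instead of the password."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(user, password, realm, nonce, method, uri):
    """Client side of Digest mode without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{digest_ha1(user, realm, password)}:{nonce}:{ha2}")


class DigestVerifier:
    """Server side: issues one-time nonces so a captured response cannot be replayed."""

    def __init__(self, realm, ha1_by_user):
        self.realm, self.ha1_by_user, self.issued = realm, ha1_by_user, set()

    def challenge(self):
        """Fresh random nonce per challenge (assumed 128-bit; the RFC leaves the size open)."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response):
        if nonce not in self.issued:  # never issued, or already consumed: treat as a replay
            return False
        self.issued.discard(nonce)    # one use per nonce, whether or not the check succeeds
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None:
            return False
        expected = md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")
        return hmac.compare_digest(expected, response)
```

The verifier stores HA1 rather than the password, which is what the RFC allows; note that HA1 is itself a password-equivalent for this realm, so the store needs the same protection a password database would.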
In the course of making the present invention, the inventor found at least the following problems in the prior art:
The user authentication function provided by HTTP can effectively prevent unauthorized access, but it is confined to the HTTP service and does nothing for other TCP services. In addition, because authentication is completed on the server, the server's load may increase when a large number of users access it simultaneously. And when several servers all need to authenticate users, each one must be configured separately, which adds to the workload of network maintenance staff.
Summary of the invention
Embodiments of the invention provide a user authentication method and device that can authenticate TCP services.
An embodiment of the invention provides a user authentication method, comprising:
receiving a TCP SYN segment sent by a client to a server;
constructing, from the client's SYN, a SYN+ACK segment whose source address is the server's address and whose window is zero, and sending it to the client;
receiving the ACK the client returns for the SYN+ACK;
sending an authentication request to the client to perform user authentication.
An embodiment of the invention also provides a user authentication device, comprising:
an interface unit for receiving the TCP SYN segment sent by the client to the server;
a proxy unit for constructing, from the client's SYN, a SYN+ACK segment whose source address is the server's address and whose window is zero, and sending it to the client through the interface unit;
an authentication unit for sending an authentication request to the client and performing user authentication after the ACK returned by the client for the SYN+ACK has been received.
By proxying the client's TCP connection request to the server and authenticating the client on top of that proxying, the embodiment effectively blocks TCP services from unauthorized users and achieves authentication of TCP services.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the description are introduced briefly below. Obviously the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the user authentication method of embodiment one;
Fig. 2 is a flow chart of the user authentication method of embodiment two;
Fig. 3 is a signalling diagram of the user authentication method of the embodiments;
Fig. 4 is a block diagram of the user authentication system of the embodiments.
Detailed description
To make the purpose, technical solution and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the embodiments described here only explain the invention and do not limit it.
Refer to Fig. 1, a flow chart of the user authentication method of embodiment one. In this method the end that initiates the connection is called the client and the other end is called the server; the client and the server can communicate through a firewall acting as relay. The authentication method can be implemented by the firewall and comprises:
Step S30: receive the TCP SYN segment sent by the client to the server;
Step S32: construct, from the client's SYN, a SYN+ACK segment whose source address is the server's address and whose window is zero, and send it to the client;
Step S34: receive the ACK the client returns for the SYN+ACK. At this point the firewall has completed the first three-way handshake in place of the server.
Step S36: send an authentication request to the client to perform user authentication.
After the three-way handshake between the firewall and the client is complete, the firewall does not immediately perform a three-way handshake with the server; instead it sends the authentication request to the client, asking the client to authenticate (for example with an HTTP-style challenge).
By having the firewall proxy the client's TCP connection request to the server and authenticate the client on top of that proxying, the embodiment effectively blocks TCP services from unauthorized users and achieves authentication of TCP services.
Refer to Fig. 2, a flow chart of the user authentication method of embodiment two. It differs from embodiment one in that the following steps are added after step S36:
Step S38: judge whether authentication passed. Specifically, after the firewall sends the authentication request to the client in step S36, the client constructs an authentication message and sends it to the firewall for authentication; the firewall authenticates the user according to the authentication message the client sends, and if authentication succeeds the firewall continues the proxy process, i.e. executes step S40.
Step S40: establish a TCP connection with the server. Specifically, the firewall constructs a TCP SYN segment and sends it to the server; the server returns a SYN+ACK for that SYN to the firewall; after receiving the server's SYN+ACK the firewall returns an ACK for it to the server. At this point the firewall has completed the second three-way handshake.
Further, the method can also comprise: the firewall constructs an ACK segment whose destination address is the client, whose source address is the server and whose window is non-zero, and sends it to the client. This step amounts to the firewall sending a window update to the client; after receiving the window update the client resumes sending data.
By having the firewall proxy the client's TCP connection request to the server and authenticate the client on top of that proxying, the embodiment effectively blocks TCP services from unauthorized users and achieves authentication of TCP services. Moreover, authentication of TCP services is concentrated entirely on the firewall, so the firewall manages all servers in a unified way; the servers do not need to be configured one by one, which reduces the workload of network maintenance staff.
Refer to Fig. 3, a signalling diagram of the user authentication method of the embodiments. The firewall sits between the client and the server; the end that initiates the connection is called the client and the other end the server, and the client and server communicate through the firewall as relay. The authentication method comprises:
Step S101: the client sends a TCP SYN segment to the server;
Step S102: after the firewall receives the SYN, it returns a zero-window TCP SYN+ACK to the client in place of the server.
After receiving the client's SYN, the firewall constructs a SYN+ACK whose source address is the server's address and whose window is zero, and sends it to the client. The window of the SYN+ACK is set to zero to tell the client not to send data for the time being; this stops the client from sending data immediately after the three-way handshake completes.
Step S103: the client sends the ACK for the SYN+ACK to the firewall. At this point the firewall has completed the first three-way handshake in place of the server.
Step S104: the firewall sends an authentication request to the client.
After the handshake between the firewall and the client is complete, the firewall does not immediately perform a three-way handshake with the server; instead it sends the authentication request to the client, asking the client to authenticate (for example with an HTTP-style challenge). Specifically, the firewall can indicate the authentication mode in the request, for example Basic or Digest.
The authentication request must reuse the TCP session. So that it can traverse NAT devices and reach the client, the authentication request must be disguised as a data segment of the TCP connection: it is a TCP segment whose source port is the server's service port, whose source IP is the server's IP address, whose destination address is the client's IP address and whose destination port is the source port from which the client initiated the TCP connection.
Step S105: after receiving the authentication request, the client sends an authentication message to the firewall.
Because the authentication request sent by the firewall is disguised as a TCP segment, the client must separate authentication requests from TCP data segments. There are many ways to do this; for example, a Network Driver Interface Specification (NDIS) driver installed on the client intercepts every TCP segment and, if a segment matches the signature of an authentication request, starts the authentication procedure. The signature of an authentication request can be a fixed magic number.
If a segment is found to be an authentication request it is discarded and the authentication procedure is started; if it is not an authentication request it is handed to TCP. The authentication procedure can use any common authentication protocol or a custom one. The authentication message itself does not need to be disguised as a TCP segment.
To simplify authentication, the user can save the user name and password in a configuration file, so that the client completes authentication automatically when the firewall requests it.
Step S106: after receiving the authentication request from the firewall, the client constructs an authentication message and sends it to the firewall.
The client base64-encodes the user name and password, adds them to the authentication message and sends it to the firewall for user authentication.
Step S107: the firewall authenticates the user according to the authentication message the client sent; if authentication succeeds the firewall continues the proxy process.
Step S108: the firewall constructs a TCP SYN segment and sends it to the server.
Using the port recorded earlier, from which the client initiated the TCP connection, the firewall sets the destination address to the server and the source address to the client, constructs a TCP SYN and sends it to the server to request a TCP connection.
Step S109: the server returns a SYN+ACK for the SYN to the firewall; the window size in this SYN+ACK is the server's real window size.
Step S110: after receiving the server's SYN+ACK, the firewall returns an ACK for it to the server. At this point the firewall has completed the second three-way handshake.
Step S120: the firewall constructs an ACK segment whose destination address is the client, whose source address is the server and whose window is non-zero, and sends it to the client.
This step amounts to the firewall sending a window update to the client; after receiving the window update the client resumes sending data.
By having the firewall proxy the client's TCP connection request to the server and authenticate the client on top of that proxying, the embodiment effectively blocks TCP services from unauthorized users and achieves authentication of TCP services. Moreover, authentication of TCP services is concentrated entirely on the firewall, so the firewall manages all servers in a unified way; the servers do not need to be configured one by one, which reduces the workload of network maintenance staff.
Refer to Fig. 4, a block diagram of the user authentication system of the embodiments. The system comprises a client 100, a user authentication device 200 and a server 300. In the embodiments the client 100 is the initiating end of the session connection and the server 300 is the other end; the user authentication device 200 sits between the client 100 and the server 300, and the client 100 and the server 300 communicate through the user authentication device 200 as relay. The user authentication device 200 comprises a proxy unit 202, an interface unit 204 and an authentication unit 206.
The interface unit 204 receives the TCP SYN segment the client 100 sends to the server;
the proxy unit 202 constructs, from the SYN sent by the client 100, a SYN+ACK whose source address is the address of the server 300 and whose window is zero, and sends it to the client 100 through the interface unit;
the authentication unit 206 sends an authentication request to the client 100 and performs user authentication after the ACK returned by the client 100 for the SYN+ACK has been received.
The authentication request must reuse the TCP session. So that it can traverse NAT devices and reach the client, the authentication unit 206 disguises the authentication request as a data segment of the TCP connection: it is a TCP segment whose source port is the service port of the server 300, whose source IP is the IP address of the server 300, whose destination address is the IP address of the client 100 and whose destination port is the source port from which the client 100 initiated the TCP connection.
After the authentication unit 206 has verified that the client 100 is legitimate, the proxy unit 202 establishes a TCP connection with the server 300 through the interface unit 204.
Specifically, using the port recorded earlier from which the client 100 initiated the TCP connection, the proxy unit 202 sets the destination address to the server 300 and the source address to the client 100, constructs a TCP SYN and sends it to the server 300 to request a TCP connection;
the server 300 returns a SYN+ACK for the SYN to the proxy unit 202; the window size in this SYN+ACK is the real window size of the server 300;
after receiving the SYN+ACK from the server 300, the proxy unit 202 returns an ACK for it to the server 300.
After the TCP connection with the server 300 has been established, the proxy unit 202 also constructs an ACK segment whose destination address is the client 100, whose source address is the server 300 and whose window is non-zero, and sends it to the client 100; after receiving this ACK the client 100 resumes sending data.
In a specific implementation the user authentication device 200 of the embodiments can be a firewall device.
By having the proxy unit 202 proxy the TCP connection request of the client 100 and the authentication unit 206 authenticate the client 100 on top of that proxying, the embodiment effectively blocks TCP services from unauthorized users and achieves authentication of TCP services. Moreover, authentication of TCP services is concentrated entirely in the authentication unit 206 of the user authentication device 200, so the device 200 manages all servers in a unified way; the servers do not need to be configured one by one, which reduces the workload of network maintenance staff.
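The exchange of Fig. 2 (steps S38 to S40), Fig. 3 (S101 to S120) and the Fig. 4 units, run end to end as an added simulation in Python that is not part of the patent: three in-process parties pass constructed segments instead of real packets. The addresses, initial sequence numbers, the magic number, the "AUTH basic" request body and the credential store are all assumptions; the patent fixes none of them. Two points the patent leaves implicit are made explicit. First, the client's driver must drop the disguised request before TCP sees it (as S105 says), otherwise the firewall's sequence space would be disturbed. Second, because the firewall chose its own initial sequence number in S102 while the server chooses another in S109, the firewall has to shift acknowledgement and sequence numbers when it relays; that translation is my addition, not the patent's. As the page's own background says of Basic mode, the base64 credential of S106 is clear text to anyone on the path, and a fixed magic number is a signature anyone can imitate, so in practice the authentication message needs its own confidentiality and the client filter should only accept requests arriving from the firewall's side.

```python
import base64
import hmac
from collections import namedtuple

MAGIC = b"\xfe\xed\xfa\xce"  # assumed marker; the patent only says "a fixed magic number"
SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
SYNACK = SYN | ACK
Segment = namedtuple("Segment", "src dst flags seq ack window payload", defaults=(0, 0, b""))  # src/dst: (ip, port)


class Firewall:  # user authentication device: proxies the first handshake, authenticates, then relays
    def __init__(self, credentials, fw_isn=1000):
        self.credentials, self.fw_isn, self.flows = credentials, fw_isn, {}

    def from_client(self, seg):
        key = (seg.src, seg.dst)
        if seg.flags == SYN:  # S101/S102: zero-window SYN+ACK in the server's name
            self.flows[key] = {"client_isn": seg.seq, "server_isn": None, "authed": False}
            return [("client", Segment(seg.dst, seg.src, SYNACK, self.fw_isn, seg.seq + 1, 0))]
        flow = self.flows.get(key)
        if flow is None:
            return []
        if not flow["authed"]:  # S103 -> S104: request disguised as a data segment on the server's 4-tuple
            if seg.flags == ACK and seg.ack == self.fw_isn + 1 and not seg.payload:
                return [("client", Segment(seg.dst, seg.src, ACK, self.fw_isn + 1, seg.seq, 0, MAGIC + b"AUTH basic"))]
            return []  # window is zero: nothing else is expected before authentication
        # relay (added, not in the patent): the client acks the firewall's ISN, the server expects its own
        return [("server", seg._replace(ack=seg.ack + flow["server_isn"] - self.fw_isn))]

    def auth_response(self, client, server, msg):  # S105-S108
        flow = self.flows.get((client, server))
        if flow is None or flow["authed"]:
            return []
        try:
            user, _, pw = base64.b64decode(msg, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return []
        if not hmac.compare_digest(self.credentials.get(user, "").encode(), pw.encode()):
            return []  # the patent does not say what happens on failure; here the flow simply stays blocked
        flow["authed"] = True  # second handshake: SYN carries the client's address and recorded source port
        return [("server", Segment(client, server, SYN, flow["client_isn"]))]

    def from_server(self, seg):
        client, server = seg.dst, seg.src
        flow = self.flows.get((client, server))
        if flow is None or not flow["authed"]:
            return []
        if seg.flags == SYNACK and flow["server_isn"] is None:  # S109 -> S110, then the S120 window update
            flow["server_isn"] = seg.seq
            ack = Segment(client, server, ACK, flow["client_isn"] + 1, seg.seq + 1, 65535)
            update = Segment(server, client, ACK, self.fw_isn + 1, flow["client_isn"] + 1, seg.window)
            return [("server", ack), ("client", update)]
        return [("client", seg._replace(seq=seg.seq - flow["server_isn"] + self.fw_isn))]


class Client:  # client TCP stack behind the driver-level filter of S105
    def __init__(self, addr, server, creds, isn=5000):
        self.addr, self.server, self.creds, self.isn = addr, server, creds, isn
        self.seq, self.peer_seq, self.window, self.up = isn, 0, 0, False

    def receive(self, seg):
        if seg.payload.startswith(MAGIC):  # intercepted: answered out of band, never handed to TCP
            return "auth", base64.b64encode(":".join(self.creds).encode())
        if not self.up and seg.flags == SYNACK and seg.ack == self.isn + 1:
            self.up, self.seq, self.peer_seq, self.window = True, self.isn + 1, seg.seq + 1, seg.window
            return "tcp", Segment(self.addr, self.server, ACK, self.seq, self.peer_seq, 65535)
        if self.up and seg.seq == self.peer_seq:  # window update or in-order data
            self.window, self.peer_seq = seg.window, self.peer_seq + len(seg.payload)
        return "tcp", None

    def send(self, data):
        if not self.window:  # zero window from the proxied SYN+ACK: must wait for S120
            return None
        self.seq += len(data)
        return Segment(self.addr, self.server, ACK, self.seq - len(data), self.peer_seq, 65535, data)


class Server:
    def __init__(self, addr, isn=9000, window=8192):
        self.addr, self.isn, self.window, self.conns = addr, isn, window, {}

    def receive(self, seg):
        if seg.flags == SYN:
            self.conns[seg.src] = {"peer_seq": seg.seq + 1, "data": b""}
            return Segment(self.addr, seg.src, SYNACK, self.isn, seg.seq + 1, self.window)
        conn = self.conns.get(seg.src)
        if conn and seg.ack == self.isn + 1 and seg.seq == conn["peer_seq"]:
            conn["data"], conn["peer_seq"] = conn["data"] + seg.payload, conn["peer_seq"] + len(seg.payload)
        return None


def run_flow(username, password, credentials=None):
    """Drive one connection attempt through the firewall; returns what each party ended up with."""
    caddr, saddr = ("10.0.0.2", 40001), ("192.0.2.10", 3306)  # constructed addresses
    client, server = Client(caddr, saddr, (username, password)), Server(saddr)
    fw = Firewall(credentials or {"alice": "s3cret"})  # constructed credential store
    stack = [("data", None)] + fw.from_client(Segment(caddr, saddr, SYN, client.isn))  # LIFO: "data" runs last
    while stack:
        target, seg = stack.pop()
        if target == "server":
            reply = server.receive(seg)
            stack += fw.from_server(reply) if reply else []
        elif target == "data":
            seg = client.send(b"hello")  # None while the window is still zero
            stack += fw.from_client(seg) if seg else []
        else:
            kind, reply = client.receive(seg)
            stack += fw.auth_response(caddr, saddr, reply) if kind == "auth" else (fw.from_client(reply) if reply else [])
    return {"authenticated": fw.flows[(caddr, saddr)]["authed"], "server_connections": len(server.conns),
            "client_window": client.window, "server_data": server.conns.get(caddr, {}).get("data", b"")}
```

With the right password the server sees exactly one connection, carrying the client's own address and port, and receives the data with correctly shifted acknowledgement numbers; with a wrong password the server never sees a SYN and the client stays parked behind the zero window it was given in S102.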
A person of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
The above is only a preferred embodiment of the invention, and the scope of protection of the invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. The scope of protection of the invention should therefore be determined by the scope of the claims.

Claims (10)

1. A user authentication method, comprising:
receiving a TCP SYN segment sent by a client to a server;
constructing, from the client's SYN, a SYN+ACK segment whose source address is the server's address and whose window is zero, and sending it to the client;
receiving the ACK the client returns for the SYN+ACK;
sending an authentication request to the client to perform user authentication.
2. The method of claim 1, characterized in that the authentication request is disguised as a TCP segment and sent to the client to perform user authentication.
3. The method of claim 2, characterized in that the source port of the authentication request is the service port of the server, its source IP is the IP address of the server, its destination address is the IP address of the client and its destination port is the source port from which the client initiated the TCP connection.
4. The method of claim 1, characterized in that it further comprises:
judging whether authentication passed, and if so establishing a TCP connection with the server.
5. The method of claim 4, characterized in that establishing a TCP connection with the server comprises: constructing a TCP SYN segment and sending it to the server, receiving the SYN+ACK returned for that SYN, and returning an ACK for the SYN+ACK to the server.
6. A user authentication device, comprising:
an interface unit for receiving a TCP SYN segment sent by a client to a server;
a proxy unit for constructing, from the client's SYN, a SYN+ACK segment whose source address is the server's address and whose window is zero, and sending it to the client through the interface unit;
an authentication unit for sending an authentication request to the client and performing user authentication after the ACK returned by the client for the SYN+ACK has been received.
7. The device of claim 6, characterized in that the authentication unit disguises the authentication request as a TCP segment and sends it to the client to perform user authentication.
8. The device of claim 7, characterized in that the source port of the authentication request is the service port of the server, its source IP is the IP address of the server, its destination address is the IP address of the client and its destination port is the source port from which the client initiated the TCP connection.
9. The device of claim 6, characterized in that the proxy unit is further adapted to establish a TCP connection with the server through the interface unit after the authentication unit has verified that the client is legitimate.
10. The device of claim 9, characterized in that establishing a TCP connection with the server through the interface unit comprises: the proxy unit constructs a TCP SYN segment and sends it to the server, receives the SYN+ACK the server returns for that SYN, and returns an ACK for the SYN+ACK to the server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101063401A CN101521675B (en) 2009-03-23 2009-03-23 User certification method and device

Publications (2)

Publication Number Publication Date
CN101521675A true CN101521675A (en) 2009-09-02
CN101521675B CN101521675B (en) 2012-11-07

Family

ID=41082048

Country Status (1)

Country Link
CN (1) CN101521675B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881425A (en) * 2018-06-07 2018-11-23 University of Science and Technology of China (中国科学技术大学) Data packet processing method and system
CN113765893A (en) * 2021-08-13 2021-12-07 Chengdu Anheng Information Technology Co., Ltd (成都安恒信息技术有限公司) Protocol proxy password penetration authentication method applied to MySQL system
WO2022100002A1 (en) * 2020-11-10 2022-05-19 Huawei Technologies Co., Ltd (华为技术有限公司) Network security protection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630248A (en) * 2003-12-19 2005-06-22 Beihang University (北京航空航天大学) SYN flooding attack defence method based on connection request authentication
CN101296223B (en) * 2007-04-25 2011-02-02 Beijing Topsec Network Security Technology Co., Ltd (北京天融信网络安全技术有限公司) Method for implementing firewall chip participation in SYN proxy


Also Published As

Publication number Publication date
CN101521675B (en) 2012-11-07


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20221010

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611731 Qingshui River District, Chengdu hi tech Zone, Sichuan, China

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.