Summary of the invention
To overcome the above defects, the invention provides a secure access system for C/S architecture services and a related access method, which solve the problem that data transmission between the service server and the remote service terminal is not protected and is therefore easily intercepted and tampered with.
To achieve the above object, the invention provides a secure access system for C/S architecture services comprising a secure access gateway server and a terminal security access unit; its improvement is that the secure access system is connected in series between the original service server and the remote service terminal equipment.
The secure access gateway server of the invention comprises authentication module 1, data encryption/decryption module 1, an access control module, an access monitoring module and a data forwarding module. In the key agreement stage, the secure access gateway server receives the data coming from the terminal security access unit, authenticates the terminal security access unit through authentication module 1 and negotiates the key used to protect data transmission; when the negotiation succeeds, the service communication stage is entered. In the service communication stage, for data sent by the service terminal to the service server, the secure access gateway receives the data sent by the terminal security access unit, decrypts it with data encryption/decryption module 1, and the data forwarding module passes the decrypted data to the service server according to the access control module's decision on the access rights of the remote service terminal. In the service communication stage, for data sent by the service server to the remote service terminal, the secure access gateway receives the data sent by the service server, encrypts it with data encryption/decryption module 1, and the data forwarding module passes the encrypted data to the terminal security access unit. The access monitoring module monitors the access state of the terminal security access units registered in the secure access gateway server.
The terminal security access unit of the invention comprises authentication module 2, data encryption/decryption module 2 and a data transmission module. In the key agreement stage, the terminal security access unit performs authentication and key agreement with the secure access gateway server through authentication module 1; when the negotiation succeeds, the service communication stage is entered. In the service communication stage, for data sent by the remote service terminal to the service server, the secure access unit receives the data sent by the remote service terminal, encrypts it with data encryption/decryption module 2, and the data transmission module transfers the encrypted data to the secure access gateway server. In the service communication stage, for data sent by the service server to the remote service terminal, the terminal security access unit receives the data sent by the secure access gateway, decrypts it with data encryption/decryption module 2, and the data transmission module transfers the decrypted data to the remote service terminal.
Both the secure access gateway and the terminal security access unit of the invention support a certificate-based authentication mode and an authentication mode based on preset public/private key pairs.
The invention also provides a secure access method for the secure access system for C/S architecture services. The operation of the method is divided into an authentication stage, a service communication stage and a symmetric authentication stage; its improvement is that the secure access method comprises the following steps:
1). First, the terminal security access unit enters the authentication stage; in the authentication stage, the terminal security access unit initiates authentication to the secure access gateway server;
2). In the authentication stage, authentication uses a challenge-response protocol based on a public key system;
3). In the authentication stage, the symmetric key used to protect data transmission is negotiated; once this completes successfully, the service communication stage is entered;
4). In the service communication stage, after the terminal security access unit receives data from the remote service terminal, it encrypts the data and sends the ciphertext to the secure access gateway server; after the secure access gateway server receives the data coming from the terminal security access unit, it decrypts the data and forwards it to the service server;
5). In the service communication stage, the secure access gateway server encrypts the data it obtains from the service server and forwards it to the terminal security access unit; after the terminal security access unit receives the data coming from the secure access gateway server, it decrypts the data and forwards it to the remote service terminal;
6). When communication between the terminal security access unit and the secure access gateway is temporarily interrupted, or an encryption or decryption error occurs on the data, the symmetric authentication stage is entered; in the symmetric authentication stage, the terminal security access unit initiates authentication to the secure access gateway server;
7). In the symmetric authentication stage, authentication uses a challenge-response protocol based on a public key system, and the service communication stage is entered after it completes;
8). The authentication stage is re-entered when the symmetric authentication failure threshold is reached, or when the threshold time after completion of the asymmetric authentication has elapsed; the symmetric authentication failure threshold and the asymmetric authentication completion threshold time can both be configured in the secure access gateway.
Compared with the prior art, the secure access system for C/S architecture services and related access method provided by the invention can be applied to all kinds of terminal equipment, whether it communicates over an Ethernet interface or over a GPRS module connected through a serial port. It solves the problem of bidirectional identity authentication between the service server and the remote service terminal: authentication ensures that both communicating parties confirm each other's identity, which prevents unauthorized remote terminal equipment from fraudulently obtaining the trust of the service server and then stealing or tampering with the information of the application server, and prevents an illegitimate service server from controlling remote service terminals to carry out malicious sabotage. It solves the problem of data security between the remote service terminal and the service server: after authentication, system data are encrypted and integrity-protected, so that the data cannot be stolen or tampered with. It provides this protection "transparently", without changing the architecture of the original system and with few changes to its configuration. The secure access system supports adaptation to multiple cryptographic algorithms. At the same time, the secure access gateway monitors the access state of the terminal security access units registered with it.
Embodiment
As shown in Figure 1, a secure access system is deployed between the remote service terminal and the service server; this system performs identity authentication between the remote service terminal and the service server and protects the transmission of all business data.
In a first aspect of the invention, a system for C/S architecture services that strengthens the security of various RTUs (remote terminal units) is provided. The secure access gateway server authenticates the identity of terminal equipment and coordinates with the terminal equipment so that data are transmitted securely between it and the service server; the terminal security access unit extends the identity authentication and secure transmission capabilities of the RTU.
The terminal security access unit can be a device that receives the remote service terminal's data over an Ethernet interface, an RS232 serial port or an optical fibre interface, with a built-in hardware cryptographic algorithm chip. The terminal security access unit performs authentication and key agreement with the secure access gateway server through its authentication module; after a successful negotiation, the data encryption/decryption module and the transmission module encrypt, decrypt and forward the data, realising the security functions of the secure access system on the remote service terminal side.
The secure access gateway server can be a server with dual Ethernet interfaces, and the cryptographic algorithms can be implemented by a built-in hardware encryption card. The secure access gateway server authenticates the terminal security access unit through its authentication module and negotiates the key that protects data transmission; after a successful negotiation, the data encryption/decryption module and the data transmission module encrypt, decrypt and forward the data. At the same time, the secure access gateway server can monitor the access state of the registered terminal security access units, realising the security functions of the secure access system on the service server side.
The terminal security access unit supports the connection of all kinds of terminal equipment that implement TCP/IP communication over an Ethernet interface, an RS232 serial port or an optical fibre interface; the secure access gateway server supports connection to the service server in routing mode. The secure access system formed by the secure access gateway server and the terminal security access unit can be connected in series between the service server and the remote service terminal, providing "transparent" protection without changing the architecture of the original system and with few changes to its configuration.
As shown in Figure 2, a secure access method for the secure access system for C/S architecture services is proposed, comprising the following steps:
1). First, the terminal security access unit enters the authentication stage; in the authentication stage, the terminal security access unit initiates authentication to the secure access gateway server;
2). In the authentication stage, authentication uses a challenge-response protocol based on a public key system;
3). In the authentication stage, the symmetric key used to protect data transmission is negotiated; once this completes successfully, the service communication stage is entered;
4). In the service communication stage, after the terminal security access unit receives data from the remote service terminal, it encrypts the data and sends the ciphertext to the secure access gateway server; after the secure access gateway server receives the data coming from the terminal security access unit, it decrypts the data and forwards it to the service server;
5). In the service communication stage, the secure access gateway server encrypts the data it obtains from the service server and forwards it to the terminal security access unit; after the terminal security access unit receives the data coming from the secure access gateway server, it decrypts the data and forwards it to the remote service terminal;
6). When communication between the terminal security access unit and the secure access gateway is temporarily interrupted, or an encryption or decryption error occurs on the data, the symmetric authentication stage is entered; in the symmetric authentication stage, the terminal security access unit initiates authentication to the secure access gateway server;
7). In the symmetric authentication stage, authentication uses a challenge-response protocol based on a public key system, and the service communication stage is entered after it completes;
8). When the symmetric authentication failure threshold is reached, or the threshold time after completion of the asymmetric authentication has elapsed (the symmetric authentication failure threshold and the asymmetric authentication completion threshold time can both be configured in the secure access gateway), the authentication stage is re-entered;
9). Throughout the process, the secure access gateway can monitor the access state of the registered terminal security access units and record detailed audit information for later querying.
The concrete steps of the secure access method are as follows:
1. Identity authentication; there are two identity authentication modes:
Certificate-based public key authentication mode;
Public key authentication mode based on preset public/private key pairs;
Steps of the certificate-based public key authentication mode:
1) The terminal security access unit A sends an authentication request clientHello message to the secure access gateway server B; the clientHello message contains A's authentication mode, the algorithms A supports and a random-number challenge generated by A;
2) After receiving A's clientHello message, B confirms the algorithm, produces a signature response over the random-number challenge generated by A, generates a random-number challenge of its own and forms a serverHello message from it together with the signature response, which it sends to A; at the same time B sends its own certificate to A;
3) After A receives B's certificate and the serverHello message, the following sub-steps are carried out:
A) B's certificate is verified;
B) The public key is extracted from the verified certificate and used to verify the signature value over the random number;
C) A uses its private key to produce a signature response over the random number generated by B;
D) A symmetric key is generated and encrypted under B's public key for protection;
E) The signature response and the key protected under B's public key form a ClientKeyExchange message, which is sent to B; at the same time A sends its own certificate to B;
4) After B receives A's certificate and the ClientKeyExchange message, the following sub-steps are carried out:
A) A's certificate is verified;
B) The public key is extracted from the verified certificate and used to verify the signature value over the random number;
C) After the signature value is verified successfully, B uses its private key to decrypt the key generated by A;
D) Finally, B sends the Finish message indicating authentication success to A;
Steps of the public key authentication mode based on preset public/private key pairs:
1) The terminal security access unit A sends an authentication request clientHello message to the secure access gateway server B; the clientHello message contains A's authentication mode, the algorithms A supports and a random-number challenge generated by A;
2) After receiving A's clientHello message, B confirms the algorithm, produces a signature response over the random-number challenge generated by A, generates a random-number challenge of its own and forms a serverHello message from it together with the signature response, which it sends to A;
3) After A receives the serverHello message from B, the following sub-steps are carried out:
A) The public key is extracted from the preset certificate of B and used to verify the signature value over the random number;
B) A uses its private key to produce a signature response over the random number generated by B;
C) A symmetric key is generated and encrypted under B's public key for protection;
D) The signature response and the key protected under B's public key form a ClientKeyExchange message, which is sent to B; at the same time A sends B the ID value under which A's public key is preset in B;
4) After B receives the ID value sent by A and the ClientKeyExchange message, the following sub-steps are carried out:
A) According to the ID value sent by A, B takes out the public key of A that is preset in B;
B) After the public key is taken out successfully, the signature value over the random number is verified with this public key;
C) After the signature value is verified successfully, B uses its private key to decrypt the key generated by A;
D) Finally, B sends the Finish message indicating authentication success to A;
5) After completing the asymmetric authentication, the terminal security access unit and the secure access gateway send change_cipher_spec messages to each other, notifying the other party that the negotiated key is now used for encryption and decryption. Then the terminal security access unit A sends a proxy mode negotiation message to the secure access gateway server B; after receiving the message, B confirms the proxy mode and replies to A.
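The two asymmetric authentication modes above, as an added illustration that is not the patent's own code: it walks through clientHello, serverHello, ClientKeyExchange and the key unwrapping of steps 1) to 4) for both the certificate mode and the preset public/private key mode. It assumes unpadded textbook RSA over SHA-256 in place of the hardware algorithms (a toy, not a secure scheme), a single CA that issues the certificates, and a gateway-side preset table indexed by terminal ID; the function names (handshake, demo, cert_issue) and the "TOY-RSA-SHA256" algorithm label are this example's own. The change_cipher_spec and proxy mode negotiation of step 5) are not modelled. The demo also exercises the case the summary is concerned with, an unauthorized remote terminal whose certificate was not issued by the trusted CA and whose ID is not preset in the gateway, which both modes must reject.

```python
import hashlib
import os
import random

# Added illustration of the patent's asymmetric authentication stage (certificate mode and
# preset public/private key mode). Unpadded textbook RSA stands in for the hardware
# algorithms only so this runs on the standard library; it is NOT secure. Names are ours.
E = 65537

def _probable_prime(n, rounds=16):
    """Miller-Rabin test for the toy key generator (n is an odd candidate > 3)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keypair(bits=512):
    """Return (public, private) = ((n, e), (n, d)); toy key size, demonstration only."""
    half = bits // 2
    primes = filter(_probable_prime, iter(lambda: random.getrandbits(half) | (1 << (half - 1)) | 1, None))
    while True:
        p, q = next(primes), next(primes)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so phi % E != 0 means gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_digest(data) % priv[0], priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data) % pub[0]

def cert_issue(ca_priv, subject, pub):
    """A certificate binds a subject to its public key under the CA's signature."""
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, f"{subject}|{pub}".encode())}

def cert_verify(ca_pub, cert):
    return verify(ca_pub, f"{cert['subject']}|{cert['pub']}".encode(), cert["sig"])

def handshake(term, gw, ca_pub, mode):
    """Steps 1)-4) between terminal unit A (term) and gateway B (gw). Each party is a dict
    with pub, priv, cert and preset (A: B's public key; B: {terminal id: public key}).
    Returns the agreed symmetric key, or None if authentication fails."""
    # 1) clientHello carries A's mode, supported algorithms and random challenge
    client_hello = {"mode": mode, "algs": ["TOY-RSA-SHA256"], "challenge": os.urandom(16)}
    # 2) serverHello: B signs A's challenge and adds its own; the certificate only in that mode
    server_hello = {"sig": sign(gw["priv"], client_hello["challenge"]), "challenge": os.urandom(16)}
    gw_cert = gw["cert"] if mode == "certificate" else None
    # 3) A checks B's certificate (or uses the preset key), verifies B's signature over A's
    #    challenge, signs B's challenge and wraps a fresh symmetric key under B's public key
    if mode == "certificate":
        if not cert_verify(ca_pub, gw_cert):
            return None
        gw_pub = gw_cert["pub"]
    else:
        gw_pub = term["preset"]
    if not verify(gw_pub, client_hello["challenge"], server_hello["sig"]):
        return None
    key_a = int.from_bytes(os.urandom(16), "big")  # 128-bit key, below the toy modulus
    key_exchange = {"sig": sign(term["priv"], server_hello["challenge"]),
                    "enc_key": pow(key_a, gw_pub[1], gw_pub[0])}
    ident = term["cert"] if mode == "certificate" else term["id"]
    # 4) B checks A's certificate (or looks A's preset key up by ID), verifies the signature
    #    over its challenge and unwraps the key; the Finish message to A would follow
    if mode == "certificate":
        if not cert_verify(ca_pub, ident):
            return None
        term_pub = ident["pub"]
    else:
        term_pub = gw["preset"].get(ident)
        if term_pub is None:
            return None
    if not verify(term_pub, server_hello["challenge"], key_exchange["sig"]):
        return None
    key_b = pow(key_exchange["enc_key"], gw["priv"][1], gw["priv"][0])
    return key_b if key_b == key_a else None  # both ends now hold the same key

def demo(mode="certificate", rogue_terminal=False):
    """Constructed setup: CA, gateway B, terminal A. A rogue A carries a certificate from an
    unknown CA and is absent from B's preset table, so B must reject it in either mode."""
    ca_pub, ca_priv = rsa_keypair()
    gw_pub, gw_priv = rsa_keypair()
    a_pub, a_priv = rsa_keypair()
    issuer = rsa_keypair()[1] if rogue_terminal else ca_priv
    gw = {"pub": gw_pub, "priv": gw_priv, "cert": cert_issue(ca_priv, "gateway-B", gw_pub),
          "preset": {} if rogue_terminal else {"terminal-A": a_pub}}
    term = {"id": "terminal-A", "pub": a_pub, "priv": a_priv,
            "cert": cert_issue(issuer, "terminal-A", a_pub), "preset": gw_pub}
    return handshake(term, gw, ca_pub, mode)
```

Each side signs only the challenge the other side generated, so a signature captured from one run cannot be replayed in another, and the gateway accepts the wrapped key only after the terminal's signature has been verified against a CA-issued certificate or a preset public key. With a real deployment the toy RSA would be replaced by the hardware chip's signature and key-encapsulation primitives, and `demo` by the actual key provisioning.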
2. Unidirectional authentication
1) When communication between the terminal security access unit and the secure access gateway is temporarily interrupted, or an encryption or decryption error occurs on the data, the symmetric authentication stage is entered. In the symmetric authentication stage the terminal security access unit initiates authentication to the secure access gateway server, and the authentication is carried out by computing a MAC with the symmetric key negotiated in the steps above.
2) After completing the symmetric authentication, the terminal security access unit and the secure access gateway send change_cipher_spec messages to each other, notifying the other party that the negotiated key is now used for encryption and decryption. Then the terminal security access unit A sends a proxy mode negotiation message to the secure access gateway server B; after receiving the message, B confirms the proxy mode and replies to A.
3. Service communication
Once the proxy mode has been negotiated successfully, the terminal security access unit A receives application data from the remote service terminal C, encrypts the data and forwards it to the secure access gateway server B; after B receives the data coming from A, it decrypts the data and forwards it to the service server S. When B obtains data from S, it encrypts the data and forwards it to A; after A receives the data coming from B, it decrypts the data and forwards it to C.
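The service communication stage and the symmetric authentication stage (sections 2 and 3 above, together with steps 6) to 8) of the method), as an added example that is not part of the patent. It assumes that the session key is the output of the asymmetric stage, that the MAC of the symmetric authentication is HMAC-SHA256 over a fresh challenge, and that confidentiality and integrity of the business data are provided by an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of the hardware cipher; the class name SecureSession, the method names, the default threshold values and the sample telemetry datum are this example's own. A bad tag on a received datagram counts as the "encryption or decryption error" of step 6), successful MAC authentication returns the session to service communication (step 7)), and either the failure threshold or the time threshold forces re-entry into the asymmetric authentication stage (step 8)).

```python
import hashlib
import hmac
import os
import time

# Added example (not the patent's own code) of the service communication stage and of the
# symmetric re-authentication stage with its two configurable thresholds. The session key
# is assumed to come from the asymmetric stage; an HMAC-SHA256 counter-mode keystream with
# encrypt-then-MAC stands in for the hardware cipher. All names here are this example's own.

class SecureSession:
    """One end of the terminal-unit <-> gateway link and the stage it is currently in."""
    SERVICE, SYMMETRIC_AUTH, ASYMMETRIC_AUTH = "service", "symmetric_auth", "asymmetric_auth"

    def __init__(self, session_key, fail_threshold=3, reauth_seconds=3600.0, clock=time.monotonic):
        # Separate encryption and MAC keys derived from the negotiated symmetric key
        self.k_enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
        self.fail_threshold = fail_threshold  # symmetric authentication failure threshold
        self.reauth_seconds = reauth_seconds  # threshold time after asymmetric authentication
        self.clock = clock
        self.asym_done_at = clock()           # the asymmetric stage has just completed
        self.sym_failures = 0
        self.state = self.SERVICE

    def _mac(self, data):
        return hmac.new(self.k_mac, data, hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        blocks = (hmac.new(self.k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(0, length, 32))
        return b"".join(blocks)[:length]

    # ---- service communication stage: steps 4) and 5) ----
    def protect(self, plaintext):
        """Encrypt-then-MAC one business datagram: nonce || ciphertext || tag."""
        nonce = os.urandom(12)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + self._mac(nonce + ct)

    def unprotect(self, record):
        """Return the plaintext, or None on a bad tag, which the method treats as an
        encryption/decryption error and answers by entering symmetric authentication."""
        nonce, ct, tag = record[:12], record[12:-32], record[-32:]
        if len(record) < 44 or not hmac.compare_digest(tag, self._mac(nonce + ct)):
            self.state = self.SYMMETRIC_AUTH
            return None
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def on_interrupt(self):
        """A temporary communication interruption also triggers symmetric authentication."""
        self.state = self.SYMMETRIC_AUTH

    # ---- symmetric authentication stage: steps 6) to 8) ----
    def auth_request(self):
        """Terminal side: a fresh challenge plus a MAC computed with the negotiated key."""
        challenge = os.urandom(16)
        return challenge, self._mac(b"terminal" + challenge)

    def auth_verify(self, challenge, mac):
        """Gateway side: check the MAC, count failures and apply the failure threshold."""
        if hmac.compare_digest(mac, self._mac(b"terminal" + challenge)):
            self.sym_failures = 0
            self.state = self.SERVICE             # step 7): back to service communication
            return True
        self.sym_failures += 1
        if self.sym_failures >= self.fail_threshold:
            self.state = self.ASYMMETRIC_AUTH     # step 8): re-enter the asymmetric stage
        return False

    def check_timer(self):
        """Step 8): the time threshold after asymmetric authentication also forces re-entry."""
        if self.clock() - self.asym_done_at >= self.reauth_seconds:
            self.state = self.ASYMMETRIC_AUTH
        return self.state

def run_scenario():
    """Constructed walk-through; returns the list of checks that a healthy run passes."""
    key = os.urandom(16)                           # assumed output of the asymmetric stage
    terminal, gateway = SecureSession(key, fail_threshold=2), SecureSession(key, fail_threshold=2)
    datum = b"RTU-01 telemetry: V=230.1"           # constructed business datum from terminal C
    record = terminal.protect(datum)
    checks = [gateway.unprotect(record) == datum]  # gateway decrypts and would forward to S
    tampered = record[:-1] + bytes([record[-1] ^ 1])
    checks.append(gateway.unprotect(tampered) is None and gateway.state == gateway.SYMMETRIC_AUTH)
    checks.append(gateway.auth_verify(*terminal.auth_request()) and gateway.state == gateway.SERVICE)
    rogue = SecureSession(os.urandom(16), fail_threshold=2)   # does not hold the negotiated key
    for _ in range(2):
        gateway.auth_verify(*rogue.auth_request())
    checks.append(gateway.state == gateway.ASYMMETRIC_AUTH)
    return checks
```

The failure counter and the timer live on the gateway side, which matches the patent's statement that both thresholds are configured in the secure access gateway; a monitoring module would log each state transition as the audit record mentioned in step 9).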
The invention solves the secure access problem between client and server under a service model that uses the C/S architecture, and has mainly the following advantages:
1) The problem of bidirectional identity authentication between client and server is solved. Through authentication, the remote service terminal and the application server confirm each other's identity, which prevents either party's identity from being impersonated.
2) The problem of data security between the remote service terminal equipment and the service server is solved. All business data passing through the secure access system are protected for confidentiality and integrity, which ensures that the data are not eavesdropped on or tampered with.
3) The system architecture of the original operational system is maintained. The secure access system formed by the secure access gateway server and the terminal security access unit can be connected in series between the service server and the client, providing "transparent" protection without changing the architecture of the original system and with few changes to its configuration.
It should be understood that the content and embodiments of the invention are intended to demonstrate the practical application of the technical solution provided by the invention and should not be construed as limiting the scope of the invention. Those skilled in the art, inspired by the spirit and principles of the invention, can make various modifications, equivalent replacements or improvements, but all such changes or modifications fall within the scope of protection of the pending application.