CN102957704B - Method, apparatus and system for determining a MITM attack - Google Patents

Method, apparatus and system for determining a MITM attack

Info

Publication number
CN102957704B
Authority
CN
China
Prior art keywords
rdp
rdp connection
pki
connection response
response request
Prior art date
Legal status
Active
Application number
CN201210448821.2A
Other languages
Chinese (zh)
Other versions
CN102957704A (en)
Inventor
李镇鹏
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201210448821.2A
Publication of CN102957704A
Application granted
Publication of CN102957704B
Legal status: Active
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, apparatus and system for determining a man-in-the-middle (MITM) attack. The method comprises: when an RDP connection request sent by a client is received, forwarding the RDP connection request to the server; obtaining the first RDP connection response sent by the server, where the first RDP connection response contains the asymmetric-encryption public key generated by the server; replacing the asymmetric-encryption public key contained in the obtained first RDP connection response with a preset first identification public key to form a second RDP connection response, and sending it to the client, where the client determines whether a MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key. MITM attacks can thus be detected actively and the accuracy of determining a MITM attack is improved, thereby improving network security.

Description

Method, apparatus and system for determining a MITM attack
Technical field
The present invention relates to the technical field of network security, and in particular to a method, apparatus and system for determining a man-in-the-middle (MITM) attack.
Background technology
Remote Desktop Protocol (RDP) is a remote desktop protocol widely used in Microsoft operating systems; the remote desktop function allows a user in the network to connect to a remote computer and manage it.
The system architecture shown in Figure 1 comprises a client 101, a switch on the client side (switch 102 in Figure 1), a routing/forwarding device 103, a switch 104 on the server side, and the server. Based on this architecture, a device administrator performs operation and maintenance on a target device through the remote desktop: the administrator logs on to the target device (server 105 on the server side in Figure 1) via remote desktop and then manages it. In this process, however, as shown in Figure 2, the session may be subject to a man-in-the-middle attack. The session information of a remote login session under a man-in-the-middle attack is fully exposed, including key information, echoed output and so on; the man-in-the-middle can also obtain the administrator's privileges, log on to the target device illegally and manipulate it. For example, while administrator A is remotely logging on to the target device, an attacker successfully mounts a man-in-the-middle attack, decrypts the whole remote desktop session and obtains the administrator's login account and password; when administrator A logs off the target device, the attacker learns of this at once and can then use the account and password obtained through the attack to log on to the target device illegally under the administrator's identity and read the sensitive information stored there.
In the prior art, server authentication is generally used to prevent man-in-the-middle attacks. The principle of server authentication is that a server-authentication step is added to the asymmetric key exchange of the session: during the asymmetric negotiation, besides the server's public key and random number, the client also receives server authentication information sent by the server, which may be the server's identity information. If server authentication fails, the client disconnects the whole session, so that the network avoids the man-in-the-middle attack.
Server authentication can only act as a precaution, i.e. it has a preventive effect against man-in-the-middle attacks; it cannot detect an attack that is already in progress: when a man-in-the-middle attack already exists in the network, it cannot be detected. In addition, factors on the device itself, such as an old software version, can cause false positives, which reduces the accuracy of MITM detection.
In summary, the technical schemes proposed in the prior art can only act preventively against man-in-the-middle attacks and cannot actively determine whether a man-in-the-middle attack exists in the network, so network security is poor.
Summary of the invention
Embodiments of the present invention provide a method, apparatus and system for determining a MITM attack, which can actively detect MITM attacks and improve the accuracy of determining a MITM attack, thereby improving network security.
The method for determining a MITM attack comprises: when an RDP connection request sent by a client is received, forwarding the RDP connection request to the server; obtaining a first RDP connection response sent by the server, where the first RDP connection response contains the asymmetric-encryption public key generated by the server; replacing the asymmetric-encryption public key contained in the obtained first RDP connection response with a preset first identification public key to form a second RDP connection response, and sending it to the client, where the client determines whether a MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key.
The apparatus for determining a MITM attack comprises: a forwarding module, for forwarding the RDP connection request to the server when an RDP connection request sent by a client is received; an obtaining module, for obtaining the first RDP connection response sent by the server, where the first RDP connection response contains the asymmetric-encryption public key generated by the server; and a sending module, for replacing the asymmetric-encryption public key contained in the obtained first RDP connection response with the preset first identification public key to form a second RDP connection response and sending it to the client, where the client determines whether a MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key.
The system for determining a MITM attack comprises at least one client server, at least one detection proxy server and at least one server-side server, where: the client is for sending an RDP connection request, receiving the second RDP connection response sent by the detection proxy server, and determining whether a MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key; the detection proxy server is for forwarding the RDP connection request to the server when an RDP connection request sent by the client is received, obtaining the first RDP connection response sent by the server, where the first RDP connection response contains the asymmetric-encryption public key generated by the server, and replacing the asymmetric-encryption public key contained in the obtained first RDP connection response with the preset first identification public key to form a second RDP connection response and sending it to the client; and the server-side server is for receiving the RDP connection request forwarded by the detection proxy server, processing it, and generating and sending the first RDP connection response containing the asymmetric-encryption public key.
With the above technical scheme, the asymmetric-encryption public key contained in the first RDP connection response sent by the server is replaced with the preset first identification public key to form a second RDP connection response, which is sent to the client; the client then determines whether a MITM attack exists in the network according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key. Because the public key in the server's response is actively replaced with the preset first identification public key before being sent on to the client, the client can parse the public key out of the response, compare it with the preset first identification public key, and determine whether a MITM attack exists in the network. Compared with the server-authentication approach of the prior art for guarding against MITM attacks, the technical scheme proposed by the embodiments of the present invention can actively detect MITM attacks and accurately determine whether a man-in-the-middle attack exists in the current network; and when determining whether a MITM attack exists, the session transmission link of the network does not need to be disconnected, so the client and server can carry on a normal session, which improves network security and ensures that confidential information is not leaked.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of a prior-art system configuration for data transmission based on RDP;
Fig. 2 is a schematic diagram of the prior-art system configuration for data transmission based on RDP when a MITM attack is present;
Fig. 3 is a schematic diagram of the composition of the system for determining a MITM attack proposed in embodiment one of the present invention;
Fig. 4 is a flow chart of the method for determining a MITM attack proposed in embodiment two of the present invention;
Fig. 5 is a schematic structural diagram of the apparatus for determining a MITM attack proposed in embodiment two of the present invention;
Fig. 6 is a flow chart of the method for determining a MITM attack proposed in embodiment three of the present invention.
Embodiment
To address the problem that the prior-art methods of guarding against MITM attacks can only act preventively, cannot actively determine whether a man-in-the-middle attack exists in the network, and therefore leave network security poor, the technical scheme proposed by the embodiments of the present invention actively replaces the asymmetric-encryption public key contained in the first RDP connection response sent by the server with a preset first identification public key, forms a second RDP connection response and sends it to the client; the client then determines whether a MITM attack exists in the network according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key. MITM attacks can thus be detected actively, and it can be accurately determined whether a man-in-the-middle attack exists in the current network; the session transmission link of the network need not be disconnected to make this determination, so the client and server can carry on a normal session, which improves network security and ensures that confidential information is not leaked.
The main implementation principle, the specific embodiments and the beneficial effects that can be achieved by the technical scheme of the embodiments of the present invention are set forth in detail below with reference to the accompanying drawings.
Embodiment one
Embodiment one of the present invention proposes a system for determining a MITM attack. In a network that transmits data based on RDP, the principle of a MITM attack is as follows:
In a network transmitting data based on RDP, data transmission during an RDP session is encrypted, but at the start of the session, i.e. in the initial negotiation of the RDP protocol, the symmetric key used to encrypt the session must be exchanged on the basis of an asymmetric encryption/decryption algorithm. Specifically, the negotiation proceeds as follows. The client first sends a remote login request to the server; after receiving the request, the server sends a response message to the client, which carries a public-key response packet containing the public key used in the asymmetric algorithm (RSA) and a symmetric-key factor (for ease of exposition, the symmetric-key factors are given identifying numbers, so this one is symmetric-key factor 1). Using MITM techniques, the attacker captures the public-key response packet carried in the response message, obtains the public key and symmetric-key factor 1 it contains and stores them; the attacker then replaces the public key in the packet with a forged public key whose private key the attacker already knows, forms a forged public-key response packet and sends it to the client. After receiving the forged packet, the client generates symmetric-key factor 2, encrypts it with the forged public key it received and sends it to the server. The intruder again captures the data the client sends to the server and, holding the private key of the forged public key, decrypts the encrypted symmetric-key factor 2 with that private key to obtain symmetric-key factor 2 in plaintext; combined with the previously obtained symmetric-key factor 1, the RDP session key can then be computed. Once the RDP session key is obtained, the whole RDP session can be decrypted, including keyboard input and information such as user names, account numbers and passwords.
Based on the above principle of the MITM attack, as shown in Figure 3, the system for determining a MITM attack proposed in embodiment one of the present invention comprises at least one client server 101, a switch 102 on the client side for transmitting data, a routing device 103 for forwarding data, a switch 104 on the server side for transmitting data, at least one server-side server 105, and a detection proxy server 106; in addition, a MITM 105 is assumed to exist. Where:
The client is for sending an RDP connection request; receiving the second RDP connection response sent by the detection proxy server; and determining whether a MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key.
Specifically, the client parses the received second RDP connection response to obtain the asymmetric-encryption public key it contains, and judges whether the parsed asymmetric-encryption public key matches the preset first identification public key; if so, it determines that no MITM attack exists in the network; if not, it determines that a MITM attack exists in the network.
The detection proxy server is for forwarding the RDP connection request to the server when an RDP connection request sent by the client is received; obtaining the first RDP connection response sent by the server, where the first RDP connection response contains the asymmetric-encryption public key generated by the server; and replacing the asymmetric-encryption public key contained in the obtained first RDP connection response with the preset first identification public key to form a second RDP connection response and sending it to the client.
The detection proxy server is also for establishing, before receiving the RDP connection request sent by the client, a first socket listening on the RDP application port. Specifically, the RDP application port is the default port of RDP, for example port 3389. Before forwarding the RDP connection request to the server, it establishes a second socket connected to the server.
Further, to ensure the security of data transmission, the detection proxy server disconnects the RDP connection with the server after obtaining the first RDP connection response sent by the server.
Specifically, the preset first identification public key is obtained by parsing an asymmetric key file, where the asymmetric key file is generated from a preset asymmetric key pair. The two may be used together; for ease of exposition, the technical scheme of the embodiments of the present invention distinguishes between them here.
The server-side server is for receiving the RDP connection request forwarded by the detection proxy server, processing it, and generating and sending the first RDP connection response containing the asymmetric-encryption public key.
Embodiment two
Based on the system architecture for determining a MITM attack proposed in embodiment one, embodiment two of the present invention proposes a method for determining a MITM attack, whose flow is shown in Figure 4 and whose concrete processing is as follows:
Step 41: receive the RDP connection request sent by the client.
In a network transmitting data based on RDP, the client needs to connect to the server, and to do so sends an RDP connection request.
Specifically, before step 41, a first socket listening on the RDP application port may first be established; the RDP application port may be the default port of RDP, for example port 3389.
Step 42: when the RDP connection request sent by the client is received, forward the RDP connection request to the server.
Before the RDP connection request is forwarded to the server, a second socket connected to the server may also be established.
Step 43: obtain the first RDP connection response sent by the server.
After the server processes the received RDP connection request, it returns the first RDP connection response, which contains the asymmetric-encryption public key generated by the server. Specifically, the asymmetric-encryption public key may serve as identification information of the server.
Preferably, to ensure the security of data transmission, the RDP connection with the server may be disconnected after step 43.
Step 44: replace the asymmetric-encryption public key contained in the obtained first RDP connection response with the preset first identification public key to form a second RDP connection response, and send it to the client.
Step 45: the client determines whether a MITM attack exists according to the received second RDP connection response.
The client parses the received second RDP connection response to obtain the first identification public key it contains, and judges whether the parsed asymmetric-encryption public key matches the preset first identification public key; if so, it determines that no MITM attack exists in the network; if not, it determines that a MITM attack exists in the network.
Specifically, the preset first identification public key may be obtained by parsing an asymmetric key file, where the asymmetric key file is generated from a preset asymmetric key pair. In a concrete implementation, a pair of asymmetric keys is prepared and an asymmetric key file is generated from it; this key file is subsequently parsed to obtain the public key and the private key.
Correspondingly, embodiment two of the present invention also proposes an apparatus for determining a MITM attack, which, as shown in Figure 5, comprises:
A forwarding module 501, for forwarding the RDP connection request to the server when an RDP connection request sent by the client is received.
An obtaining module 502, for obtaining the first RDP connection response sent by the server, where the first RDP connection response contains the asymmetric-encryption public key generated by the server.
A sending module 503, for replacing the asymmetric-encryption public key contained in the obtained first RDP connection response with the preset first identification public key to form a second RDP connection response and sending it to the client, where the client determines whether a MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response and the preset first identification public key.
Specifically, the preset first identification public key is obtained by parsing an asymmetric key file, where the asymmetric key file is generated from a preset asymmetric key pair.
Specifically, after sending the second RDP connection response to the client, the sending module 503 instructs the client to parse the received second RDP connection response, obtain the first identification public key it contains, and judge whether the parsed asymmetric-encryption public key matches the preset first identification public key; if so, the client determines that no MITM attack exists in the network; if not, it determines that a MITM attack exists in the network.
Specifically, the apparatus further comprises:
A first establishing module, for establishing a first socket listening on the RDP application port, where the RDP application port is the default port of RDP.
Specifically, the apparatus further comprises:
A second establishing module, for establishing a second socket connected to the server.
Specifically, the apparatus further comprises:
A disconnecting module, for disconnecting the RDP connection with the server.
Embodiment three
Further, on the basis of embodiments one and two and of the system architecture shown in Figure 3, embodiment three of the present invention elaborates the method for determining a MITM attack with a concrete example, as shown in Figure 6; the concrete processing is as follows:
A pair of asymmetric keys is preset as the authentication information of the detection proxy server. After the asymmetric key file is generated, both the client and the detection proxy server use this key file; a detection proxy server holding this authentication information is a legitimate access device. The authentication information may, for example, be server identification information, or some other artificially arranged coded message. After the key file is generated from the configured asymmetric key pair, the client and the detection proxy server both use the generated key file, i.e. during normal operation both parse the generated key file to obtain the public key and the private key. The detection proxy server establishes a socket with a listening function for listening on the default port of RDP, for example port 3389. Because the technical scheme proposed by the embodiments of the present invention detects MITM attacks actively in order to determine whether a MITM attack exists in the network, the detection proxy can be deployed in the manner of a honeypot. On the RDP default port, the client establishes a socket for connecting to the detection proxy server; after the socket is established, the client sends a transport-layer connection request to the detection proxy server, and once the client server has successfully connected to the detection proxy server (in a concrete implementation, after the client server can successfully ping the detection proxy server), the client constructs an application-layer RDP connection request packet, i.e. sends the RDP connection request. As shown in Figure 6, the concrete processing is as follows:
Step 61: the client sends an RDP connection request to the detection proxy server.
According to the principle of the MITM attack set forth in embodiment one, this RDP connection request is not tampered with during transmission.
Step 62: the detection proxy server receives the RDP connection request sent by the client, establishes a socket for connecting to the server-side server, and completes the connection between the detection proxy server and the server-side server.
Step 63: after the socket is established, the detection proxy server sends the RDP request sent by the client to the server-side server.
Step 64: after receiving the RDP request, the server-side server processes it and sends the result to the client, i.e. sends the RDP connection response.
The RDP connection response contains the asymmetric-encryption public key generated by the server-side server and a random number.
Step 65: the detection proxy server obtains the RDP connection response sent by the server-side server (i.e. the first RDP connection response of the embodiments of the present invention); to ensure the security of the data stored on the server-side server, the connection with the server-side server may be disconnected.
Specifically, the detection proxy server may disconnect the connection with the server-side server in, but not limited to, the following two ways:
First way: the detection proxy server sends a disconnect message to the server-side server, and after receiving it the server-side server disconnects the RDP connection with the detection proxy server.
Second way: after receiving the RDP response message sent by the server-side server, the detection proxy server disconnects the RDP connection with the server.
Step 66: the detection proxy server parses the received RDP connection response and obtains the server-generated asymmetric-encryption public key it contains.
Step 67: the obtained server-generated asymmetric-encryption public key is replaced with authentication information that identifies this detection proxy server (i.e. the first identification public key of the embodiments of the present invention), and this information is used as the asymmetric-encryption public key after replacement.
Specifically, since the key file is implanted in the system's initial state, when replacing the asymmetric-encryption public key, the public key generated by the server-side server is preferably replaced with a key parsed from the implanted asymmetric key file, which can identify the detection proxy server. For example, the public key generated by the server is replaced with the first identification public key parsed from the implanted asymmetric key file.
Step 68: send the RDP connection response after key replacement to the client server.
That is, the RDP connection response in which the server-generated asymmetric-encryption public key has been replaced with the first identification public key (i.e. the second RDP connection response of the embodiments of the present invention) is sent to the client server. If a MITM attack exists in the network at this time, then according to the MITM attack principle set forth in embodiment one, the MITM can capture this key-replaced RDP connection response, tamper with the identity information of the detection proxy server it contains, and then send it on to the client. For example, the key-replaced RDP connection response contains the identification information of the detection proxy server, i.e. its content may be: identification information of the detection proxy server + random number. After tampering by the man-in-the-middle this becomes: other identification information + random number, and the tampered RDP connection response is sent to the client.
Step 69: after receiving the second RDP connection response, the client server parses it and judges whether a MITM exists in the network.
After receiving the RDP connection response, the client server parses it to obtain the authentication information it contains (i.e. the first identification public key inserted by the key replacement), and compares the obtained authentication information with the preset authentication information. If they are consistent, it determines that no MITM attack exists in the network; otherwise, it determines that a MITM attack exists on the network between the client server and the detection server. Specifically, the preset authentication information is obtained by the client server, during operation, by parsing the implanted key file.
Compared with the server-authentication approach of the prior art for guarding against MITM attacks, the technical scheme proposed by the embodiments of the present invention can actively detect MITM attacks and accurately determine whether a man-in-the-middle attack exists in the current network; when determining whether a MITM attack exists, the session transmission link of the network need not be disconnected, so the client and server can carry on a normal session, which better ensures the security of a network transmitting data based on RDP.
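A runnable model of the exchange in steps 61 to 69 (and of steps 41 to 45 in embodiment two), added here as an illustration; it is not code from the patent or from NSFOCUS. The key-file layout, the message fields and all key bytes are constructed assumptions: random bytes stand in for real RSA keys, and no actual RDP packets or sockets are involved.

```python
"""Model of the detection-proxy key-substitution check: the proxy swaps the
server's public key for the pre-shared identification key, the client compares
what it receives against the same pre-shared key. All values are constructed."""
from __future__ import annotations

import hmac
import os
from dataclasses import dataclass


@dataclass
class ConnectResponse:
    """Fields the patent says the RDP connection response carries: the
    server-generated asymmetric public key and a random number."""
    public_key: bytes
    random_number: bytes


# Constructed sample key file shared by the client and the detection proxy.
# The patent only says the file is parsed into a public key and a private key;
# the two-line "name=hex" layout used here is an assumption for this demo.
SAMPLE_KEY_FILE = """
public=5a9d2c8f1e6b4a3d0c7e9f2b8d1a6c3e4f5b7a9c0d1e2f3a4b5c6d7e8f9a0b1c
private=0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0
"""


def load_identification_keys(key_file_text: str) -> tuple[bytes, bytes]:
    """Parse the pre-provisioned key file into (public_key, private_key)."""
    entries = {}
    for line in key_file_text.strip().splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed key file line: {line!r}")
        entries[name.strip()] = bytes.fromhex(value.strip())
    return entries["public"], entries["private"]


def server_connect_response() -> ConnectResponse:
    """Server side (step 64): answer the forwarded connection request with a
    freshly generated public key and a random number (the 'first' response).
    Random bytes stand in for a real RSA public key in this model."""
    return ConnectResponse(public_key=os.urandom(32), random_number=os.urandom(4))


def detection_proxy(first: ConnectResponse,
                    identification_public_key: bytes) -> tuple[ConnectResponse, bool]:
    """Detection proxy (steps 65 to 67): take the server's first response, replace
    the server key with the preset identification key and build the 'second'
    response for the client. Returns (second_response, server_link_open); the
    patent recommends dropping the server-side connection here, so the link
    flag is False."""
    second = ConnectResponse(public_key=identification_public_key,
                             random_number=first.random_number)
    server_link_open = False
    return second, server_link_open


def client_check(received: ConnectResponse, preset_public_key: bytes) -> bool:
    """Client side (step 69): compare the key in the received response with the
    pre-shared identification key. True means the keys match (no MITM between
    client and detection proxy); False means the key was altered in transit.
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(received.public_key, preset_public_key)


def run_exchange(key_altered_in_transit: bool) -> dict:
    """Drive one client -> proxy -> server -> proxy -> client exchange. When
    key_altered_in_transit is True the response is modified between proxy and
    client, modelling the tampering described in step 68 as a constructed test
    condition (no interception code, the key is simply swapped in memory)."""
    preset_pub, _preset_priv = load_identification_keys(SAMPLE_KEY_FILE)
    first = server_connect_response()
    second, server_link_open = detection_proxy(first, preset_pub)
    delivered = second
    if key_altered_in_transit:
        # "other identification information + random number" from step 68
        delivered = ConnectResponse(public_key=os.urandom(32),
                                    random_number=second.random_number)
    mitm_detected = not client_check(delivered, preset_pub)
    return {
        "mitm_detected": mitm_detected,
        "server_link_open": server_link_open,
        "random_number_preserved": delivered.random_number == first.random_number,
    }


if __name__ == "__main__":
    for altered in (False, True):
        print(f"key altered in transit={altered}: {run_exchange(altered)}")
```

The model only decides the question the patent poses (was the identification key received intact?); it does not carry the session past the key exchange.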
Those skilled in the art will understand that embodiments of the invention may be provided as a method, a device (apparatus) or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, devices (apparatus) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device so as to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they have grasped the basic inventive concept, can make further changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and variations to the invention without departing from its spirit and scope. Thus, if these changes and variations fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to cover them as well.

Claims (6)

1. A method for determining a man-in-the-middle (MITM) attack, characterized in that it comprises:
establishing a first socket that listens on the RDP application port;
when a Remote Desktop Protocol (RDP) connection request sent by a client is received, establishing a second socket connected to the server;
forwarding the RDP connection request to the server; and
obtaining a first RDP connection response request sent by the server and disconnecting the RDP connection with the server, wherein the first RDP connection response request contains an asymmetric-encryption public key generated by the server;
replacing the asymmetric-encryption public key contained in the obtained first RDP connection response request with a preset first identification public key, forming a second RDP connection response request and sending it to the client, wherein the client determines whether an MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response request and the preset first identification public key, and wherein that determination comprises: the client parses the received second RDP connection response request, obtains the asymmetric-encryption public key it contains, and judges whether the parsed public key matches the preset first identification public key; if so, it determines that no MITM attack exists in the network; if not, it determines that an MITM attack exists in the network.
2. The method of claim 1, characterized in that the preset first identification public key is obtained by parsing an asymmetric key file, wherein the asymmetric key file is generated from a preset asymmetric key pair.
3. A device for determining a man-in-the-middle (MITM) attack, characterized in that it comprises:
a forwarding module, configured to forward a Remote Desktop Protocol (RDP) connection request sent by a client to the server when that request is received;
an obtaining module, configured to obtain the first RDP connection response request sent by the server, wherein the first RDP connection response request contains an asymmetric-encryption public key generated by the server;
a sending module, configured to replace the asymmetric-encryption public key contained in the obtained first RDP connection response request with a preset first identification public key, form a second RDP connection response request and send it to the client, wherein the client determines whether an MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response request and the preset first identification public key; wherein a first socket listening on the RDP application port is established before the RDP connection request sent by the client is received, and a second socket connected to the server is established after the RDP connection request is received;
the sending module, after sending the second RDP connection response request to the client, instructs the client to parse the received second RDP connection response request and obtain the asymmetric-encryption public key it contains; judge whether the parsed public key matches the preset first identification public key; if so, determine that no MITM attack exists in the network; if not, determine that an MITM attack exists in the network.
4. The device of claim 3, characterized in that the preset first identification public key is obtained by parsing an asymmetric key file, wherein the asymmetric key file is generated from a preset asymmetric key pair.
5. A system for determining a man-in-the-middle (MITM) attack, characterized in that it comprises at least one client, at least one detection proxy server and at least one server, wherein:
the client is configured to send a Remote Desktop Protocol (RDP) connection request, to receive the second RDP connection response request sent by the detection proxy server, and to determine whether an MITM attack exists according to the asymmetric-encryption public key contained in the received second RDP connection response request and the preset first identification public key;
the detection proxy server is configured to forward the RDP connection request sent by the client to the server when that request is received; to obtain the first RDP connection response request sent by the server, wherein the first RDP connection response request contains an asymmetric-encryption public key generated by the server; and to replace the asymmetric-encryption public key contained in the obtained first RDP connection response request with the preset first identification public key, forming a second RDP connection response request and sending it to the client;
the server is configured to receive the RDP connection request forwarded by the detection proxy server, process it, and generate and send the first RDP connection response request containing the asymmetric-encryption public key;
wherein a first socket listening on the RDP application port is established before the RDP connection request sent by the client is received, and a second socket connected to the server is established after the RDP connection request sent by the client is received;
the client is specifically configured to parse the received second RDP connection response request, obtain the asymmetric-encryption public key it contains, and judge whether the parsed public key matches the preset first identification public key; if so, determine that no MITM attack exists in the network; if not, determine that an MITM attack exists in the network.
6. The system of claim 5, characterized in that the preset first identification public key is obtained by parsing an asymmetric key file, wherein the asymmetric key file is generated from a preset asymmetric key pair.
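The exchange described in the embodiment above and recited in claims 1 and 5, as an added example that is not part of the patent or of the applicant's code. It simulates the three parties in one process: the server emits a first response carrying a freshly generated key, the detection proxy performs the key replacement and adds its identification information, an optional man in the middle substitutes its own key, and the client compares the key it receives against the one parsed from its implanted key file. The tag-length-value message layout, the opaque byte strings standing in for RSA public keys, and the key-file format (`IDENT_KEY_FILE`, `parse_key_file`) are all constructed for this example and are not the real RDP wire format; every name is hypothetical.

```python
"""Added example: simulation of the detection-proxy MITM check (not the patent's code).

The message layout below is a constructed tag(1) | length(2, big-endian) | value
encoding chosen for the example; it is NOT the real RDP/MCS Server Security Data
format. Public keys are opaque byte strings standing in for DER-encoded RSA keys.
"""
import hmac
import os
import struct
from typing import Dict

TAG_PUBKEY = 0x01  # asymmetric-encryption public key (server-generated, or replaced)
TAG_RANDOM = 0x02  # server random
TAG_IDENT = 0x03   # identification information of the detection proxy

# Constructed stand-in for the asymmetric key file implanted in both the
# detection proxy and the client (claim 2); only the public half is carried.
IDENT_KEY_FILE = b"ident-pub:" + bytes(range(0x20, 0x40))
# Constructed stand-in for the key an attacker would substitute.
ATTACKER_PUBKEY = b"\xaa" * 128


def parse_key_file(key_file: bytes) -> bytes:
    """Return the first identification public key from the implanted key file."""
    prefix = b"ident-pub:"
    if not key_file.startswith(prefix):
        raise ValueError("unrecognised key file")
    return key_file[len(prefix):]


def encode(fields: Dict[int, bytes]) -> bytes:
    """Serialise fields as tag(1) | length(2, big-endian) | value."""
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in sorted(fields.items()))


def decode(buf: bytes) -> Dict[int, bytes]:
    """Parse the TLV buffer, rejecting truncated or duplicated fields."""
    fields: Dict[int, bytes] = {}
    off = 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = struct.unpack("!BH", buf[off:off + 3])
        off += 3
        if off + length > len(buf):
            raise ValueError("truncated TLV value")
        if tag in fields:
            raise ValueError("duplicate tag %#x" % tag)
        fields[tag] = buf[off:off + length]
        off += length
    return fields


def server_first_response(server_pubkey: bytes) -> bytes:
    """Server: first RDP connection response carrying the key it generated."""
    return encode({TAG_PUBKEY: server_pubkey, TAG_RANDOM: os.urandom(32)})


def proxy_second_response(first_response: bytes, ident_pubkey: bytes) -> bytes:
    """Detection proxy: key replacement. Swap the server key for the preset
    identification public key and add the proxy's identification information."""
    fields = decode(first_response)
    fields[TAG_PUBKEY] = ident_pubkey
    fields[TAG_IDENT] = b"detect-proxy-01"  # constructed identifier
    return encode(fields)


def mitm_tamper(msg: bytes, attacker_pubkey: bytes) -> bytes:
    """Attacker model from the description: a man in the middle that substitutes
    its own key and identification information before forwarding to the client."""
    fields = decode(msg)
    fields[TAG_PUBKEY] = attacker_pubkey
    fields[TAG_IDENT] = b"other-ident"
    return encode(fields)


def client_detects_mitm(second_response: bytes, preset_ident_pubkey: bytes) -> bool:
    """Client: True when the received key does not match the preset one.
    A malformed response counts as a detection, never as a clean link."""
    try:
        received = decode(second_response).get(TAG_PUBKEY, b"")
    except ValueError:
        return True
    return not hmac.compare_digest(received, preset_ident_pubkey)


def run_exchange(mitm_present: bool) -> bool:
    """Drive client -> proxy -> server -> proxy -> [MITM] -> client and return
    the client's verdict (True = MITM detected)."""
    ident_pubkey = parse_key_file(IDENT_KEY_FILE)
    server_pubkey = os.urandom(128)                     # stands in for a fresh RSA key
    first = server_first_response(server_pubkey)        # server replies to the forwarded request
    second = proxy_second_response(first, ident_pubkey)  # proxy performs the key replacement
    if mitm_present:
        second = mitm_tamper(second, ATTACKER_PUBKEY)   # attacker rewrites the key in transit
    return client_detects_mitm(second, ident_pubkey)


if __name__ == "__main__":
    print("clean link -> MITM detected:", run_exchange(False))
    print("MITM link  -> MITM detected:", run_exchange(True))
```

The check fires only when the key in the second response has been substituted, which is exactly what the classic RDP man in the middle must do to read the session; a man in the middle that recognises the probe and relays it unmodified produces a match and is not detected by this comparison. The comparison uses `hmac.compare_digest` and treats an unparsable response as a detection so that a truncated or garbled message cannot be mistaken for a clean link.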
CN201210448821.2A 2012-11-09 2012-11-09 Method, apparatus and system for determining an MITM attack Active CN102957704B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210448821.2A CN102957704B (en) 2012-11-09 2012-11-09 Method, apparatus and system for determining an MITM attack

Publications (2)

Publication Number Publication Date
CN102957704A CN102957704A (en) 2013-03-06
CN102957704B true CN102957704B (en) 2016-02-24

Family

ID=47765929

Country Status (1)

Country Link
CN (1) CN102957704B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401872B (en) * 2013-08-05 2016-12-28 北京工业大学 The method prevented and detect man-in-the-middle attack based on RDP improved protocol
US9716726B2 (en) * 2014-11-13 2017-07-25 Cleafy S.r.l. Method of identifying and counteracting internet attacks
CN106850690B (en) * 2017-03-30 2020-07-24 国家电网有限公司 Honeypot construction method and system
CN110535886B (en) * 2019-09-30 2022-09-16 中国工商银行股份有限公司 Method, apparatus, system, device and medium for detecting man-in-the-middle attacks
CN111818070B (en) * 2020-07-14 2021-03-02 广州锦行网络科技有限公司 Screen recording method under windows system
WO2022116147A1 (en) * 2020-12-04 2022-06-09 华为技术有限公司 Method and apparatus for detecting bluetooth vulnerability attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101385274A (en) * 2005-09-29 2009-03-11 高通股份有限公司 Constrained cryptographic keys
CN102270285A (en) * 2010-06-01 2011-12-07 华为技术有限公司 Key authorization information management method and device
CN102315933A (en) * 2011-10-18 2012-01-11 飞天诚信科技股份有限公司 Method for updating key and system

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address (before and after): 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; NSFOCUS TECHNOLOGIES Inc.
Patentee after: NSFOCUS Technologies Group Co.,Ltd.; NSFOCUS TECHNOLOGIES Inc.