CN103441851A - Method for allowing terminal equipment to have access to VPN equipment - Google Patents

Method for allowing terminal equipment to have access to VPN equipment

Info

Publication number
CN103441851A
Authority
CN
China
Prior art keywords
equipment
vpn
terminal equipment
key
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013103717238A
Other languages
Chinese (zh)
Other versions
CN103441851B (en)
Inventor
赵银春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
Chengdu Westone Information Industry Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Westone Information Industry Inc
Priority to CN201310371723.8A
Publication of CN103441851A
Application granted
Publication of CN103441851B
Legal status: Active
Anticipated expiration

Abstract

The invention relates to the technical field of information security and cryptography, in particular to a method for allowing terminal equipment to securely access VPN equipment, and aims to solve the access security problem of terminal equipment in a VPN and to ensure the legitimacy of the equipment accessing the VPN. In the method, when terminal equipment accesses the VPN, the VPN equipment authenticates the accessing terminal equipment using a symmetric algorithm, so that illegitimate terminal equipment is prevented from accessing the VPN and terminal access security is guaranteed. When terminal equipment accesses the VPN equipment, the VPN equipment actively performs security authentication of the terminal equipment, which achieves the design goal. The method is applied in the technical field of information security and cryptography.

Description

Method for terminal equipment to access VPN equipment
Technical field
The present invention relates to the field of information security and cryptography, and in particular to a method by which terminal equipment securely accesses VPN equipment.
Background art
A VPN network built from VPN equipment can effectively guarantee the security of data transmitted over the network. With the rapid, all-round development of China's information industry, the VPN network, as an effective safeguard, is being applied ever more widely, and in special settings stricter security requirements are placed on terminal access.
In network security, and especially in the security of the Internet of Things, secure terminal access is a very important link. The places where IoT terminals are deployed are generally unattended, so an unauthorized person can relatively easily counterfeit a terminal and thereby access the VPN equipment. In that case the VPN equipment cannot authenticate the accessing terminal and security problems easily arise. Therefore, in application environments where unattended terminal equipment accesses the VPN network, the accessing terminal must be authenticated so as to guarantee access security.
A VPN network can have complete encryption, authentication and logging mechanisms during operation, which effectively guarantee the reliability and confidentiality of network data transmission. But if the accessing terminal equipment is itself illegitimate and cannot be effectively screened, an illegitimate terminal can access the VPN network and attack the network and its servers. Authenticating the accessing terminal equipment in this case therefore effectively guarantees the access security of the network and strengthens the security of the system.
Summary of the invention
The technical problem to be solved by the invention is to solve the access security problem of terminal equipment in the VPN network described above and to guarantee the legitimacy of the equipment accessing the VPN network. The invention provides a method by which terminal equipment securely accesses the VPN network: when terminal equipment accesses the VPN network, the VPN equipment authenticates the accessing terminal equipment using a symmetric algorithm, thereby preventing illegitimate terminal equipment from accessing the VPN network and guaranteeing the security of terminal access.
The technical solution adopted by the invention is as follows:
A method for terminal equipment to access VPN equipment comprises:
Step 1: a cipher server initializes the terminal equipment containing a security module, injecting a master key into the security module, and the security module generates a unique ciphertext dispersion factor MSi and an application key; the cipher server initializes the VPN equipment, injecting into the VPN equipment the master key corresponding to the terminal equipment;
Step 2: when the terminal equipment accesses the VPN equipment, the VPN equipment actively performs security authentication of the terminal equipment.
In step 1, the specific steps by which the security module generates the unique ciphertext dispersion factor MSi and the application key are:
Step 11: the security module uses the master key to perform key dispersion on the dispersion factor Si uniquely corresponding to the security module, generating the application key PM;
Step 12: the security module uses the master key to encrypt Si, producing the ciphertext dispersion factor MSi.
In step 2, the detailed process by which the VPN equipment actively performs security authentication of the terminal equipment when it accesses the VPN equipment is:
Step 21: the VPN equipment generates a random number R and sends it to the security module of the terminal equipment;
Step 22: the security module uses the application key PM to perform n-level key dispersion on the random number R, obtaining the working key KM, and uses the working key KM to encrypt R, generating MR;
Step 23: the security module sends the ciphertext dispersion factor MSi and MR to the VPN equipment;
Step 24: the VPN equipment uses the master key to decrypt MSi, obtaining the dispersion factor Si'; and uses the master key to perform key dispersion on the dispersion factor Si', generating the application key PM';
Step 25: the VPN equipment uses the application key PM' and R to perform key dispersion, generating the working key KM';
Step 26: the VPN equipment uses the working key KM' to decrypt the received MR, obtaining R';
Step 27: the VPN equipment compares R' with R; if R' = R, this terminal equipment is allowed access; otherwise, this terminal equipment is refused access.
The key dispersion uses an XOR algorithm or an international algorithm, and the encryption or decryption uses an international algorithm.
The encryption or decryption uses the DES algorithm, the AES algorithm, the SM1 algorithm or the SM4 algorithm.
The dispersion factor Si of each security module is different.
The sending in step 5 is performed wirelessly or over a wired link.
The cipher server either belongs to the VPN equipment or does not belong to the VPN equipment.
The terminal equipment containing the security module connects to it in TF card form or USB form.
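The Step 1 initialisation and the Step 21 to 27 challenge-response exchange, as an added Go example that is not part of the patent. It assumes 16-byte keys, factors and challenge, AES-128 for the cipher the page leaves open among DES, AES, SM1 and SM4, and key dispersion realised as encrypting the bitwise complement of the factor under the parent key (the page also permits XOR); the complement keeps the Step 11 application key PM from being the same block as the Step 12 ciphertext factor MSi, which the terminal sends in the clear. The names CipherServerInit, Respond, VPNVerify and Authenticate are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// aesBlock encrypts (or, with dec set, decrypts) one 16-byte block under a 16-byte
// key. Assumption: the page leaves the cipher open (DES/AES/SM1/SM4); AES-128 is used.
func aesBlock(key, in []byte, dec bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key constructed here is exactly 16 bytes
	}
	out := make([]byte, aes.BlockSize)
	if dec {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// disperseN is n-level key dispersion: the complement of the factor is encrypted
// under the parent key and the result becomes the next parent (assumption; XOR is allowed too).
func disperseN(parent, factor []byte, n int) []byte {
	inv := make([]byte, len(factor))
	for i := range factor {
		inv[i] = ^factor[i] // complement so Step 11's PM is not Step 12's MSi
	}
	for i := 0; i < n; i++ {
		parent = aesBlock(parent, inv, false)
	}
	return parent
}

// SecurityModule is the terminal's security module after Step 1 initialisation.
type SecurityModule struct {
	PM  []byte // application key, Step 11: disperse(MK, Si)
	MSi []byte // ciphertext dispersion factor, Step 12: Enc_MK(Si)
}

// CipherServerInit is Step 1 for one terminal: master key mk, unique factor si.
func CipherServerInit(mk, si []byte) SecurityModule {
	return SecurityModule{PM: disperseN(mk, si, 1), MSi: aesBlock(mk, si, false)}
}

// Respond is Steps 22-23: KM = n-level dispersion of R under PM, then MR = Enc_KM(R).
func (m SecurityModule) Respond(r []byte, n int) (msi, mr []byte) {
	return m.MSi, aesBlock(disperseN(m.PM, r, n), r, false)
}

// VPNVerify is Steps 24-27 on the VPN equipment holding mk: Si' from MSi, PM' and
// KM' re-derived, MR decrypted to R', and access granted only if R' equals R.
func VPNVerify(mk, r, msi, mr []byte, n int) bool {
	pmPrime := disperseN(mk, aesBlock(mk, msi, true), 1)
	return bytes.Equal(aesBlock(disperseN(pmPrime, r, n), mr, true), r)
}

// Authenticate runs the whole Step 2 exchange; Step 21 draws a fresh random R per attempt.
func Authenticate(mk []byte, m SecurityModule, n int) bool {
	r := make([]byte, aes.BlockSize)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	msi, mr := m.Respond(r, n)
	return VPNVerify(mk, r, msi, mr, n)
}

func main() {
	mk := []byte("constructed-MK16") // constructed 16-byte master key
	legit := CipherServerInit(mk, []byte("terminal-0001-Si"))
	forged := CipherServerInit([]byte("attacker-MK-0000"), []byte("terminal-0001-Si"))
	fmt.Println(Authenticate(mk, legit, 1), Authenticate(mk, forged, 1)) // true false
}
```

A terminal whose module was initialised under any other master key fails at Step 27, since its MSi decrypts to a wrong Si' and the re-derived KM' does not recover R.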
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
1. When terminal equipment accesses, the VPN equipment first authenticates the accessing device; only when authentication passes is the terminal equipment allowed to access the VPN network and then transmit data over it. Once the terminal equipment and the VPN equipment disconnect, authentication must be performed again when the network is re-accessed, which guarantees terminal access security, guarantees terminal legitimacy and prevents illegitimate terminal access.
2. An interface for connecting to the security module is provided on the terminal equipment, together with a software interface for communicating with the security module; during access authentication the terminal equipment must exchange data with the security module through this interface.
3. In the process of terminal equipment accessing the VPN network, authentication must first be completed and passed; only after passing authentication can the terminal successfully access the VPN equipment and use the VPN network to transmit data.
Description of the drawings
Embodiments of the invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of the procedure for using this method.
Embodiments
All features disclosed in this specification, or all steps of any disclosed method or process, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, the abstract and the drawings) may, unless specifically stated otherwise, be replaced by other equivalent or alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Related description of the invention:
1. In this design, a security module is added to the terminal equipment on top of the prior art; the security module is responsible for key dispersion, cryptographic operations, key storage and so on. During authentication the working key is produced by key dispersion. The form in which the terminal equipment connects to the security module is not limited: it may be a TF card, a USB device or any other form.
2. The full English name of VPN is "Virtual Private Network". Through a dedicated encrypted communication protocol it establishes a private communication channel over the Internet between two or more intranets at different locations, as if a dedicated line had been set up, but without actually laying a physical circuit such as optical cable. This is like applying to the telecommunications bureau for a dedicated line, except that no fee for laying it has to be paid and no hardware such as routers has to be bought. A VPN should provide interfaces for third-party products. When a user has deployed a client for a LAN VPN scheme, the VPN equipment should provide a standard or publicly disclosed API (application programming interface) so that user information can be imported directly from the company database.
3. Operating principle: with the technology of the invention, when terminal equipment accesses, the VPN equipment first authenticates the accessing terminal equipment; only when authentication passes is the terminal equipment allowed to access the VPN network and then transmit data over it. Once the terminal equipment and the VPN equipment disconnect, authentication must be performed again when the network is re-accessed, which guarantees terminal access security, guarantees terminal legitimacy and prevents illegitimate terminal access.
4. The cipher server is responsible for initializing the security module and the VPN equipment, and determines the master key during initialization.
Embodiment one: a method for terminal equipment to access VPN equipment comprises:
Step 1: a cipher server initializes the terminal equipment containing a security module, injecting a master key into the security module, and the security module generates a unique ciphertext dispersion factor MSi and an application key;
Step 2: the security module uses the master key to perform key dispersion on the dispersion factor Si uniquely corresponding to the security module, generating the application key PM;
Step 3: the security module uses the master key to encrypt Si, producing the ciphertext dispersion factor MSi.
The cipher server initializes the VPN equipment, injecting into the VPN equipment the master key corresponding to the terminal equipment;
Step 4: the VPN equipment generates a random number R and sends it to the security module of the terminal equipment;
Step 5: the security module uses the application key PM to perform n-level key dispersion on the random number R, obtaining the working key KM, and uses the working key KM to encrypt R, generating MR;
Step 6: the security module sends the ciphertext dispersion factor MSi and MR to the VPN equipment;
Step 7: the VPN equipment uses the master key to decrypt MSi, obtaining the dispersion factor Si'; and uses the master key to perform key dispersion on the dispersion factor Si', generating the application key PM';
Step 8: the VPN equipment uses the application key PM' and R to perform key dispersion, generating the working key KM';
Step 9: the VPN equipment uses the working key KM' to decrypt the received MR, obtaining R';
Step 10: the VPN equipment compares R' with R; if R' = R, this terminal equipment is allowed access; otherwise, this terminal equipment is refused access.
Embodiment two: on the basis of embodiment one, the key dispersion uses an XOR algorithm or an international algorithm.
Embodiment three: on the basis of embodiment one or two, the encryption or decryption uses an international algorithm such as DES or AES, or may use a national symmetric cryptographic algorithm such as SM1 or SM4.
Embodiment four: the cipher server belongs to the VPN equipment or does not belong to the VPN equipment.
The invention is not limited to the foregoing embodiments. The invention extends to any new feature or any new combination disclosed in this specification, and to any new method or process step or any new combination thereof.

Claims (9)

1. A method for terminal equipment to access VPN equipment, characterized in that it comprises:
Step 1: a cipher server initializes the terminal equipment containing a security module, injecting a master key into the security module, and the security module generates a unique ciphertext dispersion factor MSi and an application key; the cipher server initializes the VPN equipment, injecting into the VPN equipment the master key corresponding to the terminal equipment;
Step 2: when the terminal equipment accesses the VPN equipment, the VPN equipment actively performs security authentication of the terminal equipment.
2. The method for terminal equipment to access VPN equipment according to claim 1, characterized in that in step 1 the specific steps by which the security module generates the unique ciphertext dispersion factor MSi and the application key are:
Step 11: the security module uses the master key to perform key dispersion on the dispersion factor Si uniquely corresponding to the security module, generating the application key PM;
Step 12: the security module uses the master key to encrypt Si, producing the ciphertext dispersion factor MSi.
3. The method for terminal equipment to access VPN equipment according to claim 2, characterized in that
in step 2 the detailed process by which the VPN equipment actively performs security authentication of the terminal equipment when it accesses the VPN equipment is:
Step 21: the VPN equipment generates a random number R and sends it to the security module of the terminal equipment;
Step 22: the security module uses the application key PM to perform key dispersion on the random number R, obtaining the working key KM, and uses the working key KM to encrypt R, generating MR;
Step 23: the security module sends the ciphertext dispersion factor MSi and MR to the VPN equipment;
Step 24: the VPN equipment uses the master key to decrypt MSi, obtaining the dispersion factor Si'; and uses the master key to perform key dispersion on the dispersion factor Si', generating the application key PM';
Step 25: the VPN equipment uses the application key PM' and R to perform key dispersion, generating the working key KM';
Step 26: the VPN equipment uses the working key KM' to decrypt the received MR, obtaining R';
Step 27: the VPN equipment compares R' with R; if R' = R, this terminal equipment is allowed access; otherwise, this terminal equipment is refused access.
4. The method for terminal equipment to access VPN equipment according to any one of claims 1 to 3, characterized in that the key dispersion uses an XOR algorithm or an international algorithm, and the encryption or decryption uses an international algorithm.
5. The method for terminal equipment to access VPN equipment according to claim 4, characterized in that the encryption or decryption uses the DES algorithm, the AES algorithm, the SM1 algorithm or the SM4 algorithm.
6. The method for terminal equipment to access VPN equipment according to claim 4, characterized in that the dispersion factor Si of each security module is different.
7. The method for terminal equipment to access VPN equipment according to claim 4, characterized in that the sending in step 5 is performed wirelessly or over a wired link.
8. The method for terminal equipment to access VPN equipment according to claim 4, characterized in that the cipher server belongs to the VPN equipment or does not belong to the VPN equipment.
9. The method for terminal equipment to access VPN equipment according to claim 4, characterized in that the security module is connected to the terminal equipment in TF card form or USB form.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310371723.8A CN103441851B (en) 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device

Publications (2)

Publication Number Publication Date
CN103441851A true CN103441851A (en) 2013-12-11
CN103441851B CN103441851B (en) 2016-12-28

Family

ID=49695520

Country Status (1)

Country Link
CN (1) CN103441851B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581805A (en) * 2004-05-17 2005-02-16 深圳市深信服电子科技有限公司 VPN client end safety strategy exchange and storage method
CN1588846A (en) * 2004-09-08 2005-03-02 中国工商银行 Dynamic encrypting device in network and its password identification method
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
US20110296186A1 (en) * 2010-06-01 2011-12-01 Visto Corporation System and method for providing secured access to services

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979458A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of two-dimensional bar data ciphering method
CN109274543A (en) * 2018-11-23 2019-01-25 广州市成格信息技术有限公司 A kind of method of the hot standby protection of user data special line is solved based on VxLan
CN109698833A (en) * 2018-12-28 2019-04-30 王梅 A kind of method and system for the collaboration certification carrying out identification information in internet
CN109698833B (en) * 2018-12-28 2021-08-27 北京天易数聚科技有限公司 Method and system for performing collaborative authentication of identification information in Internet
CN111148056A (en) * 2020-04-03 2020-05-12 南京华智达网络技术有限公司 Operable network configuration method and system

Also Published As

Publication number Publication date
CN103441851B (en) 2016-12-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.
