CN103441851B - A kind of terminal unit accesses the method for VPN device - Google Patents


Info

Publication number: CN103441851B
Authority: CN (China)
Prior art keywords: terminal unit, vpn, key, vpn device, accesses
Legal status: Active
Application number: CN201310371723.8A
Other languages: Chinese (zh)
Other versions: CN103441851A
Inventor: 赵银春
Current Assignee: China Electronics Technology Network Security Technology Co ltd
Original Assignee: Chengdu Westone Information Industry Inc
Priority date: 2013-08-23
Filing date: 2013-08-23
Publication date: 2016-12-28
Application filed by Chengdu Westone Information Industry Inc
Priority to CN201310371723.8A
Publication of CN103441851A
Application granted
Publication of CN103441851B


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of information security and cryptography, and specifically to a method by which a terminal unit securely accesses a VPN device. To address the access security problem of terminal units in a VPN and to guarantee the legitimacy of the equipment accessing the VPN, the invention provides a method in which, when a terminal unit accesses the VPN, the VPN device authenticates the accessing terminal unit using a symmetric algorithm, thereby preventing illegitimate terminal units from accessing the VPN and ensuring the security of terminal access. The design is realized by having the VPN device actively carry out a security authentication procedure for the terminal unit at the moment the terminal unit accesses the VPN device. The invention applies to the field of information security and cryptography.

Description

A kind of terminal unit accesses the method for VPN device
Technical field
The present invention relates to the field of information security and cryptography, and specifically to a method by which a terminal unit securely accesses a VPN device.
Background technology
A VPN built from VPN devices can effectively guarantee the security of data transmitted over a network. As China's informatization develops across all sectors, VPN, as one effective means of assurance, is applied more and more widely, and special applications impose stricter security requirements on terminal access.
In network security, and particularly in the security of the Internet of Things, the secure access of terminals is a very important link. The places where IoT terminals are deployed are usually unattended, so an unauthorized person can fairly easily counterfeit a terminal and then access the VPN device; in that situation, if the VPN device cannot authenticate the accessing terminal, security problems readily arise. Therefore, in application environments where unattended terminal units access a VPN, the accessing terminal must be authenticated in order to guarantee access security.
During operation a VPN can have complete encryption methods, authentication methods, logging and so on, which effectively guarantee the reliability and confidentiality of network data transmission. But if the accessing terminal unit is itself illegitimate, the terminal cannot be effectively screened, and an illegitimate terminal that has gained access to the VPN can attack the network and its servers. Authenticating the accessing terminal unit in this situation can therefore effectively guarantee network access security and strengthen system security.
Summary of the invention
The technical problem to be solved is: to solve the access security problem of terminal units in the VPN described above and to guarantee the legitimacy of the equipment accessing the VPN, the present invention provides a method by which a terminal unit securely accesses a VPN. When a terminal unit accesses the VPN, the VPN device authenticates the accessing terminal unit using a symmetric algorithm, thereby preventing illegitimate terminal units from accessing the VPN and ensuring the security of terminal access.
The technical solution used in the present invention is as follows:
A method by which a terminal unit accesses a VPN device includes:
Step 1: The cipher server initializes the terminal unit containing the security module, injecting a master control key into the security module; the security module generates a unique ciphertext dispersion factor MSi and an application key. The cipher server initializes the VPN device, injecting into the VPN device the master control key corresponding to the terminal unit;
Step 2: When the terminal unit accesses the VPN device, the VPN device actively carries out security authentication of the terminal unit.
In step 1, the concrete steps by which the security module generates the unique ciphertext dispersion factor MSi and the application key are:
Step 11: The security module uses the master control key to perform key dispersion (key diversification) on the dispersion factor Si that is unique to the security module, generating the application key PM;
Step 12: The security module uses the master control key to encrypt Si, producing the ciphertext dispersion factor MSi.
In step 2, the detailed process by which the VPN device actively carries out security authentication of the terminal unit when it accesses the VPN device is:
Step 21: The VPN device generates a random number R and sends it to the security module of the terminal unit;
Step 22: The security module uses the application key PM to perform key dispersion on the random number R n times, obtaining the working key KM, and uses the working key KM to encrypt R, generating MR;
Step 23: The security module sends the ciphertext dispersion factor MSi and MR to the VPN device;
Step 24: The VPN device uses the master control key to decrypt MSi, obtaining the dispersion factor Si'; it then uses the master control key to perform key dispersion on the dispersion factor Si', generating the application key PM';
Step 25: The VPN device uses the application key PM' and R to perform key dispersion, generating the working key KM';
Step 26: The VPN device uses the working key KM' to decrypt the received MR, obtaining R';
Step 27: The VPN device compares R' with R; if R' = R, the terminal unit is allowed to access; otherwise the terminal unit is refused access.
The key dispersion uses an XOR algorithm or an international general-purpose algorithm, and the encryption or decryption uses an international general-purpose algorithm.
The encryption or decryption uses the DES algorithm, the AES algorithm, the SM1 algorithm or the SM4 algorithm.
The dispersion factor Si of each security module is different.
The sending in step 5 is performed by wireless or wired means.
The cipher server either belongs to the VPN device or is separate from the VPN device.
The security module connects to the terminal unit in TF card form or USB form.
In summary, owing to the adoption of the above technical scheme, the beneficial effects of the invention are:
1. When a terminal unit accesses, the VPN device first authenticates the accessing device and allows the terminal unit to access the VPN only if authentication passes; data is then transmitted through the VPN. Once the terminal unit and the VPN device disconnect, authentication must be carried out again when the network is re-accessed. This guarantees the security of terminal access and the legitimacy of terminals, and prevents illegitimate terminals from accessing.
2. The terminal device provides an interface for connecting the security module, and a software interface for communicating with it; during access authentication the terminal unit exchanges data with the security module through this interface.
3. While accessing the VPN, the terminal unit must first complete and pass authentication; only after passing authentication can it successfully access the VPN device and use the VPN to transmit data.
Accompanying drawing explanation
Embodiments of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is the flow of the usage process of this method.
Detailed description of the invention
All features disclosed in this specification, and all methods or process steps disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, the abstract and the drawings) may, unless specifically stated otherwise, be replaced by other equivalent features or by alternative features serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Related description of the present invention:
1. In this design, the terminal unit must add a security module on top of the prior art; the security module is responsible for key dispersion, cryptographic operations, key storage and so on. The authentication process produces the working key by key dispersion. The way the security module connects to the terminal unit is not limited in form: it may be a TF card, or any other form such as USB.
2. VPN device: the full English name of VPN is "Virtual Private Network". By means of a dedicated encrypted communications protocol, it establishes a proprietary communication line over the Internet between two or more intranets at different locations, as if a dedicated line had been set up, but without the need to actually lay physical circuits such as optical cables. This is like applying to the telecommunications bureau for a leased line without paying for laying it and without purchasing hardware such as routers. A VPN should provide interfaces for third-party products. When a user deploys a client-to-LAN VPN scheme, the VPN device should provide standard or published API (application programming interface) features so that user information can be imported directly from the company database.
3. Operating principle: using the technique of the present invention, when a terminal unit accesses, the VPN device first authenticates the accessing terminal device and allows the terminal unit to access the VPN only if authentication passes; data is then transmitted over the VPN network. Once the terminal unit and the VPN device disconnect, authentication must be carried out again when the network is re-accessed. This guarantees the security of terminal access and the legitimacy of terminals, and prevents illegitimate terminals from accessing.
4. The cipher server is responsible for initializing the security module and the VPN device, and determines the master key during the initialization process.
Embodiment one: A method by which a terminal unit accesses a VPN device includes:
Step 1: The cipher server initializes the terminal unit containing the security module, injecting a master control key into the security module; the security module generates a unique ciphertext dispersion factor MSi and an application key;
Step 2: The security module uses the master control key to perform key dispersion on the dispersion factor Si that is unique to the security module, generating the application key PM;
Step 3: The security module uses the master control key to encrypt Si, producing the ciphertext dispersion factor MSi.
The cipher server initializes the VPN device, injecting into the VPN device the master control key corresponding to the terminal unit;
Step 4: The VPN device generates a random number R and sends it to the security module of the terminal unit;
Step 5: The security module uses the application key PM to perform key dispersion on the random number R n times, obtaining the working key KM, and uses the working key KM to encrypt R, generating MR;
Step 6: The security module sends the ciphertext dispersion factor MSi and MR to the VPN device;
Step 7: The VPN device uses the master control key to decrypt MSi, obtaining the dispersion factor Si'; it then uses the master control key to perform key dispersion on the dispersion factor Si', generating the application key PM';
Step 8: The VPN device uses the application key PM' and R to perform key dispersion, generating the working key KM';
Step 9: The VPN device uses the working key KM' to decrypt the received MR, obtaining R';
Step 10: The VPN device compares R' with R; if R' = R, the terminal unit is allowed to access; otherwise the terminal unit is refused access.
Embodiment two: On the basis of embodiment one, the key dispersion uses an XOR algorithm or an international algorithm.
Embodiment three: On the basis of embodiment one or two, the encryption or decryption uses an international algorithm such as DES or AES, or may use a Chinese national cryptographic symmetric algorithm such as SM1 or SM4.
Embodiment four: The cipher server either belongs to the VPN device or is separate from the VPN device.
The invention is not limited to the foregoing detailed embodiments. It extends to any new feature or new combination of features disclosed in this specification, and to any new method or process step, or new combination thereof, disclosed herein.
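The whole exchange of embodiment one (and of steps 1, 11-12 and 21-27 in the summary), as an added Go example written for this page; it is not code from the patent or from any product of the assignee. It assumes AES-128 as the "international algorithm" for both encryption and key dispersion, a 16-byte Si and R, and one particular dispersion construction (AES of the factor, XORed with the factor) that the patent leaves open; the master key and Si values are constructed placeholders, and the round count n is fixed at 3.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// aesBlock runs one raw AES block operation on a 16-byte input. Si, R, MSi and MR
// are all one block in this example, so no mode, IV or padding is involved.
func aesBlock(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) != aes.BlockSize {
		return nil, errors.New("input must be exactly one AES block")
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// diversify is key dispersion applied n times: key = AES_key(factor) XOR factor.
// The XOR feed-forward is an assumption of this example: it keeps dispersion distinct
// from plain encryption (otherwise MSi = AES_MK(Si) would equal PM) and one-way.
func diversify(parent, factor []byte, n int) ([]byte, error) {
	key := parent
	for i := 0; i < n; i++ {
		child, err := aesBlock(key, factor, false)
		if err != nil {
			return nil, err
		}
		for j := range child {
			child[j] ^= factor[j]
		}
		key = child
	}
	return key, nil
}

// SecurityModule is what the cipher server leaves in the terminal after step 1.
type SecurityModule struct {
	pm  []byte // application key PM = diversify(MK, Si), step 2 / step 11
	msi []byte // ciphertext dispersion factor MSi = AES_MK(Si), step 3 / step 12
}

// NewSecurityModule is the cipher server's initialization; MK is not retained.
func NewSecurityModule(masterKey, si []byte) (*SecurityModule, error) {
	pm, err := diversify(masterKey, si, 1)
	if err != nil {
		return nil, err
	}
	msi, err := aesBlock(masterKey, si, false)
	return &SecurityModule{pm: pm, msi: msi}, err
}

// Respond is steps 5-6: KM = diversify^n(PM, R), MR = AES_KM(R), send (MSi, MR).
func (sm *SecurityModule) Respond(r []byte, n int) (msi, mr []byte, err error) {
	km, err := diversify(sm.pm, r, n)
	if err != nil {
		return nil, nil, err
	}
	mr, err = aesBlock(km, r, false)
	return sm.msi, mr, err
}

// VPNDevice holds the injected master key MK and the agreed round count n.
type VPNDevice struct {
	masterKey []byte
	rounds    int
}

// Verify is steps 7-10: Si' = AES^-1_MK(MSi), PM' = diversify(MK, Si'),
// KM' = diversify^n(PM', R), R' = AES^-1_KM'(MR); accept only if R' == R.
// Every helper returns nil on error and rejects nil input, so a failure at any
// step (including a malformed message) reaches the final check as a refusal.
func (v *VPNDevice) Verify(r, msi, mr []byte) bool {
	si, _ := aesBlock(v.masterKey, msi, true)
	pm, _ := diversify(v.masterKey, si, 1)
	km, _ := diversify(pm, r, v.rounds)
	rPrime, err := aesBlock(km, mr, true)
	return err == nil && subtle.ConstantTimeCompare(rPrime, r) == 1
}

func main() {
	mk := []byte("constructed-MK16") // constructed 16-byte master key, not a real value
	sm, _ := NewSecurityModule(mk, []byte("terminal-0001-si")) // constructed Si
	vpn := &VPNDevice{masterKey: mk, rounds: 3}
	r := make([]byte, aes.BlockSize) // step 4: a fresh random R for every access attempt
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	msi, mr, _ := sm.Respond(r, vpn.rounds)
	fmt.Println("terminal accepted:", vpn.Verify(r, msi, mr))
}
```

Three choices in this example are the ones a reviewer would look for in a real implementation of the scheme: R is drawn fresh from crypto/rand for every access attempt, so a captured (MSi, MR) pair does not pass a later challenge; the final R' = R comparison is constant-time; and the dispersion function is deliberately not the same operation as the MSi encryption, because otherwise the value sent in the clear in step 6 would be the application key itself. Note that, exactly as the patent describes, the exchange authenticates the terminal to the VPN device only; the terminal learns nothing about the identity of the device that issued R.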

Claims (7)

1. A method by which a terminal unit accesses a VPN device, characterised in that it includes:
Step 1: The cipher server initializes the terminal unit containing the security module, injecting a master control key into the security module; the security module generates a unique ciphertext dispersion factor MSi and an application key. The cipher server initializes the VPN device, injecting into the VPN device the master control key corresponding to the terminal unit;
Step 2: When the terminal unit accesses the VPN device, the VPN device actively carries out security authentication of the terminal unit;
In step 2, the detailed process by which the VPN device actively carries out security authentication of the terminal unit when it accesses the VPN device is:
Step 21: The VPN device generates a random number R and sends it to the security module of the terminal unit;
Step 22: The security module uses the application key PM to perform key dispersion on the random number R, obtaining the working key KM, and uses the working key KM to encrypt R, generating MR;
Step 23: The security module sends the ciphertext dispersion factor MSi and MR to the VPN device;
Step 24: The VPN device uses the master control key to decrypt MSi, obtaining the dispersion factor Si'; it then uses the master control key to perform key dispersion on the dispersion factor Si', generating the application key PM';
Step 25: The VPN device uses the application key PM' and R to perform key dispersion, generating the working key KM';
Step 26: The VPN device uses the working key KM' to decrypt the received MR, obtaining R';
Step 27: The VPN device compares R' with R; if R' = R, the terminal unit is allowed to access; otherwise the terminal unit is refused access.
2. The method by which a terminal unit accesses a VPN device according to claim 1, characterised in that in step 1 the concrete steps by which the security module generates the unique ciphertext dispersion factor MSi and the application key are:
Step 11: The security module uses the master control key to perform key dispersion on the dispersion factor Si that is unique to the security module, generating the application key PM;
Step 12: The security module uses the master control key to encrypt Si, generating the ciphertext dispersion factor MSi.
3. The method by which a terminal unit accesses a VPN device according to claim 1 or 2, characterised in that the key dispersion uses an international algorithm, and the encryption or decryption uses an international algorithm.
4. The method by which a terminal unit accesses a VPN device according to claim 3, characterised in that the encryption or decryption uses the DES algorithm, the AES algorithm, the SM1 algorithm or the SM4 algorithm.
5. The method by which a terminal unit accesses a VPN device according to claim 3, characterised in that the dispersion factor Si of each security module is different.
6. The method by which a terminal unit accesses a VPN device according to claim 3, characterised in that the transmission is performed by wireless or wired means.
7. The method by which a terminal unit accesses a VPN device according to claim 3, characterised in that the security module connects to the terminal unit in TF card form or USB form.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310371723.8A CN103441851B (en) 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device

Publications (2)

Publication Number Publication Date
CN103441851A CN103441851A (en) 2013-12-11
CN103441851B true CN103441851B (en) 2016-12-28

Family

ID=49695520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310371723.8A Active CN103441851B (en) 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device

Country Status (1)

Country Link
CN (1) CN103441851B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979458A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of two-dimensional bar data ciphering method
CN109274543A (en) * 2018-11-23 2019-01-25 广州市成格信息技术有限公司 A kind of method of the hot standby protection of user data special line is solved based on VxLan
CN109698833B (en) * 2018-12-28 2021-08-27 北京天易数聚科技有限公司 Method and system for performing collaborative authentication of identification information in Internet
CN111148056B (en) * 2020-04-03 2020-12-01 南京华智达网络技术有限公司 Operable network configuration method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581805A (en) * 2004-05-17 2005-02-16 深圳市深信服电子科技有限公司 VPN client end safety strategy exchange and storage method
CN1588846A (en) * 2004-09-08 2005-03-02 中国工商银行 Dynamic encrypting device in network and its password identification method
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9350708B2 (en) * 2010-06-01 2016-05-24 Good Technology Corporation System and method for providing secured access to services

Also Published As

Publication number Publication date
CN103441851A (en) 2013-12-11

Similar Documents

Publication Publication Date Title
CN109309565B (en) Security authentication method and device
CN102970299B (en) File safe protection system and method thereof
CN108494811B (en) Data transmission security authentication method and device
CN105072125B (en) A kind of http communication system and method
CN108809633B (en) Identity authentication method, device and system
CN104506534A (en) Safety communication secret key negotiation interaction scheme
CN108259407B (en) Symmetric encryption method and system based on timestamp
CN104219041A (en) Data transmission encryption method applicable for mobile internet
CN103973736A (en) Data sharing method and device
CN103595721A (en) Safe sharing method, sharing device and sharing system for files of network disk
CN105612728B (en) The safe data channel authentication of implicit shared key
CN103916363A (en) Communication security management method and system for encryption machine
CN103441851B (en) A kind of terminal unit accesses the method for VPN device
CN103701787A (en) User name password authentication method implemented on basis of public key algorithm
CN104579679A (en) Wireless public network data forwarding method for rural power distribution network communication equipment
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
GB2522445A (en) Secure mobile wireless communications platform
CN104270380A (en) End-to-end encryption method and system based on mobile network and communication client side
CN106789845A (en) A kind of method of network data security transmission
CN110730071A (en) Power distribution communication equipment safety access authentication method, device and equipment
CN110012467A (en) The packet authentication method of narrowband Internet of Things
KR20200099873A (en) HMAC-based source authentication and secret key sharing method and system for Unnamed Aerial vehicle systems
CN101094060A (en) Authorization method for point-to-point network
CN105391691A (en) Communication control method, device and system based on cloud computing
CN108809656A (en) A kind of Key Exchange Protocol building method based on double authentication protection signature

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.