CN105099930A - Method and device for controlling traffic of encrypted data flow - Google Patents
Method and device for controlling traffic of encrypted data flow
- Publication number: CN105099930A (application CN201410217872.3A)
- Authority: CN (China)
- Legal status: Granted
- Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention provides a method and a device for controlling the traffic of an encrypted data flow, applied on a bandwidth management device. The method comprises: when an authentication message carrying the subject information of an authentication certificate is detected, extracting the client IP address, server IP address and destination port number of the authentication message; querying whether a data flow entry for that client IP address, server IP address and destination port number exists in the data flow table, and if not, creating the corresponding data flow entry and adding it to the data flow table; and if an encrypted data flow matching an entry in the data flow table is detected, performing traffic control on that encrypted data flow. By identifying the authentication process, the method and device achieve traffic control of the authenticated encrypted data flow.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and device for controlling the traffic of an encrypted data flow.
Background technology
More and more applications, both web-based and non-web-based, are protected by SSL (Secure Sockets Layer)/TLS (Transport Layer Security). SSL/TLS is a security protocol that provides security and data integrity for network communication by encrypting the network connection at the transport layer. TLS is the successor of SSL, and TLSv1 is the first version of the TLS protocol.
In enterprise applications, with more and more data encrypted by the TLSv1 protocol, effective identification of this encrypted data by bandwidth management devices becomes particularly important. It can help restrict the transmission of TLSv1 traffic in the enterprise network; by identifying TLSv1-encrypted office services, bandwidth can be allocated to office services preferentially, ensuring that the enterprise's office business is handled normally, while encrypted data of non-office services can be blocked or rate-limited.
At present there is no mature method for identifying data encrypted with the TLSv1 protocol: protocol analysts often avoid the TLSv1 protocol and do not perform protocol identification analysis on the applications or software that use it. Even the few identification and analysis methods that exist are unsystematic and not general, and cannot be widely applied to the identification and analysis of other applications that use the TLSv1 protocol.
Summary of the invention
In view of this, the invention provides a method for controlling the traffic of an encrypted data flow, applied on a bandwidth management device, the method comprising:
When an authentication message carrying the subject information of an authentication certificate is detected, extracting the client IP address, server IP address and destination port number of the authentication message;
Querying whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, creating the corresponding data flow entry and adding it to the data flow table;
If an encrypted data flow matching an entry in the data flow table is detected, performing traffic control on that encrypted data flow.
The present invention also provides a device for controlling the traffic of an encrypted data flow, applied on a bandwidth management device, the device comprising:
A subject identification unit, for extracting the client IP address, server IP address and destination port number of an authentication message when an authentication message carrying the subject information of an authentication certificate is detected;
An entry establishment unit, for querying whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, creating the corresponding data flow entry and adding it to the data flow table;
A traffic control unit, for performing traffic control on an encrypted data flow when an encrypted data flow matching an entry in the data flow table is detected.
By identifying the authentication process, the present invention achieves traffic control of the encrypted data flow after authentication.
Brief description of the drawings
Fig. 1 is a schematic diagram of single-data-stream and multi-data-stream transmission under the TLSv1 protocol in one embodiment of the present invention.
Fig. 2 is a flow chart of the method for controlling the traffic of an encrypted data flow in one embodiment of the present invention.
Fig. 3 is a structural diagram of the device for controlling the traffic of an encrypted data flow in one embodiment of the present invention.
Fig. 4 is a diagram of the underlying hardware of the device for controlling the traffic of an encrypted data flow in one embodiment of the present invention.
Detailed description of embodiments
To make the objects, technical solution and advantages of the present invention clearer, the solution of the present invention is described in further detail below with reference to the accompanying drawings.
The present invention identifies the authentication process of an encryption protocol in order to identify the encrypted data flow, and thereby achieves traffic control of the encrypted data flow. Taking the TLSv1 protocol as the example, the present invention introduces the identification process for this encryption protocol so as to control the data flows it encrypts.
The TLSv1 protocol comprises two protocol groups: the record protocol and the handshake protocol. The handshake protocol includes a certificate authentication part. As shown in Fig. 1, when the TLSv1 protocol is used for single-data-stream transmission, the exchange of information between the client and the server is always completed over the same data stream; even when several file transfers are requested at the same time, they are transmitted sequentially, and the next file is transmitted only after the previous one has finished. For example, a system user login using the TLSv1 protocol is a single-stream transmission. For single-stream transmission, bandwidth management is achieved simply by blocking, rate-limiting or guaranteeing the data stream in which the certificate authentication takes place.
In multi-stream transmission, such as the file synchronisation of some network disks, the system performs certificate authentication only once and can then open several data streams simultaneously for transmission. In this case, since not every data stream contains the certificate authentication process, the single-stream bandwidth control method can only rate-limit or guarantee the stream in which the certificate authentication occurs; the other streams are initiated only after the client has authenticated successfully, carry no authentication process, and their data transmission is obviously unaffected. For this multi-stream traffic control problem, the specific implementation is as follows.
The invention provides a method for controlling the traffic of an encrypted data flow, applied on a bandwidth management device. Referring to Fig. 2, the method comprises the following steps:
Step 101: when an authentication message carrying the subject information of an authentication certificate is detected, extract the client IP address, server IP address and destination port number of the authentication message;
Step 102: query whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, create the corresponding data flow entry and add it to the data flow table;
Step 103: if an encrypted data flow matching an entry in the data flow table is detected, perform traffic control on that encrypted data flow.
A bandwidth management device controls network traffic, providing different network bandwidth for different business demands. The bandwidth management device stores a feature database, which holds partial features of the authentication certificate subjects to be identified. The certificate subjects to be identified can be defined by the manufacturer of the bandwidth management device: the manufacturer analyses the authentication certificates that need to be identified, extracts partial features of the subject in each certificate, and adds them to the feature database. The manufacturer publishes new feature database versions periodically, and the bandwidth management device obtains and upgrades to them. The user of the bandwidth management device selects, according to business needs, which certificate subjects require traffic control, forming the user's own feature database, which is used for feature matching during subsequent traffic control.
The TLSv1 protocol performs X.509v3 certificate authentication in its handshake protocol part. In the Hello message of the TLSv1 protocol, the server sends its X.509v3 authentication certificate, key exchange and other information to the client and requires the client to authenticate. After receiving this message, the client sends its X.509v3 authentication certificate and encryption key to the server, completing the negotiation of the encryption key, which is then used to encrypt data in subsequent transmission. The bandwidth management device identifies the authentication message by detecting whether the message sent by the client carries an X.509v3 authentication certificate.
Specifically, the device detects whether the subject information of this X.509v3 certificate is identical to the subject information of an X.509v3 certificate stored in the feature database of the bandwidth management device, which holds the subject information of all certificates that require traffic control. If the detection result is that the X.509v3 certificate subject information is identical, the client IP address, server IP address and destination port number of the authentication message are extracted. Since the subject information is a field that an X.509v3 certificate must contain, and the subject information of each user is globally unique, the encrypted data flow is identified by this information. For example, the bandwidth management device of an enterprise needs to rate-limit encrypted data flows that access the Yunio network disk, so that large volumes of non-office traffic do not occupy bandwidth and affect normal office services. When an enterprise employee uses an office computer to access the Yunio network disk to download movies, an authentication message is first sent to the Yunio network disk server; this authentication message carries an authentication certificate whose subject is Yunio network disk (in practice, the subject may be a piece of identification information representing the Yunio network disk). When the bandwidth management device detects this authentication message, it finds that the subject of the certificate in the message is Yunio network disk, which the enterprise's office services do not need to use; therefore it extracts from the authentication message the IP address of the office computer used by the employee, the IP address of the Yunio network disk server and the destination port number, for use in subsequent traffic control of the encrypted data flow.
After obtaining the IP addresses and destination port number of the client and server that require traffic control, the bandwidth management device queries its internal data flow table to confirm whether an entry for that client IP address, server IP address and destination port number exists; if not, it creates the corresponding data flow entry and adds it to the data flow table. Establishing this entry provides the basis for traffic control of multi-stream transmission: traffic control is applied to every data stream that matches the IP correspondence of an entry in the table. For example, when an enterprise employee accesses the Yunio network disk to download movies, an entry mapping the employee's office computer IP address, the Yunio network disk server IP address and the destination port number is first established, and in the subsequent download process the data streams matching that entry are rate-limited.
The bandwidth management device inspects each data stream and matches it against the entries in the data flow table; if the client IP address, server IP address and destination port number of an encrypted data stream are identical to those of an entry, the traffic control policy corresponding to that entry is executed. This is because, in multi-stream transmission, the authentication message appears only in the first data stream, so the several streams transmitted after authentication cannot be controlled by the certificate subject alone. Since all of the data streams are initiated by the client, this characteristic is used instead: a client-initiated data stream whose client IP address, server IP address and destination port number all match an entry stored in the data flow table is detected and subjected to traffic control. For example, when a data stream of an employee accessing the Yunio network disk is detected, because the entry was established during the authentication phase, the subsequent data streams can be matched against that entry, and if they match, traffic control is performed according to the control policy configured in advance by the enterprise.
Identification by certificate subject, as described above, achieves traffic control to a certain extent, but not all access to a given subject is necessarily non-office business. To make traffic control more accurate, after the entry match above, the total size of the first M packets of the stream is counted, and when this size is greater than the preset size N, the data stream is controlled. Empirical values of M and N can be estimated by the following method: for example, M is 30 (the M packets here do not include ACK packets); subtracting 3 possible handshake packets and estimating the payload of the other packets at an average of 500 bytes, 27 packets give roughly 13.5k, so N can be configured as 13k; M is suggested to be between 25 and 40. This judgement mainly exploits the characteristic that non-office services carry larger data volumes, in order to control that part of the data streams.
When establishing an entry, the bandwidth management device should set an aging time for the corresponding entry. When the aging time expires, the corresponding entry is deleted to save storage space on the bandwidth management device.
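As an added example (not the patent's own code), the Python model below implements the flow table described above, keyed by (client IP, server IP, destination port), together with entry aging and the first-M-packets size check using the page's figures M = 30 and N = 13k. The class name BandwidthManager, the feature database as a dict from certificate subject strings to policy labels, the 300-second aging time and the constructed scenario at the bottom are assumptions; the statistic is kept per connection by adding the client port to the key, while the policy lookup uses the page's three-field key, so a second stream opened after authentication is matched by the triplet but gets its own M-packet count.

```python
"""Added example (not part of the patent): a model of the flow table and the
control decision described on this page.

Assumptions (not from the patent): the feature database maps certificate
subject strings to policy labels; an "ACK message" is a segment with no
payload; the per-stream M-packet statistic is kept per connection by adding
the client port to the key; the aging time defaults to 300 s."""

from dataclasses import dataclass


@dataclass
class FlowEntry:
    policy: str            # control policy configured for the matched subject
    expires_at: float      # aging time after which the entry is deleted


@dataclass
class StreamStats:
    packets: int = 0       # non-ACK packets counted so far (capped at M)
    total_bytes: int = 0   # their total payload size
    controlled: bool = False


class BandwidthManager:
    """Keys flow entries by (client IP, server IP, destination port)."""

    def __init__(self, feature_db, m=30, n=13_000, aging_seconds=300.0):
        self.feature_db = feature_db    # subject -> policy label
        self.m, self.n = m, n           # first M packets, byte threshold N
        self.aging = aging_seconds
        self.table = {}                 # (client, server, port) -> FlowEntry
        self.stats = {}                 # (client, cport, server, port) -> StreamStats

    def on_auth_message(self, subject, client_ip, server_ip, dst_port, now):
        """Steps 101/102: when the certificate subject is in the feature
        database, create the flow entry if it does not exist yet."""
        policy = self.feature_db.get(subject)
        if policy is None:
            return False
        key = (client_ip, server_ip, dst_port)
        if key not in self.table:
            self.table[key] = FlowEntry(policy, now + self.aging)
        return True

    def expire(self, now):
        """Delete entries whose aging time has elapsed, and their statistics."""
        self.table = {k: e for k, e in self.table.items() if e.expires_at > now}
        self.stats = {k: s for k, s in self.stats.items()
                      if (k[0], k[2], k[3]) in self.table}

    def classify(self, client_ip, client_port, server_ip, dst_port, payload_len, now):
        """Step 103 with the M/N refinement. Returns the policy to apply to
        this client-initiated packet, or None to pass it through."""
        self.expire(now)
        entry = self.table.get((client_ip, server_ip, dst_port))
        if entry is None:
            return None
        key = (client_ip, client_port, server_ip, dst_port)
        st = self.stats.setdefault(key, StreamStats())
        if payload_len > 0 and st.packets < self.m:     # pure ACKs are not counted
            st.packets += 1
            st.total_bytes += payload_len
            if st.packets == self.m:                    # decide once M packets are in
                st.controlled = st.total_bytes > self.n
        return entry.policy if st.controlled else None


def run_scenario():
    """Constructed scenario: one authenticated stream that turns bulky, and a
    second stream to the same server:port opened without its own handshake.
    Returns (decision for stream 1, decision for stream 2, entries left after aging)."""
    bm = BandwidthManager({"netdisk.example.test": "limit-1mbps"}, m=30, n=13_000)
    client, server = "10.0.0.5", "203.0.113.10"
    bm.on_auth_message("netdisk.example.test", client, server, 443, now=0.0)
    bm.on_auth_message("mail.example.test", client, server, 443, now=0.0)  # not in feature db
    d1 = None   # 3 handshake-sized packets + 27 x 500-byte payloads = 13,950 B > N
    for size in [200, 150, 100] + [500] * 27:
        d1 = bm.classify(client, 50001, server, 443, size, now=1.0)
    d2 = None   # same triplet, small packets: 30 x 100 B = 3,000 B, not over N
    for _ in range(30):
        d2 = bm.classify(client, 50002, server, 443, 100, now=2.0)
    bm.expire(now=1000.0)           # well past the 300 s aging time
    return d1, d2, len(bm.table)
```

`run_scenario()` returns `("limit-1mbps", None, 0)`: the bulky stream is controlled once its first 30 counted packets exceed N, the small stream to the same server matches the entry but stays under N and passes, and both the entry and its statistics disappear once the aging time has elapsed.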
Corresponding to the method embodiment above, the embodiment of the present invention also provides a device 60 for controlling the traffic of an encrypted data flow, applied on a bandwidth management device. Referring to Fig. 3, the device 60 comprises:
A subject identification unit 61, for extracting the client IP address, server IP address and destination port number of an authentication message when an authentication message carrying the subject information of an authentication certificate is detected;
An entry establishment unit 62, for querying whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, creating the corresponding data flow entry and adding it to the data flow table;
A traffic control unit 63, for performing traffic control on an encrypted data flow when an encrypted data flow matching an entry in the data flow table is detected.
Further, the traffic control unit 63 is configured to count the total size of the first M packets of the encrypted data flow and, if the total size is greater than the preset size N, to perform traffic control on the encrypted data flow.
Further, the encrypted data flow is a data flow encrypted with the TLSv1 protocol.
Further, the subject information is the subject information in an X.509v3 certificate.
Further, the entry establishment unit 62 is configured to set the aging time of the data flow entry.
The device 60 for controlling the traffic of an encrypted data flow provided by the embodiment of the present invention can achieve traffic control of an encrypted data flow; for its specific implementation, see the description of the method embodiment above, which is not repeated here.
Referring to Fig. 4, the embodiment of the present invention also provides a device for controlling the traffic of an encrypted data flow, comprising a CPU, memory, non-volatile storage and other hardware. The CPU reads the corresponding programs or instructions from the non-volatile storage into memory and runs them to implement each step of the method embodiment above or the function of each module of the device shown in Fig. 3. Specifically:
The CPU, by reading the corresponding programs or instructions, extracts the client IP address, server IP address and destination port number of an authentication message when an authentication message carrying the subject information of an authentication certificate is detected;
The CPU, by reading the corresponding programs or instructions, queries whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, creates the corresponding data flow entry and adds it to the data flow table;
The CPU, by reading the corresponding programs or instructions, performs traffic control on an encrypted data flow if an encrypted data flow matching an entry in the data flow table is detected.
The present invention identifies the authentication process by the subject of the authentication certificate and thereby achieves traffic control of the encrypted data flow. There is also a second feasible method of identifying the authentication process: since most systems carry a domain-name (DNSName) extension in the ServerHello of the handshake protocol, and the DNSName differs between different certificate subjects, the authentication process can be identified by the DNSName.
The present invention can effectively identify encrypted data flows, protect the normal allocation of the customer's network traffic, block or rate-limit network traffic unrelated to the customer's needs, and guarantee and prioritise the transmission of the customer's critical business traffic.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. A method for controlling the traffic of an encrypted data flow, applied on a bandwidth management device, characterised in that the method comprises:
When an authentication message carrying the subject information of an authentication certificate is detected, extracting the client IP address, server IP address and destination port number of the authentication message;
Querying whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, creating the corresponding data flow entry and adding it to the data flow table;
If an encrypted data flow matching an entry in the data flow table is detected, performing traffic control on that encrypted data flow.
2. The method of claim 1, characterised in that performing traffic control on the encrypted data flow when an encrypted data flow matching an entry in the data flow table is detected specifically comprises:
Counting the total size of the first M packets of the encrypted data flow, and if the total size is greater than the preset size N, performing traffic control on the encrypted data flow.
3. The method of claim 1, characterised in that:
The encrypted data flow is a data flow encrypted with the TLSv1 protocol.
4. The method of claim 1, characterised in that:
The subject information is the subject information in an X.509v3 certificate.
5. The method of claim 1, characterised in that creating the corresponding data flow entry further comprises:
Setting the aging time of the data flow entry.
6. A device for controlling the traffic of an encrypted data flow, applied on a bandwidth management device, characterised in that the device comprises:
A subject identification unit, for extracting the client IP address, server IP address and destination port number of an authentication message when an authentication message carrying the subject information of an authentication certificate is detected;
An entry establishment unit, for querying whether a data flow entry for the client IP address, server IP address and destination port number exists in the data flow table, and if not, creating the corresponding data flow entry and adding it to the data flow table;
A traffic control unit, for performing traffic control on an encrypted data flow when an encrypted data flow matching an entry in the data flow table is detected.
7. The device of claim 6, characterised in that:
The traffic control unit is further configured to count the total size of the first M packets of the encrypted data flow and, if the total size is greater than the preset size N, to perform traffic control on the encrypted data flow.
8. The device of claim 6, characterised in that:
The encrypted data flow is a data flow encrypted with the TLSv1 protocol.
9. The device of claim 6, characterised in that:
The subject information is the subject information in an X.509v3 certificate.
10. The device of claim 6, characterised in that:
The entry establishment unit is further configured to set the aging time of the data flow entry.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410217872.3A CN105099930B (en) | 2014-05-21 | 2014-05-21 | Encrypting traffic flow control methods and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105099930A true CN105099930A (en) | 2015-11-25 |
CN105099930B CN105099930B (en) | 2019-07-09 |
Family
ID=54579515
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1477823A (en) * | 2003-07-31 | 2004-02-25 | CPU message flow control method of distributed exchange router system | |
CN101958842A (en) * | 2010-10-28 | 2011-01-26 | 神州数码网络(北京)有限公司 | Flow control method based on user |
CN101980500A (en) * | 2010-11-08 | 2011-02-23 | 中国电信股份有限公司 | Digital signature-based point-to-point flow control method and system |
CN102404347A (en) * | 2011-12-28 | 2012-04-04 | 南京邮电大学 | Mobile internet access authentication method based on public key infrastructure |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019075608A1 (en) * | 2017-10-16 | 2019-04-25 | Oppo广东移动通信有限公司 | Method and device for identifying encrypted data stream, storage medium, and system |
US11418951B2 (en) | 2017-10-16 | 2022-08-16 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method for identifying encrypted data stream, device, storage medium and system |
CN110225013A (en) * | 2019-05-30 | 2019-09-10 | 世纪龙信息网络有限责任公司 | The monitoring of certificate of service and more new system |
CN110225013B (en) * | 2019-05-30 | 2021-11-09 | 世纪龙信息网络有限责任公司 | Service certificate monitoring and updating system |
CN117938544A (en) * | 2024-03-19 | 2024-04-26 | 杭州海康威视数字技术股份有限公司 | Flow control method, device and equipment |
CN117938544B (en) * | 2024-03-19 | 2024-06-07 | 杭州海康威视数字技术股份有限公司 | Flow control method, device and equipment |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466. Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466. Applicant before: Huasan Communication Technology Co., Ltd. |
GR01 | Patent grant | |