CN105991647A - Data transmission method - Google Patents


Info

Publication number
CN105991647A
Authority
CN
China
Prior art keywords
card
packet
reading terminal
control module
safety control
Prior art date
Legal status
Granted
Application number
CN201610041107.XA
Other languages
Chinese (zh)
Other versions
CN105991647B (en)
Inventor
李明
Current Assignee
Tendyron Corp
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN201610041107.XA
Publication of CN105991647A
Application granted
Publication of CN105991647B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a data transmission method. A border router receives a data packet sent by a card-reading terminal and forwards it to a selected border firewall; the selected border firewall forwards the packet together with the identifier of the target device to a core switch; the core switch forwards the packet to a dispatch server or to a service-area firewall according to the identifier of the target device; on receiving the packet, the dispatch server selects an idle authentication security control module for the card-reading terminal and sends that module's identifier to the terminal; on receiving the packet, the service-area firewall forwards it to a first authentication security control module; the first authentication security control module decrypts the packet and sends the decrypted packet to a first verification security control module; the first verification security control module returns a corresponding first data packet to the first authentication security control module according to the decrypted packet; and the first authentication security control module encrypts the first data packet and sends it to the card-reading terminal.

Description

Data transmission method
Technical field
The present invention relates to the field of electronic technology, and in particular to a data transmission method.
Background technology
What a resident's second-generation Chinese identity card stores is a ciphertext of the ID-card information; only a verification security control module authorised by the Ministry of Public Security can decrypt it. An existing front-end identity-card reading terminal contains at least two modules: a reading module and a resident-ID-card verification security control module. Because every front-end ID-card reader carries its own verification security control module, the manufacturing cost of existing front-end readers is high. Further, since one verification security control module can only authenticate the ID-card information read by its own reading module, the utilisation of existing front-end readers is low. To solve this problem an improved scheme has appeared: the front-end ID-card reader no longer contains the verification security control module, which is instead placed on the back-end side, so that the utilisation of the verification security control modules rises.
However, the back end sits in an open network environment, and any card reader can ask the back end for access to a resident-ID-card verification security control module. This greatly increases the security risk to those modules: once a verification security control module is compromised by an illegitimate card reader, the ID-card root certificate stored in it can be stolen or even tampered with by a wrongdoer, with consequences that are hard to imagine. Moreover, since the back end may be equipped with several verification security control modules, uneven task distribution can leave some modules idle while others are overloaded.
Content of the invention
The present invention aims to solve one of the problems referred to above.
The main object of the present invention is to provide a data transmission method.
To achieve the above object, the technical solution of the present invention is realised as follows:
One aspect of the present invention provides a data transmission method comprising: a border router receives a data packet sent by a card-reading terminal, selects a border firewall to send it to according to a path-selection strategy, and sends the packet to the selected border firewall; the selected border firewall receives the packet, determines from its content the identifier of the target device that the card-reading terminal is accessing, and sends the packet and the identifier of the target device to a core switch; the core switch, according to the identifier of the target device, either sends the packet to a dispatch server or sends the packet and the identifier of the target device to the service-area firewall of a service zone; where the core switch sends the packet to the dispatch server, the dispatch server receives the packet, selects an idle authentication security control module for the card-reading terminal, and sends the identifier of that idle authentication security control module to the card-reading terminal; where the core switch sends the packet and the identifier of the target device to the service zone, the service-area firewall receives the packet and judges, according to a preset service-area firewall filtering policy, whether access to the identifier of the target device is allowed, and if so sends the packet to a first authentication security control module, namely the authentication security control module indicated by the identifier of the target device; the first authentication security control module receives the packet, decrypts it, and sends the decrypted packet to a first verification security control module, which is the verification security control module connected to the first authentication security control module; the first verification security control module receives the decrypted packet and, according to the data content it carries, returns a corresponding first data packet to the first authentication security control module; the first authentication security control module receives the first data packet returned by the first verification security control module, encrypts it, and sends the encrypted first data packet to the card-reading terminal.
Further, the data packet includes at least a public identifier of the target device, and the selected border firewall determines the identifier of the target device from the packet content by mapping the public identifier of the target device to the corresponding identifier of the target device according to a network address translation protocol.
Further, before the border router selects a border firewall according to the path-selection strategy and sends the packet to it, the method also includes: the border router judges, according to a preset border-routing filtering policy, whether the public identifier of the target device is allowed to pass through the border router; only if it is allowed does the router perform the step of selecting a border firewall according to the path-selection strategy and sending the packet to the selected border firewall.
Further, before the selected border firewall determines the identifier of the target device from the packet content, the method also includes: the selected border firewall judges, according to a preset border-firewall filtering policy, whether the packet contains illegal data; only if it does not does the firewall perform the step of determining, from the packet content, the identifier of the target device that the card-reading terminal is accessing.
Further, the data packet also includes at least identification information of the card-reading terminal and a digital certificate of the card-reading terminal; before the dispatch server selects an idle authentication security control module for the card-reading terminal, the method also includes: the dispatch server judges from the identification information whether the card-reading terminal is allowed to access, judges whether the digital certificate of the card-reading terminal is abnormal, and proceeds only on judging that the card-reading terminal is allowed to access and that its certificate is normal.
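The dispatch server's admission checks and idle-module selection described above, as an added Python example that is not code from the patent. The allow-list of terminal identifiers, the certificate fields (subject, validity window, revocation flag), the module identifiers and the module pool are all constructed assumptions; the patent says only that the terminal's identification information and certificate are checked and that an idle module is chosen.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so certificate validity windows can be written compactly."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class TerminalCertificate:
    """Minimal stand-in for the card-reading terminal's digital certificate (constructed)."""
    subject: str            # identification information of the card-reading terminal
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass
class AuthModule:
    """One authentication security control module in the service zone."""
    module_id: str
    busy: bool = False


@dataclass
class DispatchServer:
    allowed_terminals: set[str]                  # assumed allow-list of terminal identifiers
    modules: list[AuthModule]
    assignments: dict[str, str] = field(default_factory=dict)   # terminal -> module

    def certificate_is_normal(self, cert: TerminalCertificate, now: datetime) -> bool:
        """'Abnormal' here means revoked or outside its validity window (assumption)."""
        return not cert.revoked and cert.not_before <= now <= cert.not_after

    def dispatch(self, terminal_id: str, cert: TerminalCertificate,
                 now: datetime | None = None) -> tuple[bool, str]:
        """Return (True, module_id) when a module is assigned, else (False, reason)."""
        now = now or datetime.now(timezone.utc)
        if terminal_id not in self.allowed_terminals:
            return False, "terminal not allowed to access"
        if cert.subject != terminal_id:
            return False, "certificate does not belong to this terminal"
        if not self.certificate_is_normal(cert, now):
            return False, "certificate abnormal"
        idle = next((m for m in self.modules if not m.busy), None)
        if idle is None:
            return False, "no idle authentication security control module"
        idle.busy = True                      # reserve it for this terminal
        self.assignments[terminal_id] = idle.module_id
        return True, idle.module_id

    def release(self, terminal_id: str) -> None:
        """Return the terminal's module to the idle pool once its session ends."""
        module_id = self.assignments.pop(terminal_id, None)
        for m in self.modules:
            if m.module_id == module_id:
                m.busy = False


def make_sample_server() -> DispatchServer:
    """Constructed pool: one module already in use and one idle."""
    return DispatchServer({"RT-0001", "RT-0002"},
                          [AuthModule("ASC-1", busy=True), AuthModule("ASC-2")])
```

The check that the certificate subject matches the terminal's identification information is an added precaution: without it a terminal on the allow-list could present any valid certificate, and the two fields the patent sends in the packet would never be tied together.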
Further, before the first authentication security control module decrypts the packet, the method also includes: the dispatch server obtains, according to the identification information of the card-reading terminal, the ciphertext of the terminal's authentication key from an authentication database and sends it to the first authentication security control module; this ciphertext is obtained by encrypting the terminal's authentication key with the protection key of the authentication database. The first authentication security control module decrypts the packet by obtaining the protection key, decrypting the ciphertext with the protection key to recover the terminal's authentication key, and decrypting the packet with that authentication key. The first verification security control module returns the corresponding first data packet according to the data content carried by the decrypted packet as follows: where the data content is identity-card card-seeking data, the first verification security control module returns a first data packet that includes at least card-seeking response data; where the data content is identity-card card-selection data, it returns a first data packet that includes at least the data needed to authenticate the identity card read by the card-reading terminal; where the data content is identity-card information ciphertext, it decrypts that ciphertext to obtain the identity-card information plaintext and returns a first data packet that includes at least that plaintext.
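The key-handling flow just described, as an added Python example that is not the patent's code. The patent names no cipher, so this block uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag, built only from the standard library, purely to make the flow runnable; a deployment would use an authenticated cipher such as AES-GCM or SM4 from a proper library. The protection key, the terminal's authentication key, the card key, the terminal identifier, the JSON message shapes and the sample card payload are all constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: bytes | None = None) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC). Illustrative construction only."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a modified packet is rejected before any decryption."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication tag mismatch: packet rejected")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class AuthenticationDatabase:
    """Holds each terminal's authentication key only as ciphertext under the protection key."""
    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key
        self._wrapped: dict[str, bytes] = {}

    def enrol(self, terminal_id: str, auth_key: bytes) -> None:
        self._wrapped[terminal_id] = encrypt(self._protection_key, auth_key)

    def wrapped_key_for(self, terminal_id: str) -> bytes:
        return self._wrapped[terminal_id]


class VerificationModule:
    """Holds the ID-card key; its only interface is the paired authentication module."""
    def __init__(self, card_key: bytes):
        self._card_key = card_key

    def handle(self, request: dict) -> dict:
        kind = request["type"]
        if kind == "card_seek":
            return {"type": "card_seek_response", "card_present": True}
        if kind == "card_select":
            return {"type": "card_select_response", "auth_data": os.urandom(8).hex()}
        if kind == "id_info_ciphertext":
            plain = decrypt(self._card_key, bytes.fromhex(request["data"]))
            return {"type": "id_info_plaintext", "plaintext": plain.decode()}
        raise ValueError(f"unknown request type {kind}")


class AuthenticationModule:
    """Unwraps the terminal key with the protection key, then decrypts and re-encrypts."""
    def __init__(self, protection_key: bytes, verifier: VerificationModule):
        self._protection_key = protection_key   # assumed to come from secure storage
        self._verifier = verifier

    def serve(self, wrapped_auth_key: bytes, packet: bytes) -> bytes:
        auth_key = decrypt(self._protection_key, wrapped_auth_key)
        request = json.loads(decrypt(auth_key, packet))
        reply = self._verifier.handle(request)
        return encrypt(auth_key, json.dumps(reply).encode())


def run_exchange(tamper: bool = False) -> list[dict]:
    """Drive the three request types through the chain and return the decrypted replies.
    With tamper=True the last packet is corrupted in flight and must be rejected."""
    protection_key, card_key, auth_key = os.urandom(32), os.urandom(32), os.urandom(32)
    terminal_id = "RT-0001"
    db = AuthenticationDatabase(protection_key)
    db.enrol(terminal_id, auth_key)
    auth_module = AuthenticationModule(protection_key, VerificationModule(card_key))
    card_ciphertext = encrypt(card_key, b"NAME=SAMPLE HOLDER;NO=000000000000000000")  # constructed
    requests = [{"type": "card_seek"}, {"type": "card_select"},
                {"type": "id_info_ciphertext", "data": card_ciphertext.hex()}]
    replies = []
    for i, request in enumerate(requests):
        packet = encrypt(auth_key, json.dumps(request).encode())
        if tamper and i == len(requests) - 1:
            packet = packet[:-1] + bytes([packet[-1] ^ 0x01])   # flip one tag bit
        reply = auth_module.serve(db.wrapped_key_for(terminal_id), packet)
        replies.append(json.loads(decrypt(auth_key, reply)))
    return replies


def tamper_is_rejected() -> bool:
    try:
        run_exchange(tamper=True)
    except ValueError:
        return True
    return False
```

The point the code makes that the text does not: the authentication module never sees the card key, and the verification module never sees the terminal's authentication key, so compromising either module alone does not expose both secrets; and because the tag is checked before decryption, a packet altered between the terminal and the module is dropped without reaching the verification module at all.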
Further, the method also includes: a traffic-cleaning device connected to the border router monitors the service traffic flowing through the border router and, if it detects from that traffic that the border router is under a distributed denial-of-service attack, cleans the service traffic flowing through the border router.
Further, there are several dispatch servers, and the method also includes: where the core switch sends the packet to the several dispatch servers, a load balancer connected between the core switch and the dispatch servers assigns the packet to one of them according to a balancing policy.
Further, the method also includes: an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches it against historical user behaviour models, pre-stored expert knowledge and a neural network model; once a match succeeds, it judges that intrusion behaviour exists.
Further, the method also includes: an intrusion prevention device connected to the core switch monitors the packets received by the core switch, judges whether a received packet is illegal data, and if so discards it.
As can be seen from the technical solution above, the invention provides a data transmission method that divides the system into three tiers, an Internet connection zone, an isolation zone and a service zone, applies a different security policy at each tier and, through multiple layers of security perimeter, improves the security of the whole system at the network level, so as to keep the service zone from malicious attack and in particular to protect the authentication security control modules and verification security control modules.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention more clearly, the drawings needed in describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of the identity-card cloud authentication system provided by embodiment 1 of the invention;
Fig. 2 is a structural diagram of the identity-card cloud authentication system provided by embodiment 1 of the invention;
Fig. 3 is a structural diagram of the card-reading system provided by embodiment 1 of the invention;
Fig. 4 is a flow chart of the data transmission method provided by embodiment 2 of the invention;
Fig. 5 is a structural diagram of the inner-tube server provided by embodiment 3 of the invention;
Fig. 6 is a flow chart of the identity-card reading method provided by embodiment 4 of the invention.
Detailed description of the invention
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the embodiments described are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
In the description of the invention, it should be understood that orientation or positional terms such as "centre", "longitudinal", "lateral", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" refer to the orientations or positions shown in the drawings, are used only to simplify the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the invention. The terms "first" and "second" are used for description only and do not indicate or imply relative importance, quantity or position.
In the description of the invention, unless otherwise expressly specified and limited, the terms "mounted", "linked" and "connected" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct or through an intermediary; or internal to two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the circumstances.
The embodiments of the invention are described in further detail below with reference to the drawings.
Embodiment 1
This embodiment provides an identity-card cloud authentication system. As shown in Fig. 1, the system is divided by function into three zones, an Internet connection zone 10, an isolation zone 20 and a service zone 30, and different technical measures are taken in each zone to improve the security of the whole system at the network level. The Internet connection zone 10 is the Internet entry point of the whole identity-card cloud authentication system and includes at least a border router 101 and a border firewall 102. It sits in an open network environment; its main function is Internet connectivity, and through the border router and border firewall it resists unauthorised access, forming the first line of defence from the Internet into the intranet. The isolation zone 20 is a buffer between the non-secure and the secure system, set up to address the problem that, once a firewall is installed, external networks cannot reach internal servers. It lies between the Internet connection zone and the service zone, is responsible for isolating the service zone from the Internet, and includes at least a core switch 201 and a dispatch server 202; through the core switch 201 and dispatch server 202, packets from different card-reading terminals are distributed evenly across the authentication security control modules of the service zone 30. The service zone 30 is the core of the identity-card cloud authentication system and provides no service directly to Internet clients (i.e. card-reading terminals). It includes at least a service-area firewall 301, n authentication security control modules 302 and n verification security control modules 303, with authentication and verification modules paired one to one; each verification security control module 303 has only one external interface, which is connected to its corresponding authentication security control module 302. Data from Internet clients (i.e. card-reading terminals) can enter the core LAN only by passing from the isolation zone through the service-area firewall 301, which is what protects the core LAN.
In this embodiment, the border router 101 receives the packet sent by the card-reading terminal, selects a border firewall according to a path-selection strategy and sends the packet to it. The selected border firewall 102 receives the packet, determines from its content the identifier of the target device that the card-reading terminal is accessing, and sends the packet and the identifier of the target device to the core switch 201. The core switch 201, according to the identifier of the target device, either sends the packet to the dispatch server 202 or sends the packet and the identifier of the target device to the service-area firewall 301 of the service zone 30. The dispatch server 202, on receiving the packet, selects an idle authentication security control module for the card-reading terminal and sends that module's identifier to the terminal. The service-area firewall 301, on receiving the packet, judges according to a preset service-area firewall filtering policy whether access to the identifier of the target device is allowed and, if so, sends the packet to the first authentication security control module, i.e. the authentication security control module 302 indicated by the identifier of the target device. The first authentication security control module 302 receives the packet, decrypts it and sends the decrypted packet to the first verification security control module, i.e. the verification security control module 303 connected to it. The first verification security control module 303 receives the decrypted packet and, according to the data content it carries, returns a corresponding first data packet to the first authentication security control module 302, which encrypts the first data packet and sends the encrypted packet to the card-reading terminal.
The identity-card cloud authentication system of this embodiment thus divides the system into three tiers, an Internet connection zone, an isolation zone and a service zone, applies a different security policy at each tier and, through multiple layers of security perimeter, improves the security of the whole system at the network level, so as to keep the service zone from malicious attack and in particular to protect the authentication security control modules and verification security control modules.
To prevent single points of failure and improve the stability of the system's servers, each network device in each zone of the system of this embodiment may be provided in multiples: one or more border routers, one or more border firewalls, one or more core switches 201 and one or more service-area firewalls 301. For ease of description this embodiment takes two of each network device as an example, as shown in Fig. 2, in a dual-node hot-standby arrangement. Both border routers are active at the same time: whichever receives a packet from a card-reading terminal forwards it to the border firewall selected by the path-selection strategy. Both core switches are also active and can receive the packets (service traffic) sent by the border firewalls; whichever core switch receives a packet forwards it according to the identifier of the target device. The main purpose of dual-node hot standby is to keep a failure in one network device from affecting the normal operation of the system: if one device goes down, the other continues to work.
In this embodiment, to prevent single points of failure, multiple border firewalls may be deployed. When there are several, the border router needs to choose a path by which to send the packet to the core switch 201, i.e. which border firewall to send through. Here the border router selects the border firewall according to a path-selection strategy, which may be, for example, choosing a border firewall at random, choosing the one nearest to the border router, choosing the one with the shortest data transmission time, or choosing the one with the strongest traffic-handling capacity.
The border router is the access point through which the external Internet reaches the identity-card cloud authentication system. As the bridge between intranet and extranet, its secure operation bears on the secure operation of the whole system, so the border router is the first target and main focus of hacker attack and ought to be a priority of the network administrator's maintenance. On this basis, as an optional embodiment, the border router is also used to judge, according to a preset border-routing filtering policy, whether the public identifier of the target device (which may be, for example, a public-network access IP address) is allowed to pass through the border router, and only if so to carry out the operation of sending the packet to the selected border firewall. The border router, as the first line of defence of the identity-card cloud authentication system, thereby keeps unauthorised access that does not meet the border-routing filtering policy outside the system and improves the security of the whole system at the network level.
As one optional border-routing filtering policy, the network segments allowed to access may be configured on the border router in advance; the router judges whether the public identifier of the target device (for example, the public-network access IP address) falls within those segments, and if so allows the packet through and forwards it upstream, otherwise discarding the packet sent by the card-reading terminal. To prevent other unauthorised access, the border-routing filtering policy may also include at least one of the following:
Mode one: change the default password. The border router's default password is changed to a password with no special meaning.
Mode two: disable IP directed broadcast. Once IP directed broadcast is disabled, Smurf attacks are effectively prevented.
Mode three: disable the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: block ICMP (Internet Control Message Protocol) ping requests. Blocking ping makes the system easier to keep out of unattended scanning activity and reduces the likelihood of its being hacked.
Mode five: block unnecessary ports. Apart from the ports on which the service zone normally provides external service, all other ports are closed.
Thus, through the maintenance of the border router, unauthorised access that does not meet the border-routing filtering policy is kept outside the identity-card cloud authentication system, ensuring its security.
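The border-routing filtering policy (allowed network segment, modes two, four and five) and the path-selection strategies listed above, as an added Python example that is not code from the patent. The address ranges, the open service port, the packet fields and the firewalls' measured latencies and capacities are constructed assumptions; mode one (password change) and mode three (disabling the router's HTTP service) are device configuration rather than per-packet decisions and are not modelled.

```python
from __future__ import annotations
import ipaddress
import random
from dataclasses import dataclass

# Constructed policy: the public network segment(s) configured on the border router.
ALLOWED_SEGMENTS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: the only port on which the service zone serves the outside (mode five).
SERVICE_PORTS = {443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str           # public access IP of the target device
    dst_port: int
    protocol: str         # "tcp", "udp" or "icmp"
    icmp_type: int = -1   # 8 = echo request (ping)


@dataclass(frozen=True)
class BorderFirewall:
    name: str
    latency_ms: float     # measured transmission time from the router (constructed)
    capacity: int         # relative traffic-handling capacity (constructed)


def border_router_allows(pkt: Packet) -> tuple[bool, str]:
    """Apply the border-routing filtering policy; returns (allowed, reason)."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    if not any(dst in seg for seg in ALLOWED_SEGMENTS):
        return False, "destination outside the configured network segment"
    if any(dst == seg.broadcast_address for seg in ALLOWED_SEGMENTS):
        return False, "IP directed broadcast disabled"            # mode two (anti-Smurf)
    if pkt.protocol == "icmp" and pkt.icmp_type == 8:
        return False, "ICMP echo request blocked"                 # mode four
    if pkt.protocol in ("tcp", "udp") and pkt.dst_port not in SERVICE_PORTS:
        return False, f"port {pkt.dst_port} closed"               # mode five
    return True, "allowed"


def select_border_firewall(firewalls: list[BorderFirewall], strategy: str = "shortest_time",
                           rng: random.Random | None = None) -> BorderFirewall:
    """The path-selection strategies named in the text, as functions over measured values."""
    if not firewalls:
        raise ValueError("no border firewall available")
    if strategy == "random":
        return (rng or random).choice(firewalls)
    if strategy == "shortest_time":
        return min(firewalls, key=lambda fw: fw.latency_ms)
    if strategy == "strongest":
        return max(firewalls, key=lambda fw: fw.capacity)
    raise ValueError(f"unknown strategy {strategy}")


def border_router_forward(pkt: Packet, firewalls: list[BorderFirewall],
                          strategy: str = "shortest_time") -> str | None:
    """Filter first, then choose the firewall; None means the packet was dropped."""
    allowed, _reason = border_router_allows(pkt)
    if not allowed:
        return None
    return select_border_firewall(firewalls, strategy).name
```

Note the ordering: the segment check runs before anything else, so a packet to an address the router was never told about is dropped without consulting the port or protocol rules, and the firewall is selected only for packets that survive every rule.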
The main function of the perimeter firewall 102 is to control access from the external network (the internet) to the internal network and to protect the internal network from attacks by internet card-reading terminals (mainly meaning unauthorized hackers). Using network address translation, the perimeter firewall 102 maps all host addresses of the protected internal network (that is, the destination IP address and destination port: the private IP address and port of the dispatch server or of a security control module) onto a few valid public network IP addresses configured on the firewall (that is, the access IP address and access port). In this way, a device on the external network (a card-reading terminal) can only obtain the access IP address and access port, and cannot obtain the real IP address and port of the device that is actually accessed (that is, the destination IP address and destination port), so the internal network structure and IP addresses are shielded from the outside and the security of the internal network is protected. Therefore, in the present embodiment, the packet includes at least the public identifier of the destination device, and the selected perimeter firewall determining, according to the content of the packet, the identifier of the destination device accessed by the card-reading terminal includes: the selected perimeter firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol. Here, the public identifier of the destination device is the access IP address and access port of the public network, and the identifier of the destination device is the destination IP address and destination port of the intranet device that is actually accessed (such as the dispatch server or an authentication security control module). After the perimeter firewall 102 receives the packet, it first maps the public identifier of the destination device (that is, the public network access IP address and access port) to the identifier of the corresponding destination device (that is, the destination IP address and destination port) according to the network address translation protocol (Network Address Translation, NAT for short); the destination IP address and destination port are the actual address of the internal network device, and the packet is forwarded according to the destination IP address and destination port.
The perimeter firewall is a filtering and blocking facility built on the boundary between the internal and external networks; the internal network (the identity card cloud authentication system) is regarded as secure and trusted, while the external network is regarded as insecure and untrusted. The function of the firewall is to prevent undesired and unauthorized communication from entering or leaving the protected internal network, thereby strengthening the security of the internal network through boundary control. Therefore, as one optional implementation of the present embodiment, the perimeter firewall 102 is further configured to judge, according to a preset perimeter firewall filtering policy, whether the packet contains invalid data, and if not, to perform the operation of determining the identifier of the destination device accessed by the card-reading terminal according to the content of the packet, that is, the operation of mapping the access IP address and access port to the corresponding destination IP address and destination port. The perimeter firewall can thus greatly reduce the management cost of overall network security construction and improve the security of the identity card cloud authentication system.
As one optional perimeter firewall filtering policy, a DDoS (Distributed Denial of Service) feature database may be configured on the perimeter firewall in advance. This kind of database is similar to a virus library and stores DDoS feature values; the perimeter firewall matches the content of the received packet against the DDoS feature values in the DDoS feature database. If a match is found, the packet is determined to be an invalid packet, the perimeter firewall is under DDoS attack, and the packet is discarded rather than forwarded to the core switch. In general, invalid packets take many forms: some invalid packets contain no card-reading terminal data at all and consist only of attack messages, while others may contain partly valid data and partly attack messages; these are not described in detail here.
As one optional implementation of the present embodiment, as shown in Figure 2, the internet access zone 10 further includes a traffic cleaning device 103 connected to the border router, for monitoring the service traffic flowing through the border router and, if it detects from that traffic that the service traffic flowing through the border router is under a distributed denial of service (DDoS) attack, performing traffic cleaning on the border router.
In the present embodiment, the traffic cleaning device 103 monitors the internet access data (that is, the packets received by the border router) in real time, so that abnormal traffic, including distributed denial of service (DDoS) attack traffic, is discovered promptly. When the abnormal traffic reaches or exceeds a preset security baseline, the traffic cleaning device starts the cleaning and filtering process. Through the traffic cleaning device, the system relieves the pressure that DDoS attack traffic places on the internal network, improves the effective use of bandwidth, protects the internal network from attacks from the internet and improves network performance.
Thus, the internet access zone 10 of the system can reject illegal access to the system through the border router and the perimeter firewall while ensuring normal access to the system by card-reading terminals, and can monitor incoming internet data in real time through the traffic cleaning device, washing out abnormal traffic without affecting normal service, so as to protect the internal network from attacks from the internet and improve network performance.
The core switch 201 is the basic network device of the whole identity card cloud authentication system and must forward a very large volume of traffic, because card-reading terminals may be distributed across the whole country and number in the thousands; the core switch therefore has higher requirements for redundancy, reliability and forwarding speed. In the present embodiment, the core switch 201 receives the packet sent by the perimeter firewall together with the identifier of the destination device that the card-reading terminal has been determined to access (for example, the destination IP address and destination port of the device), and forwards the received packet to the device actually accessed, which is the one pointed to by the destination IP address and destination port. In the system, the devices that a card-reading terminal actually needs to access are mainly of two kinds: the dispatch server 202 and an authentication security control module 302 of the service area. The card-reading terminal must first access the dispatch server 202, which allocates an idle authentication security control module 302 to it; after the card-reading terminal has received the identifier (that is, the access port) of the authentication security control module 302 allocated to it by the dispatch server, the card-reading terminal can access that authentication security control module 302 directly. Therefore, in the present embodiment, the core switch 201 is configured to send the packet to the dispatch server 202 according to the identifier of the destination device, or to send the packet and the identifier of the destination device to the service area 30 according to the identifier of the destination device, which includes:
The core switch 201 judges the identifier of the destination device: if the identifier of the destination device indicates the dispatch server, the packet is sent to the dispatch server; if the identifier of the destination device indicates an authentication security control module of the service area, the packet and the identifier of the destination device are sent to the service area firewall of the service area. Specifically, if the identifier of the destination device is the IP address and port of the dispatch server 202, the packet is sent to the dispatch server 202; if the identifier of the destination device is the IP address and port of an authentication security control module 302 of the service area, the packet and the identifier of the destination device are sent to the service area firewall 301 of the service area. In this way the core switch completes the forwarding of a large volume of data.
The core switch 201 is in fact a computer optimized for forwarding packets, but a computer can be hacked, for example by illegally obtaining control of the core switch 201 and causing network paralysis; on the other hand it can also suffer DDoS attacks. To prevent the core switch 201 from being illegally compromised, as shown in Figure 2, the isolation zone 20 provided by the present embodiment further includes an intrusion detection device 203 and an intrusion prevention device 204 connected to the core switch 201. The intrusion detection device 203 monitors in real time the service traffic flowing through the core switch 201 and matches that traffic against the user's historical behaviour model, pre-stored expert knowledge and a neural network model; once a match succeeds, it determines that intrusion behaviour exists, immediately disconnects the connection between the card-reading terminal and the accessed device, collects evidence and carries out data recovery. In addition, the service traffic flowing through the core switch 201 may be monitored in combination with an anomaly detection strategy. By monitoring the operating condition of the core switch 201 with the intrusion detection device 203, attack attempts, attack behaviour and attack results are discovered as far as possible, so as to ensure the confidentiality, integrity and availability of the network system resources.
The intrusion prevention device 204 is configured to monitor the packets received by the core switch 201, judge whether a packet received by the core switch 201 is invalid data and, if so, discard the packet received by the core switch 201. The intrusion prevention device 204 may judge whether a packet received by the core switch 201 is invalid data in the following way: for example, the intrusion prevention device 204 matches the packet received by the core switch 201 against the virus features of a preset virus database, and if a match is found, the matched packet is determined to be invalid data. In addition, abnormal conditions in applications or in network transmission may also be considered, such as a user or user program violating security regulations, a packet appearing during a period in which it should not appear, or an operating system vulnerability or application weakness being exploited, to help identify intrusions and attacks. Although the intrusion prevention device also considers known virus features, it does not rely solely on them; the intrusion prevention device supplements the anti-virus software and the firewall to improve the security of the system.
As one optional implementation of the present embodiment, as shown in Figure 2, the identity card cloud authentication system provided by the present embodiment further includes an internal management server 205 for receiving the user's configuration of the identity card cloud authentication system. The internal management server 205 may be connected to the core switch 201 and send the configuration information through the core switch 201 to the cloud authentication database for storage, and each network device of the identity card cloud authentication system can retrieve the configuration information from the cloud authentication database and perform the relevant configuration. For the description of the internal management server 205, reference may be made specifically to the description in Embodiment 3.
The dispatch server 202 provides card-reading terminals with the dispatch service for idle authentication security control modules 302; the authentication security control modules 302 of the service area 30 are dispatched in a unified way by the dispatch server 202. Each time a card-reading terminal requests identity card reading service, the dispatch server 202 selects an idle authentication security control module for the card-reading terminal and sends the identifier of the idle authentication security control module to the card-reading terminal. Specifically, the dispatch server 202 may obtain from the authentication database of the service area the port status list within the jurisdiction of the dispatch server, in which each port corresponds to one authentication security control module; select from the port status list, on the principle of balancing work tasks, one idle port as the access port for the card-reading terminal (that is, the identifier of the idle authentication security control module); and send the access port to the card-reading terminal. Unified dispatch of the multiple authentication security control modules 302 of the service area is thus achieved.
In the identity card cloud authentication system, to avoid a single point of failure of the dispatch server 202 causing loss of data traffic, the dispatch server 202 may be deployed in cluster mode, with different numbers of dispatch servers 202 deployed according to different service capacity requirements. To effectively solve the problems of excessive data traffic and excessive network load on a single dispatch server 202, the identity card cloud authentication system provided by the present embodiment also adds a load balancer 206 in front of the multiple dispatch servers 202. As shown in Figure 2, the load balancer 206 is connected to the intrusion prevention device 204 and achieves, via the core switch, unified dispatch of the clustered dispatch servers 202; the load balancer can distribute packets reasonably among the dispatch servers 202 of the cluster according to a balancing policy, effectively solving the problem of uneven load on the dispatch servers 202, preventing single points of failure and improving the stability of the system service.
The present embodiment additionally provides a card-reading system, which includes the above identity card cloud authentication system and a card-reading terminal 40. Figure 3, based on Figure 2, is a structural diagram of the card-reading system. The card-reading terminal 40 is configured, in the flow of reading identity card information at a verification security control module 303 of the service area 30, to read the data related to the identity card information from the identity card, generate a packet and send it to the border router 201; it is further configured to receive the encrypted first packet returned by the authentication security control module 302 and decrypt the encrypted first packet to obtain the decrypted first packet. The card-reading system may contain many card-reading terminals 40 distributed across the country, so that the identity card information read by card-reading terminals in all parts of the country can be processed uniformly by the identity card cloud authentication system of the card-reading system, which greatly improves the working efficiency of the verification security control modules of the service area.
As one optional implementation of the present embodiment, when the packet is one in which the card-reading terminal first needs the dispatch server to allocate an idle authentication security control module, the packet sent by the card-reading terminal 40 to the border router further includes at least the identification information of the card-reading terminal 40 and the digital certificate of the card-reading terminal 40 (the digital certificate may also be regarded as identification information of the card-reading terminal). The dispatch server 202 may also perform access authentication of the card-reading terminal according to the information in the packet: if access is allowed, it queries the port status and allocates an idle port to the card-reading terminal; if access is not allowed, it directly discards the packet and returns to the card-reading terminal a response message indicating that access is not allowed. Specifically, the dispatch server 202 is further configured to judge, according to the identification information of the card-reading terminal 40, whether the card-reading terminal 40 is allowed to access, and to judge whether the digital certificate of the card-reading terminal 40 is abnormal; when it is judged that the card-reading terminal 40 is allowed to access and the certificate of the card-reading terminal 40 is normal, it performs the operation of obtaining from the authentication database of the service area 30 the port status list within the jurisdiction of the dispatch server 202. Thus, before the dispatch server 202 allocates an idle port to the card-reading terminal 40, the card-reading terminal 40 is first authenticated; if authentication passes, the card-reading terminal 40 is a legitimate terminal, which ensures the legitimacy of the external network device accessing an authentication security control module 302 of the service area.
The dispatch server 202 judging whether the card-reading terminal 40 is allowed to access according to the identification information of the card-reading terminal 40 includes: judging whether the identification information of the card-reading terminal 40 is in a blacklist or in a management and control list, where the blacklist records the identification information of card-reading terminals 40 that are not allowed to access, and the management and control list records the identification information of card-reading terminals 40 whose access must be controlled according to a preset management and control policy. When the identification information of the card-reading terminal 40 is judged to be in the blacklist, the card-reading terminal 40 is not allowed to access; when the identification information of the card-reading terminal 40 is judged to be in the management and control list, the dispatch server 202 judges according to the preset management and control policy whether the card-reading terminal 40 requesting access is allowed to access. In this way it can be determined whether the dispatch server 202 allows the card-reading terminal 40 to access.
The dispatch server 202 judging according to the preset management and control policy whether the card-reading terminal 40 is allowed to access includes at least one of the following:
According to the preset management and control policy, judging whether the card-reading terminal 40 is currently within the allowed access position range; if so, the card-reading terminal 40 is allowed to access, otherwise it is not, where the preset management and control policy records the access position range allowed for the card-reading terminal 40;
According to the preset management and control policy, judging whether the current time is within the time range in which the card-reading terminal 40 is allowed to access; if so, the card-reading terminal 40 is allowed to access, otherwise it is not, where the preset management and control policy records the time range in which the card-reading terminal 40 is allowed to access;
According to the preset management and control policy, judging whether the number of historical accesses by the card-reading terminal 40 within a preset time period exceeds a preset count threshold; if so, the card-reading terminal 40 is not allowed to access, otherwise it is allowed, where the preset management and control policy records the duration of the preset time period and the preset count threshold;
According to the preset management and control policy, judging whether the distance between the access positions of two consecutive accesses by the card-reading terminal 40 within a preset time period exceeds a preset distance; if so, the card-reading terminal 40 is not allowed to access, otherwise it is allowed, where the preset management and control policy records the duration of the preset time period and the preset distance.
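An added example, not the patent's own code, of the dispatch server's access decision and idle port allocation described above, in Go: the blacklist and management and control list checks, the four preset management and control rules, and selection of an idle port from the port status list on a balancing principle. The policy values, terminal identifiers, positions and port numbers are constructed, and the great-circle distance is my own choice for measuring the two position rules.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Location is an access position (latitude and longitude in degrees).
type Location struct{ Lat, Lon float64 }

// AccessRequest is one card-reading terminal request as the dispatch server sees it.
type AccessRequest struct{ TerminalID string; Where Location; When time.Time }

// Policy is a constructed stand-in for the preset management and control policy.
type Policy struct {
	Center             Location      // allowed access position range: within RadiusKm of Center
	RadiusKm           float64
	StartHour, EndHour int           // allowed time range [StartHour, EndHour), by hour of day
	Window             time.Duration // preset time period used by the two history rules
	MaxAccesses        int           // preset count threshold inside Window
	MaxJumpKm          float64       // preset distance between two consecutive accesses
}

// PortState is one row of the port status list (one row per authentication module).
type PortState struct{ Busy bool; Served int }

// DispatchServer: blacklist, management and control list, access history, port status list.
type DispatchServer struct {
	Blacklist, Managed map[string]bool
	Policy             Policy
	History            map[string][]AccessRequest
	Ports              map[int]*PortState
}

// distanceKm is the haversine great-circle distance between two positions.
func distanceKm(a, b Location) float64 {
	const k = math.Pi / 180
	h := math.Pow(math.Sin((b.Lat-a.Lat)*k/2), 2) +
		math.Cos(a.Lat*k)*math.Cos(b.Lat*k)*math.Pow(math.Sin((b.Lon-a.Lon)*k/2), 2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(h))
}

// Allow refuses blacklisted terminals, admits terminals outside the management
// and control list, and makes managed terminals pass all four preset rules.
func (d *DispatchServer) Allow(req AccessRequest) (bool, string) {
	if d.Blacklist[req.TerminalID] {
		return false, "identification information is in the blacklist"
	}
	if !d.Managed[req.TerminalID] {
		return true, "not in the management and control list"
	}
	if distanceKm(d.Policy.Center, req.Where) > d.Policy.RadiusKm {
		return false, "outside the allowed access position range"
	}
	if h := req.When.Hour(); h < d.Policy.StartHour || h >= d.Policy.EndHour {
		return false, "outside the allowed time range"
	}
	var recent []AccessRequest // earlier accesses inside the preset time period
	for _, past := range d.History[req.TerminalID] {
		if req.When.Sub(past.When) <= d.Policy.Window {
			recent = append(recent, past)
		}
	}
	if len(recent) > d.Policy.MaxAccesses {
		return false, "access count in the preset time period exceeds the threshold"
	}
	if n := len(recent); n > 0 && distanceKm(recent[n-1].Where, req.Where) > d.Policy.MaxJumpKm {
		return false, "distance between two consecutive accesses exceeds the preset distance"
	}
	return true, "all management and control rules passed"
}

// AllocatePort records the access and hands out the idle port that has served the
// fewest terminals (lowest port number on ties); ok is false when all are busy.
func (d *DispatchServer) AllocatePort(req AccessRequest) (port int, ok bool) {
	best := -1
	for p, s := range d.Ports {
		if !s.Busy && (best < 0 || s.Served < d.Ports[best].Served || s.Served == d.Ports[best].Served && p < best) {
			best = p
		}
	}
	if best < 0 {
		return 0, false
	}
	d.Ports[best].Busy, d.Ports[best].Served = true, d.Ports[best].Served+1
	d.History[req.TerminalID] = append(d.History[req.TerminalID], req)
	return best, true
}

// NewDemoDispatchServer builds constructed lists and a constructed policy.
func NewDemoDispatchServer() *DispatchServer {
	return &DispatchServer{
		Blacklist: map[string]bool{"T-BLACK": true},
		Managed:   map[string]bool{"T-MANAGED": true, "T-ROAMING": true},
		Policy:    Policy{Location{39.9, 116.4}, 500, 8, 18, time.Hour, 2, 100},
		History:   map[string][]AccessRequest{},
		Ports:     map[int]*PortState{9001: {}, 9002: {}, 9003: {}},
	}
}

func main() {
	fmt.Println(NewDemoDispatchServer().Allow(AccessRequest{"T-MANAGED", Location{39.9, 116.4}, time.Date(2016, 1, 20, 10, 0, 0, 0, time.UTC)}))
}
```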
As one optional implementation of the present embodiment, as shown in Figure 2, the service area 30 further includes an authentication database 304 for storing the port status list of the authentication security control modules 302 and the ciphertext of the authentication key of the card-reading terminal 40, where the ciphertext of the authentication key of the card-reading terminal 40 is obtained by encrypting the authentication key of the card-reading terminal 40 with the protection key of the authentication database 304;
The dispatch server 202 is further configured to obtain, according to the identification information of the card-reading terminal 40, the ciphertext of the authentication key of the card-reading terminal 40 from the authentication database and send it to the first authentication security control module 302; the first authentication security control module 302 being configured to decrypt the packet includes: the first authentication security control module 302 obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal 40, and decrypts the packet with the authentication key.
In practical application, the reading of identity card information by a card-reading terminal generally comprises three stages: the card-seeking stage, the card-selection stage and the card-reading stage. In the card-seeking stage, the card-reading terminal broadcasts a card-seeking instruction; if an identity card responds to the card-seeking instruction, it returns card-seeking data to the card-reading terminal, the card-reading terminal sends the card-seeking data through the internet access zone 10 and the isolation zone 20 to the first verification security control module 303 of the service area (the first verification security control module 303 is the verification security control module connected to the first authentication security control module 302 pointed to by the idle port allocated to the card-reading terminal), and the first verification security control module 303 returns card-seeking response data to the card-reading terminal. In the card-selection stage, the card-reading terminal reads some configuration information from the identity card (such as the identity card serial number, identity card application data and identity card preset information) and sends this configuration information through the internet access zone 10 and the isolation zone 20 to the first verification security control module 303 of the service area 30; the first verification security control module 303 initiates a mutual authentication flow with the identity card, the card-reading terminal forwards the interaction data of this flow, and once the first verification security control module 303 has completed mutual authentication with the identity card, the card-reading stage is entered. In the card-reading stage, the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it through the internet access zone 10 and the isolation zone 20 to the first verification security control module 303 of the service area 30. The first verification security control module 303 is a dedicated product specified by the Ministry of Public Security, conforming to GA467-2013 "Resident identity card verification security control (SAM) module technical interface specification"; it can decrypt the identity card information ciphertext to obtain the identity card information plaintext, which is encrypted by the first authentication security control module 302 and sent to the card-reading terminal, and the card-reading terminal decrypts the ciphertext encrypted by the first authentication security control module 302 to obtain the identity card information plaintext. Therefore, in the present embodiment, the first verification security control module 303 returning the corresponding first packet to the first authentication security control module 302 according to the data content carried in the decrypted packet includes:
When the data content is identity card card-seeking data, the first verification security control module 303 returns a first packet to the first authentication security control module 302, the first packet including at least the card-seeking response data;
When the data content is identity card card-selection data (such as the identity card configuration information, signature data and digital certificate of the identity card, that is, the data the first verification security control module 303 needs in order to authenticate the identity card), the first verification security control module 303 returns a first packet to the first authentication security control module 302, the first packet including at least the data related to authentication with the identity card read by the card-reading terminal 40 (such as the signature data and digital certificate of the first verification security control module 303, that is, the data the identity card needs in order to authenticate the first verification security control module 303);
When the data content is identity card information ciphertext, the first verification security control module 303 decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns a first packet to the first authentication security control module 302, the first packet including at least the identity card information plaintext.
In the present embodiment, after the first authentication security control module 302 receives the first packet returned by the first verification security control module, it must encrypt the first packet before returning it to the card-reading terminal in order to ensure transmission security. As one optional implementation, the first authentication security control module is further configured to encrypt the first packet with the authentication key of the card-reading terminal 40 and send the encrypted first packet to the card-reading terminal 40; the card-reading terminal 40 can decrypt the encrypted first packet with its own authentication key to obtain the first packet. Thus, encrypting the first packet with the authentication key achieves ciphertext transmission and ensures transmission security. Moreover, even if the encrypted first packet is intercepted, it cannot be decrypted without the authentication key corresponding to the card-reading terminal; only the card-reading terminal 40 holding the corresponding authentication key can decrypt this ciphertext, so even if the ciphertext is intercepted the interceptor cannot crack it, which further ensures the transmission security of the identity card information plaintext.
As another optional implementation, to further avoid the drawback that a key reused for every encryption and decryption is easily cracked, the first authentication security control module 302 is further configured to generate a session key from a random number and encrypt the first packet with the session key to obtain a first packet ciphertext; and then either to generate a session ciphertext from the first packet ciphertext and the session key using the public key of the encryption digital certificate of the card-reading terminal 40, or to generate a session ciphertext from the session key alone using the public key of the encryption digital certificate of the card-reading terminal 40 and send the session ciphertext together with the first packet ciphertext to the card-reading terminal 40. The card-reading terminal 40 is further configured to decrypt the session ciphertext with the locally stored private key corresponding to the encryption digital certificate to obtain the first packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key and then decrypt the first packet ciphertext with the session key to obtain the plaintext of the first packet. The difference between this optional implementation and the previous one is that the authentication security control module 302 no longer continues to use the authentication key of the card-reading terminal but generates a session key from a random number; since this session key is random, encryption with it is more reliable than encryption with a fixed transmission key and is harder to decrypt.
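The two key-handling steps above, as an added Go example that is not the patent's own code: unwrapping the terminal's authentication key from its ciphertext under the authentication database's protection key and decrypting the terminal's packet with it, and the second optional scheme in which a random session key encrypts the first packet and is itself wrapped with the public key of the terminal's encryption certificate. AES-GCM for the symmetric steps and RSA-OAEP for the session ciphertext are my own choices, since the patent names no algorithms; the keys and packet contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealGCM encrypts with AES-GCM (16, 24 or 32-byte key) and returns nonce||ciphertext.
func SealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM reverses SealGCM; a wrong key or any tampering fails authentication.
func OpenGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data shorter than the nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// DecryptTerminalPacket is the authentication module's step: unwrap the terminal's
// authentication key (stored as SealGCM output under the protection key), then open
// the packet the terminal encrypted with that authentication key.
func DecryptTerminalPacket(protectionKey, wrappedAuthKey, packet []byte) ([]byte, error) {
	authKey, err := OpenGCM(protectionKey, wrappedAuthKey)
	if err != nil {
		return nil, fmt.Errorf("unwrapping authentication key: %w", err)
	}
	return OpenGCM(authKey, packet)
}

// SessionEnvelope holds the session ciphertext (the random session key wrapped with
// the public key of the terminal's encryption certificate) and the first packet ciphertext.
type SessionEnvelope struct {
	SessionCiphertext     []byte
	FirstPacketCiphertext []byte
}

// EncryptFirstPacket: fresh 256-bit session key, AES-GCM over the first packet, RSA-OAEP over the key.
func EncryptFirstPacket(termPub *rsa.PublicKey, firstPacket []byte) (*SessionEnvelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	pktCt, err := SealGCM(sessionKey, firstPacket)
	if err != nil {
		return nil, err
	}
	sessCt, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &SessionEnvelope{SessionCiphertext: sessCt, FirstPacketCiphertext: pktCt}, nil
}

// DecryptFirstPacket is the terminal side: recover the session key with the certificate's private key, then open the packet.
func DecryptFirstPacket(termPriv *rsa.PrivateKey, env *SessionEnvelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, termPriv, env.SessionCiphertext, nil)
	if err != nil {
		return nil, err
	}
	return OpenGCM(sessionKey, env.FirstPacketCiphertext)
}

// NewDemoTerminalKey stands in for the key pair behind the terminal's encryption certificate (constructed).
func NewDemoTerminalKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	termPriv := NewDemoTerminalKey()
	env, _ := EncryptFirstPacket(&termPriv.PublicKey, []byte("constructed identity card information plaintext"))
	pt, err := DecryptFirstPacket(termPriv, env)
	fmt.Printf("%q %v\n", pt, err)
}
```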
Embodiment 2
The present embodiment provides a data transmission method, which may use the system provided in Embodiment 1. As shown in Figure 4, the method comprises the following steps S101 to S110:
S101: the border router receives the packet sent by the card-reading terminal, selects the perimeter firewall to which it is to be sent according to a routing policy, and sends the packet to the selected perimeter firewall;
In the present embodiment, to prevent a single point of failure, multiple perimeter firewalls may be deployed. When there are multiple perimeter firewalls, the border router needs to select a path for sending the packet to the core switch, that is, to select through which perimeter firewall it is sent to the core switch. In the present embodiment, the border router selects the perimeter firewall to send to according to a routing policy; this path selection policy may be, for example, randomly choosing a perimeter firewall, choosing the perimeter firewall closest to the border router or with the shortest data transmission time, or choosing the perimeter firewall with the strongest traffic handling capacity.
In the present embodiment, the packet sent by the card-reading terminal includes at least the public identifier of the destination device; that is, when the card-reading terminal requests access over the internet, it needs an address of the device to be accessed, and the public identifier of the destination device may be, for example, the public network IP address and IP port of that destination device. The border router sends the packet to the perimeter firewall, and the perimeter firewall determines the private identifier of the destination device, so as to determine the address of the device actually accessed.
The border router is the access point through which the external network (the internet) accesses the identity card cloud authentication system; as the bridge between the intranet and the extranet, its secure operation is tied to the secure operation of the identity card cloud authentication system. The border router therefore bears the brunt of attacks and is a key target of hacker attacks, and accordingly it should be a key object of maintenance by the network administrator. On this basis, as one optional implementation of the present embodiment, before the border router selects the perimeter firewall to send to according to the routing policy and sends the packet to the selected perimeter firewall, this step further includes: the border router judges, according to a preset border routing filtering policy, whether the public identifier of the destination device (which may be, for example, the access IP address of the public network) is allowed to pass through the border router, and if it is allowed, performs the operation of sending the packet to the selected perimeter firewall. Thus, as the first line of defence of the identity card cloud authentication system, the border router can keep unauthorized access that does not satisfy the border routing filtering policy outside the identity card cloud authentication system, improving the security of the whole system at the internet level.
As one optional border routing filtering policy, the network segments allowed to be accessed may be configured on the border router in advance; it is judged whether the public identifier of the destination device (which may be, for example, the access IP address of the public network) is within these network segments, and if so the packet is allowed through the border router and forwarded upward; otherwise the packet sent by the card-reading terminal is discarded. In addition, to prevent other unauthorized access, the border routing filtering policy may also include at least one of the following:
Mode one: modifying the default password: the default password of the border router is changed to a password with no special meaning.
Mode two: closing IP directed broadcast; once IP directed broadcast is closed, Smurf attacks can be effectively prevented.
Mode three: closing the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: blocking ICMP (Internet Control Message Protocol) ping requests; blocking ping makes the system more likely to escape unattended scanning activity and reduces the possibility of the system being hacked.
Mode five: blocking unnecessary ports; apart from the ports through which the service area normally provides external service, all other ports are closed.
Thus, by maintaining the border router, unauthorized access that does not satisfy the border routing filtering policy is kept outside the identity card cloud authentication system, which ensures the security of the identity card cloud authentication system.
S102: the selected perimeter firewall receives the packet, determines the identifier of the destination device accessed by the card-reading terminal according to the content of the packet, and sends the packet and the identifier of the destination device to the core switch;
In the present embodiment, the main function of the perimeter firewall is to control access from the external network (the internet) to the internal network and to protect the internal network from attacks by internet card-reading terminals (mainly meaning unauthorized hackers). Using network address translation, the perimeter firewall maps all host addresses of the protected internal network (that is, the destination IP address and destination port: the private IP address and port of the dispatch server or of a security control module) onto a few valid public network IP addresses configured on the firewall (that is, the access IP address and access port). In this way, a device on the external network (a card-reading terminal) can only obtain the access IP address and access port, and cannot obtain the real IP address and port of the device that is actually accessed (that is, the destination IP address and destination port), so the internal network structure and IP addresses are shielded from the outside and the security of the internal network is protected. Therefore, in the present embodiment, the selected perimeter firewall determining, according to the content of the packet, the identifier of the destination device accessed by the card-reading terminal includes: the selected perimeter firewall maps the public identifier of the destination device to the identifier of the corresponding destination device according to the network address translation protocol. Here, the public identifier of the destination device is the access IP address and access port of the public network, and the identifier of the destination device is the destination IP address and destination port of the intranet device that is actually accessed (such as the dispatch server or an authentication security control module). After the perimeter firewall receives the packet, it first maps the public identifier of the destination device (that is, the public network access IP address and access port) to the identifier of the corresponding destination device (that is, the destination IP address and destination port) according to the network address translation protocol (Network Address Translation, NAT for short); the destination IP address and destination port are the actual address of the internal network device, and the packet is forwarded according to the destination IP address and destination port.
The perimeter firewall is a filtering and blocking facility placed on the boundary between the internal and external networks. The internal network (the identity card cloud authentication system) is treated as secure and trusted, while the external network is treated as insecure and untrusted. The firewall's role is to prevent unwanted and unauthorized traffic from entering or leaving the protected internal network, thereby strengthening the security of the internal network through boundary control. Therefore, as one optional implementation of this embodiment, in step S102, before the perimeter firewall determines from the content of the packet the identifier of the destination device accessed by the card-reading terminal, the method further includes: judging, according to a preset perimeter firewall filtering policy, whether the packet contains invalid data, and only if it does not, performing the operation of determining the identifier of the destination device from the content of the packet, i.e. mapping the access IP address and access port to the corresponding destination IP address and destination port. In this way the perimeter firewall greatly reduces the management cost of security construction for the network as a whole and improves the security of the identity card cloud authentication system.
As one optional perimeter firewall filtering policy, a DDoS (Distributed Denial of Service) signature database may be configured on the perimeter firewall in advance. This database is similar to a virus signature database and stores DDoS signature values. The perimeter firewall matches the content of each received packet against the DDoS signatures in the database; if a match is found, the packet is classed as an invalid packet, the perimeter firewall treats it as a DDoS attack, and the packet is discarded rather than forwarded on to the core switch. Invalid packets take many forms: some contain no card-reading terminal data at all and consist only of attack messages, while others contain a portion of valid data together with a portion of attack message. These are not described further here.
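As an added illustration, not code from the patent (which names no implementation), the following Go program models the two operations the perimeter firewall performs in step S102 in the order just described: a signature filter that drops any packet whose payload contains a stored DDoS signature, followed by a static NAT table that maps the public access IP address and access port to the private destination IP address and destination port handed to the core switch. The type and function names, the addresses, ports, signatures and payloads are all constructed sample data. A filter of this kind catches only patterns it already knows; the traffic cleaning device described later in the embodiment is what addresses volume-based attacks.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Endpoint is an IP:port pair; it serves both for the public identifier
// (access IP, access port) and for the private destination (IP, port).
type Endpoint struct {
	IP   string
	Port int
}

// PerimeterFirewall holds the DDoS signature database and the static NAT table.
type PerimeterFirewall struct {
	signatures [][]byte
	nat        map[Endpoint]Endpoint
}

var (
	ErrInvalidPacket = errors.New("payload matches a DDoS signature; packet dropped")
	ErrNoMapping     = errors.New("no NAT mapping for public identifier; packet dropped")
)

// Filter is the pre-NAT filtering policy: a payload containing any stored
// signature is invalid and is not forwarded to the core switch.
func (fw *PerimeterFirewall) Filter(payload []byte) error {
	for _, sig := range fw.signatures {
		if bytes.Contains(payload, sig) {
			return ErrInvalidPacket
		}
	}
	return nil
}

// Translate maps the public identifier to the real internal destination.
func (fw *PerimeterFirewall) Translate(pub Endpoint) (Endpoint, error) {
	dst, ok := fw.nat[pub]
	if !ok {
		return Endpoint{}, ErrNoMapping
	}
	return dst, nil
}

// Handle applies the step S102 order: filter first, then address translation.
// The returned endpoint is what the core switch forwards on.
func (fw *PerimeterFirewall) Handle(pub Endpoint, payload []byte) (Endpoint, error) {
	if err := fw.Filter(payload); err != nil {
		return Endpoint{}, err
	}
	return fw.Translate(pub)
}

// NewDemoFirewall builds a firewall from constructed sample tables.
func NewDemoFirewall() *PerimeterFirewall {
	return &PerimeterFirewall{
		signatures: [][]byte{
			[]byte("\x00\x00\x00\x00\x00\x00\x00\x00FLOOD"), // constructed signature
			[]byte("\xff\xff\xff\xffAMPLIFY"),                // constructed signature
		},
		nat: map[Endpoint]Endpoint{
			// public access IP:port        -> private destination IP:port
			{"203.0.113.10", 8443}: {"10.10.1.5", 8443},  // dispatch server
			{"203.0.113.10", 9001}: {"10.10.2.21", 9001}, // authentication module 1
			{"203.0.113.10", 9002}: {"10.10.2.22", 9001}, // authentication module 2
		},
	}
}

func main() {
	fw := NewDemoFirewall()
	samples := []struct {
		pub     Endpoint
		payload []byte
	}{
		{Endpoint{"203.0.113.10", 8443}, []byte("REQ_IDLE_MODULE terminal=RD-0001")},
		{Endpoint{"203.0.113.10", 9002}, []byte("\x00\x00\x00\x00\x00\x00\x00\x00FLOOD")},
		{Endpoint{"203.0.113.10", 9999}, []byte("REQ")},
	}
	for _, s := range samples {
		dst, err := fw.Handle(s.pub, s.payload)
		if err != nil {
			fmt.Printf("%s:%d -> %v\n", s.pub.IP, s.pub.Port, err)
			continue
		}
		fmt.Printf("%s:%d -> forward to %s:%d\n", s.pub.IP, s.pub.Port, dst.IP, dst.Port)
	}
}
```

Only the public side of the table is ever visible to the terminal; a packet for a public port with no mapping is dropped rather than forwarded, so the internal addressing is never probed through the firewall.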
S103: the core switch sends the packet to the dispatch server according to the identifier of the destination device, or sends the packet and the identifier of the destination device to the service area firewall of the service area according to the identifier of the destination device.
Specifically, the core switch examines the identifier of the destination device (the destination IP address and destination port). If the destination IP address and destination port point to the dispatch server, step S104 follows; if they point to an authentication security control module of the service area, step S106 follows.
In this system the devices a card-reading terminal actually needs to reach are of two kinds: the dispatch server and the authentication security control modules of the service area. The card-reading terminal must first access the dispatch server, which allocates it an idle authentication security control module; only after the card-reading terminal has received from the dispatch server the identifier of the authentication security control module allocated to it (i.e. the access port) can it access that authentication security control module directly.
S104: the core switch sends the packet to the dispatch server.
In this embodiment the core switch is the backbone network device of the whole identity card cloud authentication system and must forward a very large volume of traffic, since card-reading terminals may be distributed across the whole country and number in the thousands or more; the core switch therefore has high requirements for redundancy, reliability and forwarding speed. In this embodiment the core switch receives from the perimeter firewall the packet and the determined identifier of the destination device accessed by the card-reading terminal (for example the destination IP address and destination port of the destination device), and forwards the received packet to the access device indicated by that destination IP address and destination port.
S105: the dispatch server receives the packet, selects an idle authentication security control module for the card-reading terminal, and sends the identifier of the idle authentication security control module to the card-reading terminal.
This step specifically includes: the dispatch server obtains from the authentication database of the service area the port status list for the ports within its jurisdiction, each port corresponding to one authentication security control module; according to the principle of task balancing, it selects one idle port from the port status list as the access port for the card-reading terminal (i.e. the identifier of the idle authentication security control module), and sends the access port to the card-reading terminal.
In this embodiment the dispatch server provides card-reading terminals with a scheduling service for idle authentication security control modules; the authentication security control modules within the service area are scheduled centrally by the dispatch server. Each time a card-reading terminal requests an identity card reading service, the dispatch server queries the port status list in the cloud authentication database of the service area, selects one idle port from the list as the access port for the card-reading terminal according to the principle of task balancing, and sends the access port to the card-reading terminal. Centralized scheduling of the multiple authentication security control modules of the service area is thereby achieved.
As one optional implementation of this embodiment, where the packet is the one by which the card-reading terminal first requests the dispatch server to allocate an idle authentication security control module, the packet sent by the card-reading terminal to the border router further includes at least the identification information of the card-reading terminal and the digital certificate of the card-reading terminal (the digital certificate may itself also be regarded as identification information of the card-reading terminal). The dispatch server may also perform access authentication of the card-reading terminal on the basis of the information in the packet: if access is allowed, it queries the port status and allocates an idle port to the card-reading terminal; if access is not allowed, it discards the packet directly and returns to the card-reading terminal a response message indicating that access is refused. Specifically, before the dispatch server obtains from the authentication database of the service area the port status list for the ports within its jurisdiction, the method provided by this embodiment further includes: the dispatch server determines, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal; it proceeds only when it has judged that the card-reading terminal is allowed to access and that its certificate is normal. Thus, before allocating an idle port to the card-reading terminal, the dispatch server first authenticates the terminal; if authentication passes, the card-reading terminal is a legitimate terminal, which ensures the legitimacy of the external-network devices that access the authentication security control modules of the service area.
The dispatch server determines whether the card-reading terminal is allowed to access according to its identification information as follows: it judges whether the identification information of the card-reading terminal appears in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals that are not allowed to access, and the control list records the identification information of card-reading terminals whose access is to be controlled according to a preset control policy. If the identification information of the card-reading terminal is in the blacklist, the card-reading terminal is not allowed to access. If it is in the control list, the dispatch server determines according to the preset control policy whether the requesting card-reading terminal is allowed to access. In this way the dispatch server decides whether the card-reading terminal is allowed to access.
The dispatch server determining according to the preset control policy whether the card-reading terminal is allowed to access includes at least one of the following:
judging, according to the preset control policy, whether the card-reading terminal is currently within the permitted access location range; if so, the card-reading terminal is allowed to access, otherwise it is not allowed to access, the preset control policy recording the location range within which the card-reading terminal is permitted to access;
judging, according to the preset control policy, whether the current time falls within the time range in which the card-reading terminal is allowed to access; if so, the card-reading terminal is allowed to access, otherwise it is not allowed to access, the preset control policy recording the time range in which the card-reading terminal is allowed to access;
judging, according to the preset control policy, whether the number of historical accesses by the card-reading terminal within a preset time period exceeds a preset count threshold; if so, the card-reading terminal is not allowed to access, otherwise it is allowed to access, the preset control policy recording the duration of the preset time period and the preset count threshold;
judging, according to the preset control policy, whether the distance between the access locations of two consecutive accesses by the card-reading terminal within a preset time period exceeds a preset distance; if so, the card-reading terminal is not allowed to access, otherwise it is allowed to access, the preset control policy recording the duration of the preset time period and the preset distance.
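As an added illustration of step S105 and of the control policy just listed (example code, not the patent's own), the following Go program models the dispatch server's admission and allocation: the blacklist is checked first; for a terminal on the control list the four rules are then applied in the order listed (permitted region, permitted time range, access count within a look-back period, distance between consecutive accesses); finally the idle port with the lowest load is chosen, which is the reading of "task balancing" assumed here. Locations are taken to be latitude and longitude, the permitted region is a bounding box, and the distance uses a flat approximation adequate for a policy check; none of these choices is made by the patent. The identifiers, lists, policy values, history and port status list are constructed sample data.

```go
package main

import (
	"errors"
	"math"
	"time"
)

type Location struct{ Lat, Lon float64 }               // a terminal's reported position
type AccessRecord struct{ At time.Time; Loc Location } // one historical access
type Port struct{ Number int; Idle bool; Load int }    // port status list row; Load drives task balancing

// ControlPolicy is the preset control policy applied to terminals on the control list.
type ControlPolicy struct {
	MinLat, MaxLat, MinLon, MaxLon float64       // permitted access region (bounding box)
	HourStart, HourEnd             int           // permitted time range [HourStart, HourEnd)
	Period                         time.Duration // look-back period for the count and distance rules
	AccessThreshold                int           // deny when accesses within Period exceed this
	MaxDistanceKm                  float64       // deny when consecutive accesses are farther apart
}

type DispatchServer struct {
	Blacklist, ControlList map[string]bool
	Policy                 ControlPolicy
	History                map[string][]AccessRecord // per terminal, oldest first
	Ports                  []Port                    // each port is one authentication module
}

var (
	ErrBlacklisted = errors.New("terminal is on the blacklist")
	ErrOutOfRegion = errors.New("terminal outside the permitted access region")
	ErrOutOfHours  = errors.New("request outside the permitted time range")
	ErrTooMany     = errors.New("access count within the period exceeds the threshold")
	ErrTooFar      = errors.New("consecutive accesses farther apart than permitted")
	ErrNoIdlePort  = errors.New("no idle authentication module available")
)

// distKm is an equirectangular approximation of the distance between two positions.
func distKm(a, b Location) float64 {
	return math.Hypot((b.Lat-a.Lat)*111.2, (b.Lon-a.Lon)*111.2*math.Cos((a.Lat+b.Lat)/2*math.Pi/180))
}

// Admit applies the blacklist, then the four control-policy rules in the order the text lists them.
func (d *DispatchServer) Admit(id string, now time.Time, loc Location) error {
	if d.Blacklist[id] {
		return ErrBlacklisted
	}
	if !d.ControlList[id] {
		return nil // on neither list: allowed without further checks
	}
	p := d.Policy
	if loc.Lat < p.MinLat || loc.Lat > p.MaxLat || loc.Lon < p.MinLon || loc.Lon > p.MaxLon {
		return ErrOutOfRegion
	}
	if h := now.Hour(); h < p.HourStart || h >= p.HourEnd {
		return ErrOutOfHours
	}
	count, last := 0, -1 // accesses within the look-back period, and the index of the latest
	for i, rec := range d.History[id] {
		if now.Sub(rec.At) <= p.Period {
			count, last = count+1, i
		}
	}
	if count > p.AccessThreshold {
		return ErrTooMany
	}
	if last >= 0 && distKm(d.History[id][last].Loc, loc) > p.MaxDistanceKm {
		return ErrTooFar
	}
	return nil
}

// Allocate admits the terminal, hands out the idle port with the lowest load, marks it busy,
// records the access and returns the access port that is sent back to the terminal.
func (d *DispatchServer) Allocate(id string, now time.Time, loc Location) (int, error) {
	if err := d.Admit(id, now, loc); err != nil {
		return 0, err
	}
	best := -1
	for i, p := range d.Ports {
		if p.Idle && (best < 0 || p.Load < d.Ports[best].Load) {
			best = i
		}
	}
	if best < 0 {
		return 0, ErrNoIdlePort
	}
	d.Ports[best].Idle, d.Ports[best].Load = false, d.Ports[best].Load+1
	d.History[id] = append(d.History[id], AccessRecord{now, loc})
	return d.Ports[best].Number, nil
}

// NewDemoDispatch builds a server from constructed sample lists, policy, history and port status.
func NewDemoDispatch(now time.Time) *DispatchServer {
	return &DispatchServer{
		Blacklist:   map[string]bool{"RD-0666": true},
		ControlList: map[string]bool{"RD-0002": true},
		Policy: ControlPolicy{MinLat: 39.4, MaxLat: 41.1, MinLon: 115.4, MaxLon: 117.5, // roughly Beijing
			HourStart: 8, HourEnd: 18, Period: 24 * time.Hour, AccessThreshold: 3, MaxDistanceKm: 30},
		History: map[string][]AccessRecord{"RD-0002": {{now.Add(-time.Hour), Location{39.90, 116.40}}}},
		Ports:   []Port{{9001, true, 5}, {9002, true, 2}, {9003, false, 0}},
	}
}
```

Allocate is the entry point: with the sample state, a terminal on neither list receives port 9002 (the idle port with the lowest load), the control-listed terminal is refused when it reports a position outside the region, outside the hours, or too far from its previous access, and a request made when every port is busy fails with ErrNoIdlePort rather than being queued.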
S106: the core switch sends the packet and the identifier of the destination device to the service area firewall of the service area.
The identifier of the destination device may, for example, be the destination IP address and destination port of the destination device, and the destination device may be the idle authentication security control module that the dispatch server allocated to the card-reading terminal. In this step the packet must therefore be forwarded to the service area firewall together with the identifier of the destination device, so that the service area firewall can forward the packet to the corresponding authentication security control module according to that identifier.
S107: the service area firewall of the service area receives the packet and judges, according to a preset service area firewall filtering policy, whether the identifier of the destination device is one that is permitted to be accessed; if so, it sends the packet to the first authentication security module, the first authentication security module being the authentication security control module to which the destination port and destination IP address point.
In this embodiment the service area firewall is the last line of defense for external-network devices accessing the core devices of the service area (the authentication security control modules and the verification security control modules). For example, the service area firewall may be preconfigured with a table of ports permitted to be accessed; on receiving a packet it looks up this table, and only if the destination port is present in the table may the packet be sent on to the authentication security control module. By filtering on the port of the accessed device, packets that are not permitted to pass are dropped, which further protects the security of the system at the network level, and in particular the security of the authentication security control modules and verification security control modules.
S108: the first authentication security control module receives the packet, decrypts it, and sends the decrypted packet to the first verification security control module, the first verification security control module being the verification security control module connected to the first authentication security control module.
In this embodiment, before the first authentication security control module decrypts the packet, the method provided by this embodiment further includes: the dispatch server, according to the identification information of the card-reading terminal, obtains from the authentication database the ciphertext of the authentication key of the card-reading terminal and sends it to the first authentication security control module; the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database.
In this step, the first authentication security control module decrypting the packet includes: the first authentication security control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypts the packet with the authentication key.
S109: the first verification security control module receives the decrypted packet and, according to the data content carried by the decrypted packet, returns a corresponding first packet to the first authentication security control module.
In practice, a card-reading terminal reading the information on an identity card generally proceeds through three stages: card seeking, card selection and card reading. In the card-seeking stage the card-reading terminal broadcasts a card-seeking command; if an identity card responds to the command, it returns card-seeking data to the card-reading terminal, and the card-reading terminal sends the card-seeking data through the Internet access zone and the isolation zone to the first verification security control module of the service area (the first verification security control module is the verification security control module connected to the first authentication security control module to which the idle port allocated to the card-reading terminal points); the first verification security control module returns card-seeking response data to the card-reading terminal. In the card-selection stage the card-reading terminal reads certain configuration information from the identity card (such as the identity card chip serial number, identity card application data and identity card preset information) and sends this configuration information through the Internet access zone and the isolation zone to the first verification security control module of the service area; the first verification security control module initiates the mutual authentication procedure with the identity card, the card-reading terminal relays the interaction data of that procedure, and once the first verification security control module and the identity card have completed mutual authentication the card-reading stage is entered. In the card-reading stage the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it through the Internet access zone and the isolation zone to the first verification security control module of the service area. The first verification security control module uses the dedicated product specified by the Ministry of Public Security and complying with GA467-2013, "Technical specification for the residence identity card verification security control SAM module interface"; it can decrypt the identity card information ciphertext to obtain the identity card information in plaintext, which is encrypted by the first authentication security control module and sent to the card-reading terminal, and the card-reading terminal decrypts the ciphertext produced by the first authentication security control module to obtain the identity card information in plaintext. Therefore, in this embodiment, the first verification security control module returning a corresponding first packet to the first authentication security control module according to the data content carried by the decrypted packet includes:
where the data content is identity card card-seeking data, the first verification security control module returns a first packet to the first authentication security control module, the first packet including at least the card-seeking response data;
where the data content is identity card card-selection data (such as the configuration information, signature data and digital certificate of the identity card and other data the first verification security control module needs in order to authenticate the identity card), the first verification security control module returns a first packet to the first authentication security control module, the first packet including at least the data related to authenticating the identity card read by the card-reading terminal (such as the signature data and digital certificate of the first verification security control module and other data the identity card needs in order to authenticate the first verification security control module);
where the data content is identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns a first packet to the first authentication security control module, the first packet including at least the identity card information plaintext.
S110: the first authentication security control module receives the first packet returned by the first verification security control module, encrypts the first packet, and sends the encrypted first packet to the card-reading terminal.
In this embodiment, after the first authentication security control module receives the first packet returned by the first verification security control module, the first packet must be encrypted before being returned to the card-reading terminal in order to secure the transmission. As one optional implementation, the first authentication security control module encrypting the first packet and sending the encrypted first packet to the card-reading terminal specifically includes: the first authentication security control module encrypts the first packet with the authentication key of the card-reading terminal and sends the encrypted first packet to the card-reading terminal; the card-reading terminal decrypts the encrypted first packet with its own authentication key to obtain the first packet. Encrypting the first packet with the authentication key thus achieves ciphertext transmission and secures the transfer. Moreover, an interceptor who captures the encrypted first packet cannot decrypt it without the authentication key corresponding to the card-reading terminal; only the card-reading terminal holding that authentication key can decrypt the ciphertext, so even if the ciphertext is intercepted the interceptor cannot crack it, which further secures the transmission of the identity card information plaintext.
As another optional implementation, in order to avoid the drawback that a key reused for every encryption and decryption is more easily broken, the first authentication security control module encrypting the first packet and sending the encrypted first packet to the card-reading terminal specifically includes: the first authentication security control module generates a session key from a random number and encrypts the first packet with the session key to obtain a first packet ciphertext; it then either encrypts the first packet ciphertext together with the session key with the public key of the card-reading terminal's encryption digital certificate to produce a session ciphertext, or encrypts only the session key with the public key of the card-reading terminal's encryption digital certificate to produce a session ciphertext, and sends the session ciphertext and the first packet ciphertext to the card-reading terminal. The card-reading terminal decrypts the session ciphertext with the locally stored private key corresponding to its encryption digital certificate to obtain the first packet ciphertext and the session key, or decrypts the session ciphertext with the private key to obtain the session key and then decrypts the first packet ciphertext with the session key to obtain the plaintext of the first packet. This optional implementation differs from the previous one in that the authentication security control module no longer continues to use the authentication key of the card-reading terminal but generates a session key from a random number; because the session key is random, encryption with it is more reliable than encryption with a fixed transmission key and harder to break.
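As an added illustration of steps S108 and S110 (example code, not the patent's own, which names neither the ciphers nor the key sizes), the following Go program models the key hierarchy described above: the authentication database stores a terminal's authentication key only as ciphertext under the database protection key; the authentication security control module unwraps it, decrypts the terminal's packet, and returns the reply either under the authentication key (the first variant) or under a fresh random session key that is itself wrapped to the public key of the terminal's encryption certificate (the second variant, in the form that wraps only the session key). AES-256-GCM and RSA-OAEP are assumptions standing in for the unnamed algorithms, and the RSA key pair generated in Demo stands in for the terminal's encryption certificate. Binding the terminal identifier as associated data, so that a wrapped key or packet for one terminal is rejected for another, is a practitioner's addition the text does not require. Identifiers, keys and messages are constructed sample data; the verification SAM module's own processing is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-GCM with a fresh random nonce prefixed to the output; aad binds context
// (the terminal identifier) so a ciphertext cannot be presented on behalf of another terminal.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad or any modification of the ciphertext.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// AuthModule is the authentication security control module. It holds the database
// protection key; a terminal's authentication key reaches it only as ciphertext under that key.
type AuthModule struct{ ProtectionKey []byte }

// Decrypt is step S108: unwrap the terminal's authentication key, then decrypt the terminal's packet.
func (m AuthModule) Decrypt(terminalID string, wrappedKey, packet []byte) ([]byte, error) {
	authKey, err := open(m.ProtectionKey, wrappedKey, []byte(terminalID))
	if err != nil {
		return nil, fmt.Errorf("unwrap authentication key for %s: %w", terminalID, err)
	}
	return open(authKey, packet, []byte(terminalID))
}

// EncryptWithSessionKey is the second S110 variant: a random session key encrypts the reply and
// only that key is wrapped to the terminal's encryption-certificate public key. The first variant
// is simply seal(authKey, reply, []byte(terminalID)) with the unwrapped authentication key.
func (m AuthModule) EncryptWithSessionKey(pub *rsa.PublicKey, reply []byte) (sessionCT, packetCT []byte, err error) {
	sk := make([]byte, 32)
	if _, err = rand.Read(sk); err != nil {
		return nil, nil, err
	}
	if packetCT, err = seal(sk, reply, nil); err != nil {
		return nil, nil, err
	}
	sessionCT, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
	return sessionCT, packetCT, err
}

// TerminalOpenSession is the card-reading terminal's side of the second variant.
func TerminalOpenSession(priv *rsa.PrivateKey, sessionCT, packetCT []byte) ([]byte, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sessionCT, nil)
	if err != nil {
		return nil, err
	}
	return open(sk, packetCT, nil)
}

// Demo runs one round trip with constructed keys and messages; it returns the terminal's
// request as recovered by the module and the module's reply as recovered by the terminal.
func Demo() (request, reply string, err error) {
	protection, authKey := make([]byte, 32), make([]byte, 32)
	rand.Read(protection)
	rand.Read(authKey)
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the terminal's encryption certificate key pair
	if err != nil {
		return "", "", err
	}
	m := AuthModule{ProtectionKey: protection}
	wrappedKey, _ := seal(protection, authKey, []byte("RD-0001"))              // the authentication database row
	packet, _ := seal(authKey, []byte("card-seeking data"), []byte("RD-0001")) // constructed terminal packet
	pt, err := m.Decrypt("RD-0001", wrappedKey, packet)
	if err != nil {
		return "", "", err
	}
	sessionCT, packetCT, err := m.EncryptWithSessionKey(&priv.PublicKey, []byte("card-seeking response"))
	if err != nil {
		return "", "", err
	}
	out, err := TerminalOpenSession(priv, sessionCT, packetCT)
	return string(pt), string(out), err
}

func main() { fmt.Println(Demo()) }
```

Decrypt fails closed on a wrong protection key, on a wrapped key that was bound to a different terminal identifier, and on any modification of the packet; that authenticated failure, not just secrecy, is what makes an intercepted ciphertext useless to anyone without the key, and the per-reply session key means that recovering one reply does not expose the others.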
Throughout the data transmission method provided by this embodiment, as one optional implementation, the method further includes: a traffic cleaning device connected to the border router monitors the service traffic flowing through the border router and, if it detects from that traffic that the border router is under a distributed denial of service attack, performs traffic cleaning on the service traffic flowing through the border router.
In this embodiment the traffic cleaning device monitors in real time the data arriving from the Internet (the packets received by the border router) in order to detect abnormal traffic, including distributed denial of service (DDoS) attacks, promptly. When the abnormal traffic reaches or exceeds a preset security baseline, the traffic cleaning device starts cleaning and filtering. Through the traffic cleaning device the system relieves the pressure that DDoS attack traffic places on the internal network, improves the effective use of bandwidth, protects the internal network from attacks originating on the Internet and improves network performance.
Thus the Internet access zone of this system can, through the border router and the perimeter firewall, refuse illegal access to the system while ensuring normal access by card-reading terminals, and can, through the traffic cleaning device, monitor incoming Internet data in real time and remove abnormal traffic without affecting normal service, protecting the internal network from Internet attacks and improving network performance.
In this embodiment the core switch is in effect a computer optimized for forwarding packets, and a computer can be compromised: an attacker may, for example, illegally take control of the core switch and paralyze the network, and the core switch may also be subjected to DDoS attack. To prevent illegal damage to the core switch, the method provided by this embodiment further includes, in the above steps: an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches that traffic against historical user behavior models, prestored expert knowledge and a neural network model; once a match succeeds, intrusion is deemed to exist, the connection between the card-reading terminal and the accessed device is disconnected immediately, evidence is collected and data recovery is carried out. The service traffic through the core switch may additionally be monitored with an anomaly detection strategy. By monitoring the operating state of the core switch with the intrusion detection device, attack attempts, attack behavior and attack results are discovered as far as possible, so as to ensure the confidentiality, integrity and availability of network system resources. Further, to prevent illegal damage to the core switch, the method provided by this embodiment also includes: an intrusion prevention device connected to the core switch monitors the packets the core switch receives and judges whether each is invalid data; if so, the core switch discards the packet. The intrusion prevention device may judge whether a packet received by the core switch is invalid data, for example, by matching the packet against the virus signatures in a preset virus database; if a match is found, the matching packet is determined to be invalid data. It may also take account of abnormal conditions in applications or in network transmission, such as a user or user program violating security regulations, a packet appearing at a time when it should not, or an operating system or application vulnerability being exploited, to assist in identifying intrusions and attacks. Although the intrusion prevention device also takes known virus signatures into account, it does not rely on known virus signatures alone; it complements anti-virus software and firewalls and raises the security of the system.
With the data transmission method provided by this embodiment, the system is divided into three tiers, the Internet access zone, the isolation zone and the service area, each tier applying different security strategies. Through multiple security perimeters the security of the whole system is improved at the network level, so that the service area is protected from malicious attack and, in particular, the security of the authentication security control modules and verification security control modules is ensured.
Embodiment 3
This embodiment provides an internal management server. As shown in Figure 5, the internal management server may be a centralized server, for centralized management, or a distributed server, for integrating network resources. The internal management server includes: a secure access unit, a display unit, a first input interface, a secure processor, a main control processor, a system management unit, a parameter configuration unit and a second input interface.
The secure access unit is used to detect user requests and, when it detects that a user request is a user login request, to obtain the prompt information corresponding to the user login request and send the prompt information to the display unit.
Specifically, the secure access unit refreshes or polls periodically or irregularly to detect whether a user request has been received. When a user request is received, it judges the type of the request, determining from the characteristics of the request whether it is a user login request. For example, the secure access unit may provide a web page of the internal management server on which a login button is arranged; once the secure access unit detects that the login button has been pressed, it judges that a user login request has been detected. Alternatively, the web page of the internal management server may display a login information input box directly, and when the cursor is detected in the login information input box the secure access unit judges that a user login request has been detected.
Naturally, the user login request of the internal management server may take different forms for different users, for example distinguishing administrator login, ordinary user login, operation user login and maintenance user login, with a different login interface arranged for each kind of user login request so that each can be controlled separately.
When the secure access unit detects that a user request is a user login request, it performs the subsequent operation, i.e. obtains the prompt information corresponding to the user login request and sends the prompt information to the display unit; when the secure access unit detects no user login request, or detects an invalid request, it repeats the operation of detecting user requests.
When a user login request is detected, the internal management server also obtains the type of the user login request. With a login triggered by a login button as described above, the login requests of the different users yield login prompt information corresponding to each kind of user. For example, when the user is an administrator, operation user or maintenance user, the prompt information may pop up input boxes for the user name and password and at the same time prompt "please insert a security device or electronic signature token"; when the user is an ordinary user, the prompt information may simply be the input boxes for user name and password. By providing different prompt information for the login of different users, users of different levels can perform different login processes, balancing the security and convenience needs of different users. The invention is of course not limited to the above kinds of prompt information; any prompt information that can prompt the user to log in falls within the scope of protection of the invention.
Display unit, is used for display reminding information, wherein: information is used for pointing out user to log in;Concrete, display Unit can be integrated in inner tube server, it is also possible to is external display.
First input interface, for receiving and the corresponding authentication information of information, authentication information at least includes user Identity information and information to be verified, send to safe processor to major general's authentication information;Concrete, user can pass through Wireline interface (USB interface, COBBAIF etc.), wave point (WiFi, NFC, RFID etc.), keyboard, touch screen etc. set Standby input equipment input and the corresponding authentication information of information, at least include in this authentication information and can represent use The information of family identity, this subscriber identity information can be the information such as user's sequence number, class of subscriber, user name, ID, Further comprises information to be verified (such as user certificate, digital signature, customer identification information etc.) in this authentication information, this is to be tested Card information can be the information being able to verify that user validation, verifies for the legitimacy that user is logged in by inner tube server.
Safe processor, is used for obtaining checking information, and obtains information to be verified from the authentication information receiving, and utilization is tested Information to be verified is verified by card information, if the verification passes, then sends subscriber identity information to main control processor, otherwise, Send login failure information to display unit, and reacquire and the corresponding information of user's logging request;Specifically, Checking information is the information that prestores of inner tube server or the letter being obtained by the identity equipment such as safety means or electronic signature token Breath, and the information to be verified information that to be user input.
In this embodiment the safe processor may perform identity verification in one or more of the following modes; the present invention is of course not limited to these modes:
Mode one: the first input interface is a USB interface, an audio interface or a wireless interface. The first input interface is connected to a security device and receives the user certificate stored in and sent by the security device. The safe processor obtains a pre-stored root certificate, obtains the user certificate from the received authentication information, and verifies the legitimacy of the user certificate with the pre-stored root certificate. In a specific implementation, when the user verifies identity with a security device, the security device stores a digital certificate representing the user's identity, and the safe processor stores the root certificate (verification information) that issued the digital certificate. After the safe processor receives the user certificate (information to be verified) sent by the connected security device, it checks the legitimacy of the digital certificate with the pre-stored root certificate; if the legitimacy check passes, verification is considered passed. During verification, when the safe processor needs to verify, it may first send an instruction to the security device through the first input interface, and the security device sends the user certificate to the safe processor only after receiving the corresponding instruction, ensuring that verification is performed correctly and in time. The certificate verification process is an existing procedure and is not described further here. In this mode the user certificate of the security device is used to verify the login, achieving physical isolation and ensuring the security of the login.
Mode two: the first input interface includes a USB interface, an audio interface or a wireless interface. The first input interface is connected to an electronic signature token and receives the signature information generated and sent by the token. The signature information includes preset information and the signature value obtained by the token signing the preset information. The safe processor obtains the public key of the electronic signature token and verifies the signature information with it. In a specific implementation, when the user verifies identity with an electronic signature token, the token stores a digital certificate and a private key representing the user's unique identity and can generate the preset information, which may be a randomly generated number or the user's identification information; the token signs the preset information with its private key to obtain the signature value. After the safe processor receives the preset information and signature value (information to be verified) sent by the connected token, it obtains the token's public key (verification information) and verifies the signature information; if the signature is correct, verification is considered passed. The token's public key (verification information) may be pre-stored in the safe processor, obtained by the safe processor from another server, or obtained from a digital certificate sent by the token (that is, the token also sends its digital certificate, which contains its public key, when sending the signature information). During verification, when the safe processor needs to verify, it may first send an instruction to the token through the first input interface, and the token sends the signature information to the safe processor only after receiving the corresponding instruction, ensuring that verification is performed correctly and in time. In this mode the electronic signature token, which holds the digital certificate representing the user's unique identity and the user's private key, is used to verify the login: the user's identity is verified by verifying the signature, other illegitimate logins are prevented, and the security of the login is ensured.
Mode three: the first input interface includes a keyboard, a touch screen or an information input device. The first input interface receives the user identification information input by the user. The safe processor obtains pre-stored verification identification information and verifies the input user identification information with it. In a specific implementation, the identification information may be a user name and password, biometric information (fingerprint, iris, etc.) and so on. The safe processor pre-stores the user's verification identification information (verification information), compares the input user identification information (information to be verified) with it, and considers verification passed when they match. Verifying the user identification information proves the identity of the user and ensures the security of the login.
In a concrete implementation, several of the above modes may be used together to secure the login, for example the combination of mode one and mode three, or the combination of mode two and mode three; using multiple modes further ensures the security of the login. Depending on the login mode required, the first input interface may be only an interface of the USB, audio or wireless interface type, only an interface of the keyboard, touch screen or information input device type, or an input interface providing both types at once.
In addition, in all three implementations the identity verification is processed independently by the safe processor, which can be isolated from the main control processor; the independent security of the safe processor further ensures the security of the user's login.
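As an added illustration, not part of the patent text, the following Python models the safe processor's three verification modes and their combination: a pre-stored root checks the user certificate (mode one), the token signs random preset information that the processor issues and accepts only once (mode two), and a salted credential hash is compared in constant time (mode three). Textbook RSA with tiny constructed parameters stands in for the real certificate and signature algorithms, so the block shows the verification flow and not a secure implementation; all key material, the certificate layout, the user record and the function and field names are assumptions. The single-use challenge is the same principle the text later applies to the login verification code.

```python
import hashlib
import hmac
import secrets


def toy_keypair(p: int, q: int, e: int):
    """Textbook RSA key from two small primes (constructed and insecure; flow only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # (public, private)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(data: bytes, priv) -> int:
    d, n = priv
    return pow(_digest(data, n), d, n)

def toy_verify(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(data, n)

def cert_tbs(cert: dict) -> bytes:
    """Bytes the issuer signs: subject name and the token's public key."""
    e, n = cert["pub"]
    return f"{cert['subject']}|{e}|{n}".encode()

def issue_cert(subject: str, pub, issuer_priv) -> dict:
    cert = {"subject": subject, "pub": pub}
    cert["sig"] = toy_sign(cert_tbs(cert), issuer_priv)
    return cert

def hash_credential(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


class SafeProcessor:
    """Holds the verification information and checks the information to be verified."""

    def __init__(self, root_pub, user_records: dict):
        self.root_pub = root_pub        # mode one: pre-stored root
        self.users = user_records       # mode three: pre-stored salted hashes
        self._challenges = {}           # mode two: outstanding random preset information

    def issue_challenge(self, session: str) -> bytes:
        """Instruction to the token: sign this fresh random value (one per attempt)."""
        self._challenges[session] = secrets.token_bytes(16)
        return self._challenges[session]

    def verify_certificate(self, cert: dict) -> bool:
        """Mode one: was the user certificate issued under the pre-stored root?"""
        return toy_verify(cert_tbs(cert), cert["sig"], self.root_pub)

    def verify_signature(self, session: str, cert: dict, sig: int) -> bool:
        """Mode two: public key comes from the token's certificate; the challenge is consumed."""
        nonce = self._challenges.pop(session, None)
        if nonce is None or not self.verify_certificate(cert):
            return False
        return toy_verify(nonce, sig, cert["pub"])

    def verify_credential(self, identity: str, password: str) -> bool:
        """Mode three: constant-time comparison against the stored salted hash."""
        rec = self.users.get(identity)
        return rec is not None and hmac.compare_digest(
            hash_credential(rec["salt"], password), rec["pwd_hash"])

    def authenticate(self, auth: dict):
        """Mode two combined with mode three; identity is released only on full success."""
        if not self.verify_signature(auth["session"], auth["cert"], auth["sig"]):
            return None, "login failed: signature"
        if auth["cert"]["subject"] != auth["identity"]:
            return None, "login failed: certificate subject mismatch"
        if not self.verify_credential(auth["identity"], auth["password"]):
            return None, "login failed: credential"
        return auth["identity"], "ok"


# Constructed demo material: root and token keys, one certificate, one user record.
ROOT_PUB, ROOT_PRIV = toy_keypair(1009, 1013, 17)
TOKEN_PUB, TOKEN_PRIV = toy_keypair(1019, 1021, 7)
CERT = issue_cert("user-0001", TOKEN_PUB, ROOT_PRIV)
SALT = b"constructed-salt"
PROCESSOR = SafeProcessor(
    ROOT_PUB, {"user-0001": {"salt": SALT, "pwd_hash": hash_credential(SALT, "correct horse")}})


def demo() -> dict:
    """Genuine login, replay of the same signature, wrong password, self-signed certificate."""
    nonce = PROCESSOR.issue_challenge("s1")
    auth = {"session": "s1", "identity": "user-0001", "cert": CERT,
            "sig": toy_sign(nonce, TOKEN_PRIV), "password": "correct horse"}
    first = PROCESSOR.authenticate(auth)
    replay = PROCESSOR.authenticate(auth)           # challenge already consumed
    nonce2 = PROCESSOR.issue_challenge("s2")
    bad = dict(auth, session="s2", sig=toy_sign(nonce2, TOKEN_PRIV), password="wrong")
    forged = issue_cert("user-0001", TOKEN_PUB, TOKEN_PRIV)   # not signed by the root
    return {"first": first, "replay": replay, "bad_password": PROCESSOR.authenticate(bad),
            "forged_cert": PROCESSOR.verify_certificate(forged)}
```

The processor pops the challenge before it checks anything, so a captured signature cannot be presented a second time, and the identity is returned only after the certificate chain, the signature and the credential have all passed.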
Main control processor, for receiving the user identity information and determining the user's operating right according to it; the operating right is a first right and/or a second right. Specifically, the first right and the second right may be rights to process different instructions and to access different units (the system management unit and the parameter configuration unit). In this embodiment the first right is the right to process system management instructions and the second right is the right to process parameter configuration instructions. A user identity may possess only the first right, only the second right, or both the first and the second right. In a specific implementation, the user's category is determined from the user identity information (such as user serial number, user category, user name or user identifier) and the user's operating right is determined from the category. For example, if the identity information shows that the user is an administrator, the administrator possesses both the first and the second right, that is, the administrator can process system management instructions and parameter configuration instructions; if it shows that the user is an operator, the operator possesses the first right and can process system management instructions; if it shows that the user is an operations person, the operations person possesses the second right and can process parameter configuration instructions. Of course, an actual system may have only one kind of user, namely an administrator user possessing both the first and the second right. By granting different operating rights according to user identity after the user logs in, a firewall is built inside the inner tube system so that a user can only access the system resources they are authorized for.
Second input interface, further for receiving the user's operation request and sending it to the main control processor. Specifically, the user may input the operation request by keyboard or by selection on the web page of the inner tube server. The second input interface and the first input interface may be two different interfaces (for example the first input interface is a USB interface and the second input interface is a keyboard), or the same interface may realize the functions of both.
Main control processor, further for judging the type of the operation request: if the operation request includes a system management instruction and the user's operating right is determined to be the first right, or the first and the second right, the operation request is sent to the system management unit; if the operation request includes a parameter configuration instruction and the user's operating right is determined to be the second right, or the first and the second right, the operation request is sent to the parameter configuration unit. Specifically, the operation request at least includes an operation instruction, which may be a system management instruction or a parameter configuration instruction; when the operation instruction matches the user's operating right, the main control processor calls the corresponding unit to complete the operation.
System management unit, for, after receiving the operation request, obtaining the system management entry corresponding to the system management instruction and performing the corresponding operation on the entry according to the instruction. Specifically, the operation request now includes a system management instruction, which realizes management of the inner tube server information and may include a query instruction, a modification instruction, an add instruction or a delete instruction, realizing query, modification, addition and deletion of each management entry in the inner tube server. When system management is required, it must be determined that the user possesses the corresponding right before management is allowed; for example, a user with administrator or operator rights may manage the system. The system management entries are the entries of the inner tube server that the user may modify and may include, without limitation, users, roles, clients, products, reports and blacklists. The system management entry may be included in the operation request, or the user may select the entry corresponding to the system management instruction by keyboard or on the inner tube server web page; where necessary, management parameters must also be input to realize the management function.
Parameter configuration unit, for, after receiving the operation request, obtaining the entry to be configured and the update parameter corresponding to the parameter configuration instruction, and configuring the parameters of the entry according to the update parameter. Specifically, the operation request now includes a parameter configuration instruction, which realizes configuration of the inner tube server parameters; when parameter configuration is required, it must be determined that the user possesses the corresponding right before configuration is allowed, for example a user with administrator or operations person rights may configure parameters. The entry to be configured corresponding to the parameter configuration instruction may include inner tube subsystem parameters, authentication safety control module parameters, card-reading terminal APP parameters, the blacklist policy, the frequency control policy and so on. The inner tube server configures the entry with the update parameter, which may be contained in the operation request or input by the user by keyboard or on the inner tube server web page.
Specifically, when the user's operating right is determined to be the first and the second right, that is, the user has administrator rights, the user may process both system management instructions and parameter configuration instructions, as described above.
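As an added illustration of the right check performed by the main control processor, not code from the patent, the following Python maps user categories to the first and second right as the text assigns them and forwards an operation request to a unit only when the required right is present; unknown categories get no right and undefined instruction types are refused, so the check fails closed. Category names, the request layout, unit names and the `dispatch` audit record are assumptions.

```python
from enum import Flag, auto


class Right(Flag):
    """Operating rights: first (system management) and second (parameter configuration)."""
    NONE = 0
    FIRST = auto()
    SECOND = auto()


# User category -> operating right, following the text's assignment.
CATEGORY_RIGHTS = {
    "administrator": Right.FIRST | Right.SECOND,
    "operator": Right.FIRST,
    "operations_person": Right.SECOND,
}

# Instruction type -> (right required, unit the request is forwarded to); names assumed.
INSTRUCTION_ROUTES = {
    "system_management": (Right.FIRST, "system_management_unit"),
    "parameter_configuration": (Right.SECOND, "parameter_configuration_unit"),
}


def determine_right(identity: dict) -> Right:
    """Right derived from the identity information released by the safe processor.
    A missing or unknown category yields no right at all (fail closed)."""
    return CATEGORY_RIGHTS.get(identity.get("category"), Right.NONE)


def route_request(identity: dict, request: dict):
    """Return (unit, None) when the right covers the instruction, else (None, reason).
    Instruction types outside the two defined ones are refused, never forwarded."""
    route = INSTRUCTION_ROUTES.get(request.get("instruction_type"))
    if route is None:
        return None, "refused: unknown instruction type"
    required, unit = route
    if required not in determine_right(identity):
        return None, f"refused: {identity.get('category')!r} lacks {required.name}"
    return unit, None


def dispatch(identity: dict, requests: list) -> list:
    """Route a batch of requests; one decision record per request for the audit log."""
    decisions = []
    for req in requests:
        unit, reason = route_request(identity, req)
        decisions.append({"instruction": req.get("instruction_type"),
                          "forwarded_to": unit, "reason": reason})
    return decisions


# Constructed sample: one request of each defined kind plus an undefined one.
SAMPLE_REQUESTS = [
    {"instruction_type": "system_management", "entry": "user", "op": "query"},
    {"instruction_type": "parameter_configuration", "entry": "blacklist_policy"},
    {"instruction_type": "firmware_reset"},
]
```

Keeping the category-to-right table and the instruction-to-unit table separate means a new user category or a new instruction type is added in one place, and every refusal is recorded with its reason rather than silently dropped.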
With the inner tube server of this embodiment, the components of each subsystem in the cloud authentication platform can be managed effectively through a single inner tube server, a visual management interface is provided to the user, the user experience is improved, and system parameters can be configured during maintenance work. In addition, the inner tube server schedules and manages the whole cloud authentication platform and restricts access to part of its resources; by setting different access rights for different users, the security of access is ensured.
In one embodiment of the invention, the login may also be protected by a verification code when the user logs in: the prompt information further includes a reference verification code; the safe access unit is further used to generate a random code, generate the reference verification code from the random code, and send the reference verification code to the display unit and the safe processor. Specifically, the login interface may prompt the user to input the verification code together with the other login information, or before or after the identity verification. The inner tube server generates a random code as the reference verification code; the random code may be in a format such as digits or a picture.
Display unit, further for displaying the reference verification code; the reference verification code may be displayed together with the other login prompt information so that the user can input it.
The information to be verified further includes a login verification code; the first input interface is further used to receive the login verification code; the safe processor is further used to obtain the reference verification code and compare the login verification code with it. Specifically, after obtaining the verification code input by the user by keyboard or otherwise, the inner tube server compares the input verification code with the reference verification code it stores or generated, and the verification code passes when they match.
Using a login verification code prevents login replay attacks, avoids wasting system resources, and ensures the security of system operation.
In an embodiment of the invention, the system management instruction includes a query instruction, a modification instruction, an add instruction and/or a delete instruction. The main control processor is specifically used to obtain the system management entry corresponding to the system management instruction and to judge the type of the instruction. If the type of the obtained system management instruction is a query instruction, the system management unit is specifically used to perform a query operation on the system management entry according to the query instruction; if it is a modification instruction, to perform a modification operation according to the modification instruction; if it is an add instruction, to perform an add operation according to the add instruction; if it is a delete instruction, to perform a delete operation according to the delete instruction.
In an embodiment of the invention, the system management entry includes users, roles, clients, products, reports and/or blacklists;
When the system management unit performs a query operation on the system management entry according to the query instruction: if the entry is a user, the unit queries the user according to the query instruction and outputs the user information according to a preset query output rule; if the entry is a role, it queries the role and outputs the role information according to the preset query output rule; if the entry is a client, it queries the client and outputs the client information; if the entry is a product, it queries the product and outputs the product information; if the entry is a report, it queries the report and outputs the report information; if the entry is a blacklist, it queries the blacklist and outputs the blacklist information, in each case according to the preset query output rule;
When the system management unit performs a modification operation on the system management entry according to the modification instruction: if the entry is a user, the unit modifies the user information according to the modification instruction and stores the modification result; if the entry is a role, it modifies the role information and stores the result; if a client, the client information; if a product, the product information; if a report, the report information; if a blacklist, the blacklist information, in each case modifying according to the modification instruction and storing the modification result;
When the system management unit performs an add operation on the system management entry according to the add instruction: if the entry is a user, the unit adds the user according to the add instruction and stores the added user information; if the entry is a role, it adds the role and stores the added role information; if a client, it adds the client and stores the client information; if a product, it adds the product and stores the product information; if a report, it adds the report and stores the report information; if a blacklist, it adds the blacklist and stores the blacklist information;
When the system management unit performs a delete operation on the system management entry according to the delete instruction: if the entry is a user, the unit deletes the user according to the delete instruction; if the entry is a role, it deletes the role; if a client, it deletes the client; if a product, it deletes the product; if a report, it deletes the report; if a blacklist, it deletes the blacklist, in each case according to the delete instruction.
The operations on each system management entry are described in detail below:
When the system management entry is a user, an administrator or operator logged in to the inner tube server may query, modify, add or delete user information. For example, when the administrator or operator needs to query user information, they may query a user by inputting the user's unique identification information (such as user ID or name), or perform a default query that returns the information of all users able to log in to this inner tube server; the query result is shown on the display unit. Similarly, for modification, addition and deletion, the user is determined by the unique identification information (user ID, name, etc.), the user information is modified, added or deleted, and the result of the modification, addition or deletion is stored.
When the system management entry is a role, an administrator or operator logged in to the inner tube server may query, modify, add or delete role information. The inner tube server sets different roles for different users, and each role has different rights, for example administrator, operator and operations person. When the administrator or operator needs to query role information, they may query the rights under a role by its name or number, or perform a default query that returns all role information of the inner tube server; the query result is shown on the display unit. Similarly, when the administrator or operator needs to modify a role, the role information is modified by role name or number, for example changing the rights of a role; when a role needs to be added or deleted, the role is added or deleted by role name or number, and the result of the modification, addition or deletion is stored.
When the system management entry is a client, an administrator or operator logged in to the inner tube server may query, modify, add or delete client information. Clients in the inner tube server may be clients of different industries in the cloud authentication system, such as banks, merchants and telecommunications. The Internet identity card cloud authentication system can provide identity card authentication services to clients of different industries; the card-reading terminal product numbers and product types used by different clients may differ, and so may the identity card information obtained, so different clients must be managed through the inner tube server. Client management is also based on the client's unique identification information (such as client ID or name): the client is determined from its unique identifier, client information is added, modified, deleted or queried, the query result is shown, and the result of addition, modification or deletion is stored. For example, when a client is queried with a query instruction, after the client's unique identifier is detected in the input, the information related to that client is found in the inner tube server, output and shown on the display unit.
When the system management entry is a product, an administrator or operator logged in to the inner tube server may query, modify, add or delete product information. A product in the inner tube server corresponds to a card-reading terminal: the product entry records the card-reading terminal type and card-reading terminal number, the card-reading terminal serial number is the unique identification information of the product, and each product entry is also bound to client information. When the administrator or operator queries a product entry, they may query its card-reading terminal type, card-reading terminal serial number, owning client and other information, either by default query or by unique identification information, and the query result is shown on the display unit. Similarly, for modification, addition and deletion, the product is determined by its unique identification information, the product information is modified, added or deleted, and the result is stored. In addition, when product information needs to be added, products may be added in batches through product information management.
When the system management entry is a report, an administrator or operator logged in to the inner tube server may query, modify, add or delete reports. The administrator or operator may generate reports on the state of every entry managed by the inner tube server, may query, modify, add or delete reports, and may classify the data items of system management to provide clients with customized data-item reports. The content of a report may cover the information of all management entries of the inner tube server, all configurable parameter information, and other transaction-related information.
When the system management entry is a blacklist, an administrator or operator logged in to the inner tube server may query, modify, add or delete blacklists. The inner tube server may maintain a series of blacklists; for example, a blacklist mechanism may be applied to products (card-reading terminals), adding a card-reading terminal in an abnormal state to the blacklist and deleting a card-reading terminal misjudged by the system from the blacklist, thereby maintaining the blacklist information. When the administrator or operator needs to query a blacklist, they may query it by inputting query criteria, or perform a default query that returns all blacklist information; the query result is shown on the display unit. Similarly, when the administrator or operator needs to modify, add or delete, the blacklist information is modified, added or deleted according to the determining criteria, and the result of the modification, addition or deletion is stored.
In one embodiment of the invention, the entry to be configured includes inner tube subsystem parameters, authentication safety control module parameters, card-reading terminal APP parameters, a blacklist policy and/or a frequency control policy. The parameter configuration unit is specifically used to obtain the entry to be configured and the update parameter corresponding to the parameter configuration instruction and to judge the type of the entry. If the entry to be configured is inner tube subsystem parameters, the parameter configuration unit configures the parameters of the inner tube system according to the update parameter; if it is authentication safety control module parameters, the unit configures the parameters of the authentication safety control module according to the update parameter; if it is card-reading terminal APP parameters, the unit configures the card-reading terminal APP parameters according to the update parameter; if it is the blacklist policy, the unit configures the blacklist policy according to the update parameter; if it is the frequency control policy, the unit configures the frequency control policy according to the update parameter.
When a user logged in to the inner tube server needs to execute a parameter configuration instruction, the user must possess administrator or operations person rights; only when the rights of the logged-in user are matched and verified is the user allowed to process the parameter configuration instruction. The operations on each entry to be configured are described in detail below:
When the entry to be configured is inner tube subsystem parameters, the operational parameters of the inner tube system are configured, such as setting the verification code generation rule or the detection time interval of the authentication safety control module. Specifically, the inner tube server receives the parameter configuration instruction, determines the entry to be configured from the instruction, and when the type of the entry is judged to be inner tube system parameters, jumps to the inner tube subsystem parameter configuration flow and obtains the update parameter corresponding to the determined inner tube subsystem parameter by keyboard or another input device; for example, when the administrator or operations person configures the detection time interval of the authentication safety control module, the time interval to be set is input by keyboard as the update parameter. The configured inner tube subsystem parameters provide unified parameter settings for the cloud authentication platform, so that other systems can conveniently obtain inner tube system parameter information through the inner tube server.
When entry to be configured is certification safety control module parameter, the parameters of certification safety control module is joined by main realization Put, and send the parameter information updating to certification safety control module, in order to certification safety control module can perform.Specifically For, inner tube server receives parameter configuration instruction, instructs according to parameter configuration and determines entry to be configured, it is judged that entry to be configured Type when being certification safety control module parameter, jump to the flow process of certification safety control module parameter configuration, by keyboard or Other input equipments obtain the corresponding undated parameter of certification safety control module parameter configuration determining, utilize this undated parameter to recognizing Card safety control module configures, and the certification safety control module parameter information after will updating sends to certification security control mould Block is so that it performs.
When entry to be configured is card-reading terminal APP parameter, the main version updating realizing safeguarding client software and issue are read Card terminal APP software.When card-reading terminal APP needs to update, keeper or operation person can be joined by inner tube server Put card-reading terminal APP parameter, for example, the version number of card-reading terminal APP is updated, in order to client detects new edition Carry out automatically updating of software after Ben.Additionally, when needs carry out version updating, inner tube server is also stored with the Card Reader updating Terminal APP software, to facilitate client to be downloaded renewal.
It when entry to be configured is blacklist strategy, is mainly accomplished that and blacklist strategy is configured, judge Card Reader for system Whether abnormal behaviour provides foundation to terminal.Blacklist strategy can be that the abnormal behaviour for card-reading terminal sets threshold, exceedes default The card-reading terminal of threshold is judged as there occurs abnormal behaviour, can be included in blacklist;Can also set from black name simultaneously The strategy of release in list, for example, arrange the judgment standard that abnormal behaviour eliminates, when judging that abnormal behaviour eliminates, then and can be by It discharges from blacklist.Of course, it is possible to arrange different blacklist strategies according to the actual requirements in terms of other.Specifically For, inner tube server receives parameter configuration instruction, instructs according to parameter configuration and determines entry to be configured, it is judged that entry to be configured Type when being interior list strategy, jump to the flow process of blacklist strategy configuration, obtained by keyboard or other input equipments and determine The corresponding undated parameter of blacklist strategy, utilize this undated parameter to configure blacklist strategy.
It when entry to be configured is frequency management and control strategy, is mainly accomplished that the access time interval that card-reading terminal is set, for scheduling System carries out frequency management and control provides foundation.Owing to card-reading terminal frequent visit can cause the collapse of background system, it is therefore desirable to right The access time interval of card-reading terminal is reasonably arranged, and once the access time interval of card-reading terminal is less than the legal visit preset When asking time interval, the behavior of this card-reading terminal can be judged as abnormal behaviour.Specifically, inner tube server receives parameter Configuration-direct, instructs according to parameter configuration and determines entry to be configured, it is judged that when the type of entry to be configured is frequency management and control strategy, Jump to the flow process of frequency management and control strategy configuration, obtained the frequency management and control strategy configuration determining by keyboard or other input equipments right The undated parameter answered, utilizes this undated parameter to configure frequency management and control strategy.For example, when determination 0.1s is minimum access During frequency, abnormal behaviour will be considered less than the access at 0.1s interval, then can pass through keyboard or other input equipments input ginseng Number 0.1s, configuring frequency management and control strategy, it is, of course, also possible to from the opening time of frequency management and control, rank etc. in terms of other to frequency Degree management and control strategy is configured.
Embodiment 4
This embodiment provides an identity card reading method which, as shown in Figure 6, comprises steps S201 to S213:
S201: the card-reading terminal sends an access request to the dispatch server through the Internet access area, the access request carrying the identification information of the card-reading terminal;
Here the identification information of the card-reading terminal includes the digital certificate of the card-reading terminal.
S202: after receiving the access request, the dispatch server obtains the identification information of the card-reading terminal from the access request and determines from it whether the card-reading terminal is allowed to read identity cards; if so, step S203 follows, otherwise feedback denying access is returned to the card-reading terminal;
The dispatch server determining whether the card-reading terminal is allowed to read identity cards includes:
judging whether the digital certificate of the card-reading terminal is abnormal; if so, determining that the card-reading terminal is not allowed to read identity cards, otherwise judging whether the digital certificate of the card-reading terminal is in the blacklist or the control list, where the blacklist records the digital certificates of card-reading terminals that are not allowed to access and the control list records the digital certificates of card-reading terminals whose access must be controlled according to a preset control strategy;
where the digital certificate of the card-reading terminal is judged to be in the blacklist, determining that the card-reading terminal is not allowed to read identity cards and refusing the card-reading terminal's request;
where the digital certificate of the card-reading terminal is judged to be in the control list, determining according to the preset control strategy whether the card-reading terminal is allowed to read identity cards.
S203: where the card-reading terminal is allowed to read identity cards, the dispatch server queries the port status list and, on the principle of task balancing, selects the port number corresponding to one idle authentication security control module as the access port of the card-reading terminal;
S204: the dispatch server sends the selected port number of the authentication security control module to the card-reading terminal;
S205: the card-reading terminal sends a card-seeking request through the Internet access area and the isolation area to the authentication security control module indicated by that port number;
To protect the transmission, the card-seeking request sent by the card-reading terminal may be in ciphertext form: the card-reading terminal encrypts the card-seeking request with its own authentication key to produce the ciphertext.
S206: the authentication security control module indicated by the port number receives the card-seeking request sent by the card-reading terminal and sends it to the verification security control module corresponding to that authentication security control module;
In this step, when the card-seeking request received by the authentication security control module is ciphertext, the module may decrypt the ciphertext with the authentication key of the card-reading terminal and send the plaintext of the card-seeking request to the verification security control module.
S207: the corresponding verification security control module receives the card-seeking request, confirms it, and sends the confirmation result information to the selected authentication security control module;
S208: the authentication security control module indicated by the port number obtains a session key, encrypts the confirmation result information with the session key, and sends the encrypted confirmation result information to the card-reading terminal;
The session key may be negotiated between the authentication security control module and the card-reading terminal, or generated by one side and sent to the other side after being encrypted.
S209: the card-reading terminal sends a first packet through the Internet access area and the isolation area to the authentication security control module indicated by the port number;
Before this, on receiving the encrypted confirmation result, the card-reading terminal first decrypts the encrypted session key to obtain the session key, then decrypts the encrypted confirmation result with the session key to obtain the confirmation result.
The first packet includes the identity card ciphertext obtained by the card-reading terminal encrypting the original identity card ciphertext information read from the card;
S210: the authentication security control module indicated by the port number receives the first packet sent by the card-reading terminal, decrypts it with the session key to obtain the original identity card ciphertext information, and sends that information to the corresponding verification security control module;
S211: the corresponding verification security control module decrypts the original identity card ciphertext information to obtain the identity card plaintext information and returns it to the authentication security control module indicated by the port number;
S212: the authentication security control module indicated by the port number encrypts the identity card plaintext information with the session key and sends a second packet to the card-reading terminal, the second packet including the encrypted identity card plaintext information;
S213: the card-reading terminal receives the second packet and decrypts it with the session key to obtain the identity card plaintext information.
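The admission decision of S202 to S204 and the blacklist and frequency control policies of Embodiment 3 can be written out as one dispatch-server routine. The Python below is an added example, not code from the patent or its assignee; the policy values (0.1 s and 1.0 s intervals, a three-strike threshold, a 60 s release period, four tasks per port), the certificate and port identifiers and the request sequence in demo() are constructed assumptions. It goes beyond the text in one respect: a terminal on the control list is throttled to a stricter interval rather than judged case by case.

```python
from dataclasses import dataclass, field


@dataclass
class DispatchPolicy:
    """Operator-set values; every number here is hypothetical, the patent leaves them open."""
    min_interval: float = 0.1          # legal access interval for ordinary terminals, seconds
    controlled_interval: float = 1.0   # stricter interval for terminals on the control list
    abnormal_threshold: int = 3        # abnormal events before a terminal is blacklisted
    release_after: float = 60.0        # seconds since the last abnormal event before release
    max_tasks_per_port: int = 4        # a port carrying this many tasks is no longer idle


@dataclass
class DispatchServer:
    policy: DispatchPolicy
    revoked_certs: set                                 # digital certificates judged abnormal
    port_status: dict                                  # port number -> active task count
    blacklist: dict = field(default_factory=dict)      # certificate -> time of last abnormal event
    control_list: set = field(default_factory=set)     # certificates under the control strategy
    abnormal_counts: dict = field(default_factory=dict)
    last_access: dict = field(default_factory=dict)

    def _record_abnormal(self, cert, now):
        n = self.abnormal_counts.get(cert, 0) + 1
        self.abnormal_counts[cert] = n
        if n >= self.policy.abnormal_threshold:
            self.blacklist[cert] = now       # threshold reached: blacklist the terminal
            self.control_list.discard(cert)
        else:
            self.control_list.add(cert)      # below threshold: control rather than block

    def select_port(self):
        """Task-balanced choice among idle authentication-module ports (S203)."""
        idle = {p: n for p, n in self.port_status.items()
                if n < self.policy.max_tasks_per_port}
        if not idle:
            return None
        return min(idle, key=lambda p: (idle[p], p))   # least loaded, lowest port on a tie

    def handle_access_request(self, cert, now):
        """Decide one access request (S202): ('allow', port) or ('deny', reason)."""
        if cert in self.revoked_certs:
            return ("deny", "certificate abnormal")
        if cert in self.blacklist:
            if now - self.blacklist[cert] < self.policy.release_after:
                return ("deny", "blacklisted")
            del self.blacklist[cert]                    # release rule: quiet long enough
            self.abnormal_counts.pop(cert, None)
        prev = self.last_access.get(cert)
        self.last_access[cert] = now
        limit = (self.policy.controlled_interval if cert in self.control_list
                 else self.policy.min_interval)
        if prev is not None and now - prev < limit:     # frequency control
            self._record_abnormal(cert, now)
            return ("deny", "access too frequent")
        port = self.select_port()
        if port is None:
            return ("deny", "no idle authentication security control module")
        self.port_status[port] += 1
        return ("allow", port)

    def release_port(self, port):
        """Called when the terminal's session on that module finishes."""
        self.port_status[port] -= 1


def demo():
    """Constructed scenario: a revoked certificate, then one terminal that bursts requests,
    is put under control, is blacklisted, and is released after the quiet period."""
    srv = DispatchServer(DispatchPolicy(), revoked_certs={"CERT-REVOKED"},
                         port_status={8001: 0, 8002: 2})
    trace = [srv.handle_access_request("CERT-REVOKED", 0.0)]
    for t in (0.0, 1.0, 1.05, 1.10, 1.15, 2.0, 70.0):
        trace.append(srv.handle_access_request("CERT-A", t))
    return trace


if __name__ == "__main__":
    for step, result in enumerate(demo()):
        print(step, result)
```

The request timestamp is recorded even for denied requests, so a terminal that keeps hammering the server cannot reset its own interval; port 8001 is chosen twice in a row because it stays the least loaded port until its task count reaches that of port 8002.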
The above flow is performed on condition that the Internet access area and the perimeter firewall of the service area both permit the access of the card-reading terminal and that the intrusion detection device and the intrusion prevention device have not detected that the system is under attack; all interaction data between the card-reading terminal and the verification security control module is transmitted through the network transmission devices of the Internet access area, the core area and the service area.
Any process or method described in the flowcharts or otherwise described herein may be understood as representing one or more modules, segments or portions of code of executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, as would be understood by those skilled in the art to which the embodiments of the invention belong.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following technologies known in the art may be used: a discrete logic circuit having logic gate circuits for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example", "some examples" and the like means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example, and the particular features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
Although embodiments of the invention have been shown and described above, it is to be understood that they are exemplary and are not to be construed as limiting the invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention without departing from its principles and purpose. The scope of the invention is defined by the appended claims and their equivalents.

Claims (10)

1. the method for a data transmission, it is characterised in that include:
Border routing receives the packet that card-reading terminal sends, and selects perimeter firewall to be sent according to routing strategy, will Described packet sends to selected perimeter firewall;
Described selected perimeter firewall receives described packet, determines that described card-reading terminal is visited according to the content of described packet The mark of the purpose equipment asked, and send the mark of described packet and described purpose equipment to core switch;
Described core switch sends described packet to dispatch server according to the mark of described purpose equipment, or, according to The mark of described purpose equipment sends the mark of described packet and described purpose equipment to the service area fire wall of service area;
In the case that described packet is sent to dispatch server by described core switch, described dispatch server receives described Packet, is that described card-reading terminal selects an idle certification safety control module;And by the certification security control of described free time The mark of module sends to described card-reading terminal;
In the case that described core switch sends the mark of described packet and described purpose equipment to service area, described The described service area fire wall of service area receives described packet, according to default service area firewall filtering policies, it is judged that described The identifying whether of purpose equipment allows to access, if it is, send described packet to the first certification security module, and described the One certification security module is the certification safety control module of the mark instruction of described purpose equipment;
Described first certification safety control module receives described packet, deciphers described packet, and by the data after deciphering Bag sends to the first checking safety control module, and described first checking safety control module is and described first certification security control mould The checking safety control module that block connects;
Described first checking safety control module receive described deciphering after packet, carry according to the packet after described deciphering Data content returns corresponding first packet to described first certification safety control module;
Described first certification safety control module receives described first packet that the described first checking safety control module returns, and To described first Data Packet Encryption, send the first packet after encryption to described card-reading terminal.
2. the method for claim 1, it is characterised in that:
Including at least the public identifier of described purpose equipment in described packet;
Described selected perimeter firewall determines the mark of purpose equipment that described card-reading terminal accesses according to the content of described packet Know, comprising:
The public identifier of described purpose equipment is mapped as correspondence according to network address translation protocol by described selected perimeter firewall The mark of described purpose equipment.
3. method as claimed in claim 2, it is characterised in that:
Select perimeter firewall to be sent at described border routing according to routing strategy, described packet is sent extremely selected Before the perimeter firewall selected, described method also includes:
Described border routing is according to the border routing filtering policy preset, it is judged that whether the public identifier of described purpose equipment allows to lead to Cross described border routing, if it is allowed, then perform the described perimeter firewall to be sent according to routing strategy selection, by institute State packet to send to the step of the described perimeter firewall selected.
4. the method as described in any one of claims 1 to 3, it is characterised in that:
Determine purpose equipment that described card-reading terminal accesses at described selected perimeter firewall according to the content of described packet Before mark, described method also includes:
Described selected perimeter firewall is according to the perimeter firewall filtering policy preset, it is judged that it is non-whether described packet includes Method data, if it is not, then perform described to determine purpose equipment that described card-reading terminal accesses according to the content of described packet The step of mark.
5. The method of any one of claims 1 to 4, characterised in that:
the packet further carries at least the identification information of the card-reading terminal and the digital certificate of the card-reading terminal;
before the dispatch server selects an idle authentication security control module for the card-reading terminal, the method further comprises:
the dispatch server judging from the identification information of the card-reading terminal whether the card-reading terminal is permitted to access, and judging whether the digital certificate of the card-reading terminal is abnormal; and judging that the card-reading terminal is permitted to access and that its certificate is normal.
6. The method of any one of claims 1 to 5, characterised in that:
before the first authentication security control module decrypts the packet, the method further comprises: the dispatch server obtaining, according to the identification information of the card-reading terminal, the ciphertext of the authentication key of the card-reading terminal from an authentication database and sending it to the first authentication security control module, wherein the ciphertext of the authentication key of the card-reading terminal is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database;
the first authentication security control module decrypting the packet comprises: the first authentication security control module obtaining the protection key, decrypting the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypting the packet with the authentication key;
the first verification security control module returning the corresponding first packet to the first authentication security control module according to the data content carried by the decrypted packet comprises:
where the data content is identity card card-seeking data, the first verification security control module returning the first packet to the first authentication security control module, the first packet including at least card-seeking response data;
where the data content is identity card card-selecting data, the first verification security control module returning the first packet to the first authentication security control module, the first packet including at least the data related to authenticating the identity card read by the card-reading terminal;
where the data content is identity card information ciphertext, the first verification security control module decrypting the identity card information ciphertext to obtain identity card information plaintext and returning the first packet to the first authentication security control module, the first packet including at least the identity card information plaintext.
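The key handling of claim 6 (the terminal's authentication key held in the authentication database only as ciphertext under a protection key, and unwrapped by the authentication security control module before it can decrypt the terminal's packet) and the S205 to S213 exchange of Embodiment 4 (card-seeking request under the authentication key, session key delivered under it, first and second packets under the session key, card ciphertext opened only inside the verification module) use the same few cipher operations, so one example covers both. The Python below is an added illustration and not the patent's code: the patent names no algorithm, so seal()/open_() are a stand-in HMAC-SHA256 keystream with encrypt-then-MAC, and the terminal identifier, the SEEK request body, the card data and the module reading the protection key directly from the database object are constructed assumptions.

```python
import hashlib
import hmac
import secrets


# Stand-in authenticated cipher: HMAC-SHA256 keystream, encrypt-then-MAC. The patent names
# no algorithm; a deployment would use a standard AEAD (AES-GCM, SM4-GCM). Not for production.
def _keystream(key, nonce, n):
    blocks, i = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("packet failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthDatabase:
    """Holds each terminal's authentication key only as ciphertext under the protection key."""
    def __init__(self):
        self.protection_key = secrets.token_bytes(32)   # in practice kept in an HSM/key store
        self._wrapped = {}
    def enroll(self, terminal_id, auth_key):
        self._wrapped[terminal_id] = seal(self.protection_key, auth_key)
    def wrapped_key(self, terminal_id):            # what the dispatch server forwards (claim 6)
        return self._wrapped[terminal_id]


class VerificationModule:
    """Isolated-area module that holds the card-side key; it never faces the terminal."""
    def __init__(self, card_key):
        self.card_key = card_key
    def confirm_card_seek(self, request):          # S207
        return b"OK:" + request
    def decrypt_card(self, card_ciphertext):       # S211
        return open_(self.card_key, card_ciphertext)


class AuthModule:
    """Authentication security control module reached through one dispatch port."""
    def __init__(self, db, verifier):
        self.db, self.verifier, self.session_key = db, verifier, None
    def handle_card_seek(self, terminal_id, seek_ciphertext):
        auth_key = open_(self.db.protection_key, self.db.wrapped_key(terminal_id))  # unwrap
        request = open_(auth_key, seek_ciphertext)              # S206: decrypt with auth key
        result = self.verifier.confirm_card_seek(request)       # S207
        self.session_key = secrets.token_bytes(32)              # S208: this side generates it
        return seal(auth_key, self.session_key), seal(self.session_key, result)
    def handle_first_packet(self, first_packet):
        card_ciphertext = open_(self.session_key, first_packet)     # S210
        plaintext = self.verifier.decrypt_card(card_ciphertext)     # S211
        return seal(self.session_key, plaintext)                    # S212: second packet


class Terminal:
    def __init__(self, terminal_id, auth_key):
        self.terminal_id, self.auth_key, self.session_key = terminal_id, auth_key, None
    def card_seek(self, module):                   # S205, then the receive side of S208
        enc_key, enc_result = module.handle_card_seek(self.terminal_id, seal(self.auth_key, b"SEEK"))
        self.session_key = open_(self.auth_key, enc_key)
        return open_(self.session_key, enc_result)
    def read_card(self, module, card_ciphertext):  # S209 and S213
        second_packet = module.handle_first_packet(seal(self.session_key, card_ciphertext))
        return open_(self.session_key, second_packet)


def run_exchange():
    """Full S205-S213 exchange on constructed keys; returns (confirmation, card plaintext)."""
    db = AuthDatabase()
    auth_key, card_key = secrets.token_bytes(32), secrets.token_bytes(32)
    db.enroll("TERM-01", auth_key)
    module = AuthModule(db, VerificationModule(card_key))
    terminal = Terminal("TERM-01", auth_key)
    confirmation = terminal.card_seek(module)
    card_ciphertext = seal(card_key, b"ID-CARD-PLAINTEXT")    # constructed card data
    return confirmation, terminal.read_card(module, card_ciphertext)


def tampered_packet_rejected():
    """A flipped ciphertext byte must fail the tag check rather than decrypt to garbage."""
    key = secrets.token_bytes(32)
    blob = bytearray(seal(key, b"SEEK"))
    blob[16] ^= 0x01
    try:
        open_(key, bytes(blob))
    except ValueError:
        return True
    return False
```

Two properties of the layout are worth checking against a real deployment: the authentication module only ever sees the terminal's key after unwrapping it, so the database can be backed up or replicated without exposing terminal keys, and the card ciphertext crosses the authentication module still sealed under the card-side key, so only the verification module in the isolated area ever holds identity card plaintext before it is re-sealed for the terminal.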
7. The method of any one of claims 1 to 6, characterised in that the method further comprises:
the flow cleaning device connected to the border router monitoring the service traffic flowing through the border router and, if it detects from that traffic that the border router is under a distributed denial-of-service attack, cleaning the service traffic flowing through the border router.
8. The method of any one of claims 1 to 7, characterised in that:
there are multiple dispatch servers;
the method further comprises: where the core switch sends the packet to the multiple dispatch servers, a load balancer connected between the core switch and the multiple dispatch servers distributing the packet to one of the multiple dispatch servers according to a balancing policy.
9. The method of any one of claims 1 to 8, characterised in that the method further comprises:
the intrusion detection device connected to the core switch monitoring the service traffic flowing through the core switch and matching that traffic against a user historical behaviour model, pre-stored expert knowledge and a neural network model; once a match succeeds, judging that intrusion behaviour exists.
10. The method of any one of claims 1 to 9, characterised in that the method further comprises:
the intrusion prevention device connected to the core switch monitoring the packets received by the core switch, judging whether a packet received by the core switch is invalid data, and, if so, discarding the packet received by the core switch.
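The zoning of claims 1 to 5, 8 and 10 is a chain of decisions made hop by hop: border routing filter, perimeter firewall illegal-data check and NAT mapping, core switch routing, load balancing in front of the dispatch servers, intrusion prevention, and the service area firewall policy. The Python below is an added example and not the patent's code; the addresses, device identifiers, the illegal-data patterns and the size rule standing in for the intrusion prevention device's notion of invalid data are constructed assumptions. It also shows a packet aimed at the internal management server being stopped at the service area firewall, which the claims imply but do not spell out.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Packet:
    terminal_id: str      # identification information of the card-reading terminal (claim 5)
    dst_public: str       # public identifier of the destination device (claim 2)
    payload: bytes


# Hypothetical policy tables; the patent leaves their contents to the operator.
BORDER_ALLOWED = {"203.0.113.10", "203.0.113.20", "203.0.113.30"}   # border routing filter
NAT_MAP = {"203.0.113.10": "dispatch",                              # public id -> internal id
           "203.0.113.20": "auth-module-7",
           "203.0.113.30": "inner-mgmt-server"}
SERVICE_FW_ALLOWED = {"auth-module-7", "auth-module-8"}            # service area firewall policy
ILLEGAL_PATTERNS = (b"' OR 1=1", b"\x90\x90\x90\x90")              # constructed "illegal data"
MAX_PAYLOAD = 4096                                                 # constructed intrusion prevention rule


class ZonedNetwork:
    def __init__(self, perimeter_firewalls=("fw-a", "fw-b"), dispatch_servers=("ds-1", "ds-2")):
        self._fw = cycle(perimeter_firewalls)    # border routing strategy: round robin
        self._ds = cycle(dispatch_servers)       # load balancer in front of the dispatch servers

    def forward(self, pkt):
        """Return the hops a packet traverses; a final 'DROP: ...' entry says where it died."""
        hops = ["border-router"]
        if pkt.dst_public not in BORDER_ALLOWED:                           # claim 3
            return hops + ["DROP: public identifier not permitted by border routing filter"]
        hops.append(next(self._fw))                                         # claim 1
        if any(p in pkt.payload for p in ILLEGAL_PATTERNS):                 # claim 4
            return hops + ["DROP: illegal data at perimeter firewall"]
        dst = NAT_MAP.get(pkt.dst_public)                                   # claim 2
        if dst is None:
            return hops + ["DROP: no NAT mapping for public identifier"]
        hops.append("core-switch")
        if len(pkt.payload) > MAX_PAYLOAD:                                  # claim 10
            return hops + ["DROP: invalid packet discarded by intrusion prevention"]
        if dst == "dispatch":
            return hops + [next(self._ds)]                                  # claim 8
        hops.append("service-area-firewall")
        if dst not in SERVICE_FW_ALLOWED:                                   # claim 1
            return hops + [f"DROP: {dst} not permitted by service area firewall policy"]
        return hops + [dst]


if __name__ == "__main__":
    net = ZonedNetwork()
    for pkt in (Packet("T1", "203.0.113.10", b"ACCESS"),
                Packet("T1", "203.0.113.20", b"SEEK"),
                Packet("T1", "203.0.113.30", b"ls")):
        print(" -> ".join(net.forward(pkt)))
```

The order of checks matters for the security argument: the public identifier is filtered before any address translation, illegal content is rejected before the packet reaches the core area, and the service area firewall sees only the internal identifier the perimeter firewall produced, never a destination the terminal chose for itself.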
CN201610041107.XA 2016-01-21 2016-01-21 A kind of method of data transmission Active CN105991647B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610041107.XA CN105991647B (en) 2016-01-21 2016-01-21 A kind of method of data transmission


Publications (2)

Publication Number Publication Date
CN105991647A true CN105991647A (en) 2016-10-05
CN105991647B CN105991647B (en) 2019-06-28


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107481372A (en) * 2017-08-16 2017-12-15 广州甩手电子商务有限公司 Dual redundant Intelligent storage device, dual redundant Internet of Things storage system and its implementation
CN107948199A (en) * 2017-12-27 2018-04-20 北京奇安信科技有限公司 A kind of method and device being used for quickly detecting to terminal shared access
CN108696541A (en) * 2018-07-20 2018-10-23 国家电网公司 The method and device of safe processing of communication network
CN109639580A (en) * 2019-02-03 2019-04-16 新华三信息安全技术有限公司 A kind of message forwarding method and device
CN109992940A (en) * 2019-03-29 2019-07-09 北京金山云网络技术有限公司 Auth method, device, system and proof of identity server
CN110199286A (en) * 2017-01-24 2019-09-03 微软技术许可有限责任公司 The seal data in area is surrounded using sealing
CN110428510A (en) * 2019-08-23 2019-11-08 深圳市金溢科技股份有限公司 PSAM card manages method, apparatus and safe cloud box system concentratedly
CN111277660A (en) * 2020-01-22 2020-06-12 中国银联股份有限公司 System and method for forming DMZ (digital multiplex) area
CN111600866A (en) * 2020-05-12 2020-08-28 福建龙净环保股份有限公司 Data transmission method and system based on Internet

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN2702376Y (en) * 2004-05-16 2005-05-25 苏明儒 Document information checking machine
CN103593634A (en) * 2013-11-08 2014-02-19 国家电网公司 Network centralized decoding system and method of identity card identifier
CN104993954A (en) * 2015-06-24 2015-10-21 深圳市金正方科技股份有限公司 Method and system for identifying terminal by intelligent electric meter


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴兴勇: "《实用网络技术》", 31 May 2015 *




Legal Events

Date        Code  Title
            C06   Publication
            PB01  Publication
            C10   Entry into substantive examination
            SE01  Entry into force of request for substantive examination
            GR01  Patent grant
2022-04-13  TR01  Transfer of patent right
                  Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094
                  Patentee after: TENDYRON Corp.
                  Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing
                  Patentee before: Li Ming