CN106027463A - Data transmission method - Google Patents

Info

Publication number: CN106027463A
Authority: CN (China)
Prior art keywords: card, packet, control module, reading terminal, safety control
Legal status: Granted
Application number: CN201610040635.3A
Other languages: Chinese (zh)
Other versions: CN106027463B (en)
Inventor: 李明
Current assignee: Tendyron Corp
Original assignee: Individual
Events: application filed by Individual; priority to CN201610040635.3A; publication of CN106027463A; application granted; publication of CN106027463B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G06K7/10257 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves arrangements for protecting the interrogation against piracy attacks

Abstract

The invention discloses a data transmission method. In the method, a border router receives a data packet sent by a card-reading terminal and sends it to a selected border firewall; the selected border firewall sends the data packet to a core switch; the core switch sends the data packet either to a dispatch server or to the service area firewall of a service area; the dispatch server selects an idle port and sends it to the card-reading terminal as its access port; the service area firewall judges, according to a preset service area firewall filtering policy, that the destination port belongs to the ports allowed to be accessed, and sends the data packet to a first authentication security control module; the first authentication security control module decrypts the data packet and sends the decrypted data packet to a first verification security control module; the first verification security control module returns a corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet; the first authentication security control module encrypts the first data packet and sends the encrypted first data packet to the card-reading terminal.

Description

Data transmission method
Technical field
The present invention relates to the field of electronic technology, and in particular to a data transmission method.
Background technology
What a resident second-generation identity card stores is the ciphertext of the identity card information, and only a verification security control module authorized by the Ministry of Public Security can decrypt that ciphertext. An existing front-end identity card reading terminal has at least two modules: a read module and a resident identity card verification security control module. Because every front-end identity card reader carries its own verification security control module, the manufacturing cost of existing front-end readers is high; moreover, one verification security control module can only authenticate the identity card information read by its own read module, so the utilization rate of existing front-end readers is low. To solve this problem, an improved scheme has appeared: the front-end identity card reader no longer includes the verification security control module, which is instead located on the back-end side, thereby raising the utilization rate of the verification security control modules.
However, the network environment on the back-end side is an open network, and any card reader can ask the back end to let it access a resident identity card verification security control module. This greatly increases the security risk to the verification security control modules: once a verification security control module is broken into by an illegal card reader, the identity card root certificate stored in it may be stolen or even tampered with by criminals, with unimaginable consequences. In addition, since the back-end side may be equipped with multiple verification security control modules, uneven task distribution can also leave some verification security control modules idle while others are overloaded.
Summary of the invention
The present invention aims to solve one of the above problems.
The present invention provides a data transmission method.
To achieve the above purpose, the technical solution of the present invention is implemented as follows:
One aspect of the present invention provides a data transmission method, comprising: a border router receives a data packet sent by a card-reading terminal, the data packet carrying at least an access IP address and an access port; the border router selects the border firewall to send to according to a routing strategy and sends the data packet to the selected border firewall; the selected border firewall receives the data packet, maps the access IP address and access port to the corresponding destination IP address and destination port, and sends the data packet, destination IP address and destination port to the core switch; the core switch, according to the destination IP address and destination port, either sends the data packet to the dispatch server or sends the data packet, destination IP address and destination port to the service area firewall of the service area; when the core switch sends the data packet to the dispatch server, the dispatch server receives the data packet, obtains from the authentication database of the service area the port status list for the ports within its jurisdiction (each port corresponding to one authentication security control module), selects an idle port from the port status list as the access port of the card-reading terminal, and sends that access port to the card-reading terminal; when the core switch sends the data packet, destination IP address and destination port to the service area, the service area firewall of the service area receives the data packet and judges, according to a preset service area firewall filtering policy, whether the destination port belongs to the ports allowed to be accessed; if so, it sends the data packet to the first authentication security control module, which is the authentication security control module pointed to by the destination port and destination IP address; the first authentication security control module receives the data packet, decrypts it, and sends the decrypted data packet to the first verification security control module, which is the verification security control module connected to the first authentication security control module; the first verification security control module receives the decrypted data packet and returns a corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet; the first authentication security control module receives the first data packet returned by the first verification security control module, encrypts it, and sends the encrypted first data packet to the card-reading terminal.
Optionally, before the border router selects the border firewall to send to according to the routing strategy and sends the data packet to the selected border firewall, the method further includes: the border router judges, according to a preset border router filtering policy, whether the access IP address is allowed to pass through the border router; if it is allowed, the border router performs the step of selecting the border firewall according to the routing strategy and sending the data packet to the selected border firewall.
Optionally, before the selected border firewall maps the access IP address and access port to the corresponding destination IP address and destination port, the method further includes: the selected border firewall judges, according to a preset border firewall filtering policy, whether the data packet contains invalid data; if it does not, the border firewall performs the step of mapping the access IP address and access port to the corresponding destination IP address and destination port.
Optionally, the core switch sending the data packet to the dispatch server according to the destination IP address and destination port, or sending the data packet, destination IP address and destination port to the service area, includes: if the destination IP address and destination port are the IP address and port of the dispatch server, the core switch sends the data packet to the dispatch server; if the destination IP address and destination port are the IP address and port of an authentication security control module in the service area, the core switch sends the data packet, destination IP address and destination port to the service area firewall of the service area.
Optionally, the data packet further includes the identification information of the card-reading terminal and the digital certificate of the card-reading terminal; before the dispatch server obtains the port status list for the ports within its jurisdiction from the authentication database of the service area, the method further includes: the dispatch server judges, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal; it proceeds when it judges that the card-reading terminal is allowed to access and that its certificate is normal.
Optionally, before the first authentication security control module decrypts the data packet, the method further includes: the dispatch server, according to the identification information of the card-reading terminal, obtains the ciphertext of the authentication key of the card-reading terminal from the authentication database and sends it to the first authentication security control module, where the ciphertext of the authentication key is obtained by encrypting the authentication key of the card-reading terminal with the protection key of the authentication database. The first authentication security control module decrypting the data packet then includes: the first authentication security control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal, and decrypts the data packet with the authentication key. The first verification security control module returning the corresponding first data packet to the first authentication security control module according to the data content carried by the decrypted data packet includes: when the data content is identity card card-seeking data, the first verification security control module returns a first data packet containing at least card-seeking response data; when the data content is identity card card-selection data, it returns a first data packet containing at least the related data for authenticating with the identity card read by the card-reading terminal; when the data content is identity card information ciphertext, it decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns a first data packet containing at least the identity card information plaintext.
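The key handling in the passage above, as an added example that is not part of the patent: the authentication database stores each terminal's authentication key encrypted under the database's protection key, the first authentication security control module unwraps that key and uses it to decrypt the terminal's packet, the verification security control module answers according to the content type (card seeking, card selection, or identity card information ciphertext), and the reply is encrypted for the terminal. The patent names no cipher, so the HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, the `SEEK`/`SELECT`/`IDINFO` content tags, the class names and all keys are assumptions of this example.

```python
"""Added model of the key handling in this patent (not the patent's own code): the authentication
database keeps each card-reading terminal's authentication key encrypted under the database's
protection key; the authentication security control module unwraps it, decrypts the terminal's
packet, hands the plaintext to the verification security control module and encrypts the reply."""
import hashlib
import hmac
import os
import struct

# The patent names no cipher. This stand-in (an assumption of the example) is HMAC-SHA256 run in
# counter mode for the keystream plus an encrypt-then-MAC tag, with separate derived subkeys.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16) if nonce is None else nonce
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Verify the tag first; only then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("packet failed integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class AuthenticationDatabase:
    """Holds wrapped authentication keys; the protection key stays inside the service area."""
    def __init__(self, protection_key):
        self.protection_key = protection_key
        self._wrapped = {}

    def enroll(self, terminal_id, auth_key):
        self._wrapped[terminal_id] = encrypt(self.protection_key, auth_key)

    def wrapped_key_for(self, terminal_id):
        return self._wrapped[terminal_id]

class VerificationSecurityControlModule:
    """Answers by content type: card seeking, card selection, or ID information ciphertext."""
    def __init__(self, id_card_key):
        self.id_card_key = id_card_key  # stand-in for the authorised ID-card decryption key

    def handle(self, content):
        kind, _, body = content.partition(b":")
        if kind == b"SEEK":
            return b"SEEK_RESP:card present"
        if kind == b"SELECT":
            return b"SELECT_RESP:challenge-for-" + body
        if kind == b"IDINFO":
            return b"IDINFO_RESP:" + decrypt(self.id_card_key, body)
        raise ValueError("unknown content type")

class AuthenticationSecurityControlModule:
    def __init__(self, protection_key, verifier):
        self.protection_key = protection_key
        self.verifier = verifier

    def process(self, wrapped_auth_key, packet):
        auth_key = decrypt(self.protection_key, wrapped_auth_key)  # protection key -> auth key
        content = decrypt(auth_key, packet)                       # auth key -> packet plaintext
        reply = self.verifier.handle(content)                     # the "first data packet"
        return encrypt(auth_key, reply)                           # encrypted for the terminal

def round_trip(db, module, terminal_id, auth_key, content):
    """Terminal side: encrypt a request, pass it through the module, decrypt the reply."""
    packet = encrypt(auth_key, content)
    return decrypt(auth_key, module.process(db.wrapped_key_for(terminal_id), packet))

def tamper_detected(key, blob):
    """True when decrypt() rejects the blob (wrong key or modified bytes)."""
    try:
        decrypt(key, blob)
        return False
    except ValueError:
        return True
```

The point of the layering is that the terminal's authentication key is never stored in clear in the authentication database, and the protection key is only ever used inside the authentication security control module; a packet under the wrong key or with altered bytes fails the tag check before any plaintext is produced.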
Optionally, the method further includes: a flow cleaning device connected to the border router monitors the service traffic flowing through the border router, and if it detects from that traffic that the border router is under a distributed denial of service attack, it performs flow cleaning on the service traffic flowing through the border router.
Optionally, there are multiple dispatch servers, and the method further includes: when the core switch sends the data packet towards the multiple dispatch servers, a load balancer connected between the core switch and the dispatch servers distributes the data packet to one of them according to a balancing policy.
Optionally, the method further includes: an intrusion detection device connected to the core switch monitors the service traffic flowing through the core switch and matches it against the user's historical behaviour model, pre-stored expert knowledge and a neural network model; once a match succeeds, an intrusion behaviour is judged to exist.
Optionally, the method further includes: an intrusion prevention device connected to the core switch monitors the data packets received by the core switch and judges whether they are invalid data; if so, the data packets received by the core switch are discarded.
As can be seen from the technical solution provided above, the present invention provides a data transmission method in which the system is divided into three levels, an Internet access area, an isolation area and a service area, each level using a different security strategy. Through multiple layers of security boundaries, the security of the whole system is improved at the network level, so that the service area is protected from malicious attacks and in particular the security of the authentication security control modules and verification security control modules is ensured.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of the identity card cloud authentication system provided by Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of the identity card cloud authentication system provided by Embodiment 1 of the present invention;
Fig. 3 is a schematic structural diagram of the card-reading system provided by Embodiment 1 of the present invention;
Fig. 4 is a flow chart of the data transmission method provided by Embodiment 2 of the present invention;
Fig. 5 is a schematic structural diagram of the internal management server provided by Embodiment 3 of the present invention;
Fig. 6 is a flow chart of the identity card reading method provided by Embodiment 4 of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention and not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
This embodiment provides an identity card cloud authentication system. As shown in Fig. 1, the system provided by this embodiment can be divided by function into three areas: an Internet access area 10, an isolation area 20 and a service area 30, with different technical measures taken in each area to improve the security of the whole system at the network level. The Internet access area 10 is positioned as the Internet portal of the whole identity card cloud authentication system and includes at least a border router 101 and a border firewall 102. It sits in an open network environment; its main function is Internet access, and through the border router and border firewall it resists unauthorized access, forming the first line of defence from the Internet into the intranet. The isolation area 20 is a buffer between the non-secure system and the secure system, set up to solve the problem that, once a firewall is installed, the external network cannot reach the internal network servers. It lies between the Internet access area and the service area and is responsible for isolating the service area from the Internet; it includes at least a core switch 201 and a dispatch server 202. Through the core switch 201, the dispatch server 202 can distribute the data packets of different card-reading terminals in a balanced way to the authentication security control modules of the service area 30. The service area 30 is the core area of the identity card cloud authentication system and does not provide service directly to Internet clients (i.e. card-reading terminals). It includes at least a service area firewall 301, n authentication security control modules 302 and n verification security control modules 303; the authentication security control modules 302 and verification security control modules 303 correspond one to one, and each verification security control module 303 has only one external interface, which connects to its corresponding authentication security control module 302. Data from an Internet client (i.e. a card-reading terminal) must pass through one more service area firewall 301 before it can enter the core area LAN from the isolation area, which guarantees the security of the core area LAN.
In this embodiment, the border router 101 is used to receive the data packet sent by the card-reading terminal, the data packet carrying at least an access IP address and an access port, to select the border firewall to send to according to a routing strategy, and to send the data packet to the selected border firewall. The selected border firewall 102 is used to receive the data packet, map the access IP address and access port to the corresponding destination IP address and destination port, and send the data packet, destination IP address and destination port to the core switch 201. The core switch 201 is used to send the data packet to the dispatch server 202 according to the destination IP address and destination port, or to send the data packet, destination IP address and destination port to the service area firewall 301 of the service area 30. The dispatch server 202 is used to receive the data packet, obtain from the authentication database of the service area 30 the port status list for the ports within its jurisdiction (each port corresponding to one authentication security control module), select, on the principle of task balancing, an idle port from the port status list as the access port of the card-reading terminal, and send that access port to the card-reading terminal. The service area firewall 301 of the service area is used to receive the data packet and judge, according to a preset service area firewall filtering policy, whether the destination port belongs to the ports allowed to be accessed; if so, it sends the data packet to the first authentication security control module, i.e. the authentication security control module 302 pointed to by the destination port and destination IP address. The first authentication security control module 302 is used to receive the data packet, decrypt it, and send the decrypted data packet to the first verification security control module, i.e. the verification security control module 303 connected to the first authentication security control module. The first verification security control module 303 is used to receive the decrypted data packet and return a corresponding first data packet to the first authentication security control module 302 according to the data content carried by the decrypted data packet. The first authentication security control module 302 is further used to receive the first data packet returned by the first verification security control module 303, encrypt it, and send the encrypted first data packet to the card-reading terminal.
With the identity card cloud authentication system provided by this embodiment, the system is divided into three levels, an Internet access area, an isolation area and a service area, each level using a different security strategy; through multiple layers of security boundaries, the security of the whole system is improved at the network level, so that the service area is protected from malicious attacks and in particular the security of the authentication security control modules and verification security control modules is ensured.
To prevent single points of failure and improve the stability of the whole system, each network device in each area of the system provided by this embodiment may be present in multiples: for example, there may be one or more border routers, one or more border firewalls, one or more core switches 201, and one or more service area firewalls 202. For ease of description, this embodiment takes two of each network device as an example; as shown in Fig. 2, dual hot standby is used to prevent single points of failure and improve the stability of the whole system. Both border routers work at the same time: whichever border router receives the data packet sent by the card-reading terminal forwards it to the border firewall selected according to the routing strategy. Both core switches also work at the same time and can both receive the data packets (service traffic) sent by the border firewalls; whichever core switch receives a data packet from a border firewall forwards it according to the identifier of the destination device. The main purpose of dual hot standby is to prevent a failure of one network device from affecting the normal operation of the system: once one network device goes down, the other can still work normally.
In this embodiment, to prevent single points of failure, multiple border firewalls may be deployed. When there are multiple border firewalls, the border router needs to select a path for sending the data packet to the core switch 201, i.e. select which border firewall to send it through to the core switch 201. In this embodiment the border router selects the border firewall to send to according to a routing strategy, which may be, for example: choose a border firewall at random, choose the one nearest to the border router, choose the one with the shortest data transmission time, choose the one with the strongest traffic handling capacity, and so on.
The border router is the access point through which the external Internet reaches the identity card cloud authentication system; as the bridge between the intranet and the extranet, its secure operation is tied to the secure operation of the whole identity card cloud authentication system. The border router therefore bears the brunt of hacker attacks and is their main target, and it should accordingly be the object of focused maintenance by network administrators. As an optional implementation in this embodiment, the border router is further used, before selecting the border firewall according to the routing strategy and sending the data packet to the selected border firewall, to judge according to a preset border router filtering policy whether the access IP address is allowed to pass through the border router; if it is allowed, the border router performs the operation of sending the data packet to the selected border firewall. In this way the border router, as the first line of defence of the identity card cloud authentication system, can keep unauthorized access that does not meet the border router filtering policy outside the system and improve the security of the whole system at the network level.
As an optional border router filtering policy, in a specific implementation the network segments allowed to access may be configured in advance on the border router; the border router then judges whether the access IP address lies within those segments, and if so allows the data packet through the border router and forwards it onwards, otherwise it discards the data packet sent by that card-reading terminal. In addition, to prevent other unauthorized access, the border router filtering policy may also include at least one of the following:
Mode 1: change the default password: the border router's default password is changed to a password without special significance.
Mode 2: disable IP directed broadcast; once IP directed broadcast is disabled, Smurf attacks can be effectively prevented.
Mode 3: disable the HTTP (HyperText Transfer Protocol) service of the border router.
Mode 4: block ICMP (Internet Control Message Protocol) ping requests; blocking ping makes it easier for the system to avoid unattended scanning activity and reduces the probability of the system being hacked.
Mode 5: block unnecessary ports; apart from the ports on which the service area provides service externally, all other ports are closed.
Thus, through maintenance of the border router, unauthorized access that does not meet the border router filtering policy is kept outside the identity card cloud authentication system, ensuring the security of the system.
The main function of the border firewall 102 is to control access from the external network (the Internet) to the internal network and to protect the internal network from attacks by Internet card-reading terminals (mainly illegal hackers). Using network address translation technology, the border firewall 102 maps all host addresses of the protected internal network (i.e. the destination IP addresses and destination ports: the private IP addresses and ports of the dispatch servers or security control modules) onto a few valid public IP addresses configured on the firewall (i.e. the access IP addresses and access ports). In this way a device on the external network (a card-reading terminal) can only obtain the access IP address and access port and cannot obtain the real IP address and port of the device actually being accessed (i.e. the destination IP address and destination port); the internal network structure and IP addresses are thus shielded from the outside and the internal network is protected. Therefore, after the border firewall 102 receives a data packet, it first maps the access IP address and access port to the corresponding destination IP address and destination port according to the Network Address Translation (NAT) protocol; only the destination IP address and destination port are the real addresses of the internal network devices, and the data packet is forwarded according to them.
The border firewall is a filtering and blocking facility established on the boundary between the internal and external networks: the internal network (i.e. the identity card cloud authentication system) is regarded as secure and trustworthy, while the external network is regarded as insecure and untrustworthy. The role of the firewall is to prevent undesired, unauthorized communication from entering or leaving the protected internal network, strengthening the security of the internal network through boundary control. Therefore, as an optional implementation in this embodiment, the border firewall 102 is further used, before mapping the access IP address and access port to the corresponding destination IP address and destination port, to judge according to a preset border firewall filtering policy whether the data packet contains invalid data; if it does not, the border firewall performs the operation of mapping the access IP address and access port to the corresponding destination IP address and destination port. The border firewall can thereby greatly reduce the management cost of overall network security construction and improve the security of the identity card cloud authentication system.
As an optional border firewall filtering policy, in a specific implementation a DDoS (Distributed Denial of Service) signature database may be configured in advance on the border firewall; like a virus database, it stores DDoS signature values. The border firewall matches the content of the received data packet against the DDoS signatures in the database; if a match is found, the data packet is an invalid packet and the border firewall is under DDoS attack, so the packet is discarded and not forwarded to the core switch. In general the forms of invalid packets are varied: some contain no card-reading terminal data at all and consist only of attack messages, while others may contain partly valid data and partly attack messages; these are not described further here.
As an optional embodiment of the present embodiment, as shown in Fig. 2, the Internet connection zone 10 further includes a traffic cleaning device 103 connected to the border router, which monitors the service traffic flowing through the border router and, if it detects from that traffic that the border router is under a distributed denial of service (DDoS) attack, cleans the traffic passing through the border router.
In the present embodiment, the traffic cleaning device 103 monitors the data of the Internet connection (the packets received by the border router) in real time so as to discover abnormal traffic, including DDoS attack traffic, promptly. When the abnormal traffic reaches or exceeds a preset security baseline, the traffic cleaning device starts its cleaning and filtering process. Through the traffic cleaning device, the system relieves the pressure that DDoS attack traffic places on the internal network, raises the effective use of bandwidth, protects the internal network from Internet-borne attacks and improves network performance.
Thus the Internet connection zone 10 of the system uses the border router and the perimeter firewall to reject illegal access while guaranteeing that card-reading terminals can access the system normally, and uses the traffic cleaning device to monitor incoming Internet data in real time and scrub abnormal traffic without affecting normal service, protecting the internal network from Internet-borne attacks and improving network performance.
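The following is an added example, not code from the patent: a minimal model of the traffic cleaning device 103 described above. It counts packets in a sliding window, switches cleaning on when the total rate reaches a security baseline, and while cleaning drops only the sources exceeding a per-source rate so that normal card-reading terminals keep flowing. The baseline values, source names and packet timestamps in simulate() are constructed for the example.

```python
from collections import defaultdict, deque


class TrafficCleaner:
    """Sliding-window packet counter with a security baseline that switches cleaning on."""

    def __init__(self, baseline_pps, per_source_pps, window_s=1.0):
        self.baseline = baseline_pps        # total rate at which traffic is abnormal
        self.per_source = per_source_pps    # rate one source may keep while cleaning
        self.window = window_s
        self.events = deque()               # (timestamp, source) inside the window
        self.per_src = defaultdict(int)
        self.cleaning = False

    def _expire(self, now):
        while self.events and now - self.events[0][0] > self.window:
            _, src = self.events.popleft()
            self.per_src[src] -= 1

    def observe(self, ts, src):
        """Record one packet from src at time ts; return 'forward' or 'drop'."""
        self._expire(ts)
        self.events.append((ts, src))
        self.per_src[src] += 1
        total_rate = len(self.events) / self.window
        self.cleaning = total_rate >= self.baseline
        # While cleaning, only sources above their own allowance are scrubbed.
        if self.cleaning and self.per_src[src] / self.window > self.per_source:
            return "drop"
        return "forward"


def simulate():
    """Constructed traffic: one flooding source and one normal card-reading terminal.
    Returns per-source counts of forwarded and dropped packets."""
    cleaner = TrafficCleaner(baseline_pps=100, per_source_pps=20)
    packets = [(0.002 * i, "attacker") for i in range(150)]       # 150 packets in 0.3 s
    packets += [(0.35, "terminal"), (0.36, "terminal"), (0.37, "terminal")]
    packets.sort()
    counts = {"attacker": {"forward": 0, "drop": 0},
              "terminal": {"forward": 0, "drop": 0}}
    for ts, src in packets:
        counts[src][cleaner.observe(ts, src)] += 1
    return counts
```

Cleaning engages at the 100th attacker packet; everything the attacker sends after that is dropped while the terminal's three packets, well under the per-source allowance, are forwarded. A real cleaning device would key on more than the source address (ASN, protocol mix, packet size distribution), but the baseline-then-per-source structure is the same.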
The core switch 201 is the basic network device of the whole identity card cloud verification system and must forward a very large volume of traffic, because card-reading terminals may be distributed throughout the country and number in the tens of thousands; the core switch therefore has high requirements for redundancy, reliability and forwarding speed. In the present embodiment, the core switch 201 receives from the perimeter firewall the packet together with the mapped-out address of the device actually to be accessed, and forwards the packet to the device indicated by the destination IP address and destination port. In the system a card-reading terminal needs to access mainly two kinds of device: the dispatch server 202 and a certification safety control module 302 of the service zone. A card-reading terminal must first access the dispatch server 202, which allocates an idle certification safety control module 302 to it; only after the card-reading terminal has received from the dispatch server the access port of the certification safety control module 302 allocated to it can it access that certification safety control module 302 directly. Therefore, in the present embodiment, the core switch 201 is configured to send the packet to the dispatch server 202 according to the destination IP address and destination port, or to send the packet, the destination IP address and the destination port to the service zone 30 according to them, as follows:
If the destination IP address and destination port are the IP address and port of the dispatch server 202, the packet is sent to the dispatch server 202; if they are the IP address and port of a certification safety control module 302 in the service zone, the packet, the destination IP address and the destination port are sent to the service zone firewall 301 of the service zone. The core switch thus completes a large amount of data forwarding.
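The following is an added example, not code from the patent, modelling the path a packet takes from the perimeter firewall 102 through the core switch 201 as described above: the filtering policy (a DDoS signature match) runs first, then the access IP address and access port are translated to the destination IP address and destination port, and the core switch chooses between the dispatch server and the service zone firewall. The NAT table, the signature byte strings and all addresses are constructed placeholders; the check that a terminal never addresses an internal address directly, and the reverse translation for replies, are additions a practitioner would expect and are not spelled out in the patent.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DDoS signature database: byte patterns treated as attack content.
# Illustrative placeholders, not real signatures.
DDOS_SIGNATURES = (b"SYNSTORM", b"\x00\x00\x00FLOOD")

# Constructed NAT table of the perimeter firewall: the public
# (access IP, access port) a terminal sees -> the private
# (destination IP, destination port) of the real internal device.
NAT_TABLE = {
    ("203.0.113.10", 8443): ("10.0.1.5", 9000),   # dispatch server 202
    ("203.0.113.10", 8444): ("10.0.2.21", 7001),  # certification module 302 (a)
    ("203.0.113.10", 8445): ("10.0.2.22", 7001),  # certification module 302 (b)
}
DISPATCH_SERVER = ("10.0.1.5", 9000)
REVERSE_NAT = {v: k for k, v in NAT_TABLE.items()}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


@dataclass
class Packet:
    src_ip: str          # card-reading terminal
    src_port: int
    dst_ip: str          # access IP address as seen on the Internet
    dst_port: int        # access port
    payload: bytes


def perimeter_firewall(pkt):
    """Filter first, then translate. Returns (dest_ip, dest_port) or None when dropped."""
    if any(sig in pkt.payload for sig in DDOS_SIGNATURES):
        return None                                   # invalid packet: discard
    try:
        if ipaddress.ip_address(pkt.dst_ip) in INTERNAL_NET:
            return None                               # internal addresses are never reachable directly
    except ValueError:
        return None                                   # malformed address
    return NAT_TABLE.get((pkt.dst_ip, pkt.dst_port))  # None when no mapping exists


def core_switch(dest):
    """Dispatch server gets the packet; any other internal target goes via the service zone firewall."""
    return "dispatch_server" if dest == DISPATCH_SERVER else "service_zone_firewall"


def forward(pkt):
    """Full path: returns (next hop, (destination IP, destination port))."""
    dest = perimeter_firewall(pkt)
    if dest is None:
        return ("drop", None)
    return (core_switch(dest), dest)


def translate_reply(internal_src):
    """Rewrite the internal source of a reply back to the public access address."""
    return REVERSE_NAT[internal_src]
```

The order matters: the signature match runs on the packet before any address is translated, so a matching packet never reaches the core switch, and a packet addressed to an access port with no mapping is dropped rather than leaked to an internal address.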
The core switch 201 is in fact a computer optimized for forwarding packets, but a computer can be compromised: if control of the core switch 201 is obtained illegally the network is paralyzed, and it can also be hit by a DDoS attack. To prevent illegal damage to the core switch 201, as shown in Fig. 2, the isolation zone 20 provided by the present embodiment further includes an intrusion detection device 203 and an intrusion prevention device 204 connected to the core switch 201. The intrusion detection device 203 monitors in real time the service traffic flowing through the core switch 201 and matches it against a pre-stored historical behaviour model of users, expert knowledge and a neural network model; once a match succeeds, intrusion is judged to be present, the connection between the card-reading terminal and the accessed device is cut off immediately, and evidence is collected and data recovery carried out. Anomaly detection strategies may additionally be combined to monitor the service traffic flowing through the core switch 201. By monitoring the operating state of the core switch 201, the intrusion detection device 203 discovers as far as possible every attack attempt, attack behaviour and attack result, so as to guarantee the confidentiality, integrity and availability of the network system's resources.
The intrusion prevention device 204 monitors the packets received by the core switch 201, judges whether a received packet is invalid data and, if so, discards it. The intrusion prevention device 204 may judge this as follows: for example, it matches a packet received by the core switch 201 against the virus signatures in a preset virus database, and if a match is found the matched packet is determined to be invalid data. It may also take into account abnormal conditions in application programs or network transmission, for example a user or user program violating security regulations, a packet appearing at a time when it should not, or a gap in the operating system or a weakness in an application program being exploited, to help identify intrusions and attacks. Although the intrusion prevention device takes known virus signatures into account, it does not rely on them alone; it supplements anti-virus software and the firewall to improve the security of the system.
As an optional embodiment of the present embodiment, as shown in Fig. 2, the identity card cloud verification system provided by the present embodiment further includes an internal management server 205 for receiving the user's configuration of the identity card cloud verification system. The internal management server 205 may be connected to the core switch 201 and send configuration information through the core switch 201 to the cloud authentication database for storage; each network device of the identity card cloud verification system can then retrieve the configuration information from the cloud authentication database and perform the relevant configuration. For the description of the internal management server 205, refer to the description in Embodiment 3.
The dispatch server 202 provides card-reading terminals with a dispatch service for idle certification safety control modules 302; the certification safety control modules 302 in the service zone 30 are dispatched uniformly by the dispatch server 202. Each time a card-reading terminal requests an identity card reading service, the dispatch server 202 queries, on the principle of task balancing, the port status list in the cloud authentication database of the service zone 30, selects an idle port from the list as the access port of the card-reading terminal and sends that access port to the card-reading terminal, thereby achieving unified dispatch of the multiple certification safety control modules 302 of the service zone.
In the identity card cloud verification system, to avoid a single point of failure of the dispatch server 202 causing loss of data traffic, the dispatch servers 202 may be deployed in cluster mode, with different numbers of dispatch servers 202 deployed according to the required service capacity. To solve the problem of excessive data traffic and network load on a single dispatch server 202, the identity card cloud verification system provided by the present embodiment additionally places a load balancer 206 in front of the multiple dispatch servers 202; as shown in Fig. 2, the load balancer 206 is connected to the intrusion prevention device 204 and achieves unified dispatch of the clustered dispatch servers 202 through the core switch. The load balancer distributes packets to the dispatch servers 202 in the cluster according to a balancing policy, which effectively solves uneven load among the dispatch servers 202, prevents a single point of failure and improves the stability of the system's service.
The present embodiment further provides a card-reading system; Fig. 3 is a schematic structural diagram of the card-reading system. As shown in Fig. 3, the card-reading system includes the identity card cloud verification system described above and a card-reading terminal 40. The card-reading terminal 40 reads data relevant to the identity card information from the identity card during the flow in which the verification safety control module 303 of the service zone 30 reads the identity card information, generates a packet and sends it to the border router; it also receives the encrypted first packet returned by the certification safety control module 302 and decrypts it to obtain the decrypted first packet. There may be many card-reading terminals 40 in this card-reading system, distributed throughout the country; the identity card information read by all of them can be processed uniformly by the identity card cloud verification system, which greatly improves the working efficiency of the verification safety control modules of the service zone.
As an optional embodiment of the present embodiment, when the packet is the one a card-reading terminal sends while it still needs the dispatch server to allocate an idle certification safety control module to it, the packet the card-reading terminal 40 sends to the border router further includes the identification information of the card-reading terminal 40 and the digital certificate of the card-reading terminal 40 (the digital certificate may also be regarded as identification information of the card-reading terminal). The dispatch server 202 may also perform access authentication of the card-reading terminal based on the information in the packet: if access is allowed, it queries the port status and allocates an idle port to the card-reading terminal; if access is not allowed, it discards the packet and returns to the card-reading terminal a response message refusing access. Specifically, the dispatch server 202 is further configured to determine, according to the identification information of the card-reading terminal 40, whether the card-reading terminal 40 is allowed to access, and to judge whether the digital certificate of the card-reading terminal 40 is abnormal; only when access is allowed and the certificate of the card-reading terminal 40 is normal does it perform the operation of obtaining from the authentication database of the service zone 30 the port status list within the area of responsibility of the dispatch server 202. Thus, before allocating an idle port to the card-reading terminal 40, the dispatch server 202 first authenticates it; if authentication passes, the card-reading terminal 40 is a legitimate terminal, which guarantees the legitimacy of the external devices that access the certification safety control modules 302 of the service zone.
Determining whether the card-reading terminal 40 is allowed to access according to its identification information includes: judging whether the identification information of the card-reading terminal 40 is in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals 40 that are not allowed to access, and the control list records the identification information of card-reading terminals 40 whose access is to be controlled according to a preset control policy. If the identification information of the card-reading terminal 40 is in the blacklist, the card-reading terminal 40 is not allowed to access; if it is in the control list, the dispatch server 202 determines according to the preset control policy whether the requesting card-reading terminal 40 is allowed to access. In this way the dispatch server 202 determines whether the card-reading terminal 40 is allowed to access.
The dispatch server 202 determining according to the preset control policy whether the card-reading terminal 40 is allowed to access includes at least one of the following:
Judging, according to the preset control policy, whether the card-reading terminal 40 is currently within the allowed access location range; if so, the card-reading terminal 40 is allowed to access, otherwise it is not, where the preset control policy records the access location range allowed for the card-reading terminal 40;
Judging, according to the preset control policy, whether the current time is within the time range in which the card-reading terminal 40 is allowed to access; if so, the card-reading terminal 40 is allowed to access, otherwise it is not, where the preset control policy records the time range in which the card-reading terminal 40 is allowed to access;
Judging, according to the preset control policy, whether the number of historical accesses by the card-reading terminal 40 within a preset time period exceeds a preset count threshold; if so, the card-reading terminal 40 is not allowed to access, otherwise it is, where the preset control policy records the length of the preset time period and the preset count threshold;
Judging, according to the preset control policy, whether the distance between the access locations of two consecutive accesses by the card-reading terminal 40 within a preset time period exceeds a preset distance; if so, the card-reading terminal 40 is not allowed to access, otherwise it is, where the preset control policy records the length of the preset time period and the preset distance.
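The following is an added example, not code from the patent, implementing the dispatch server's access decision as described above: the blacklist check, then, for terminals on the control list, all four control policy rules (location range, time range, access count within a period, and distance between consecutive accesses). The terminal identifiers, the policy values, the coordinates and the access history are constructed; the location range is modelled as a circle around a centre point, and a terminal on neither list is allowed through this check, both of which are assumptions the patent text does not fix.

```python
import math
from datetime import datetime, timedelta

# Constructed blacklist and control list; terminal identifiers are placeholders.
BLACKLIST = {"RT-0001"}
CONTROL_LIST = {
    "RT-0002": {
        "region": (39.9042, 116.4074, 50.0),   # centre lat/lon and radius in km (assumed model)
        "hours": (8, 20),                      # allowed hours of day [8, 20)
        "period": timedelta(hours=1),          # preset time period
        "max_count": 5,                        # preset count threshold
        "max_jump_km": 100.0,                  # preset distance between consecutive accesses
    },
}
BEIJING = (39.9042, 116.4074)
SHANGHAI = (31.2304, 121.4737)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def access_decision(terminal_id, now, location, history):
    """history: this terminal's past accesses as (datetime, (lat, lon)), oldest first.
    Returns (allowed, reason)."""
    if terminal_id in BLACKLIST:
        return False, "blacklisted"
    policy = CONTROL_LIST.get(terminal_id)
    if policy is None:
        return True, "not controlled"          # assumption: unlisted terminals pass this check
    lat, lon, radius = policy["region"]
    if haversine_km(location, (lat, lon)) > radius:
        return False, "outside allowed location range"
    start, end = policy["hours"]
    if not start <= now.hour < end:
        return False, "outside allowed time range"
    recent = [(t, loc) for t, loc in history if timedelta(0) <= now - t <= policy["period"]]
    if len(recent) > policy["max_count"]:
        return False, "access count threshold exceeded"
    if recent and haversine_km(recent[-1][1], location) > policy["max_jump_km"]:
        return False, "distance between consecutive accesses exceeded"
    return True, "allowed"


def scenarios():
    """Constructed requests exercising each rule; returns label -> decision."""
    t = datetime(2016, 1, 20, 10, 0)
    busy = [(t - timedelta(minutes=m), BEIJING) for m in (50, 40, 30, 20, 10, 5)]
    jump = [(t - timedelta(minutes=30), SHANGHAI)]
    return {
        "blacklisted": access_decision("RT-0001", t, BEIJING, []),
        "normal": access_decision("RT-0002", t, BEIJING, []),
        "wrong_place": access_decision("RT-0002", t, SHANGHAI, []),
        "night": access_decision("RT-0002", t.replace(hour=22), BEIJING, []),
        "too_many": access_decision("RT-0002", t, BEIJING, busy),
        "teleport": access_decision("RT-0002", t, BEIJING, jump),
        "unlisted": access_decision("RT-0009", t, SHANGHAI, []),
    }
```

The fourth rule only has teeth when the history it consults is kept server-side; a location reported by the terminal itself can be forged, so in practice the access location should come from something the terminal cannot choose (the source address, a cell or a registered installation site).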
As an optional embodiment of the present embodiment, as shown in Fig. 2, the service zone 30 further includes an authentication database 304 for storing the port status list of the certification safety control modules 302 and the ciphertext of the authentication key of the card-reading terminal 40, where that ciphertext is obtained by encrypting the authentication key of the card-reading terminal 40 with the protection key of the authentication database 304;
The dispatch server 202 is further configured to obtain, according to the identification information of the card-reading terminal 40, the ciphertext of the authentication key of the card-reading terminal 40 from the authentication database and send it to the first certification safety control module 302. The first certification safety control module 302 decrypting the packet includes: the first certification safety control module 302 obtains the protection key, decrypts the ciphertext with the protection key to obtain the authentication key of the card-reading terminal 40, and decrypts the packet with that authentication key.
In practice, the reading of identity card information by a card-reading terminal generally comprises three stages: card seeking, card selection and card reading. In the card seeking stage the card-reading terminal broadcasts a card seeking instruction; if an identity card responds, it returns card seeking data to the card-reading terminal, which sends the card seeking data through the Internet connection zone 10 and the isolation zone 20 to the first verification safety control module 303 of the service zone (the verification safety control module connected to the first certification safety control module 302 to which the idle port allocated to the card-reading terminal points), and the first verification safety control module 303 returns card seeking response data to the card-reading terminal. In the card selection stage the card-reading terminal reads some configuration information from the identity card (such as the identity card serial number, identity card application data and identity card preset information) and sends it through the Internet connection zone 10 and the isolation zone 20 to the first verification safety control module 303 of the service zone 30; the first verification safety control module 303 initiates a mutual authentication flow with the identity card, the card-reading terminal forwards the interaction data of this flow, and once the first verification safety control module 303 has completed mutual authentication with the identity card the card reading stage is entered. In the card reading stage the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it through the Internet connection zone 10 and the isolation zone 20 to the first verification safety control module 303 of the service zone 30. The first verification safety control module 303 is a dedicated product specified by the Ministry of Public Security, conforming to GA 467-2013 "Residence identity card verification safety control module interface technical specification"; it decrypts the identity card information ciphertext to obtain the identity card information plaintext, which is encrypted by the first certification safety control module 302 and sent to the card-reading terminal, and the card-reading terminal decrypts the ciphertext produced by the first certification safety control module 302 to obtain the identity card information plaintext. Therefore, in the present embodiment, the first verification safety control module 303 returning a corresponding first packet to the first certification safety control module 302 according to the data content carried in the decrypted packet includes:
When the data content is identity card seeking data, the first verification safety control module 303 returns to the first certification safety control module 302 a first packet that includes at least card seeking response data;
When the data content is identity card selection data (data the first verification safety control module 303 needs in order to authenticate the identity card, such as the identity card's configuration information, signed data and digital certificate), the first verification safety control module 303 returns to the first certification safety control module 302 a first packet that includes at least the data related to authenticating the identity card read by the card-reading terminal 40 (data the identity card needs in order to authenticate the first verification safety control module 303, such as the signed data and digital certificate of the first verification safety control module 303);
When the data content is identity card information ciphertext, the first verification safety control module 303 decrypts it to obtain the identity card information plaintext and returns to the first certification safety control module 302 a first packet that includes at least the identity card information plaintext.
In the present embodiment, after the first certification safety control module 302 receives the first packet returned by the first verification safety control module, it must encrypt the first packet before returning it to the card-reading terminal in order to guarantee transmission security. As an optional embodiment, the first certification safety control module is further configured to encrypt the first packet with the authentication key of the card-reading terminal 40 and send the encrypted first packet to the card-reading terminal 40, which decrypts it with its own authentication key to obtain the first packet. Encrypting the first packet with the authentication key thus achieves ciphertext transmission and guarantees transmission security. Moreover, an intercepted encrypted first packet cannot be decrypted without the authentication key corresponding to the card-reading terminal; only the card-reading terminal 40 holding the corresponding authentication key can decrypt this ciphertext, so even if the ciphertext is intercepted the interceptor cannot crack it, which further guarantees the transmission security of the identity card information plaintext.
As another optional embodiment, to further avoid the drawback that always reusing the same key for encryption and decryption makes the key easier to crack, the first certification safety control module 302 is further configured to generate a session key from a random number and encrypt the first packet with the session key to obtain a first packet ciphertext; it then either generates a session ciphertext from the first packet ciphertext and the session key using the public key of the card-reading terminal 40's digital certificate for encryption, or generates a session ciphertext from the session key alone using that public key and sends the session ciphertext together with the first packet ciphertext to the card-reading terminal 40. The card-reading terminal 40 is further configured either to decrypt the session ciphertext with the locally stored private key corresponding to the digital certificate for encryption to obtain the first packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key and then decrypt the first packet ciphertext with the session key to obtain the first packet plaintext. This optional embodiment differs from the previous one in that the certification safety control module 302 no longer uses the card-reading terminal's authentication key but a session key generated from a random number; because the session key is random, encryption with it is more reliable than encryption with a fixed transmission key and harder to break.
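The following is an added example, not code from the patent, showing the key flow of the two passages above and of the authentication database description: the terminal's authentication key is stored only wrapped under the database's protection key, the certification safety control module unwraps it to decrypt the request, and the response is encrypted under a fresh random session key which is itself wrapped for the terminal. Two assumptions are made explicit in the code: the cipher is a toy authenticated construction built from HMAC-SHA256 (a stand-in for a real AEAD such as AES-GCM, chosen so the example runs on the standard library alone), and the session key is wrapped under a symmetric terminal key rather than under the public key of the terminal's encryption certificate as the patent specifies. All keys and packet contents are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: HMAC-SHA256 keystream plus HMAC tag, separate
    subkeys for each. Illustrates the key flow only; use AES-GCM in production."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("packet authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_auth_key(protection_key, auth_key):
    """Authentication database 304 holds the terminal's auth key only as ciphertext."""
    return seal(protection_key, auth_key)


def module_decrypt_request(protection_key, auth_key_ciphertext, request_blob):
    """Certification safety control module 302: unwrap the auth key, then the packet."""
    auth_key = open_(protection_key, auth_key_ciphertext)
    return open_(auth_key, request_blob)


def module_encrypt_response(terminal_wrap_key, first_packet):
    """Fresh random session key per response; the key itself travels wrapped.
    Assumption: symmetric wrap key in place of the terminal certificate's public key."""
    session_key = secrets.token_bytes(32)
    return seal(terminal_wrap_key, session_key), seal(session_key, first_packet)


def terminal_decrypt_response(terminal_wrap_key, session_ct, packet_ct):
    return open_(open_(terminal_wrap_key, session_ct), packet_ct)


def tamper_detected(key, blob):
    """True when flipping one ciphertext bit is rejected by the tag check."""
    i = NONCE_LEN
    tampered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        open_(key, tampered)
    except ValueError:
        return True
    return False


def round_trip(request=b"card seeking data", first_packet=b"card seeking response"):
    """Constructed end-to-end run; returns the plaintexts each side recovered."""
    protection_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
    auth_key_ct = store_auth_key(protection_key, auth_key)
    request_seen = module_decrypt_request(protection_key, auth_key_ct, seal(auth_key, request))
    session_ct, packet_ct = module_encrypt_response(auth_key, first_packet)
    return request_seen, terminal_decrypt_response(auth_key, session_ct, packet_ct)
```

Two points the example makes that the text leaves implicit: the protection key must never leave the module that unwraps with it (otherwise the database is effectively plaintext), and every ciphertext carries an authentication tag, because a receiver that decrypts without checking integrity will act on attacker-modified card data.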
Embodiment 2
The present embodiment provides a data transmission method that may use the system provided in Embodiment 1. As shown in Fig. 4, the method comprises the following steps S101 to S110:
S101: the border router receives a packet sent by a card-reading terminal, the packet including at least an access IP address and an access port; it selects the perimeter firewall to send to according to a path selection strategy and sends the packet to the selected perimeter firewall;
In the present embodiment, to prevent a single point of failure, multiple perimeter firewalls may be deployed. When there are multiple perimeter firewalls the border router must select a path by which to send the packet to the core switch, i.e. which perimeter firewall to send it through. In the present embodiment the border router selects the perimeter firewall according to a path selection strategy, which may be, for example, choosing a perimeter firewall at random, choosing the perimeter firewall closest to the border router or with the shortest data transmission time, or choosing the perimeter firewall with the strongest traffic handling capacity.
The border router is the access point through which the Internet (the external network) accesses the identity card cloud verification system; as the bridge between the internal and external networks, its safe operation bears on the safe operation of the whole identity card cloud verification system. The border router therefore bears the brunt of hacker attacks and ought to be a focus of the network administrator's maintenance. As an optional embodiment of the present embodiment, before the border router selects the perimeter firewall according to the path selection strategy and sends the packet to it, this step further includes: judging according to a preset border router filtering policy whether the access IP address is allowed to pass through the border router and, if allowed, performing the operation of sending the packet to the selected perimeter firewall. The border router, as the first line of defence of the identity card cloud verification system, thus keeps unauthorized access that does not satisfy the border router filtering policy outside the system and improves the security of the whole system at the network level.
As one optional border router filtering policy, the network segments allowed to access may be configured on the border router in advance; the border router judges whether the access IP address lies within those segments and, if so, allows the packet through the border router and forwards it upward, otherwise it discards the packet sent by that card-reading terminal. In addition, to prevent other illegal access, the border router filtering policy may further include at least one of the following:
Mode one: change the default password: the default password of the border router is changed to a password with no special meaning.
Mode two: disable IP directed broadcast (IP Directed Broadcast); once IP directed broadcast is disabled, Smurf attacks are effectively prevented.
Mode three: shut down the HTTP (HyperText Transfer Protocol) service of the border router.
Mode four: block ICMP (Internet Control Message Protocol) ping requests; blocking ping makes it easier for the system to avoid unattended scanning activity and reduces the chance of being attacked.
Mode five: block unnecessary ports: apart from the ports through which the service zone provides service externally, close all other ports.
Thus, through the maintenance of the border router, unauthorized access that does not satisfy the border router filtering policy is kept outside the identity card cloud verification system, guaranteeing its security.
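The following is an added example, not code from the patent, covering the border router behaviour of step S101 described above: the filtering policy that admits only configured network segments, the path selection strategy among several perimeter firewalls (here, the one with the most spare traffic handling capacity), and a small configuration audit for modes one to five. The segments, the firewall pool and the configuration lines are constructed; the audit assumes Cisco IOS-style configuration syntax, and which address the policy inspects (the patent calls it the access IP address) is left to the caller.

```python
import ipaddress

# Constructed policy: network segments allowed through the border router.
ALLOWED_SEGMENTS = [ipaddress.ip_network(s) for s in ("198.51.100.0/24", "192.0.2.0/25")]

# Constructed perimeter firewall pool: name -> spare traffic handling capacity.
FIREWALLS = {"fw-a": 120, "fw-b": 300, "fw-c": 45}


def address_allowed(ip_text, segments=ALLOWED_SEGMENTS):
    """Border router filtering policy: only addresses inside configured segments pass."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                          # malformed address: drop
    return any(ip in seg for seg in segments)


def select_firewall(firewalls):
    """Path selection strategy: the perimeter firewall with the most spare capacity."""
    if not firewalls:
        return None
    return max(firewalls, key=firewalls.get)


def border_router(ip_text, firewalls=FIREWALLS):
    """Returns the chosen perimeter firewall, or None when the packet is discarded."""
    if not address_allowed(ip_text):
        return None                           # filtered before any path selection
    return select_firewall(firewalls)


def audit_router_config(lines):
    """Check Cisco IOS-style configuration lines (assumed syntax) against modes one to five.
    Returns a list of findings; an empty list means every checked mode is satisfied."""
    cfg = [line.strip() for line in lines]
    findings = []
    if not any(line.startswith("enable secret") for line in cfg):
        findings.append("no enable secret configured (mode one)")
    if "no ip directed-broadcast" not in cfg:
        findings.append("IP directed broadcast not disabled (mode two)")
    if "ip http server" in cfg:
        findings.append("HTTP service enabled (mode three)")
    if not any(line.startswith("access-list") and " deny icmp " in line and "echo" in line
               for line in cfg):
        findings.append("ICMP echo not blocked (mode four)")
    if not any(line.startswith("access-list") and " deny ip any any" in line for line in cfg):
        findings.append("no closing deny for unneeded ports (mode five)")
    return findings
```

The filtering check runs before firewall selection so that a rejected packet never consumes firewall capacity; the audit is deliberately conservative (it flags the absence of a hardening line rather than trusting a default), which is how a practitioner would want a border device checked.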
S102: the selected perimeter firewall receives the packet, maps the access IP address and access port to the corresponding destination IP address and destination port, and sends the packet, the destination IP address and the destination port to the core switch;
In the present embodiment, the main function of the perimeter firewall is to control access from the external network (the Internet) to the internal network and to protect the internal network from Internet-borne attacks (chiefly from illegal hackers). Through network address translation the perimeter firewall maps the host addresses of the protected internal network (the destination IP addresses and destination ports, i.e. the private IP addresses and ports of the dispatch servers or safety control modules) onto a few valid public IP addresses and ports configured on the firewall (the access IP address and access port), so that an external device (a card-reading terminal) obtains only the access IP address and access port and never the real IP address and port of the device it actually accesses (the destination IP address and destination port); the structure and addresses of the internal network are hidden from the outside, which protects its security. Accordingly, after receiving a packet the perimeter firewall first maps the access IP address and access port to the corresponding destination IP address and destination port according to the network address translation (NAT) protocol; the destination IP address and destination port are the real address of the internal device, and the packet is forwarded according to them.
The perimeter firewall is a filtering and blocking facility placed at the boundary between the internal and external networks: the internal network (the identity card cloud verification system) is regarded as secure and trusted, the external network as insecure and untrusted. Its role is to prevent unwanted, unauthorized traffic from entering or leaving the protected internal network, strengthening the security of the internal network through boundary control. Therefore, as an optional embodiment of the present embodiment, in step S102, before the perimeter firewall maps the access IP address and access port to the corresponding destination IP address and destination port, the method further includes: judging according to a preset perimeter firewall filtering policy whether the packet contains invalid data and, only if it does not, performing the mapping. The perimeter firewall thus greatly reduces the management cost of overall network security construction and improves the security of the identity card cloud verification system.
As one optional perimeter firewall filtering policy, a DDoS (Distributed Denial of Service) signature database may be configured on the perimeter firewall in advance. Such a database is similar to a virus database and stores DDoS signature values; the perimeter firewall matches the content of a received packet against the signature values in the database, and if a match is found the packet is an invalid packet and the perimeter firewall is under DDoS attack, so the packet is discarded and not forwarded to the core switch. The form of invalid packets varies: some carry no card-reading terminal data at all and consist only of attack messages, while others contain a portion of valid data alongside a portion of attack messages; these are not described further here.
S103: the core switch sends the packet to the dispatch server according to the destination IP address and destination port, or sends the packet, the destination IP address and the destination port to the service-area firewall of the service area according to the destination IP address and destination port;
Specifically, the core switch examines the destination IP address and destination port: if they point to the dispatch server, step S104 is performed; if they point to an authentication security control module of the service area, step S106 is performed;
In this system, the devices that a card-reading terminal actually needs to access are mainly of two kinds: the dispatch server and the authentication security control modules of the service area. A card-reading terminal must first access the dispatch server, which allocates an idle authentication security control module to it. Only after the card-reading terminal has received the access port of the authentication security control module allocated to it by the dispatch server can it access that authentication security control module directly.
S104: the core switch sends the packet to the dispatch server;
In this embodiment, the core switch is the basic network device of the whole identity card cloud authentication system and must forward very large volumes of traffic, because card-reading terminals may be distributed nationwide and number in the thousands; the core switch therefore has higher requirements for redundancy, reliability and forwarding speed. In this embodiment, the core switch receives from the perimeter firewall the packet together with the mapped destination IP address and destination port of the device actually being accessed, and forwards the received packet to the device that the destination IP address and destination port point to.
S105: the dispatch server receives the packet and obtains, from the authentication database of the service area, the port status list for the dispatch server's area of responsibility, in which each port corresponds to one authentication security control module; following the principle of load balancing, it selects an idle port from the port status list as the access port of the card-reading terminal and sends the access port to the card-reading terminal;
In this embodiment, the dispatch server provides card-reading terminals with a dispatch service for idle authentication security control modules; the authentication security control modules within the service area are dispatched centrally by the dispatch server. Each time a card-reading terminal requests an identity card reading service, the dispatch server queries the port status list in the cloud authentication database of the service area, selects an idle port from the list as the card-reading terminal's access port according to the principle of load balancing, and sends the access port to the card-reading terminal, thereby achieving unified dispatch of the multiple authentication security control modules in the service area.
As one optional embodiment, when the packet is the first packet by which a card-reading terminal requests the dispatch server to allocate an idle authentication security control module, the packet that the card-reading terminal sends to the border router can additionally include the identification information of the card-reading terminal and the card-reading terminal's digital certificate (the digital certificate can also be regarded as identification information). The dispatch server can then perform access authentication of the card-reading terminal using the information in the packet: if access is allowed, it queries the port status and allocates an idle port to the card-reading terminal; if access is not allowed, it discards the packet and returns a response to the card-reading terminal denying access. Specifically, before the dispatch server obtains the port status list for its area of responsibility from the authentication database of the service area, the method of this embodiment also includes: the dispatch server judging, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judging whether the card-reading terminal's digital certificate is abnormal; the port status list is obtained only when the card-reading terminal is allowed to access and its certificate is normal. Thus, before the dispatch server allocates an idle port to a card-reading terminal, it first authenticates the terminal; if authentication passes, the card-reading terminal is a legitimate terminal, which guarantees the legitimacy of the external-network devices that access the authentication security control modules of the service area.
Here, the dispatch server judging whether the card-reading terminal is allowed to access according to its identification information includes: judging whether the identification information of the card-reading terminal is in a blacklist or in a control list, where the blacklist records the identification information of card-reading terminals that are not allowed to access and the control list records the identification information of card-reading terminals whose access must be controlled according to a preset control policy. If the identification information of the card-reading terminal is in the blacklist, the card-reading terminal is not allowed to access; if it is in the control list, the dispatch server judges according to the preset control policy whether the requesting card-reading terminal is allowed to access. In this way the dispatch server determines whether the card-reading terminal is allowed to access.
The dispatch server judging, according to the preset control policy, whether the card-reading terminal is allowed to access includes at least one of the following:
judging, according to the preset control policy, whether the card-reading terminal is currently within the allowed access location range; if so, allowing the card-reading terminal to access, otherwise not allowing it to access, where the preset control policy records the access location range allowed for the card-reading terminal;
judging, according to the preset control policy, whether the current time is within the time range in which the card-reading terminal is allowed to access; if so, allowing the card-reading terminal to access, otherwise not allowing it to access, where the preset control policy records the time range in which the card-reading terminal is allowed to access;
judging, according to the preset control policy, whether the number of historical accesses by the card-reading terminal within a preset time period exceeds a preset count threshold; if so, not allowing the card-reading terminal to access, otherwise allowing it to access, where the preset control policy records the duration of the preset time period and the preset count threshold;
judging, according to the preset control policy, whether the distance between the access locations of two consecutive accesses by the card-reading terminal within a preset time period exceeds a preset distance; if so, not allowing the card-reading terminal to access, otherwise allowing it to access, where the preset control policy records the duration of the preset time period and the preset distance.
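The admission decision of the dispatch server described above (blacklist, control list, and the four control-policy rules), as an added example that is not part of the patent; the class names, the policy fields, the (latitude, longitude) representation of an access location and all sample values are assumptions made here.

```python
# Added example (not from the patent): dispatch-server admission check for a card-reading
# terminal. Blacklist wins outright; a terminal in the control list is judged against its
# preset control policy; any other terminal is admitted. All names and data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

Location = Tuple[float, float]  # (latitude, longitude) in degrees; assumed representation


@dataclass
class ControlPolicy:
    """Preset control policy for one terminal in the control list (constructed fields)."""
    allowed_region: Optional[Tuple[Location, Location]] = None  # (south-west, north-east) corners
    allowed_window: Optional[Tuple[time, time]] = None          # daily window (start, end)
    count_period: Optional[timedelta] = None                    # look-back period, access-count rule
    max_count: Optional[int] = None                             # preset count threshold
    distance_period: Optional[timedelta] = None                 # look-back period, distance rule
    max_distance_km: Optional[float] = None                     # preset distance between accesses


@dataclass
class AccessRecord:
    when: datetime
    where: Location


def _inside(p: Location, region: Tuple[Location, Location]) -> bool:
    (lat1, lon1), (lat2, lon2) = region
    return lat1 <= p[0] <= lat2 and lon1 <= p[1] <= lon2


def _haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass
class DispatchAdmission:
    blacklist: set = field(default_factory=set)
    control_list: Dict[str, ControlPolicy] = field(default_factory=dict)
    history: Dict[str, List[AccessRecord]] = field(default_factory=dict)

    def is_allowed(self, terminal_id: str, now: datetime, where: Location) -> Tuple[bool, str]:
        """Return (allowed, reason) for one access request."""
        if terminal_id in self.blacklist:
            return False, "blacklisted"
        policy = self.control_list.get(terminal_id)
        if policy is None:
            return True, "not listed"
        past = self.history.get(terminal_id, [])
        # Rule 1: the current access location must lie inside the allowed region.
        if policy.allowed_region and not _inside(where, policy.allowed_region):
            return False, "outside allowed region"
        # Rule 2: the current time must lie inside the allowed daily time window.
        if policy.allowed_window and not (policy.allowed_window[0] <= now.time() <= policy.allowed_window[1]):
            return False, "outside allowed time window"
        # Rule 3: past accesses within the period must not exceed the count threshold.
        if policy.count_period and policy.max_count is not None:
            recent = [r for r in past if now - r.when <= policy.count_period]
            if len(recent) > policy.max_count:
                return False, "access count threshold exceeded"
        # Rule 4: two consecutive accesses within the period must not be implausibly far apart.
        if policy.distance_period and policy.max_distance_km is not None and past:
            last = past[-1]
            if now - last.when <= policy.distance_period and \
                    _haversine_km(last.where, where) > policy.max_distance_km:
                return False, "implausible distance between consecutive accesses"
        return True, "policy satisfied"

    def record(self, terminal_id: str, now: datetime, where: Location) -> None:
        """Record an admitted access so the count and distance rules can use it later."""
        self.history.setdefault(terminal_id, []).append(AccessRecord(now, where))


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario exercising every decision branch; returns decisions by case name."""
    beijing, shanghai = (39.9, 116.4), (31.2, 121.5)
    policy = ControlPolicy(
        allowed_region=((20.0, 100.0), (50.0, 130.0)),
        allowed_window=(time(8, 0), time(18, 0)),
        count_period=timedelta(hours=1), max_count=3,
        distance_period=timedelta(hours=1), max_distance_km=500.0,
    )
    adm = DispatchAdmission(blacklist={"T-BAD"}, control_list={"T-CTRL": policy})
    t0 = datetime(2016, 1, 20, 9, 0)
    results = {
        "blacklisted": adm.is_allowed("T-BAD", t0, beijing),
        "unlisted": adm.is_allowed("T-FREE", t0, beijing),
        "in_policy": adm.is_allowed("T-CTRL", t0, beijing),
        "outside_region": adm.is_allowed("T-CTRL", t0, (10.0, 116.4)),
        "night": adm.is_allowed("T-CTRL", t0.replace(hour=23), beijing),
    }
    adm.record("T-CTRL", t0, beijing)
    results["too_far"] = adm.is_allowed("T-CTRL", t0 + timedelta(minutes=30), shanghai)
    for i in range(1, 4):
        adm.record("T-CTRL", t0 + timedelta(minutes=i), beijing)
    results["too_many"] = adm.is_allowed("T-CTRL", t0 + timedelta(minutes=5), beijing)
    return results
```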
S106: the core switch sends the packet, the destination IP address and the destination port to the service-area firewall of the service area;
Here, the network device pointed to by the destination IP address and destination port may be the idle authentication security control module that the dispatch server allocated to the card-reading terminal. In this step the packet must therefore be forwarded to the service-area firewall together with the destination IP address and destination port, so that the service-area firewall can forward the packet to the corresponding authentication security control module according to them.
S107: the service-area firewall of the service area receives the packet and judges, according to a preset service-area firewall filtering policy, whether the destination port belongs to the ports allowed to be accessed; if so, it sends the packet to the first authentication security control module, which is the authentication security control module pointed to by the destination port and destination IP address;
In this embodiment, the service-area firewall is the last line of defense for external network devices accessing the core devices of the service area (the authentication security control modules and the verification security control modules). For example, the service-area firewall can hold a preset table of ports allowed to be accessed; after receiving a packet it looks up that table, and only if the destination port is present in the table does it send the packet to the authentication security control module. By filtering on the port of the accessed device in this way, packets that are not allowed through are dropped, which further protects the security of the system at the network level, and especially the security of the authentication security control modules and the verification security control modules.
S108: the first authentication security control module receives the packet, decrypts it, and sends the decrypted packet to the first verification security control module, which is the verification security control module connected to the first authentication security control module;
In this embodiment, before the first authentication security control module decrypts the packet, the method of this embodiment also includes: the dispatch server obtaining, according to the identification information of the card-reading terminal, the ciphertext of the card-reading terminal's authentication key from the authentication database and sending it to the first authentication security control module; the ciphertext of the authentication key is obtained by encrypting the card-reading terminal's authentication key with the protection key of the authentication database;
In this step, the first authentication security control module decrypting the packet includes: the first authentication security control module obtaining the protection key, decrypting the ciphertext with the protection key to obtain the card-reading terminal's authentication key, and decrypting the packet with the authentication key;
S109: the first verification security control module receives the decrypted packet and returns a corresponding first packet to the first authentication security control module according to the data content carried by the decrypted packet;
In practice, reading information from an identity card at a card-reading terminal generally comprises three stages: the card-seeking stage, the card-selection stage and the card-reading stage. In the card-seeking stage, the card-reading terminal broadcasts a card-seeking command; if an identity card responds to it, it returns card-seeking data to the card-reading terminal, which sends the card-seeking data through the Internet access zone and the isolation zone to the first verification security control module of the service area (the verification security control module connected to the first authentication security control module pointed to by the idle port allocated to the card-reading terminal), and the first verification security control module returns card-seeking response data to the card-reading terminal. In the card-selection stage, the card-reading terminal reads some configuration information from the identity card (such as the identity card's chip serial number, application data and preset information) and sends it through the Internet access zone and the isolation zone to the first verification security control module of the service area; the first verification security control module initiates a mutual authentication flow with the identity card, the card-reading terminal relaying the interaction data of this flow, and once the first verification security control module and the identity card have completed mutual authentication, the card-reading stage begins. In the card-reading stage, the card-reading terminal reads the identity card information ciphertext from the identity card and forwards it through the Internet access zone and the isolation zone to the first verification security control module of the service area. The first verification security control module is a dedicated product specified by the Ministry of Public Security that complies with GA 467-2013 "Residence card verifying safety control module interfacing specification"; it decrypts the identity card information ciphertext to obtain the identity card information plaintext, which the first authentication security control module encrypts and sends to the card-reading terminal, and the card-reading terminal decrypts the ciphertext produced by the first authentication security control module to obtain the identity card information plaintext. Therefore, in this embodiment, the first verification security control module returning a corresponding first packet to the first authentication security control module according to the data content carried by the decrypted packet includes:
when the data content is identity card card-seeking data, the first verification security control module returns a first packet to the first authentication security control module, the first packet at least including the card-seeking response data;
when the data content is identity card card-selection data (the data that the first verification security control module needs in order to authenticate the identity card, such as the identity card's configuration information, signed data and digital certificate), the first verification security control module returns a first packet to the first authentication security control module, the first packet at least including the data related to authentication with the identity card read by the card-reading terminal (the data that the identity card needs in order to authenticate the first verification security control module, such as the first verification security control module's signed data and digital certificate);
when the data content is identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns a first packet to the first authentication security control module, the first packet at least including the identity card information plaintext.
S110: the first authentication security control module receives the first packet returned by the first verification security control module, encrypts the first packet, and sends the encrypted first packet to the card-reading terminal.
In this embodiment, after the first authentication security control module receives the first packet returned by the first verification security control module, it must encrypt the first packet before returning it to the card-reading terminal in order to guarantee transmission security. As one optional embodiment, the first authentication security control module encrypting the first packet and sending the encrypted first packet to the card-reading terminal specifically includes: the first authentication security control module encrypting the first packet with the card-reading terminal's authentication key and sending the encrypted first packet to the card-reading terminal; the card-reading terminal decrypts the encrypted first packet with its own authentication key to obtain the first packet. Encrypting the first packet with the authentication key thus achieves ciphertext transmission and ensures transmission security. Moreover, even if the encrypted first packet is intercepted, it cannot be decrypted without the authentication key corresponding to the card-reading terminal; only the card-reading terminal holding the corresponding authentication key can decrypt the ciphertext, so an interceptor cannot crack it, which further secures the transmission of the identity card information plaintext.
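The key handling of steps S108 to S110 (authentication key stored only as ciphertext under the database protection key, unwrapped by the authentication security control module, then used to decrypt the terminal's packet and to encrypt the first packet on the way back), as an added example that is not part of the patent. The patent does not name the cipher; this example uses an encrypt-then-MAC stream construction built from SHA-256 and HMAC from the Python standard library as a stand-in, and the class names, message prefixes and the stand-in verification module are assumptions made here.

```python
# Added example (not from the patent): two-level key handling of S108-S110 with a
# stand-in cipher (SHA-256 counter-mode keystream, HMAC-SHA256 tag, encrypt-then-MAC).
import hashlib
import hmac
import os
from typing import Callable, Dict

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one key (never reuse one key for both)."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, tag = HMAC-SHA256(mac_key, nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True only if key authenticates blob (what an interceptor without the key cannot do)."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class AuthenticationDatabase:
    """Holds each terminal's authentication key only as ciphertext under the protection key."""
    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key
        self._wrapped: Dict[str, bytes] = {}

    def enrol(self, terminal_id: str, auth_key: bytes) -> None:
        self._wrapped[terminal_id] = encrypt(self._protection_key, auth_key)

    def wrapped_auth_key(self, terminal_id: str) -> bytes:
        """What the dispatch server fetches and forwards to the authentication module."""
        return self._wrapped[terminal_id]


class AuthenticationSecurityControlModule:
    def __init__(self, protection_key: bytes):
        self._protection_key = protection_key

    def handle(self, wrapped_auth_key: bytes, packet_ct: bytes,
               verify: Callable[[bytes], bytes]) -> bytes:
        auth_key = decrypt(self._protection_key, wrapped_auth_key)  # S108: unwrap auth key
        packet = decrypt(auth_key, packet_ct)                         # S108: decrypt terminal packet
        first_packet = verify(packet)                                 # S109: verification module
        return encrypt(auth_key, first_packet)                        # S110: encrypt reply


def verification_module(packet: bytes) -> bytes:
    """Stand-in for the verification security control module; responses are constructed."""
    if packet.startswith(b"SEEK:"):
        return b"SEEK-RESPONSE:" + packet[len(b"SEEK:"):]
    if packet.startswith(b"CARDINFO:"):  # the real module decrypts per GA 467-2013
        return b"CARDINFO-PLAIN:" + packet[len(b"CARDINFO:"):]
    return b"UNKNOWN"


def run_exchange(packet: bytes) -> Dict[str, bytes]:
    """One round trip terminal -> authentication module -> verification module -> terminal."""
    protection_key, auth_key = os.urandom(32), os.urandom(32)     # constructed keys
    db = AuthenticationDatabase(protection_key)
    db.enrol("T-0001", auth_key)
    module = AuthenticationSecurityControlModule(protection_key)
    packet_ct = encrypt(auth_key, packet)                          # terminal side
    reply_ct = module.handle(db.wrapped_auth_key("T-0001"), packet_ct, verification_module)
    return {"auth_key": auth_key, "reply_ct": reply_ct, "plaintext": decrypt(auth_key, reply_ct)}
```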
As another optional embodiment, to further avoid the drawback that a key reused for every encryption and decryption is easier to break, the first authentication security control module encrypting the first packet and sending the encrypted first packet to the card-reading terminal specifically includes: the first authentication security control module generating a session key from a random number and encrypting the first packet with the session key to obtain a first packet ciphertext; and either encrypting the first packet ciphertext and the session key with the public key of the card-reading terminal's encryption digital certificate to generate a session ciphertext, or encrypting only the session key with the public key of the card-reading terminal's encryption digital certificate to generate a session ciphertext; and sending the session ciphertext and the first packet ciphertext to the card-reading terminal. The card-reading terminal is further configured to decrypt the session ciphertext with the locally stored private key corresponding to the encryption digital certificate to obtain the first packet ciphertext and the session key, or to decrypt the session ciphertext with the private key to obtain the session key and then decrypt the first packet ciphertext with the session key to obtain the plaintext of the first packet. The difference from the previous optional embodiment is that the authentication security control module no longer uses the card-reading terminal's authentication key but generates a session key from a random number; because the session key is random, encrypting with it is more reliable than encrypting with a fixed transmission key and harder to break.
Throughout the data transmission method provided by this embodiment, as one optional embodiment, the method also includes: a flow-cleaning device connected to the border router monitoring the service traffic passing through the border router and, if it detects from that traffic that the border router is under a distributed denial-of-service attack, cleaning the service traffic passing through the border router.
In this embodiment, the flow-cleaning device monitors the data arriving from the Internet (i.e. the packets received by the border router) in real time and promptly detects abnormal traffic, including distributed denial-of-service (DDoS) attacks. When the abnormal traffic reaches or exceeds a preset security baseline, the flow-cleaning device starts its cleaning and filtering process. Through the flow-cleaning device, the system relieves the pressure that DDoS attack traffic places on the internal network, improves the effective use of bandwidth, protects the internal network from attacks from the Internet and improves network performance.
Thus, the Internet access zone of the system can, through the border router and the perimeter firewall, refuse illegal access to the system while ensuring that card-reading terminals can access it normally, and, through the flow-cleaning device, monitor the data arriving from the Internet in real time and clean abnormal traffic without affecting normal service, protecting the internal network from attacks from the Internet and improving network performance.
In this embodiment, the core switch is essentially a computer optimized for forwarding packets, and a computer can be compromised: an attacker could illegally gain control of the core switch and paralyze the network, and the core switch may also be subjected to DDoS attacks. Therefore, to prevent the core switch from being illegally compromised, the method of this embodiment also includes, within the above steps: an intrusion detection device connected to the core switch monitoring the service traffic passing through the core switch and matching it against users' historical behaviour models, prestored expert knowledge and a neural network model; as soon as a match succeeds, intrusion behaviour is deemed to exist, the connection between the card-reading terminal and the accessed device is disconnected immediately, evidence is collected and data recovery is carried out. The service traffic passing through the core switch can also be monitored with an anomaly detection strategy. By monitoring the operating state of the core switch with the intrusion detection device, attack attempts, attack behaviour and attack results are discovered as far as possible, guaranteeing the confidentiality, integrity and availability of the network system resources. Furthermore, to prevent the core switch from being illegally compromised, the method of this embodiment also includes: an intrusion prevention device connected to the core switch monitoring the packets received by the core switch and judging whether they are invalid data; if so, the packets received by the core switch are discarded. The intrusion prevention device can judge whether a packet received by the core switch is invalid data in the following way: for example, it matches the packet received by the core switch against the virus signatures in a preset virus database, and if a match is found the matching packet is determined to be invalid data. Abnormal conditions in application programs or network transmission can also be considered, for example a user or user program violating a security rule, a packet appearing at a time when it should not, or an operating system gap or application weakness being exploited, to help identify intrusions and attacks. Although the intrusion prevention device also considers known virus signatures, it does not rely solely on them; it complements anti-virus software and the firewall to improve the security of the system.
By the method for the data transmission that the present embodiment provides, by this system is divided into linking Internet district, isolation area and industry Three, district of business level, each level uses different security strategies, by the security perimeter of a lot of, promotes on network level The safety of whole system, to avoid service area by rogue attacks, especially ensures certification safety control module and checking safety The safety of control module.
Embodiment 3
This embodiment provides an internal management server. As shown in Figure 5, the internal management server may be a centralized server, for centralized management, or a distributed server, for integrating network resources. The internal management server includes: a secure access unit, a display unit, a first input interface, a secure processor, a main control processor, a system management unit, a parameter configuration unit and a second input interface.
The secure access unit is used to detect user requests and, when it detects that a user request is a user login request, to obtain the prompt information corresponding to the user login request and send the prompt information to the display unit.
Specifically, the secure access unit refreshes or checks, periodically or at irregular intervals, whether a user request has been received. When a user request is received, it judges the type of the request and determines from its characteristics whether it is a user login request. For example, the secure access unit may provide a web page of the internal management server on which a login button is placed; once the secure access unit detects that the login button has been pressed, it judges that a user login request has been detected. Alternatively, the web page of the internal management server may directly display a login information input box, and when the cursor is detected in the login information input box the secure access unit judges that a user login request has been detected.
Of course, the user login request of the internal management server can be set up differently for different users. For example, administrator login, ordinary user login, operation user login and run user login can be distinguished, with a different login interface provided for each type of login request, so that each can be controlled separately.
When the secure access unit detects that a user request is a user login request, it performs the subsequent operations, i.e. it obtains the prompt information corresponding to the user login request and sends it to the display unit. When the secure access unit detects no user login request or detects an invalid request, it repeats the operation of detecting user requests.
When a user login request is detected, the internal management server also obtains the type of the user login request. When the login is triggered by something like pressing a login button, the login prompt information corresponding to each kind of user is obtained for that user's login request. For example, when the user is an administrator, an operation user or a run user, the prompt information may pop up an input box for the user name and password and additionally prompt "insert the security device or electronic signature token"; when the user is an ordinary user, the prompt information may simply be an input box for the user name and password. By providing different prompt information for different users' logins, users of different levels perform different login processes, balancing the security and convenience needs of different users. Of course, the invention is not limited to the above kinds of prompt information; any prompt information that prompts a user to log in falls within the scope of protection of the invention.
The display unit is used to display the prompt information, which prompts the user to log in. Specifically, the display unit may be integrated in the internal management server or may be an external display.
The first input interface is used to receive the identity verification information corresponding to the prompt information, which at least includes user identity information and information to be verified, and to send at least the identity verification information to the secure processor. Specifically, the user can input the identity verification information corresponding to the prompt information through an input device such as a wired interface (USB interface, audio interface, etc.), a wireless interface (WiFi, NFC, RFID, etc.), a keyboard or a touch screen. The identity verification information at least includes information that can represent the user's identity, such as the user's serial number, user category, user name or ID, and further includes information to be verified (such as a user certificate, a digital signature or user identification information), which is information capable of verifying the legitimacy of the user and is used by the internal management server to verify the legitimacy of the user's login.
The secure processor is used to obtain verification information, obtain the information to be verified from the received identity verification information, and verify the information to be verified with the verification information; if verification passes, it sends the user identity information to the main control processor, otherwise it sends login failure information to the display unit and reacquires the prompt information corresponding to the user login request. Specifically, the verification information is information prestored by the internal management server or obtained from an identity device such as a security device or an electronic signature token, while the information to be verified is information input by the user.
In this embodiment, the secure processor can perform identity verification in one or more of the following ways, although the invention is not limited to these:
Mode one: the first input interface is a USB interface, an audio interface or a wireless interface; the first input interface is connected to a security device and receives the user certificate stored in and sent by the security device; the secure processor obtains a prestored root certificate, obtains the user certificate from the received identity verification information, and verifies the legitimacy of the user certificate with the prestored root certificate. In a specific implementation, when the user verifies identity with a security device, the security device stores a digital certificate representing the user's identity, and the root certificate that signed and issued this digital certificate (the verification information) is prestored; after the secure processor receives the user certificate (the information to be verified) sent by the connected security device, it verifies the legitimacy of the digital certificate with the prestored root certificate, and if the legitimacy check passes, verification is deemed to have passed. During verification, when the secure processor needs to verify, it can first send an instruction to the security device through the first input interface, and the security device sends the user certificate to the secure processor only after receiving the corresponding instruction, ensuring that verification is performed correctly and in time. The certificate verification process is an existing procedure and is not described further. Verifying the login with the user certificate of a security device in this mode achieves physical isolation and guarantees login security.
Mode two: the first input interface includes a USB interface, an audio interface or a wireless interface; the first input interface is connected to an electronic signature token and receives the signature information generated and sent by the electronic signature token, which includes preset information and the signature value obtained by the electronic signature token signing the preset information; the secure processor obtains the public key of the electronic signature token and verifies the signature information with it. In a specific implementation, when the user verifies identity with an electronic signature token, the token stores a digital certificate and private key representing the user's unique identity and can generate the preset information, which may be a randomly generated random number or the user's identification information; the token signs the preset information with the private key to obtain the signature value. After the secure processor receives the preset information and signature value (the information to be verified) sent by the connected electronic signature token, it obtains the token's public key (the verification information) and verifies the signature information; if the signature verifies correctly, verification is deemed to have passed. The public key of the electronic signature token may be prestored in the secure processor, obtained by the secure processor from another server, or obtained from the digital certificate sent by the electronic signature token (i.e. the token sends its digital certificate, which contains its public key, along with the signature information). During verification, when the secure processor needs to verify, it can first send an instruction to the electronic signature token through the first input interface, and the token sends the signature information to the secure processor only after receiving the corresponding instruction, ensuring that verification is performed correctly and in time. In this mode the login is verified with an electronic signature token that holds the digital certificate representing the user's unique identity and the user's private key; verifying the user's signature verifies the user's identity, prevents illegal logins by others and guarantees login security.
Mode three: the first input interface includes a keyboard, a touch screen or an information input device; the first input interface receives the user identification information input by the user; the safe processor obtains the prestored verification identification information and uses it to verify the input user identification information. In a specific implementation, the identification information may be a user name and password, biometric information (fingerprint, iris, etc.) and the like; the safe processor prestores the verification identification information (verification information) of the user, compares the input user identification information (information to be verified) with it, and if the comparison succeeds, verification is considered passed. Verifying by the user identification information confirms the identity of the user and ensures the security of the login.
In a specific implementation, several of the above modes may be used at the same time to secure the login, for example a combination of mode one and mode three, or a combination of mode two and mode three; using multiple modes to secure the login further ensures the security of the login. The first input interface depends on the login mode: it may be only an interface of the USB, audio or wireless interface type, only an interface of the keyboard, touch screen or information input device type, or an input interface that provides both types at once.
In addition, in all three implementations the safe processor performs the authentication processing independently and can be isolated from the main control processor, and the independent security of the safe processor further ensures the security of the user's login.
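The following is an added example, not code from the patent, of how a safe processor could implement mode two and mode three and require both to pass, as the combination described above allows. The salted PBKDF2 record for mode three and the HMAC-SHA256 tag standing in for the token's private-key signature in mode two are assumptions of this example; a real token signs with its private key and the processor verifies with the public key from the token's digital certificate. The processor issues a fresh random nonce as the preset information and only accepts signing information that answers that nonce, which is what stops a captured signature from being replayed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Mode three: the safe processor compares the identification information the
# user enters with the verification identification information it prestores.
# Storing a salted PBKDF2 digest instead of the password itself is an
# assumption of this example; the page only says the information is prestored.
def make_verification_record(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def compare_identification(record: dict, entered: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(),
                                    record["salt"], record["iterations"])
    # constant-time comparison: the result must not depend on where they differ
    return hmac.compare_digest(candidate, record["digest"])

# Mode two: the token's signing information is (preset information, signature
# value). The token's private-key signature is modelled here with an
# HMAC-SHA256 tag under a key shared with the safe processor (stand-in); a real
# token signs with its private key and the processor verifies with the public
# key taken from the token's digital certificate.
class ElectronicSignatureToken:
    def __init__(self, signing_key: bytes):
        self._key = signing_key

    def sign(self, preset_info: bytes) -> Tuple[bytes, bytes]:
        return preset_info, hmac.new(self._key, preset_info, "sha256").digest()

class SafeProcessor:
    def __init__(self, token_verify_key: bytes, user_record: dict):
        self._token_key = token_verify_key
        self._user_record = user_record
        self._outstanding: Optional[bytes] = None

    def issue_mode_two_instruction(self) -> bytes:
        # The instruction sent over the first input interface carries a fresh
        # random nonce as the preset information the token must sign.
        self._outstanding = os.urandom(16)
        return self._outstanding

    def verify_mode_two(self, preset_info: bytes, signature: bytes) -> bool:
        nonce, self._outstanding = self._outstanding, None   # single use
        if nonce is None or not hmac.compare_digest(preset_info, nonce):
            return False   # unsolicited or replayed signing information
        expected = hmac.new(self._token_key, preset_info, "sha256").digest()
        return hmac.compare_digest(signature, expected)

    def verify_mode_three(self, entered: str) -> bool:
        return compare_identification(self._user_record, entered)

def login_modes_two_and_three(processor: SafeProcessor,
                              token: ElectronicSignatureToken,
                              entered: str) -> bool:
    """Combined login: mode two (token signature) and mode three (identification
    information) must both pass, as the embodiment allows."""
    nonce = processor.issue_mode_two_instruction()
    preset_info, signature = token.sign(nonce)
    token_ok = processor.verify_mode_two(preset_info, signature)
    ident_ok = processor.verify_mode_three(entered)
    return token_ok and ident_ok
```

Both checks are evaluated before the result is combined, so a failed token check does not short-circuit and reveal, through timing, which factor failed.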
The main control processor receives the user identity information and determines the operating right of the user according to it; the operating right is the first authority and/or the second authority. Specifically, the first authority and the second authority may be the rights to process different instructions and to access different units (the System Management Unit and the parameter configuration unit); in this embodiment the first authority may be the right to process system management instructions and the second authority the right to process parameter configuration instructions; one user identity may possess only the first authority, only the second authority, or both the first and the second authority. In a specific implementation, the category of the user may be determined from the user identity information (such as the user serial number, user category, user name or user identifier), and the operating right of the user determined by that category. For example, if the identity information shows that the user is an administrator, the administrator has both the first authority and the second authority, i.e. can process both system management instructions and parameter configuration instructions; if the identity information shows that the user is an operator, the operator has the first authority, i.e. can process system management instructions; if the identity information shows that the user is an operation person, the operation person has the second authority, i.e. can process parameter configuration instructions.
Of course, an actual system may have only one kind of user, i.e. only administrator users who have both the first authority and the second authority. After a user logs in to the system, different operating rights are granted according to the difference in user identity, which establishes a firewall inside the inner tube server so that a user can only access the system resources the user is authorized for.
The second input interface also receives the operation request of the user and sends the operation request to the main control processor. Specifically, the user may input the operation request through the keyboard or by selecting on the web page of the inner tube server; the second input interface and the first input interface may be two different interfaces (for example the first input interface is a USB interface and the second input interface is a keyboard), or one and the same interface may realize the functions of both the first input interface and the second input interface.
The main control processor also judges the type of the operation request: if the operation request includes a system management instruction and the operating right of the user is determined to be the first authority, or both the first authority and the second authority, the operation request is sent to the System Management Unit; if the operation request includes a parameter configuration instruction and the operating right of the user is determined to be the second authority, or both the first authority and the second authority, the operation request is sent to the parameter configuration unit. Specifically, the operation request includes at least an operation instruction, which may be a system management instruction or a parameter configuration instruction; when the operation instruction matches the operating right of the user, the main control processor calls the corresponding unit to complete the operation.
The System Management Unit, after receiving the operation request, obtains the system administration entry corresponding to the system management instruction and performs the corresponding operation on the system administration entry according to the instruction. Specifically, the operation request here includes a system management instruction, which is used to manage the information of the inner tube server and may include a query instruction, a modify instruction, an add instruction or a delete instruction, realizing the query, modify, add and delete functions for each management entry in the inner tube server. When system management is needed, it must first be determined that the user possesses the corresponding authority before management is allowed; for example, a user possessing administrator or operator authority may manage the system. System administration entries are the entries the inner tube server makes available for the user to modify and may include, but are not limited to, users, roles, clients, products, reports and blacklists; the system administration entry may be included in the operation request, or the user may select the entry corresponding to the input system management instruction through the keyboard or the inner tube server web page; if needed, management parameters must also be input to realize the management function.
The parameter configuration unit, after receiving the operation request, obtains the entry to be configured and the update parameter corresponding to the parameter configuration instruction, and configures the parameter of the entry to be configured according to the update parameter. Specifically, the operation request here includes a parameter configuration instruction, which is used to configure the parameters of the inner tube server; when parameter configuration is needed, it must first be determined that the user possesses the corresponding authority before configuration is allowed; for example, a user possessing administrator or operation person authority may configure parameters. The entries to be configured corresponding to the parameter configuration instruction may include inner tube subsystem parameters, certification safety control module parameters, card-reading terminal APP parameters, blacklist strategy, frequency control strategy and so on; the inner tube server configures these entries through the update parameter, which may be included in the operation request or input by the user through the keyboard or the inner tube server web page.
Specifically, when the operating right corresponding to the user is determined to be both the first authority and the second authority, i.e. the user has administrator authority, the user may process both system management instructions and parameter configuration instructions, with the specific processing as described above.
Through the inner tube server of this embodiment, the components of each subsystem in the cloud authentication platform can be managed effectively by a single inner tube server, the user is provided with a visual management interface, the user experience is improved, and system parameters can also be configured during maintenance work. Moreover, the whole cloud authentication platform is scheduled and managed by the inner tube server, part of the resources are given limited access, and by setting different access rights the security of access for different users is ensured.
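As an added example that is not part of the patent, the following shows how the main control processor could derive the operating right from the user category and route an operation request only to a unit the right covers. The category names, the identity-information fields and the audit record are assumptions of this example; the first/second authority split and the administrator, operator and operation person roles follow the description above. Unknown categories and unknown instruction kinds are denied, so the processor fails closed.

```python
from enum import Flag, auto
from typing import List, Optional

class Authority(Flag):
    NONE = 0
    FIRST = auto()    # may process system management instructions
    SECOND = auto()   # may process parameter configuration instructions

# User category -> operating right, as the embodiment describes. The category
# names and the identity-information fields are assumptions of this example.
CATEGORY_AUTHORITY = {
    "administrator": Authority.FIRST | Authority.SECOND,
    "operator": Authority.FIRST,
    "operation_person": Authority.SECOND,
}

# Instruction kind -> (authority required, unit that handles it)
INSTRUCTION_ROUTE = {
    "system_management": (Authority.FIRST, "system_management_unit"),
    "parameter_configuration": (Authority.SECOND, "parameter_configuration_unit"),
}

def operating_right(identity: dict) -> Authority:
    """Derive the operating right from the user identity information.
    Unknown categories get no authority (deny by default)."""
    return CATEGORY_AUTHORITY.get(identity.get("category"), Authority.NONE)

class MainControlProcessor:
    def __init__(self):
        self.audit: List[dict] = []   # every routing decision, allowed or denied

    def route(self, identity: dict, request: dict) -> Optional[str]:
        """Return the unit the operation request is sent to, or None when the
        user's operating right does not cover the instruction."""
        kind = request.get("instruction_kind")
        route = INSTRUCTION_ROUTE.get(kind)
        right = operating_right(identity)
        unit = route[1] if route and (right & route[0]) else None
        self.audit.append({"user": identity.get("user_id"), "kind": kind,
                           "right": right, "unit": unit})
        return unit
```

Keeping the denied decisions in the audit list is deliberate: repeated attempts by an operator to issue parameter configuration instructions are exactly what an administrator reviewing the server would want to see.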
In one embodiment of the invention, when the user logs in, the login may also be protected by a verification code: the prompt information also includes a reference verification code; the safe access unit also generates a random code, generates the reference verification code from the random code, obtains the reference verification code, and sends it to the display unit and the safe processor. Specifically, on the user's login interface, input of the verification code may be prompted for verification at the same time as identity verification, or the verification code may be prompted for and verified before or after identity verification; the inner tube server generates a random code as the reference verification code, and this random code may be in a format such as digits or a picture.
The display unit also displays the reference verification code; while the other login prompt information is displayed, the reference verification code may also be displayed for the user to input.
The information to be verified also includes a login verification code; the first input interface also receives the login verification code; the safe processor also obtains the reference verification code and compares the login verification code with the reference verification code for verification. Specifically, after obtaining the verification code input by the user through the keyboard or other means, the inner tube server compares the input verification code with the reference verification code it stored or generated, and determines that the verification code passes when the comparison matches.
Using a login verification code can prevent login replay attacks, avoid the waste of system resources, and ensure the security of system operation.
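The following added example (not code from the patent) shows the verification-code exchange between the safe access unit, the display unit and the safe processor described above. The six-digit format, the validity window and the use of a monotonic timestamp are assumptions of this example. The point it makes concrete is the replay property claimed above: the safe processor consumes the reference code on its first comparison, so a captured login verification code cannot be presented a second time, and a code that has outlived its window is rejected even if it matches.

```python
import hmac
import secrets
import string
from typing import Optional

class SafeAccessUnit:
    """Generates a random code, derives the reference verification code from
    it and hands the code to the display unit and the safe processor. The
    digit-only format and the validity window are assumptions of this example."""
    def __init__(self, length: int = 6, ttl_seconds: float = 120.0):
        self._length = length
        self._ttl = ttl_seconds

    def generate_reference_code(self, issued_at: float) -> dict:
        # secrets, not random: the code must be unpredictable to a third party
        random_code = "".join(secrets.choice(string.digits)
                              for _ in range(self._length))
        return {"code": random_code, "issued_at": issued_at, "ttl": self._ttl}

class DisplayUnit:
    def render(self, reference: dict) -> str:
        return "Verification code: " + reference["code"]

class SafeProcessorCodeCheck:
    def __init__(self):
        self._reference: Optional[dict] = None

    def receive_reference_code(self, reference: dict) -> None:
        self._reference = reference

    def verify_login_code(self, login_code: str, now: float) -> bool:
        # The reference code is consumed on first use, so a captured login
        # request cannot be replayed against the same code.
        reference, self._reference = self._reference, None
        if reference is None:
            return False
        if now - reference["issued_at"] > reference["ttl"]:
            return False   # stale code
        return hmac.compare_digest(login_code, reference["code"])
```

A fresh reference code is generated for every login attempt; the processor never keeps a code past its first comparison, whether that comparison succeeded or not.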
In an embodiment of the invention, the system management instruction includes a query instruction, a modify instruction, an add instruction and/or a delete instruction; the main control processor obtains the system administration entry corresponding to the system management instruction and judges the type of the system management instruction; if the type indicates that the obtained system management instruction is a query instruction, the System Management Unit performs a query operation on the system administration entry according to the query instruction; if it is a modify instruction, the System Management Unit performs a modify operation on the system administration entry according to the modify instruction; if it is an add instruction, the System Management Unit performs an add operation on the system administration entry according to the add instruction; if it is a delete instruction, the System Management Unit performs a delete operation on the system administration entry according to the delete instruction.
In an embodiment of the invention, the system administration entry includes: a user, a role, a client, a product, a report and/or a blacklist;
When the System Management Unit performs a query operation on the system administration entry according to the query instruction: if the entry is a user, the unit queries the user according to the query instruction and outputs the user information according to a default query output rule; if the entry is a role, it queries the role and outputs the role information according to the default query output rule; if the entry is a client, it queries the client and outputs the client information according to the default query output rule; if the entry is a product, it queries the product and outputs the product information according to the default query output rule; if the entry is a report, it queries the report and outputs the report information according to the default query output rule; if the entry is a blacklist, it queries the blacklist and outputs the blacklist information according to the default query output rule;
When the System Management Unit performs a modify operation on the system administration entry according to the modify instruction: if the entry is a user, the unit modifies the user information according to the modify instruction and stores the modified user information; likewise, for a role, a client, a product, a report or a blacklist, it modifies the role information, client information, product information, report information or blacklist information according to the modify instruction and stores the modified result;
When the System Management Unit performs an add operation on the system administration entry according to the add instruction: if the entry is a user, the unit adds the user according to the add instruction and stores the added user information; likewise, for a role, a client, a product, a report or a blacklist, it adds the role, client, product, report or blacklist according to the add instruction and stores the added role information, client information, product information, report information or blacklist information;
When the System Management Unit performs a delete operation on the system administration entry according to the delete instruction: if the entry is a user, the unit deletes the user according to the delete instruction; likewise, for a role, a client, a product, a report or a blacklist, it deletes the role, client, product, report or blacklist according to the delete instruction.
The operations on each system administration entry are described in detail below:
When the system administration entry is a user, the administrator or operator logged in to the inner tube server may query, modify, add or delete the user's information. For example, when the administrator or operator needs to query user information, the user may be queried by inputting the user's unique identification information (such as the ID or name), or a default query may be performed, which returns the information of all users able to log in to this inner tube server, and the query result is shown on the display unit; similarly, when the administrator or operator needs to modify, add or delete, the user is determined by the unique identification information (such as the ID or name), the user's information is modified, added or deleted, and the result of the modification, addition or deletion is stored.
When the system administration entry is a role, the administrator or operator logged in to the inner tube server may query, modify, add or delete the role's information. The inner tube server sets different roles for different users, and each role has different authority, for example administrator, operator, operation person and so on. When the administrator or operator needs to query the information of a role, the authority and other information under the role may be queried by the role's name or number, or a default query may be performed, which returns all role information of the inner tube server, and the query result is shown on the display unit; similarly, when the administrator or operator needs to modify a role, the role information may be modified by the role's name or number, for example modifying the authority of a certain role; when the administrator or operator needs to add or delete a role, the role is added or deleted according to the role's name or number, and the result of the modification, addition or deletion is stored.
When the system administration entry is a client, the administrator or operator logged in to the inner tube server may query, modify, add or delete the client's information. The clients in the inner tube server may be clients of different industries in the cloud verification system, such as banks, merchants, telecommunications and so on. The Internet identity card cloud verification system can provide identity authentication services for clients of different industries; the card-reading terminal product codes and product types used by different clients may differ, and the identity card information obtained also differs, so the different clients need to be managed by the inner tube server. Client management may also be based on the client's unique identification information (such as the ID or name): the client is determined by its unique identification, the client's information is added, modified, deleted or queried, the query result is displayed, and the result of the modification, addition or deletion is stored. For example, when a client is queried by a query instruction, after the input of the client's unique identification is detected, the information related to this client is found in the inner tube server, output and shown on the display unit.
When the system administration entry is a product, the administrator or operator logged in to the inner tube server may query, modify, add or delete the product's information. A product in the inner tube server corresponds to a card-reading terminal; the product entry records the card-reading terminal type and the card-reading terminal number, the card-reading terminal serial number is the unique identification information of the product, and each product entry also binds client information. When the administrator or operator queries a product entry, the card-reading terminal type, card-reading terminal serial number, owning client and other information of the product entry may be queried; of course, a default query or a query by the unique identification information may be performed, and the query result is shown on the display unit; similarly, when the administrator or operator needs to modify, add or delete, the product is determined by the unique identification information of the product, the product's information is modified, added or deleted, and the result of the modification, addition or deletion is stored. In addition, when product information needs to be added, a batch add operation may also be performed through product information management.
When the system administration entry is a report, the administrator or operator logged in to the inner tube server may query, modify, add or delete reports. The administrator or operator may generate reports on the state of each entry managed by the inner tube server, may query, modify, add or delete reports, and may additionally classify by the data items of system administration and provide clients with customized data item reports. The content of a report may cover the information of all management entries of the inner tube server, all configurable parameter information, and other transaction-related information.
When the system administration entry is a blacklist, the administrator or operator logged in to the inner tube server may query, modify, add or delete the blacklist. The inner tube server may maintain a series of blacklists; for example, a blacklist mechanism may be adopted for products (card-reading terminals), card-reading terminals in an abnormal state are added to the blacklist, and card-reading terminals misjudged by the system may be deleted from the blacklist, thereby maintaining the blacklist information. Of course, when the administrator or operator needs to query the blacklist, the blacklist may be queried by inputting query elements, or a default query may be performed, which returns all blacklist information, and the query result is shown on the display unit; similarly, when the administrator or operator needs to modify, add or delete, the blacklist information is modified, added or deleted according to the determined elements, and the result of the modification, addition or deletion is stored.
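The System Management Unit described in the preceding passages (query, modify, add and delete over users, roles, clients, products, reports and blacklists) could be implemented as in the added example below, which is not code from the patent. The field names used as unique identification, the "credential" field hidden by the default query output rule, and the request format are assumptions of this example; that product and blacklist entries are keyed by the card-reading terminal serial number and that a product entry must bind client information follow the text. The add path accepts a list to cover the batch add of products.

```python
import copy
from typing import Any, Dict, List

ENTRY_KINDS = ("user", "role", "client", "product", "report", "blacklist")

# Field that uniquely identifies a record of each entry kind. The product and
# blacklist entries are keyed by the card-reading terminal serial number as the
# page states; the other field names are assumptions of this example.
UNIQUE_KEY = {"user": "id", "role": "name", "client": "id",
              "product": "serial", "report": "id", "blacklist": "serial"}

# Default query output rule: fields never echoed back by a query (assumed).
HIDDEN_FIELDS = {"user": {"credential"}}

class SystemManagementUnit:
    def __init__(self):
        self._tables: Dict[str, Dict[Any, dict]] = {k: {} for k in ENTRY_KINDS}

    def execute(self, request: dict):
        """request = {"entry": kind, "instruction": query|modify|add|delete,
        "record": dict | list of dicts | None}"""
        kind = request["entry"]
        if kind not in self._tables:
            raise ValueError("unknown system administration entry: %r" % kind)
        handler = {"query": self._query, "modify": self._modify,
                   "add": self._add, "delete": self._delete}[request["instruction"]]
        return handler(kind, request.get("record"))

    def _key(self, kind: str, record: dict):
        return record[UNIQUE_KEY[kind]]

    def _output(self, kind: str, record: dict) -> dict:
        hidden = HIDDEN_FIELDS.get(kind, set())
        return {f: v for f, v in record.items() if f not in hidden}

    def _query(self, kind: str, record) -> List[dict]:
        table = self._tables[kind]
        if not record:   # default query: every record of this entry
            return [self._output(kind, r) for r in table.values()]
        hit = table.get(self._key(kind, record))
        return [self._output(kind, hit)] if hit else []

    def _add(self, kind: str, record) -> List[Any]:
        records = record if isinstance(record, list) else [record]  # batch add
        table = self._tables[kind]
        added = []
        for r in records:
            key = self._key(kind, r)
            if key in table:
                raise ValueError("duplicate %s %r" % (kind, key))
            if kind == "product" and "client" not in r:
                raise ValueError("a product entry must bind client information")
            table[key] = copy.deepcopy(r)
            added.append(key)
        return added

    def _modify(self, kind: str, record: dict) -> dict:
        table = self._tables[kind]
        key = self._key(kind, record)
        if key not in table:
            raise KeyError("no %s %r to modify" % (kind, key))
        table[key].update(copy.deepcopy(record))
        return self._output(kind, table[key])

    def _delete(self, kind: str, record: dict) -> bool:
        return self._tables[kind].pop(self._key(kind, record), None) is not None
```

Records are deep-copied on the way in so that a caller holding the original dict cannot alter stored data after the unit has validated it, and the output rule is applied on every query path so a stored credential never reaches the display unit.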
In one embodiment of the invention, the entries to be configured include: inner tube subsystem parameters, certification safety control module parameters, card-reading terminal APP parameters, blacklist strategy and/or frequency control strategy; the parameter configuration unit obtains the entry to be configured and the update parameter corresponding to the parameter configuration instruction and judges the type of the entry to be configured; if the entry to be configured is inner tube subsystem parameters, the parameter configuration unit configures the parameters of the inner tube subsystem according to the update parameter; if the entry is certification safety control module parameters, it configures the parameters of the certification safety control module according to the update parameter; if the entry is card-reading terminal APP parameters, it configures the card-reading terminal APP parameters according to the update parameter; if the entry is the blacklist strategy, it configures the blacklist strategy according to the update parameter; if the entry is the frequency control strategy, it configures the frequency control strategy according to the update parameter.
When a user logged in to the inner tube server needs to execute a parameter configuration instruction, the user must possess administrator or operation person authority, and only after the authority of the logged-in user has been verified to match is the user allowed to process the parameter configuration instruction. The operations on each entry to be configured are described in detail below:
When the entry to be configured is inner tube subsystem parameters, what is mainly realized is the configuration of the operating parameters of the inner tube subsystem, such as setting the authentication code generation rule or setting the detection time interval of the certification safety control module. Specifically, the inner tube server receives the parameter configuration instruction, determines the entry to be configured according to the instruction, and when it judges that the type of the entry is inner tube subsystem parameters, jumps to the inner tube subsystem parameter configuration flow and obtains, through the keyboard or another input device, the update parameter corresponding to the determined inner tube subsystem parameter configuration; for example, when the administrator or operation person configures the detection time interval of the certification safety control module, the time interval to be set is input through the keyboard as the update parameter. The configured inner tube subsystem parameters can provide unified parameter settings for the cloud authentication platform, so that other systems can conveniently obtain the inner tube subsystem parameter information through the inner tube server.
When the entry to be configured is certification safety control module parameters, what is mainly realized is the configuration of the various parameters of the certification safety control module and the sending of the updated parameter information to the module so that the module can execute it. Specifically, the inner tube server receives the parameter configuration instruction, determines the entry to be configured according to the instruction, and when it judges that the type of the entry is certification safety control module parameters, jumps to the certification safety control module parameter configuration flow, obtains through the keyboard or another input device the update parameter corresponding to the determined certification safety control module parameter configuration, configures the certification safety control module with this update parameter, and sends the updated certification safety control module parameter information to the module for execution.
When the entry to be configured is card-reading terminal APP parameters, what is mainly realized is maintaining version updates of the client software and issuing the card-reading terminal APP software. When the card-reading terminal APP needs to be updated, the administrator or operation person may configure the card-reading terminal APP parameters through the inner tube server, for example updating the version number of the card-reading terminal APP, so that the client automatically updates the software after detecting the new version. In addition, when a version update is needed, the inner tube server also stores the updated card-reading terminal APP software so that clients can download the update.
When the entry to be configured is the blacklist strategy, what is mainly realized is the configuration of the blacklist strategy, which provides the basis on which the system judges whether a card-reading terminal has abnormal behaviour. The blacklist strategy may set a threshold for the abnormal behaviour of card-reading terminals: a card-reading terminal exceeding the preset threshold is judged to have had abnormal behaviour and may be added to the blacklist; a strategy for release from the blacklist may also be set, for example a criterion for judging that the abnormal behaviour has been eliminated, and when the abnormal behaviour is judged to have been eliminated the terminal may be released from the blacklist. Of course, different blacklist strategies may be set in other respects according to actual requirements. Specifically, the inner tube server receives the parameter configuration instruction, determines the entry to be configured according to the instruction, and when it judges that the type of the entry is the blacklist strategy, jumps to the blacklist strategy configuration flow, obtains through the keyboard or another input device the update parameter corresponding to the determined blacklist strategy, and configures the blacklist strategy with this update parameter.
When the entry to be configured is the frequency control strategy, what is mainly realized is setting the access time interval of card-reading terminals, which provides the basis on which the dispatch system performs frequency control. Since frequent access by card-reading terminals can cause the background system to collapse, the access time interval of card-reading terminals must be set reasonably, and once the access time interval of a card-reading terminal is less than the preset legal access time interval, the behaviour of that terminal may be judged as abnormal behaviour. Specifically, the inner tube server receives the parameter configuration instruction, determines the entry to be configured according to the instruction, and when it judges that the type of the entry is the frequency control strategy, jumps to the frequency control strategy configuration flow, obtains through the keyboard or another input device the update parameter corresponding to the determined frequency control strategy configuration, and configures the frequency control strategy with this update parameter. For example, when 0.1 s is determined to be the minimum access interval, access at intervals shorter than 0.1 s is considered abnormal behaviour, and the parameter 0.1 s is input through the keyboard or another input device to configure the frequency control strategy; of course, the frequency control strategy may also be configured in other respects, such as the start time and level of frequency control.
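The following is an added example, not code from the patent, of the blacklist strategy and the frequency control strategy from the two passages above working together: a policy object that the parameter configuration unit updates through validated update parameters, and a monitor that judges each card-reading terminal access against the minimum interval, counts abnormal accesses against the blacklist threshold, and releases a terminal once its behaviour has been normal for the configured number of accesses. The 0.1 s minimum interval is the page's example; the parameter names, the threshold of three abnormal accesses and the release criterion are assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, Set

class ParameterConfigurationError(ValueError):
    pass

class AccessPolicy:
    """Blacklist strategy and frequency control strategy as the parameter
    configuration unit would hold them. Parameter names are assumptions; 0.1 s
    is the minimum access interval from the page's example."""
    def __init__(self, min_interval_s: float = 0.1,
                 abnormal_threshold: int = 3, release_after_normal: int = 2):
        self.min_interval_s = min_interval_s
        self.abnormal_threshold = abnormal_threshold
        self.release_after_normal = release_after_normal

    def configure(self, entry: str, update_parameter: dict) -> None:
        """Validate and apply an update parameter for one entry to be configured."""
        if entry == "frequency_control_strategy":
            interval = float(update_parameter["min_interval_s"])
            if interval <= 0:
                raise ParameterConfigurationError("access interval must be positive")
            self.min_interval_s = interval
        elif entry == "blacklist_strategy":
            threshold = int(update_parameter.get("abnormal_threshold", self.abnormal_threshold))
            release = int(update_parameter.get("release_after_normal", self.release_after_normal))
            if threshold < 1 or release < 1:
                raise ParameterConfigurationError("thresholds must be at least 1")
            self.abnormal_threshold, self.release_after_normal = threshold, release
        else:
            raise ParameterConfigurationError("unknown entry to be configured: %r" % entry)

class AccessMonitor:
    """Applies the policy to each card-reading terminal access, keyed by the
    terminal serial number. Returns "ok", "abnormal" or "blacklisted"."""
    def __init__(self, policy: AccessPolicy):
        self.policy = policy
        self._last_access: Dict[str, float] = {}
        self._abnormal = defaultdict(int)       # abnormal accesses per terminal
        self._normal_streak = defaultdict(int)  # consecutive normal accesses
        self.blacklist: Set[str] = set()

    def record_access(self, serial: str, t: float) -> str:
        last = self._last_access.get(serial)
        self._last_access[serial] = t
        too_fast = last is not None and (t - last) < self.policy.min_interval_s
        if too_fast:
            self._abnormal[serial] += 1
            self._normal_streak[serial] = 0
        else:
            self._normal_streak[serial] += 1
        if self._abnormal[serial] >= self.policy.abnormal_threshold:
            self.blacklist.add(serial)
        if serial in self.blacklist:
            if self._normal_streak[serial] >= self.policy.release_after_normal:
                self.blacklist.discard(serial)   # abnormal behaviour judged eliminated
                self._abnormal[serial] = 0
            else:
                return "blacklisted"
        return "abnormal" if too_fast else "ok"
```

The monitor keeps counting while a terminal is blacklisted, so a terminal that keeps hammering the server stays listed, and the abnormal count is only reset when the release criterion is actually met.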
Embodiment 4
This embodiment provides an identity card reading method which, as shown in Figure 6, comprises steps S201 to S212:
S201: The card-reading terminal sends an access request to the dispatch server through the Internet access zone; the access request carries the identification information of the card-reading terminal;
Here the identification information of the card-reading terminal includes the digital certificate of the card-reading terminal.
S202: After receiving the access request, the dispatch server obtains the identification information of the card-reading terminal from it and determines, according to the identification information, whether the card-reading terminal is allowed to read identity cards. If allowed, step S203 is performed; otherwise, feedback information indicating that access is not allowed is returned to the card-reading terminal;
Here the dispatch server determining whether the card-reading terminal is allowed to read identity cards includes:
judging whether the digital certificate of the card-reading terminal is abnormal; if so, determining that the card-reading terminal is not allowed to read identity cards; otherwise, judging whether the digital certificate of the card-reading terminal is in the blacklist or in the management and control list, where the blacklist records the digital certificates of card-reading terminals that are not allowed to access and the management and control list records the digital certificates of card-reading terminals whose access needs to be controlled according to a preset management and control strategy;
in the case where the digital certificate of the card-reading terminal is judged to be in the blacklist, not allowing the card-reading terminal to read identity cards and rejecting the request of the card-reading terminal;
in the case where the digital certificate of the card-reading terminal is judged to be in the management and control list, determining according to the preset management and control strategy whether the card-reading terminal is allowed to read identity cards.
S203: In the case where the card-reading terminal is determined to be allowed to read identity cards, the dispatch server queries the port status list and, according to the principle of task balancing, selects the port corresponding to an idle certification security control module as the access port of the card-reading terminal;
S204: The dispatch server sends the port number of the selected certification security control module to the card-reading terminal;
S205: The card-reading terminal sends a card-seeking request through the Internet access zone and the isolation zone to the certification security control module that this port number points to;
S206: The certification security control module pointed to by this port number receives the card-seeking request sent by the card-reading terminal and sends the card-seeking request to the verification security control module corresponding to that certification security control module;
In this step, when the card-seeking request received by the certification security control module is ciphertext, the ciphertext can be decrypted using the certification key of the card-reading terminal, and the plaintext of the card-seeking request is sent to the verification security control module.
S207: The corresponding verification security control module receives the card-seeking request, confirms it, and sends the confirmation result information to the selected certification security control module;
S208: The certification security control module pointed to by this port number obtains a session key, encrypts the confirmation result information with the session key, and sends the encrypted confirmation result information to the card-reading terminal;
Here the session key can be obtained by negotiation between the certification security control module and the card-reading terminal, or generated by one side and sent to the other side.
S209: The card-reading terminal sends a first packet through the Internet access zone and the isolation zone to the certification security control module pointed to by this port number;
Here, after receiving the encrypted confirmation result, the card-reading terminal can first decrypt the encrypted session key to obtain the session key, and then use the session key to decrypt the encrypted confirmation result and obtain the confirmation result.
Here the first packet includes the identity card ciphertext obtained by the card-reading terminal encrypting the identity card original ciphertext information it read;
S210: The certification security control module pointed to by this port number receives the first packet sent by the card-reading terminal, decrypts the first packet with the session key to obtain the identity card original ciphertext information, and sends the identity card original ciphertext information to the corresponding verification security module;
S211: The corresponding verification security module decrypts the identity card original ciphertext information to obtain the identity card plaintext information and returns the identity card plaintext information to the certification security control module pointed to by this port number;
S212: The certification security control module pointed to by this port number encrypts the identity card plaintext information with the session key and sends a second packet to the card-reading terminal, where the second packet includes the encrypted identity card plaintext information;
S212: The card-reading terminal receives the second packet and decrypts it with the session key to obtain the identity card plaintext information.
The above flow is performed in the case where the perimeter firewalls of the Internet access zone and the service area all allow the access of the card-reading terminal, and the intrusion detection device and intrusion prevention device do not detect that the system is under attack; all interaction data between the card-reading terminal and the verification security control module is transmitted through the network transmission devices of the Internet access zone, the core zone and the service area.
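The S201 to S212 exchange simulated end to end in Python, as an added example that is not part of the patent: the dispatch server's certificate checks and task-balanced port selection, then the session-key protected round trips between terminal, certification security control module and verification security control module. The SHA-256 keystream cipher, a session key agreed before S205, the port-status bookkeeping and the default-deny management and control strategy are constructed stand-ins for details the text leaves open.

```python
"""Embodiment 4 (S201-S212) simulation. Added example, not the patent's code: the
cipher (SHA-256 keystream XOR), the pre-agreed session key and the port bookkeeping
are constructed stand-ins."""
import hashlib
from typing import Optional, Tuple


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: XOR with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class DispatchServer:
    """S202-S204: checks the terminal's digital certificate and allocates a port."""
    def __init__(self, abnormal_certs, blacklist, control_list, port_status,
                 control_strategy=lambda cert, now: False):
        self.abnormal_certs = set(abnormal_certs)
        self.blacklist = set(blacklist)            # certificates not allowed to access
        self.control_list = set(control_list)      # certificates under the control strategy
        self.port_status = dict(port_status)       # port -> (state, tasks handled so far)
        self.control_strategy = control_strategy   # assumption: default denies controlled terminals

    def admit(self, cert: str, now: float) -> Tuple[bool, str]:
        if cert in self.abnormal_certs:
            return False, "certificate abnormal"
        if cert in self.blacklist:
            return False, "certificate in blacklist"
        if cert in self.control_list and not self.control_strategy(cert, now):
            return False, "denied by management and control strategy"
        return True, "allowed"

    def select_port(self) -> Optional[int]:
        """S203: the idle port that has handled the fewest tasks (task-balance principle)."""
        idle = [(tasks, port) for port, (state, tasks) in self.port_status.items() if state == "idle"]
        if not idle:
            return None
        tasks, port = min(idle)
        self.port_status[port] = ("busy", tasks + 1)
        return port


class VerificationModule:
    """Isolated module holding the key for the identity card's original ciphertext."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key

    def confirm_card_seek(self, request: bytes) -> bytes:            # S207
        return b"CARD-SEEK-OK:" + request

    def decrypt_card(self, original_ciphertext: bytes) -> bytes:    # S211
        return keystream_xor(self.card_key, original_ciphertext)


class CertificationModule:
    """Terminal-facing module; everything it sends to the terminal is under the session key."""
    def __init__(self, verifier: VerificationModule, session_key: bytes):
        self.verifier, self.session_key = verifier, session_key

    def handle_card_seek(self, request: bytes) -> bytes:            # S206-S208
        return keystream_xor(self.session_key, self.verifier.confirm_card_seek(request))

    def handle_first_packet(self, first_packet: bytes) -> bytes:     # S210-S212
        original_ciphertext = keystream_xor(self.session_key, first_packet)
        plaintext = self.verifier.decrypt_card(original_ciphertext)
        return keystream_xor(self.session_key, plaintext)            # the second packet


def read_identity_card(dispatch, cert, modules, session_key, card_original_ciphertext, now=0.0):
    """Terminal side of S201-S212; returns (status, identity card plaintext or None)."""
    ok, reason = dispatch.admit(cert, now)                                       # S201-S202
    if not ok:
        return reason, None
    port = dispatch.select_port()                                                # S203-S204
    if port is None:
        return "no idle port", None
    module = modules[port]
    confirmation = keystream_xor(session_key, module.handle_card_seek(b"SEEK"))  # S205-S208
    if not confirmation.startswith(b"CARD-SEEK-OK"):
        return "card seek rejected", None
    first_packet = keystream_xor(session_key, card_original_ciphertext)          # S209
    second_packet = module.handle_first_packet(first_packet)                     # S210-S212
    return "ok", keystream_xor(session_key, second_packet)
```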
Although embodiments of the invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be considered as limiting the invention; those of ordinary skill in the art may change, revise, replace and modify the above embodiments within the scope of the invention without departing from its principle and objective. The scope of the invention is defined by the appended claims and their equivalents.

Claims (10)

1. the method for a data transmission, it is characterised in that including:
Border routing receives the packet that card-reading terminal sends, including at least accessing IP address and access port in described packet;Select perimeter firewall to be sent according to routing strategy, described packet is sent to selected perimeter firewall;
Described selected perimeter firewall receives described packet, map out purpose IP address and the destination interface of correspondence according to described access IP address and described access port, and described packet, described purpose IP address and described destination interface are sent to core switch;
Described packet is sent to dispatch server by described core switch according to described purpose IP address and described destination interface, or, according to described purpose IP address and described destination interface, described packet, described purpose IP address and described destination interface are sent the service area fire wall to service area;
In the case of described packet is sent to dispatch server by described core switch, described dispatch server receives described packet, the port status list in the compass of competency of described dispatch server is obtained, the corresponding certification safety control module of each port from the authentication database of described service area;And select the port of an idle as the access port of described card-reading terminal from described port status list, and described access port is sent to described card-reading terminal;
At described core switch, described packet, described purpose IP address and described destination interface are sent to service area, the described service area fire wall of described service area receives described packet, according to default service area firewall filtering policies, judge whether described destination interface belongs to the port allowing to access, if, then sending described packet to the first certification security module, described first certification security module is described destination interface and the certification safety control module of described purpose IP address sensing;
Described first certification safety control module receives described packet, described packet is deciphered, and the packet after deciphering is sent to the first checking safety control module, described first checking safety control module is the checking safety control module being connected with described first certification safety control module;
Described first checking safety control module receives the packet after described deciphering, returns the first corresponding packet according to the data content that the packet after described deciphering carries to described first certification safety control module;
Described first certification safety control module receives described first packet that described first checking safety control module returns, and to described first Data Packet Encryption, sends the first packet after encryption to described card-reading terminal.
2. the method for claim 1, it is characterised in that:
Selecting perimeter firewall to be sent at described border routing according to routing strategy, sent before selected perimeter firewall by described packet, described method also includes:
Described border routing is according to the border routing filtering policy preset, judge whether described access IP address allows by described border routing, if allowed, then perform the described perimeter firewall to be sent according to routing strategy selection, described packet is sent the step to the described perimeter firewall selected.
3. The method of claim 1 or 2, characterised in that:
before the selected perimeter firewall maps out the corresponding purpose IP address and destination port according to the access IP address and the access port, the method also includes:
the selected perimeter firewall judges, according to a preset perimeter firewall filtering policy, whether the packet includes invalid data; if not, the step of mapping out the corresponding purpose IP address and destination port according to the access IP address and the access port is performed.
4. The method of any one of claims 1 to 3, characterised in that:
the core switch sending the packet to the dispatch server according to the purpose IP address and the destination port, or sending the packet, the purpose IP address and the destination port to the service area according to the purpose IP address and the destination port, includes:
if the purpose IP address and the destination port are the IP address and port of the dispatch server, the core switch sends the packet to the dispatch server;
if the purpose IP address and the destination port are the IP address and port of a safety certification control module in the service area, the core switch sends the packet, the purpose IP address and the destination port to the service area firewall of the service area.
5. The method of any one of claims 1 to 4, characterised in that:
the packet also includes: the identification information of the card-reading terminal and the digital certificate of the card-reading terminal;
before the dispatch server obtains the port status list within its jurisdiction from the authentication database of the service area, the method also includes:
the dispatch server judges, according to the identification information of the card-reading terminal, whether the card-reading terminal is allowed to access, and judges whether the digital certificate of the card-reading terminal is abnormal; and judges that the card-reading terminal is allowed to access and that the certificate of the card-reading terminal is normal.
6. The method of any one of claims 1 to 5, characterised in that:
before the first certification security control module decrypts the packet, the method also includes: the dispatch server, according to the identification information of the card-reading terminal, obtains the ciphertext of the certification key of the card-reading terminal from the authentication database and sends it to the first certification security control module; where the ciphertext of the certification key of the card-reading terminal is obtained by encrypting the certification key of the card-reading terminal with the protection key of the authentication database;
the first certification security control module decrypting the packet includes: the first certification security control module obtains the protection key, decrypts the ciphertext with the protection key to obtain the certification key of the card-reading terminal, and decrypts the packet with the certification key;
the first verification security control module returning the corresponding first packet to the first certification security control module according to the data content carried by the decrypted packet includes:
in the case where the data content is identity card card-seeking data, the first verification security control module returns the first packet to the first certification security control module, the first packet including at least card-seeking response data;
in the case where the data content is identity card card-selection data, the first verification security control module returns the first packet to the first certification security control module, the first packet including at least the related data for authenticating the identity card read by the card-reading terminal;
in the case where the data content is an identity card information ciphertext, the first verification security control module decrypts the identity card information ciphertext to obtain the identity card information plaintext and returns the first packet to the first certification security control module, the first packet including at least the identity card information plaintext.
7. The method of any one of claims 1 to 6, characterised in that the method also includes:
a flow cleaning device connected with the border router monitors the service traffic flowing through the border router and, if it detects from that service traffic that the border router is under a distributed denial of service attack, performs flow cleaning on the service traffic flowing through the border router.
8. The system as described in any one of claims 1 to 7, characterised in that:
there are multiple dispatch servers;
the method also includes: when the core switch sends the packet to the multiple dispatch servers, a load balancer connected between the core switch and the multiple dispatch servers distributes the packet among the multiple dispatch servers according to a balancing policy.
9. The method of any one of claims 1 to 8, characterised in that the method also includes:
an intrusion detection device connected with the core switch monitors the service traffic flowing through the core switch and matches the service traffic flowing through the core switch against a historical behavior model of users, pre-stored expert knowledge and a neural network model; once a match succeeds, it judges that intrusion behavior exists.
10. The method of any one of claims 1 to 9, characterised in that the method also includes:
an intrusion prevention device connected with the core switch monitors the packets received by the core switch and judges whether a packet received by the core switch is invalid data; if so, the packet received by the core switch is discarded.
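The packet path of claims 1 to 4, 8 and 10 as an added Python example (not the patent's own code): border-router filtering of the access IP address, perimeter-firewall invalid-data check and address mapping, the core switch's choice between the dispatch servers and the service area, the service-area firewall's port filter, and load balancing across several dispatch servers. The addresses, ports, round-robin routing and balancing strategies and the "invalid data" rule are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Set, Tuple

Address = Tuple[str, int]   # (IP address, port)


@dataclass
class Packet:
    access_ip: str      # the card-reading terminal's access IP address
    access_port: int    # the access port it used
    payload: bytes


class Network:
    """The path of claim 1 with the filtering steps of claims 2, 3 and 10 and the
    dispatch-server load balancing of claim 8. Constructed model, not the patent's code."""

    def __init__(self, allowed_access_ips: Set[str], perimeter_firewalls: List[str],
                 mapping: Dict[Address, Address], dispatch_addr: Address,
                 dispatch_servers: List[str], cert_modules: Dict[Address, str],
                 service_area_allowed_ports: Set[int]):
        self.allowed_access_ips = allowed_access_ips          # border routing filtering policy
        self._firewall_cycle = cycle(perimeter_firewalls)     # routing strategy: round robin (assumed)
        self.mapping = mapping                 # (access IP, access port) -> (purpose IP, destination port)
        self.dispatch_addr = dispatch_addr     # purpose address shared by the dispatch servers
        self._dispatch_cycle = cycle(dispatch_servers)        # load balancer: round robin (assumed)
        self.cert_modules = cert_modules       # purpose address -> certification security control module
        self.service_area_allowed_ports = service_area_allowed_ports  # service area firewall policy

    @staticmethod
    def is_invalid_data(packet: Packet) -> bool:
        """Constructed rule standing in for the perimeter firewall / intrusion prevention check."""
        return len(packet.payload) == 0 or len(packet.payload) > 1024

    def transmit(self, packet: Packet) -> Tuple[str, str]:
        """Return ('dispatch'|'service', handler) or ('dropped', reason)."""
        # Border router (claims 1, 2): filter the access IP, then pick a perimeter firewall.
        if packet.access_ip not in self.allowed_access_ips:
            return "dropped", "border router: access IP address not allowed"
        firewall = next(self._firewall_cycle)
        # Perimeter firewall (claims 1, 3): reject invalid data, then map the addresses.
        if self.is_invalid_data(packet):
            return "dropped", f"{firewall}: packet contains invalid data"
        purpose = self.mapping.get((packet.access_ip, packet.access_port))
        if purpose is None:
            return "dropped", f"{firewall}: no mapping for access address"
        # Core switch (claims 1, 4): dispatch server or service area, by purpose address.
        if purpose == self.dispatch_addr:
            return "dispatch", next(self._dispatch_cycle)    # load balancer, claim 8
        if purpose in self.cert_modules:
            # Service area firewall (claim 1): only ports its filtering policy allows.
            if purpose[1] not in self.service_area_allowed_ports:
                return "dropped", "service area firewall: destination port not allowed"
            return "service", self.cert_modules[purpose]
        return "dropped", "core switch: unknown purpose address"


def build_demo_network() -> Network:
    """Constructed topology: one allowed terminal address, two perimeter firewalls,
    two dispatch servers behind one purpose address, two certification modules."""
    return Network(
        allowed_access_ips={"203.0.113.10"},
        perimeter_firewalls=["pfw-1", "pfw-2"],
        mapping={
            ("203.0.113.10", 443): ("10.0.0.1", 8080),    # -> dispatch servers
            ("203.0.113.10", 9001): ("10.0.1.1", 9001),   # -> certification module 1
            ("203.0.113.10", 9002): ("10.0.1.1", 9002),   # -> certification module 2
        },
        dispatch_addr=("10.0.0.1", 8080),
        dispatch_servers=["dispatch-1", "dispatch-2"],
        cert_modules={("10.0.1.1", 9001): "cert-module-1", ("10.0.1.1", 9002): "cert-module-2"},
        service_area_allowed_ports={9001},   # 9002 is not opened on the service area firewall
    )
```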
CN201610040635.3A 2016-01-21 2016-01-21 A kind of method of data transmission Active CN106027463B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610040635.3A CN106027463B (en) 2016-01-21 2016-01-21 A kind of method of data transmission


Publications (2)

Publication Number Publication Date
CN106027463A true CN106027463A (en) 2016-10-12
CN106027463B CN106027463B (en) 2019-10-01

Family

ID=57082754



Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841543A (en) * 2010-05-10 2010-09-22 秦野 Intelligent verification system of second-generation resident identification card
CN103593634A (en) * 2013-11-08 2014-02-19 国家电网公司 Network centralized decoding system and method of identity card identifier
CN104639538A (en) * 2015-01-15 2015-05-20 李明 Identity card information obtaining method and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴兴勇: "《实用网络技术》", 31 May 2015 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108156240A (en) * 2017-12-25 2018-06-12 深圳市智物联网络有限公司 A kind of method and system of industry adapter access server
CN108600185A (en) * 2018-03-29 2018-09-28 武汉虹旭信息技术有限责任公司 A kind of data security transmission network system and its method
CN108696541A (en) * 2018-07-20 2018-10-23 国家电网公司 The method and device of safe processing of communication network
CN109347885B (en) * 2018-12-05 2020-12-08 华北理工大学 Authentication method of network authentication system
CN109347885A (en) * 2018-12-05 2019-02-15 华北理工大学 A kind of network authentication system and its authentication method
CN109743326A (en) * 2019-01-10 2019-05-10 新华三云计算技术有限公司 Flow transmission method and device
CN111698789A (en) * 2019-03-15 2020-09-22 华为技术有限公司 Scheduling method, device and storage medium in communication system
CN111698789B (en) * 2019-03-15 2022-05-13 华为技术有限公司 Scheduling method, apparatus and storage medium in communication system
CN110324826A (en) * 2019-06-10 2019-10-11 平安科技(深圳)有限公司 A kind of Intranet access method and relevant apparatus
CN110324826B (en) * 2019-06-10 2022-08-16 平安科技(深圳)有限公司 Intranet access method and related device
CN110769010A (en) * 2019-11-03 2020-02-07 长沙豆芽文化科技有限公司 Data management authority processing method and device and computer equipment
CN110769010B (en) * 2019-11-03 2020-04-03 长沙豆芽文化科技有限公司 Data management authority processing method and device and computer equipment
CN112364360A (en) * 2020-11-11 2021-02-12 南京信息职业技术学院 Financial data safety management system
CN113422783A (en) * 2021-07-09 2021-09-21 深圳市高德信通信股份有限公司 Network attack protection method
CN115118674A (en) * 2022-06-22 2022-09-27 深圳市沃特沃德信息有限公司 Application program networking monitoring method, device, equipment and medium

Also Published As

Publication number Publication date
CN106027463B (en) 2019-10-01


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220414

Address after: Tiantianrong building, No. 1, Zhongguancun, Beiqing Road, Haidian District, Beijing 100094

Patentee after: TENDYRON Corp.

Address before: 100086 room 603, building 12, taiyueyuan, Haidian District, Beijing

Patentee before: Li Ming

TR01 Transfer of patent right