CN107277044B - Method and device for publishing and accessing a network encryption lock service
- Publication number: CN107277044B (application CN201710602119A)
- Authority: CN (China)
- Prior art keywords: network encryption, encryption lock, network, service, server
- Legal status: Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            - H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
      - H04L12/00—Data switching networks
        - H04L12/02—Details
          - H04L12/16—Arrangements for providing special services to substations
            - H04L12/18—Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
        - H04L63/12—Applying verification of the received information
          - H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/168—Implementing security features at a particular protocol layer above the transport layer
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/14—Session management
          - H04L67/141—Setup of application sessions
        - H04L67/50—Network services
          - H04L67/51—Discovery or management thereof, e.g. service location protocol [SLP] or web services
      - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        - H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
          - H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
            - H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
            - G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
Abstract
The invention discloses a method for publishing a network encryption lock service, a method for accessing such a service, and corresponding devices. The method of publishing the network encryption lock service includes: generating a multicast packet containing the network encryption lock service port and sending it to a multicast group having an agreed multicast address; receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to it. The solution of the present invention is well suited to the need to use a network encryption lock service in complex network environments such as those spanning network segments or regions.
Description
Technical field
The present invention relates to the field of network encryption lock (network dongle) technology, and in particular to a method for publishing and accessing a network encryption lock service and to corresponding devices.
Background technique
An encryption lock, also known as a dongle or "softdog", is an intelligent software-protection tool provided to software developers. It is a hardware circuit attached to a computer interface such as a parallel or serial port, accompanied by a set of interface software and tool software for various programming languages. A network encryption lock is designed to operate in a client-server network environment, where it protects software against unauthorized use and distribution. "Network encryption lock" refers to the usage scenario in which one encryption lock provides product functionality to one or more computers. In use, the network encryption lock may be plugged into a parallel port or USB interface on a network server, or into a parallel port or USB interface of any client; through network technology, a client without a lock sends its request to the network encryption lock, and after the encryption lock function has executed, the result is sent back to the client. Every network encryption lock allows access by multiple clients. In this way one encryption lock provides service to several computers, improving the utilization rate of the encryption lock.
In the current usage environment of the network encryption lock service, each client must be configured with the server-side IP address. Within a company, IP addresses are usually assigned dynamically, so each computer is allocated a new IP address after it starts; the server-side IP address therefore also tends to change when the server restarts, and whenever it changes every client must be reconfigured, which brings extra work. At present, networking plans inside large enterprises are relatively complex: for ease of management and for security, subnets are generally divided by functional department, group companies typically build internal office networks spanning regions, and working from remote sites has become part of routine work. A need therefore arises to use the network encryption lock service in complex network environments such as those spanning network segments or regions. At present, no scheme has been proposed for using a network encryption lock service in such complex network environments.
Summary of the invention
In view of the above defects in the prior art, the purpose of the present invention is to provide a method for publishing a network encryption lock service, a method for accessing a network encryption lock service, and corresponding devices, which are well suited to the need to use a network encryption lock service in complex network environments such as those spanning network segments or regions.
A first aspect of the solution according to the present invention provides a method for publishing a network encryption lock service, comprising: generating a multicast packet containing the network encryption lock service port and sending it to a multicast group having an agreed multicast address; receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establishing a secure communication connection with the network encryption lock client to provide the network encryption lock service to it.
Preferably, generating and sending the multicast packet containing the network encryption lock service port to the multicast group having the agreed multicast address specifically includes: creating a network socket and binding the agreed port to the created network socket; generating the multicast packet containing the network encryption lock service port that is to be sent to the multicast group having the agreed multicast address; and sending the multicast packet to the multicast group via the agreed port.
Preferably, the multicast packet further includes verification data for verifying the data integrity of the multicast packet.
Preferably, establishing the secure communication connection with the network encryption lock client specifically includes: establishing a communication connection with the network encryption lock client via the network encryption lock service port; sending network encryption lock service profile information to the network encryption lock client; and performing key agreement with the network encryption lock client to generate an encryption lock service key for use in subsequent communication with the network encryption lock client.
A second aspect of the solution according to the present invention provides a method for accessing a network encryption lock service, comprising: by joining a multicast group having an agreed multicast address, receiving from a network encryption lock server a multicast packet containing the network encryption lock service port, and recording the network address of the network encryption lock server; according to the recorded network address of the network encryption lock server, issuing a connection request to the network encryption lock server via the network encryption lock service port; and establishing a secure communication connection with the network encryption lock server to obtain the network encryption lock service.
Preferably, receiving the multicast packet containing the network encryption lock service port from the network encryption lock server by joining the multicast group having the agreed multicast address includes: creating a network socket and listening on the agreed port; and using the network socket to receive, via the agreed port, the multicast packet containing the network encryption lock service port from the network encryption lock server.
Preferably, the multicast packet further includes verification data for verifying the data integrity of the multicast packet, and the method further includes verifying the data integrity of the multicast packet by means of the verification data.
Preferably, establishing the secure communication connection with the network encryption lock server specifically includes: establishing a communication connection with the network encryption lock server via the network encryption lock service port; receiving network encryption lock service profile information from the network encryption lock server; and performing key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server.
Preferably, the method further includes: checking whether the recorded network address of the network encryption lock server is already recorded in a discovered encryption lock service list; if so, refreshing the last update time of that network encryption lock service in the discovered encryption lock service list; otherwise, adding the recorded network encryption lock service to the discovered encryption lock service list.
Preferably, the method further includes: determining, according to the last update time of the network encryption lock service recorded in the discovered encryption lock service list, whether the network encryption lock service has expired, and, if it is determined that the network encryption lock service has not expired, refreshing the last update time of the network encryption lock service in the discovered encryption lock service list.
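The bookkeeping for the discovered encryption lock service list described in the two paragraphs above, as an added Python example that is not the patent's own code. The list keyed by server address, the 30-second expiry interval and the pruning of expired entries are assumptions: the patent specifies the checks but neither a data structure nor a timeout, and the pruning goes slightly beyond what the summary states.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed for this example: a server that has not re-announced itself for this
# long is treated as expired (the patent leaves the interval unspecified).
DEFAULT_EXPIRY_SECONDS = 30.0


@dataclass
class DiscoveredService:
    server_ip: str        # network address recorded from the multicast source
    service_port: int     # network encryption lock service port from the packet
    last_update: float    # seconds on the caller's monotonic clock


class DiscoveredServiceList:
    """Client-side 'discovered encryption lock service list' keyed by server address."""

    def __init__(self, expiry_seconds: float = DEFAULT_EXPIRY_SECONDS):
        self._by_ip: Dict[str, DiscoveredService] = {}
        self._expiry = expiry_seconds

    def record(self, server_ip: str, service_port: int, now: float) -> bool:
        """Handle one validated announcement.

        If the server address is already recorded, only its last update time is
        refreshed (and the announced port kept current); otherwise a new entry
        is added. Returns True when a new service was added, False on refresh.
        """
        entry = self._by_ip.get(server_ip)
        if entry is not None:
            entry.last_update = now
            entry.service_port = service_port  # assumed: server may re-announce a new port
            return False
        self._by_ip[server_ip] = DiscoveredService(server_ip, service_port, now)
        return True

    def is_expired(self, server_ip: str, now: float) -> bool:
        """Expiry decision based solely on the entry's last update time."""
        entry = self._by_ip.get(server_ip)
        return entry is None or now - entry.last_update > self._expiry

    def purge_expired(self, now: float) -> List[str]:
        """Drop servers whose announcements have stopped; returns the removed addresses."""
        gone = [ip for ip, e in self._by_ip.items() if now - e.last_update > self._expiry]
        for ip in gone:
            del self._by_ip[ip]
        return gone

    def active(self, now: float) -> List[Tuple[str, int]]:
        """(server_ip, service_port) pairs a client may connect to, most recently seen first."""
        live = [e for e in self._by_ip.values() if now - e.last_update <= self._expiry]
        live.sort(key=lambda e: e.last_update, reverse=True)
        return [(e.server_ip, e.service_port) for e in live]


if __name__ == "__main__":
    # Constructed scenario: two servers announce, one keeps announcing, one goes silent.
    services = DiscoveredServiceList()
    services.record("10.0.0.5", 8030, now=0.0)
    services.record("10.0.1.7", 8030, now=5.0)
    services.record("10.0.0.5", 8030, now=10.0)   # refresh, not a new entry
    print("active at t=12:", services.active(12.0))
    print("purged at t=36:", services.purge_expired(36.0))
    print("active at t=36:", services.active(36.0))
```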
Another solution of the present invention provides a network encryption lock server, which includes a processor configured to execute computer program code so as to: generate a multicast packet containing the network encryption lock service port and send it to a multicast group having an agreed multicast address; receive, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establish a secure communication connection with the network encryption lock client to provide the network encryption lock service to it.
A further solution of the present invention provides a network encryption lock client, which includes a processor configured to execute computer program code so as to: by joining a multicast group having an agreed multicast address, receive from a network encryption lock server a multicast packet containing the network encryption lock service port, and record the network address of the network encryption lock server; according to the recorded network address of the network encryption lock server, issue a connection request to the network encryption lock server via the network encryption lock service port; and establish a secure communication connection with the network encryption lock server to obtain the network encryption lock service.
The solution of the present invention enables a network encryption lock client in the multicast group to obtain automatically, from the multicast packet, the network address of the network encryption lock server and the network encryption lock service port, and to be provided with the network encryption lock service over a secure communication connection established with the client. Even if the server IP address changes dynamically, there is no need to change the server IP address manually on the network encryption lock client; because the multicast packet contains the network encryption lock service port, the network lock client can access the network lock service automatically. The present invention thus does away with the cumbersome configuration of a fixed IP address required in traditional network lock usage, is suitable for LAN environments with dynamic IP address allocation, reduces the workload of configuring the service, and improves applicability.
Detailed description of the invention
Fig. 1 is a schematic diagram of the network architecture of the network encryption lock server and clients of an embodiment of the present invention;
Fig. 2 shows a method by which a network encryption lock server of an embodiment of the present invention publishes a network encryption lock service;
Fig. 3 shows a method, corresponding to the embodiment of Fig. 2, by which a network encryption lock client accesses the network encryption lock service;
Fig. 4 shows a method by which a network encryption lock server of another embodiment of the present invention publishes a network encryption lock service;
Fig. 5 shows a method, corresponding to the embodiment of Fig. 4, by which a network encryption lock client accesses the network encryption lock service.
Specific embodiment
The accompanying drawings, which are included in and form part of the description, show embodiments of the disclosure and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of the network architecture of the network encryption lock server and clients of an embodiment of the present invention. As shown in Fig. 1, there are subnet 10 and subnet 11, network encryption lock server 101, and routers 102, 112 and 122 (which support multicast); subnet 10 includes network encryption lock clients 103, 104 and 105, and subnet 11 includes network encryption lock clients 113, 114 and 115. Only three network encryption lock clients are shown per subnet in the figure as an example; in practice a subnet may contain more network encryption lock clients, and there may be multiple subnets.
The network encryption lock service is installed on the network encryption lock server (for convenience of description, "server") 101, which provides the network encryption lock service in response to requests from each network encryption lock client. Network encryption lock 11 is connected to server 101 through a USB interface or a parallel or serial port on server 101; network encryption lock 11 may also be a Bluetooth-type network encryption lock that establishes a connection with server 101 and communicates with it through the Bluetooth communication protocol. Only one network encryption lock 11 is shown in the figure; in practice, multiple network encryption locks 11 may be connected simultaneously to multiple communication interfaces of server 101, and server 101 may provide multiple network encryption lock services based on the requests of the network encryption lock clients. In this way, many clients can share a few network encryption locks, reducing the number of network encryption locks needed. As an example, protected software is installed on network encryption lock clients ("clients") 103, 104 and 113; this software requires the support of a network encryption lock at runtime and cannot complete execution without it, so that the software is protected. The protected software on clients 103, 104 and 113 is configured so that, when it needs the network encryption lock service, it sends a request to server 101 to access the network encryption lock service, waits for the server's response, and, after establishing a secure communication connection with server 101, uses the network encryption lock service it requires.
The network architecture of the network encryption lock server and clients shown in the embodiment of Fig. 1 is merely illustrative and does not limit the invention. For example, a layer-3 switch supporting routing can replace router 102, 112 or 122. As another example, there may be only one router on the path interconnecting the network encryption lock server and the clients, with multiple mutually independent subnet segments divided on that one router; the clients in those segments can send and receive data by joining the same multicast group. As a further example, when multicast discovery of the service is used across a wide area network, two or more routers between the wide area networks must complete the data forwarding, and joining the same multicast group in the networks that can be reached makes data transmission and reception possible. In addition, when the multiple multicast segments are separated by a network that does not support multicast (such as the Internet) or by a firewall configured with NAT or IPSec VPN, the firewall cannot establish a PIM neighbor relationship with the peer device and generate multicast routes; in this case, the isolated multicast segments can be connected, for example, by configuring a GRE tunnel, so that multicast can be used.
Fig. 2 shows a method by which a network encryption lock server of an embodiment of the present invention publishes a network encryption lock service, comprising:
Step S201: generating a multicast packet containing the network encryption lock service port and sending it to the multicast group having the agreed address.
Multicast refers to delivering information to a group of destination addresses at the same time. The strategy it uses is efficient, because a message need be transmitted only once on each network link and is copied only where the links branch. Multicast is a one-to-many communication mode between network hosts: hosts that have joined the same group can receive all the data in that group, and the switches and routers in the network copy and forward data only to those that have requested it. The set of hosts that can receive data sent to a specific multicast group address is called a multicast group. A host can ask a router to join or leave a multicast group, and the routers and switches in the network copy and transmit data selectively, that is, they deliver the group's data only to the hosts that have joined. Data can thus be delivered in one transmission to the multiple hosts that need it (those that joined the group), while guaranteeing that the communication of other hosts that do not need it (those that did not join) is unaffected. The advantages of multicast are: 1) clients that need the same data stream join the same group and share the data stream, saving server load, an advantage that broadcast also has; 2) because the multicast protocol copies and forwards the data stream according to the recipients, the total service bandwidth on the server side is not limited by the access bandwidth of the clients. A router that can run a multicast protocol is called a multicast router; it may be a dedicated router or an ordinary router running multicast software. In addition, some layer-3 switches that support routing also have multicast functionality. In an IP network, multicast is generally realized by means of multicast IP addresses, which are class D IP addresses, i.e. the IP addresses from 224.0.0.0 to 239.255.255.255.
In networks using the TCP/IP protocol stack, multicast is carried out with UDP at the transport layer. Taking the UDP protocol as an example, the detailed process S2011-S2013 (not shown) of generating the multicast packet containing the network encryption lock service port and sending it to the multicast group is described below.
Step S2011: create a network socket and bind the agreed port to the created network socket. The agreed port is a port agreed in advance between the server and the clients, for example port 10010.
Step S2012: generate the multicast packet containing the network encryption lock service port that is to be sent to the multicast group having the agreed multicast address.
A UDP datagram has a defined format, containing fields such as source port, destination port, UDP length, checksum and data. The network encryption lock service port can be placed in the data field. The generated multicast packet may contain not only the network encryption lock service port but also an agreed characteristic value, the type of the multicast message (such as request or response), a checksum and other content. The agreed characteristic value and the checksum are used to guarantee the data integrity of the multicast packet received by the client: the receiving end of the multicast data, i.e. the client, can perform checksum verification on the multicast packet to guard against tampering or forgery during transmission.
Step S2013: after the multicast packet defined above has been generated, send it to the multicast group via the agreed port. If a network encryption lock client has joined the multicast group, it can receive the multicast packet.
After the multicast packet containing the network encryption lock service port has been generated and sent to the multicast group having the agreed multicast address in step S201, step S202 is executed next.
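As an added example that is not part of the patent, the following Python code implements steps S2011-S2013 on the server side together with the client's matching receive-and-verify path. The payload layout, the agreed characteristic value, the multicast address, the message-type codes and the use of CRC32 as the checksum are assumptions: the patent names these fields but fixes only the agreed UDP port 10010.

```python
import socket
import struct
import zlib

# Values agreed in advance between server and clients. Only AGREED_PORT comes
# from the patent; the address and the characteristic value are assumed here.
AGREED_MULTICAST_ADDR = "239.255.10.10"   # class D address, assumed
AGREED_PORT = 10010                        # agreed UDP port from step S2011
AGREED_FEATURE = 0x4E4C4B53                # "agreed characteristic value", assumed

MSG_REQUEST = 1     # multicast message types named on the page
MSG_RESPONSE = 2

# Assumed layout of the UDP data field, all fields big-endian:
#   feature(4) | msg_type(1) | service_port(2) | crc32(4)
_HDR = struct.Struct("!IBH")
_CRC = struct.Struct("!I")
PACKET_LEN = _HDR.size + _CRC.size   # 11 bytes


def build_announcement(service_port: int, msg_type: int = MSG_RESPONSE) -> bytes:
    """Step S2012: build the datagram that publishes the TCP service port."""
    if not 0 < service_port < 65536:
        raise ValueError("service port out of range")
    body = _HDR.pack(AGREED_FEATURE, msg_type, service_port)
    # Checksum covers every field, so a change to any of them is detected.
    return body + _CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_announcement(data: bytes) -> dict:
    """Client side: check length, checksum and characteristic value, return the fields.

    Raises ValueError for anything that is not an intact announcement, so stray
    or corrupted datagrams arriving on the agreed port are simply dropped.
    """
    if len(data) != PACKET_LEN:
        raise ValueError("unexpected datagram length")
    body, (crc,) = data[:_HDR.size], _CRC.unpack(data[_HDR.size:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("checksum mismatch: datagram corrupted or altered")
    feature, msg_type, service_port = _HDR.unpack(body)
    if feature != AGREED_FEATURE:
        raise ValueError("not a network encryption lock announcement")
    if msg_type not in (MSG_REQUEST, MSG_RESPONSE):
        raise ValueError("unknown message type")
    return {"msg_type": msg_type, "service_port": service_port}


def is_valid_announcement(data: bytes) -> bool:
    """Convenience predicate wrapping parse_announcement()."""
    try:
        parse_announcement(data)
        return True
    except ValueError:
        return False


def server_socket() -> socket.socket:
    """Step S2011: UDP socket bound to the agreed port; TTL > 1 lets it cross routers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 8)
    s.bind(("", AGREED_PORT))
    return s


def client_socket() -> socket.socket:
    """Client side: listen on the agreed port and join the agreed multicast group."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", AGREED_PORT))
    mreq = socket.inet_aton(AGREED_MULTICAST_ADDR) + socket.inet_aton("0.0.0.0")
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s


def publish(sock: socket.socket, service_port: int) -> int:
    """Step S2013: send one announcement to the agreed group; returns bytes sent."""
    return sock.sendto(build_announcement(service_port),
                       (AGREED_MULTICAST_ADDR, AGREED_PORT))


def receive_announcement(sock: socket.socket):
    """Client side: (server_ip, service_port) from the datagram source, or None if rejected."""
    data, (src_ip, _src_port) = sock.recvfrom(512)
    if not is_valid_announcement(data):
        return None
    return src_ip, parse_announcement(data)["service_port"]


if __name__ == "__main__":
    pkt = build_announcement(8030)                  # constructed sample announcement
    print(parse_announcement(pkt))                  # {'msg_type': 2, 'service_port': 8030}
    tampered = pkt[:5] + b"\x00\x00" + pkt[7:]      # port field altered in transit
    print("tampered accepted:", is_valid_announcement(tampered))   # False
```

A checksum detects accidental corruption and casual alteration of the datagram but cannot prove who sent it, which is why the TCP session that follows still has to authenticate the server during the key agreement of step S203.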
Step S202: receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group.
The network encryption lock service port is the predetermined port through which server 101 provides the network encryption lock service. Clients 103, 104 or 105 obtain the network encryption lock service provided by server 101 through this network encryption lock service port.
In view of the reliability of communication, the connection request can usually use point-to-point TCP communication. The client sends a TCP request via the network encryption lock service port, and the server receives the TCP request sent by the client via the network encryption lock service port.
Then step S203 is entered: establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to it.
There are many ways in which the network encryption lock server and client can establish a secure communication connection, for example using the SSH protocol (Secure Shell) or the HTTPS protocol. In one embodiment, step S203 can be implemented through three sub-steps S2031-S2033 (not shown).
In step S2031, a TCP connection is established with the client according to the received TCP connection request from the client.
Then, in step S2032, the network encryption lock service profile information is sent to the network encryption lock client. The network encryption lock service profile information can specifically include: 1. service host information, such as MAC address, host name, IP address and port; 2. service configuration parameter information, such as multicast address, service type, operating mode, connection timeout, message timeout and other remote server-side configuration parameters. Next, step S2033 is executed.
In step S2033, key agreement is performed with the network encryption lock client to generate an encryption lock service key. The generated encryption lock service key is used during subsequent communication between the server and the client to ensure the security of the encryption lock service being used.
Key agreement refers to the process by which two or more entities negotiate and jointly establish a session key. The effect of key agreement is that, even if an attacker is eavesdropping on the network transmission between client and server, the client can still use the "key agreement mechanism" to negotiate with the server a key for encrypting application-layer data (also called the "session key"). There are several types of key exchange/agreement mechanism: 1) using an asymmetric encryption algorithm. The principle is: the party holding the public key first generates a random session key and encrypts it with the public key; the encrypted result is sent to the other party, who decrypts it with the private key; both parties then hold the session key. RSA is an example. 2) Relying on a dedicated key-exchange algorithm, such as the DH algorithm and its variants. 3) Using a "secret" shared in advance by the two communicating parties. The principle: since both parties already hold a shared secret (this "secret" may be a key, or merely a password), it is only necessary to generate a key according to a certain algorithm so that both parties derive the same key (whose length can be specified arbitrarily), for example PSK and SRP.
The HTTPS protocol can be used to implement the process of step S2023. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel whose aim is security: an SSL layer is added beneath HTTP, so the security foundation of HTTPS is SSL, and the details of the encryption therefore rely on SSL. This system was originally developed by Netscape and provides authentication and encrypted communication; it is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments. Furthermore, step S2023 can also be implemented using the OAKLEY key determination protocol.
With the method of publishing the network encryption lock service of this embodiment, a network encryption lock client that has joined the multicast group can automatically obtain, from the multicast packet, the network address and the network encryption lock service port of the network encryption lock server, and a secure communication connection is established with the network encryption lock client to provide the network encryption lock service to it. As a result, when the IP address of the network encryption lock server changes dynamically, this method does not require the server IP address to be reconfigured manually on the network encryption lock client, which reduces the workload of configuring the network encryption lock service; and in complex network environments such as those spanning network segments or regions, the scheme meets well the need to use the network encryption lock service. Furthermore, because the network encryption lock service profile information is sent to the client by way of multicast, the client can automatically configure the parameters required for the network encryption lock service, improving its ability to access the network encryption lock service automatically.
In this embodiment, the method of publishing the network encryption lock service has been described with the network encryption lock server as the acting entity. However, in some variant embodiments, a proxy server that establishes a communication connection with the network encryption lock server may act as the entity that publishes the network encryption lock service. In addition, the network encryption lock need not be connected to server 101 through a USB interface or a parallel or serial port on server 101 as shown in Fig. 1; it may instead be connected to a special device similar to a USB server, which in turn connects to the network encryption lock server.
Fig. 3 shows a method, corresponding to the embodiment of Fig. 2, by which a network encryption lock client accesses the network encryption lock service. It includes:
Step S301: by joining the multicast group with the agreed multicast address, receive from the network encryption lock server the multicast datagram containing the network encryption lock service port, and record the network address of the network encryption lock server.
A multicast datagram is a packet whose destination address field in the header is a multicast address. When the network encryption lock client receives the multicast datagram, it can obtain the IP address of the datagram's source (namely the network encryption lock server). The client then records the server's network address, and obtains and records the network encryption lock service port from the multicast datagram.
Step S301 may specifically comprise steps S3011-S3013 (not shown). In step S3011, the client creates a network socket, joins the multicast group with the agreed multicast address and listens on the agreed port. The agreed multicast address is a multicast address agreed in advance between the network encryption lock server and the client, and the agreed port is a port agreed in advance between the network encryption lock server and the client, for example port 11010. Then, in step S3012, the client uses the network socket to receive, via the agreed port, the multicast datagram containing the network encryption lock service port from the network encryption lock server. After the multicast datagram has been received, in step S3013 the network (IP) address of the datagram's source (that is, the network encryption lock server) is recorded, and the method proceeds to step S302.
Step S302: according to the recorded network address of the network encryption lock server, issue a connection request to the network encryption lock server via the network encryption lock service port.
Specifically, for reliability of communication, the network encryption lock client can send a TCP connection request to the server and wait for the server's response.
Step S303: establish a secure communication connection with the network encryption lock server to obtain the network encryption lock service.
There are many ways for the network encryption lock server and the client to establish a secure communication connection, for example using the SSH (Secure Shell) protocol or the HTTPS protocol.
In one embodiment, step S303 is realized by three sub-steps S3031-S3033 (not shown). Step S3031: establish a communication connection with the network encryption lock server via the network encryption lock service port. Specifically, if the client has sent a TCP connection request to the server, it waits for the server's response and establishes a TCP connection with the server. Step S3032: receive the network encryption lock service configuration information from the network encryption lock server. The network encryption lock service configuration information may specifically include: 1. service host information, such as MAC address, host name, IP address and port; 2. service configuration parameter information, such as the remote service-side configuration parameters multicast address, service type, operating mode, connection timeout, message timeout and service description. Next, step S3033 is executed: carry out key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server. This step can be realized using the HTTPS protocol or the OAKLEY key determination protocol.
With the method for accessing the network encryption lock service of this embodiment, the desired network encryption lock service can be accessed automatically without manually configuring each item of network encryption lock service configuration information on the network encryption lock client. For example, in some embodiments the network encryption lock client can evaluate the received network encryption lock service configuration information (such as the multicast address, service type, operating mode or service description) to decide whether to use that particular network encryption lock service. When the client determines that the network encryption lock service is not the service it wants, it can leave the current multicast group and join another multicast group.
Fig. 4 shows a method by which a network encryption lock server of one embodiment of the present invention publishes the network encryption lock service, comprising the following steps:
S401: create a network socket (such as a UDP socket) and bind the agreed port (such as 11010).
S402: send a multicast datagram to the multicast group at every predetermined time interval (for example, 10 seconds); the multicast datagram contains the agreed characteristic value, the network encryption lock service TCP port, the multicast message type (request or response), a checksum and the service IP information.
S403: wait for a TCP connection request from a network encryption lock client.
S404: if a TCP connection request from a network encryption lock client is received, establish a TCP connection with the client.
S405: send the network encryption lock service configuration information to the network encryption lock client. The network encryption lock service configuration information may include: 1. service host information, for example MAC address, host name, IP address and port; 2. service configuration parameter information, such as the remote service-side configuration parameters multicast address, service type, operating mode, connection timeout, message timeout and service description.
S406: carry out key agreement with the network encryption lock client and generate an encryption lock service temporary key.
Fig. 5 shows a method, corresponding to the embodiment of Fig. 4, by which a network encryption lock client accesses the network encryption lock service.
S501: create a UDP network socket, listen on the agreed port (for example 11010) corresponding to the embodiment of Fig. 4, and join the multicast group with the agreed multicast address; if joining succeeds, wait for multicast messages; if joining fails, exit.
S502: receive the multicast datagram containing the network encryption lock service TCP port, parse the packet content, obtain the service IP information contained in the multicast datagram, verify the data content of the multicast datagram using the agreed characteristic value and the checksum in the service IP information, and at the same time record the IP address of the source (namely the server) of the multicast datagram.
S503: check whether the server IP address has already been recorded in the discovered encryption lock service list. If it has not been recorded, the service is a newly discovered service; jump to step S5051. If the server IP address has been recorded, the network encryption lock service is an already discovered service; jump to step S504.
S5051: according to the recorded server IP address, issue a connection request to the server via the network encryption lock service TCP port, then proceed to step S5052.
S5052: wait for the server's response, establish a TCP connection with the server, and proceed to step S5053.
S5053: receive the network encryption lock service configuration information from the server.
S5054: carry out key agreement with the server to obtain the network encryption lock service key, which is used in subsequent communication. If the key agreement succeeds, proceed to S5055; if it fails, do nothing further.
S5055: add the network encryption lock service to the discovered encryption lock service list.
S504: refresh the last update time of the service.
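The announcement datagram of S402 and its verification on the client in S502 (which also covers the receive step S3012 of Fig. 3 and the integrity check of claims 3 and 6), as an added Python example that is not part of the patent. The patent lists the fields (agreed characteristic value, service TCP port, message type, checksum, service IP information) but not their byte layout, so the layout below is an assumption. The patent specifies a checksum; this example replaces it with a keyed HMAC-SHA256 tag under an assumed pre-shared key, a hardening choice since a plain checksum detects corruption but not a forged announcement injected into the multicast group. The names, the magic value and the sample addresses and port are constructed.

```python
"""Constructed network encryption lock announcement datagram (S402/S502).

Added illustration, not the patent's own code.  Field layout, the HMAC tag
in place of the patent's checksum, and the pre-shared key are assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

AGREED_MAGIC = 0x4E444C4B             # assumed "agreed characteristic value"
MSG_REQUEST = 1                       # multicast message types named in S402
MSG_RESPONSE = 2
SHARED_KEY = b"constructed-demo-key"  # assumed key shared by server and clients

# Assumed wire layout, network byte order:
#   magic u32 | msg_type u8 | tcp_port u16 | service_ip u32 | tag 32 bytes
_HEADER = struct.Struct("!IBHI")
_TAG_LEN = hashlib.sha256().digest_size


class BadAnnouncement(ValueError):
    """Raised by the client when a datagram fails any verification step."""


def _tag(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def build_announcement(msg_type: int, tcp_port: int, service_ip: str,
                       key: bytes = SHARED_KEY) -> bytes:
    """Server side (S402): serialize the announcement and append its tag."""
    if msg_type not in (MSG_REQUEST, MSG_RESPONSE):
        raise ValueError("unknown multicast message type")
    body = _HEADER.pack(AGREED_MAGIC, msg_type, tcp_port,
                        int(ipaddress.IPv4Address(service_ip)))
    return body + _tag(body, key)


def parse_announcement(datagram: bytes, source_ip: str,
                       key: bytes = SHARED_KEY) -> dict:
    """Client side (S502): verify the datagram, then return what the client
    records: the service TCP port, the advertised service IP and the source
    address of the datagram (the network encryption lock server)."""
    if len(datagram) != _HEADER.size + _TAG_LEN:
        raise BadAnnouncement("unexpected datagram length")
    body, tag = datagram[:_HEADER.size], datagram[_HEADER.size:]
    # Check the tag first, in constant time, before trusting any field.
    if not hmac.compare_digest(_tag(body, key), tag):
        raise BadAnnouncement("integrity tag mismatch")
    magic, msg_type, tcp_port, ip_int = _HEADER.unpack(body)
    if magic != AGREED_MAGIC:
        raise BadAnnouncement("agreed characteristic value mismatch")
    if msg_type not in (MSG_REQUEST, MSG_RESPONSE):
        raise BadAnnouncement("unknown multicast message type")
    if not 1 <= tcp_port <= 65535:
        raise BadAnnouncement("service TCP port out of range")
    return {
        "server_ip": source_ip,      # recorded from the datagram source (S502)
        "service_ip": str(ipaddress.IPv4Address(ip_int)),
        "tcp_port": tcp_port,
        "msg_type": msg_type,
    }


def announcement_is_valid(datagram: bytes, source_ip: str,
                          key: bytes = SHARED_KEY) -> bool:
    """Convenience wrapper: True if the client would accept the datagram."""
    try:
        parse_announcement(datagram, source_ip, key)
        return True
    except BadAnnouncement:
        return False


if __name__ == "__main__":
    # Constructed sample: the server at 192.0.2.10 advertises TCP port 11011.
    dgram = build_announcement(MSG_RESPONSE, 11011, "192.0.2.10")
    print(parse_announcement(dgram, "192.0.2.10"))
    forged = bytearray(dgram)
    forged[5] ^= 0xFF                                           # tamper with the port field
    print(announcement_is_valid(bytes(forged), "192.0.2.10"))  # False
```

The client records the UDP source address rather than trusting an address carried inside the datagram, as S502 requires, and the tag is checked before any field is interpreted, so a corrupted or forged datagram is discarded without ever reaching the S503 list handling.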
This embodiment may also include some additional (optional) steps.
For example, between step S5053 and step S5054 there may be a step of judging, according to the network encryption lock service configuration information, whether to access the network encryption lock service (that is, whether to carry out the key agreement of S5054), so as to ensure that the client accesses the network encryption lock service it wants. More specifically, whether the service is the network encryption lock service that the client's user expects to use can be determined according to, for example, the multicast address, service type, operating mode or service description, and on that basis it is decided whether to carry out the key agreement process of S5054.
As another example, steps for checking for expired services (not shown) may be included after step S506. With these steps, the validity of the recorded network encryption lock services can be inspected periodically.
S507: check the last update time of the network encryption lock service at a predetermined interval. The check interval is greater than the server-side multicast interval, for example about 1.5 times the server-side multicast interval. It can be arranged that when N (N being a natural number, preferably 2) consecutive multicast messages of a service have not been received, the state of the network encryption lock service is marked as unavailable.
Step S507 may include the following two sub-steps.
S5071: traverse the discovered encryption lock service list and judge in turn whether each service's last update time has expired. For example, the service is judged expired when the difference between the current computer time and the last update time is greater than 2 times the service's multicast interval. When the service is judged not expired, refresh the service's last update time with the current computer time; otherwise execute S509.
S5072: when the service is judged expired, attempt to access the service. Send a TCP validation request according to the service IP and other information; if a response is received, the service still exists, so update the service's last refresh time with the current computer time and set the service state to available; if the request receives no response or times out, set the service state to unavailable.
Through the above steps, expired network encryption lock services can be discovered in time, improving the reliability of accessing the service.
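The discovered encryption lock service list of S503, S504 and S5055 together with the expiry check of S507 (S5071/S5072), which claims 7 and 8 also describe, as an added Python example that is not part of the patent. The class and method names are assumptions; the constants follow the text: a multicast interval of 10 seconds, a check interval of 1.5 times that, and a service judged expired after 2 missed multicast periods. The TCP validation request of S5072 is represented by an injected `probe` callback, and the clock is injectable, so that the logic runs without a network. One deliberate departure, stated here as a design choice: an entry that is not yet expired is left untouched at check time rather than having its last update time refreshed, because refreshing on every check would hide missed announcements; only a received announcement (S504) or a successful validation request (S5072) refreshes the timestamp.

```python
"""Constructed discovered-service list with expiry checking (S503-S507).

Added illustration, not the patent's own code.  Names are assumptions; the
intervals come from the text (10 s multicast, 1.5x check, 2 missed periods).
"""
import time
from typing import Callable, Dict, Optional

MULTICAST_INTERVAL = 10.0                  # S402: one announcement every 10 s
CHECK_INTERVAL = 1.5 * MULTICAST_INTERVAL  # S507: check period above the multicast period
MISSED_PERIODS = 2                         # S507: N = 2 consecutive missed announcements


class DiscoveredServices:
    """The 'discovered encryption lock service list', keyed by server IP."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so the expiry logic is testable offline
        self._services: Dict[str, dict] = {}

    def is_known(self, server_ip: str) -> bool:
        """S503: has this server IP already been recorded?"""
        return server_ip in self._services

    def refresh(self, server_ip: str) -> None:
        """S504: an announcement from a known server refreshes its last update time
        (and, as an assumption, marks it available again since the server is alive)."""
        rec = self._services[server_ip]
        rec["last_update"] = self._clock()
        rec["available"] = True

    def add(self, server_ip: str, tcp_port: int, config: dict) -> None:
        """S5055: record a newly discovered service after key agreement succeeded."""
        self._services[server_ip] = {
            "tcp_port": tcp_port,
            "config": config,             # configuration information from S5053
            "last_update": self._clock(),
            "available": True,
        }

    def on_announcement(self, server_ip: str) -> bool:
        """S503 dispatch: True when the caller must connect (S5051..S5055),
        False when the announcement only refreshed a known service (S504)."""
        if self.is_known(server_ip):
            self.refresh(server_ip)
            return False
        return True

    def is_expired(self, server_ip: str) -> bool:
        """S5071: expired when no announcement for more than N multicast periods."""
        age = self._clock() - self._services[server_ip]["last_update"]
        return age > MISSED_PERIODS * MULTICAST_INTERVAL

    def check_expiry(self, probe: Callable[[str, int], bool]) -> Dict[str, bool]:
        """S5071/S5072: traverse the list; for expired entries send a validation
        request via probe(ip, port).  A reply refreshes the entry and marks it
        available; no reply or a timeout marks it unavailable."""
        for server_ip, rec in self._services.items():
            if not self.is_expired(server_ip):
                continue                 # design choice: fresh entries are left alone
            if probe(server_ip, rec["tcp_port"]):
                rec["last_update"] = self._clock()
                rec["available"] = True
            else:
                rec["available"] = False
        return {ip: rec["available"] for ip, rec in self._services.items()}

    def available(self, server_ip: str) -> Optional[bool]:
        """Current state of a recorded service, or None if it was never recorded."""
        rec = self._services.get(server_ip)
        return None if rec is None else rec["available"]


if __name__ == "__main__":
    # Constructed walk-through with a fake clock instead of waiting real seconds.
    now = [0.0]
    services = DiscoveredServices(clock=lambda: now[0])
    if services.on_announcement("192.0.2.10"):          # new service: connect first
        services.add("192.0.2.10", 11011, {"host": "lock-srv"})
    now[0] += 3 * MULTICAST_INTERVAL                    # three announcements missed
    print(services.check_expiry(probe=lambda ip, port: False))  # {'192.0.2.10': False}
```

In deployment check_expiry would be scheduled every CHECK_INTERVAL seconds and probe would open a TCP connection to the recorded service port with a timeout, so that a server that has silently gone away is marked unavailable after at most two missed announcements plus one probe timeout.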
The following embodiment assumes the case where the network encryption lock server and the client are multi-NIC hosts. In this case, on the server side, the information of all the server's network interface cards is obtained, and when the multicast message is sent periodically, all network interface cards are traversed in turn and the multicast message is sent to each agreed multicast address. Correspondingly, on the client side, the information of all the client's network interface cards is obtained, each multicast group is joined on the respective network interface card according to each agreed address, and the port is listened on while waiting for the server-side multicast message.
According to the solutions of the embodiments of the present invention, compared with the traditional scheme of manually configuring the network encryption lock server IP address and the network encryption lock service configuration information, the method of automatically discovering services in a multicast group reduces the manual maintenance workload, adapts to complex network environments such as those spanning network segments or regions, and improves the applicability of the network encryption lock service.
In addition, another embodiment of the present invention provides a network encryption lock server comprising a processor, where the processor can execute computer program code to: generate a multicast datagram containing the network encryption lock service port to be sent to the multicast group with the agreed multicast address; send the generated multicast datagram to the multicast group via the agreed port; receive, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establish a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to the network encryption lock client. The network encryption lock server of this embodiment enables a client that joins the multicast group to access the network encryption lock service it offers automatically, securely and reliably.
In one embodiment, a network encryption lock client is also provided, comprising a processor that can execute computer program code to: by joining the multicast group with the agreed multicast address, receive from the network encryption lock server the multicast datagram containing the network encryption lock service port, and record the network address of the network encryption lock server; according to the recorded network address of the network encryption lock server, issue a connection request to the network encryption lock server via the network encryption lock service port; and establish a secure communication connection with the network encryption lock server to obtain the network encryption lock service. The network encryption lock client of this embodiment can automatically, securely and reliably access the particular network encryption lock service provided by the encryption lock server through the multicast group it joins, can join a specific multicast group according to the encryption lock service it requires, and can choose to leave the multicast group once it has finished using the network encryption lock service.
For details of the above network encryption lock server and client embodiments that are not described in full, please refer to the description of the method embodiments of the present invention.
The above embodiments are only exemplary embodiments of the present invention and are not intended to limit it; the scope of protection of the present invention is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present invention within its spirit and scope, and such modifications or equivalent replacements should also be regarded as falling within the scope of the present invention.
Claims (10)
1. A method of publishing a network encryption lock service, comprising:
generating a multicast datagram containing a network encryption lock service port and sending it via an agreed port to a multicast group having an agreed multicast address;
receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and
establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to the network encryption lock client,
wherein establishing the secure communication connection with the network encryption lock client specifically includes:
establishing a communication connection with the network encryption lock client via the network encryption lock service port;
sending network encryption lock service configuration information to the network encryption lock client; and
carrying out key agreement with the network encryption lock client to generate an encryption lock service key for use in subsequent communication with the network encryption lock client.
2. The method of claim 1, wherein generating the multicast datagram containing the network encryption lock service port and sending it via the agreed port to the multicast group having the agreed multicast address specifically includes:
creating a network socket and binding the agreed port for the created network socket;
generating the multicast datagram containing the network encryption lock service port to be sent to the multicast group having the agreed multicast address; and
sending the multicast datagram to the multicast group via the agreed port.
3. The method of claim 1, wherein the multicast datagram further includes verification data for verifying the data integrity of the multicast datagram.
4. A method of accessing a network encryption lock service, comprising:
by joining a multicast group having an agreed multicast address, receiving via an agreed port a multicast datagram containing a network encryption lock service port from a network encryption lock server, and recording the network address of the network encryption lock server;
according to the recorded network address of the network encryption lock server, issuing a connection request to the network encryption lock server via the network encryption lock service port; and
establishing a secure communication connection with the network encryption lock server to obtain the network encryption lock service,
wherein establishing the secure communication connection with the network encryption lock server specifically includes:
establishing a communication connection with the network encryption lock server via the network encryption lock service port;
receiving network encryption lock service configuration information from the network encryption lock server; and
carrying out key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server.
5. The method of claim 4, wherein receiving, by joining the multicast group having the agreed multicast address, the multicast datagram containing the network encryption lock service port from the network encryption lock server via the agreed port specifically includes:
creating a network socket, joining the multicast group having the agreed multicast address and listening on the agreed port; and
receiving, using the network socket, the multicast datagram containing the network encryption lock service port from the network encryption lock server via the agreed port.
6. The method of claim 4, wherein the multicast datagram further includes verification data for verifying the data integrity of the multicast datagram, and the method further includes verifying the data integrity of the multicast datagram by means of the verification data.
7. The method of claim 4, further comprising:
checking whether the recorded network address of the network encryption lock server is already recorded in a discovered encryption lock service list; if so, refreshing the last update time of the network encryption lock service in the discovered encryption lock service list; otherwise, adding the recorded network encryption lock service to the discovered encryption lock service list.
8. The method of claim 7, further comprising:
determining, according to the last update time of the network encryption lock service recorded in the discovered encryption lock service list, whether the network encryption lock service has expired, and
if it is determined that the network encryption lock service has not expired, refreshing the last update time of the network encryption lock service in the discovered encryption lock service list.
9. A network encryption lock server, comprising a processor configured to execute computer program code to:
generate a multicast datagram containing a network encryption lock service port and send it via an agreed port to a multicast group having an agreed multicast address;
receive, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and
establish a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to the network encryption lock client,
wherein establishing the secure communication connection with the network encryption lock client specifically includes:
establishing a communication connection with the network encryption lock client via the network encryption lock service port;
sending network encryption lock service configuration information to the network encryption lock client; and
carrying out key agreement with the network encryption lock client to generate an encryption lock service key for use in subsequent communication with the network encryption lock client.
10. A network encryption lock client, comprising a processor configured to execute computer program code to:
by joining a multicast group having an agreed multicast address, receive via an agreed port a multicast datagram containing a network encryption lock service port from a network encryption lock server, and record the network address of the network encryption lock server;
according to the recorded network address of the network encryption lock server, issue a connection request to the network encryption lock server via the network encryption lock service port; and
establish a secure communication connection with the network encryption lock server to obtain the network encryption lock service,
wherein establishing the secure communication connection with the network encryption lock server specifically includes:
establishing a communication connection with the network encryption lock server via the network encryption lock service port;
receiving network encryption lock service configuration information from the network encryption lock server; and
carrying out key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710602119.XA CN107277044B (en) | 2017-07-21 | 2017-07-21 | The method and device of publication and access network encryption lock service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107277044A CN107277044A (en) | 2017-10-20 |
CN107277044B true CN107277044B (en) | 2019-06-11 |
Family
ID=60079386
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107277044B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110392076B (en) * | 2018-04-19 | 2021-01-29 | 华为技术有限公司 | Method, device and storage medium for vehicle-to-any V2X communication |
CN111680211A (en) * | 2020-05-28 | 2020-09-18 | 贵州省电子证书有限公司 | Method and device for calling smart key password application across browsers |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242306A (en) * | 2008-02-28 | 2008-08-13 | 华为技术有限公司 | Method, system, device and server for automatic discovery of network device |
CN101669348A (en) * | 2007-04-27 | 2010-03-10 | 诺基亚公司 | Universal datagram protocol (udp) port based broadcast filtering |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102711104B (en) * | 2006-09-07 | 2015-04-15 | 华为技术有限公司 | Method for determining secret key updating time and secret key using entity |
WO2012143880A1 (en) * | 2011-04-19 | 2012-10-26 | Nagravision S.A. | Ethernet decoder device and method to access protected content |
CN103873301A (en) * | 2014-03-20 | 2014-06-18 | 浙江宇视科技有限公司 | System and method for automatically finding and adding devices |
US10320612B2 (en) * | 2014-06-20 | 2019-06-11 | Tellabs Operations, Inc. | Method and apparatus for providing automatic node configuration using a dongle |
CN104537283A (en) * | 2014-12-17 | 2015-04-22 | 安徽清新互联信息科技有限公司 | Software licensing control device based on network |
US9871666B2 (en) * | 2015-06-25 | 2018-01-16 | AvaLAN Wireless Systems, Inc. | Intermediate unicast network and method for multicast data networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing; Patentee after: Beijing Shendun Technology Co.,Ltd.; Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing; Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |