CN107277044B - Method and device for publishing and accessing a network encryption lock service - Google Patents


Info

Publication number: CN107277044B
Authority: CN (China)
Prior art keywords: network encryption, encryption lock, network, service, server
Legal status: Active
Application number: CN201710602119.XA
Other languages: Chinese (zh)
Other versions: CN107277044A (en)
Inventors: 孙吉平, 史继超
Current Assignee: Beijing Senseshield Technology Co Ltd
Original Assignee: Beijing Senseshield Technology Co Ltd
Priority date:
Filing date:
Publication date:

Events
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN201710602119.XA
Publication of CN107277044A
Application granted
Publication of CN107277044B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
                • H04L 12/00 Data switching networks
                    • H04L 12/02 Details
                        • H04L 12/16 Arrangements for providing special services to substations
                            • H04L 12/18 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/10 Network security for controlling access to devices or network resources
                        • H04L 63/108 Controlling access when the policy decisions are valid for a limited amount of time
                    • H04L 63/12 Applying verification of the received information
                        • H04L 63/123 Applying verification of the received data contents, e.g. message integrity
                    • H04L 63/16 Implementing security features at a particular protocol layer
                        • H04L 63/168 Implementing security features at a protocol layer above the transport layer
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/14 Session management
                        • H04L 67/141 Setup of application sessions
                    • H04L 67/50 Network services
                        • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
                • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                        • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
                            • H04L 69/162 Implementation details involving adaptations of sockets based mechanisms
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/31 User authentication
                            • G06F 21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards

Abstract

The invention discloses a method for publishing a network encryption lock service, a method for accessing such a service, and corresponding devices. The method of publishing the network encryption lock service includes: generating a multicast packet containing the network encryption lock service port and sending it to a multicast group with an agreed multicast address; receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to it. The solution of the present invention is well suited to the need to use a network encryption lock service in complex network environments such as across network segments or across regions.

Description

Method and device for publishing and accessing a network encryption lock service
Technical field
The present invention relates to the field of network encryption lock technology, and in particular to a method of publishing and accessing a network encryption lock service and to corresponding devices.
Background technique
An encryption lock, also known as a dongle or softdog, is an intelligent software encryption tool provided for software developers. It is a hardware circuit attached to an interface of the computer such as a parallel port or serial port, supplied together with a set of interface software and tool software suitable for various languages. A network encryption lock is suited to a client-server network environment and can securely protect software from being used or distributed illegally. "Network encryption lock" refers to the usage scenario in which one encryption lock provides product functions to one or more computers. In use, the network encryption lock can be plugged into a parallel port or USB interface on a network server, or into a parallel port or USB interface of any client; through network technology, requests from clients without a lock are sent to the network encryption lock, and after the encryption lock function has executed the result is sent back to each client, so that the network encryption lock allows access by multiple clients. In this way one encryption lock provides service to multiple computers, improving the utilization rate of the encryption lock.
In the current usage environment of a network encryption lock service, each client must be configured with the server-side IP address. IP addresses inside a company are usually managed by dynamic allocation, so each computer is assigned a new IP after every start-up, and the server-side IP address also tends to change when the server restarts; whenever the server-side IP address changes, all clients have to be reconfigured, which brings extra workload. Currently, networking schemes inside large enterprises are relatively complex: for ease of management and for security, subnets are generally divided by functional department, group companies generally build cross-region internal office networks, and working from a remote site has become part of routine work. Therefore a need has arisen to use a network encryption lock service in complex network environments such as across network segments or across regions. To date, no scheme has been proposed for using a network encryption lock service in such complex cross-segment or cross-region network environments.
Summary of the invention
In view of the above defects in the prior art, the purpose of the present invention is to provide a method of publishing a network encryption lock service, a method of accessing a network encryption lock service, and corresponding devices, which can well meet the need to use a network encryption lock service in complex network environments such as across network segments or across regions.
According to a first aspect of the scheme of the present invention, a method of publishing a network encryption lock service is provided, comprising: generating a multicast packet containing the network encryption lock service port and sending it to a multicast group with an agreed multicast address; receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to it.
Preferably, generating the multicast packet containing the network encryption lock service port and sending it to the multicast group with the agreed multicast address specifically includes: creating a network socket and binding the agreed port to the created network socket; generating the multicast packet containing the network encryption lock service port that is to be sent to the multicast group with the agreed multicast address; and sending the multicast packet to the multicast group via the agreed port.
Preferably, the multicast packet further includes verification data for verifying the data integrity of the multicast packet.
Preferably, establishing the secure communication connection with the network encryption lock client specifically includes: establishing a communication connection with the network encryption lock client via the network encryption lock service port; sending network encryption lock service profile information to the network encryption lock client; and carrying out key agreement with the network encryption lock client to generate an encryption lock service key for use in subsequent communications with the network encryption lock client.
According to a second aspect of the scheme of the present invention, a method of accessing a network encryption lock service is provided, comprising: by joining a multicast group with an agreed multicast address, receiving from a network encryption lock server a multicast packet containing the network encryption lock service port, and recording the network address of the network encryption lock server; according to the recorded network address of the network encryption lock server, issuing a connection request to the network encryption lock server via the network encryption lock service port; and establishing a secure communication connection with the network encryption lock server to obtain the network encryption lock service.
Preferably, receiving the multicast packet containing the network encryption lock service port from the network encryption lock server by joining the multicast group with the agreed multicast address includes: creating a network socket and listening on the agreed port; and using the network socket to receive, via the agreed port, the multicast packet containing the network encryption lock service port from the network encryption lock server.
Preferably, the multicast packet further includes verification data for verifying the data integrity of the multicast packet, and the method further includes: verifying the data integrity of the multicast packet using the verification data.
Preferably, establishing the secure communication connection with the network encryption lock server specifically includes: establishing a communication connection with the network encryption lock server via the network encryption lock service port; receiving network encryption lock service profile information from the network encryption lock server; and carrying out key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communications with the network encryption lock server.
Preferably, the method further includes: checking whether the recorded network address of the network encryption lock server is already recorded in a discovered encryption lock service list; if so, refreshing the last update time of that network encryption lock service in the discovered encryption lock service list; otherwise, adding the recorded network encryption lock service to the discovered encryption lock service list.
Preferably, the method further includes: determining, according to the last update time of a network encryption lock service recorded in the discovered encryption lock service list, whether that network encryption lock service has expired, and, if it is determined that the network encryption lock service has not expired, refreshing the last update time of that network encryption lock service in the discovered encryption lock service list.
In another scheme of the invention, a network encryption lock server is provided. The network encryption lock server includes a processor configured to execute computer program code so as to: generate a multicast packet containing the network encryption lock service port and send it to a multicast group with an agreed multicast address; receive, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establish a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to it.
A further scheme of the invention provides a network encryption lock client. The network encryption lock client includes a processor configured to execute computer program code so as to: by joining a multicast group with an agreed multicast address, receive a multicast packet containing the network encryption lock service port from a network encryption lock server, and record the network address of the network encryption lock server; according to the recorded network address of the network encryption lock server, issue a connection request to the network encryption lock server via the network encryption lock service port; and establish a secure communication connection with the network encryption lock server to obtain the network encryption lock service.
The solution of the present invention enables a network encryption lock client in the multicast group to obtain, automatically and from the multicast packet, the network address of the network encryption lock server and the network encryption lock service port, and then to be provided with the network encryption lock service over a secure communication connection established with the server. Even if the server IP address changes dynamically, there is no need to change the server IP address manually on the network encryption lock client, and because the multicast packet carries the network encryption lock service port, the network lock client can access the network lock service automatically. The present invention thus removes the cumbersome need to configure a fixed IP during use of a traditional network lock, is suitable for LAN environments with dynamic IP address allocation, reduces the workload of configuring the service, and improves applicability.
Detailed description of the invention
Fig. 1 is a schematic diagram of the network architecture of the network encryption lock server and clients according to an embodiment of the present invention;
Fig. 2 shows a method by which a network encryption lock server publishes a network encryption lock service according to an embodiment of the present invention.
Fig. 3 shows a method by which a network encryption lock client accesses a network encryption lock service, corresponding to the embodiment of Fig. 2.
Fig. 4 shows a method by which a network encryption lock server publishes a network encryption lock service according to another embodiment of the present invention.
Fig. 5 shows a method by which a network encryption lock client accesses a network encryption lock service, corresponding to the embodiment of Fig. 4.
Specific embodiment
The accompanying drawings, which are included in and form part of the description, show embodiments of the disclosure and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of the network architecture of the network encryption lock server and clients according to an embodiment of the present invention. As shown in Fig. 1, the figure includes subnet 10 and subnet 11, network encryption lock server 101, and routers 102, 112 and 122 (which support multicast). Subnet 10 includes network encryption lock clients 103, 104 and 105, and subnet 11 includes network encryption lock clients 113, 114 and 115. Only three network encryption lock clients are shown per subnet as an example; in practice a subnet may contain more network encryption lock clients, and there may be multiple subnets.
A network encryption lock service is installed on the network encryption lock server (for convenience of description, simply "server") 101, which can provide the network encryption lock service in response to requests from each network encryption lock client. Network encryption lock 11 is connected to server 101 through a USB interface or a parallel or serial port on server 101; network encryption lock 11 may also be a Bluetooth-type network encryption lock that establishes a connection and communicates with server 101 via the Bluetooth communication protocol. Only one network encryption lock 11 is illustrated in the figure; in practice, multiple network encryption locks 11 may be connected simultaneously to multiple communication interfaces of server 101, and server 101 then provides multiple network encryption lock services based on the requests of each network encryption lock client. In this way many clients can share several network encryption locks, saving on the number of network encryption locks. As an example, protected software is installed on network encryption lock clients (simply "clients") 103, 104 and 113. The protected software requires the support of a network encryption lock at runtime and cannot complete execution without it, which is how the software is protected. The protected software on clients 103, 104 and 113 is configured so that, when it needs the network encryption lock service, it issues a request to server 101 to access the network encryption lock service, waits for the server's response, and, after establishing a secure communication connection with server 101, uses the network encryption lock service it needs.
The network architecture of the network encryption lock server and clients shown in the embodiment of Fig. 1 is merely illustrative and does not limit the invention. For example, a layer-3 switch supporting routing can be used in place of routers 102, 112 or 122. As another example, there may be only one router in the path interconnecting the network encryption lock server and the clients, with multiple mutually independent subnet segments divided on that one router; the clients in the multiple subnet segments can send and receive data by joining the same multicast group. As a further example, when multicast discovery is used across a wide area network, two or more routers must complete data forwarding between the wide-area segments, and joining the same multicast group on the connected networks makes data exchange possible. In addition, when multiple multicast segments are separated by a network that does not support multicast (such as the Internet) or by a firewall configured with NAT or an IPSec VPN, the firewall cannot establish a PIM neighbour relationship with the peer device and cannot generate multicast routes; in that case each isolated multicast segment can be connected, for example, by configuring a GRE tunnel, so that multicast can still be used.
Fig. 2 shows a method by which a network encryption lock server publishes a network encryption lock service according to an embodiment of the present invention, comprising:
Step S201: generate a multicast packet containing the network encryption lock service port and send it to the multicast group with the agreed address.
Multicast (also called "multipoint delivery") means delivering information to a group of destination addresses at the same time. The strategy it uses is efficient, because a message need only be transmitted once on each network link and is copied only where links branch. Multicast is a one-to-many communication mode between network hosts: hosts that have joined the same group can receive all data sent to that group, and the switches and routers in the network copy and forward data only towards those that have requested it. The set of hosts that can receive data sent to a particular multicast group address is called a multicast group. A host can ask a router to join or leave a multicast group, and the routers and switches in the network then selectively replicate and forward data, delivering data within the group only to the hosts that have joined. Data can thus be delivered at once to multiple hosts that need it (those that joined the group) while the other communications of hosts that do not need it (those that did not join) are guaranteed not to be affected. The advantages of multicast are: 1) clients that need the same data stream join the same group and share one data stream, which saves load on the server while retaining the advantages of broadcast; 2) because the multicast protocol replicates and forwards the data stream according to the recipients, the total service bandwidth on the server side is not limited by the bandwidth of the clients' access links. A router that can run a multicast protocol is called a multicast router; it may be a dedicated router or an ordinary router running multicast software. In addition, some layer-3 switches supporting routing also have multicast capability. In an IP network, multicast is generally implemented with multicast IP addresses, which are Class D IP addresses, i.e. the IP addresses from 224.0.0.0 to 239.255.255.255.
In a network using the TCP/IP protocol stack, multicast is carried out with UDP at the transport layer. Taking the UDP protocol as an example, the detailed process S2011-S2013 (not shown) of generating the multicast packet containing the network encryption lock service port and sending it to the multicast group is described below.
Step S2011: create a network socket and bind the agreed port to the created network socket.
The agreed port is a port that the server and the clients have agreed upon in advance, for example port 10010.
Step S2012: generate the multicast packet containing the network encryption lock service port that is to be sent to the multicast group with the agreed multicast address.
A UDP datagram has a defined format containing fields such as source port number, destination port number, UDP length, checksum and data. The network encryption lock service port can be placed in the data field. The generated multicast packet contains not only the network encryption lock service port but may also contain an agreed characteristic value, the type of multicast message (such as request or response), a checksum and other contents. The agreed characteristic value and the checksum are used to guarantee the data integrity of the multicast packet received by the client: the receiving end of the multicast data, i.e. the client, can perform checksum validation on the multicast packet to prevent it from being tampered with or forged during data transmission.
Step S2013: after generating the multicast packet defined above, send it to the multicast group via the agreed port. If a network encryption lock client has joined the multicast group, it can receive the multicast packet.
After the multicast packet containing the network encryption lock service port has been generated and sent to the multicast group with the agreed multicast address in step S201, step S202 is executed next.
Step S202: receive, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group.
The network encryption lock service port is the predetermined port on which server 101 provides the network encryption lock service. Clients 103, 104 or 105 obtain the network encryption lock service provided by server 101 through this network encryption lock service port.
For reliability of communication, this connection usually uses point-to-point TCP. The client sends a TCP request via the network encryption lock service port, and the server receives the TCP request sent by the client via the network encryption lock service port.
Then step S203 is entered: establish a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to it.
There are many ways for the network encryption lock server and client to establish a secure communication connection, for example using the SSH protocol (Secure Shell) or the HTTPS protocol. In one embodiment, step S203 can be realised through three sub-steps S2031-S2033 (not shown).
In step S2031, a TCP connection is established with the client according to the received TCP connection request from the client.
Then, in step S2032, network encryption lock service profile information is sent to the network encryption lock client. The network encryption lock service profile information may specifically include: 1. service host information, such as MAC address, host name, IP address and port; 2. service configuration parameter information, such as multicast address, service type, operating mode, connection timeout, message timeout and other remote server-side configuration parameters. Next, step S2033 is executed.
In step S2033, key agreement is carried out with the network encryption lock client to generate an encryption lock service key. The generated encryption lock service key is used in subsequent communications between the server and the client to ensure the security of the encryption lock service being used.
Key agreement is the process by which two or more entities negotiate and jointly establish a session key.
The effect of key agreement is that, even if an attacker is eavesdropping on the network traffic between the client and the server, the client can still use a "key agreement mechanism" to negotiate with the server a key (also called a "session key") used to encrypt application-layer data. Key exchange/agreement mechanisms come in several types: 1) using an asymmetric encryption algorithm, where the party holding the public key first generates a random session key and encrypts it with the public key, sends the result to the other party, who decrypts it with its private key, after which both parties hold the session key; the RSA algorithm is an example. 2) Relying on a dedicated key exchange algorithm, such as the DH (Diffie-Hellman) algorithm and its variants. 3) Using a "secret" shared in advance by the two communicating parties: because both sides already hold a shared secret (which may be a key or merely a password/passphrase), they only need a generation algorithm to produce the same key (and the key length can be specified arbitrarily); examples are PSK and SRP.
The HTTPS protocol can be used to implement the process of step S2033. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel whose goal is security: an SSL layer is added under HTTP, so the security foundation of HTTPS is SSL and the details of the encryption therefore depend on SSL. The system was originally developed by Netscape; it provides authentication and encrypted communication and is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments. In addition, the OAKLEY key determination protocol can also be used to implement step S2033.
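As an added example that is not code from the patent, the following Python shows the second kind of mechanism listed above, a Diffie-Hellman exchange between server and client, carried through to an encryption lock service key that then protects subsequent service requests. The choice of group (RFC 3526 group 14), the HKDF derivation, the context label, and the use of HMAC for subsequent messages are assumptions of this example, not the patent's; the primality check guards against a mistyped or substituted modulus.

```python
"""Diffie-Hellman key agreement producing the encryption lock service key."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# RFC 3526 group 14: 2048-bit MODP safe prime and generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
KEY_CONTEXT = b"network-encryption-lock-service-key"  # constructed label binding the key to its purpose


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test, used to sanity-check the group parameters before trusting them."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand: turns the raw shared secret into a fixed-size key."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One side of the negotiation: the server (step S2033) or the network encryption lock client."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._private = secrets.randbelow(P - 2) + 1  # private exponent, never transmitted
        self.public = pow(G, self._private, P)         # value sent to the peer over the TCP connection
        self.service_key: Optional[bytes] = None

    def derive_service_key(self, peer_public: int) -> bytes:
        """Combine the peer's public value with our private exponent and derive the 256-bit service key."""
        # Reject degenerate public values (0, 1, P-1 or out of range) that would force a predictable secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._private, P)
        secret = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        self.service_key = hkdf_sha256(secret, salt=b"", info=KEY_CONTEXT, length=32)
        return self.service_key


def run_key_agreement() -> Tuple[Party, Party]:
    """Exchange public values between server and client; both sides derive the same service key."""
    server, client = Party("server"), Party("client")
    server.derive_service_key(client.public)  # server receives the client's public value
    client.derive_service_key(server.public)  # client receives the server's public value
    return server, client


def tag_message(service_key: bytes, message: bytes) -> bytes:
    """Protect a subsequent encryption lock request with an HMAC under the negotiated key."""
    return hmac.new(service_key, message, hashlib.sha256).digest()


def verify_message(service_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a tagged request on the receiving side."""
    return hmac.compare_digest(tag_message(service_key, message), tag)
```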
Using the method for the delivery network encryption lock service of the present embodiment, that multicast group is added by multicast packet Network encryption lock client computer can obtain the network address and network encryption lock serve port of network encryption lock server automatically, And the communication connection of safety is established to provide network encryption lock for network encryption lock client computer by locking client computer with network encryption Service.As a result, in the case where network encryption locks server ip address dynamic change, this method not needing in network encryption Manual configuration server ip address again in client computer is locked, reduces the workload of Configuration network encryption lock service, and for The complexity network environment such as cross-network segment, cross-region, the program can meet in such circumstances well using network encryption lock service Needs.Further, since sending network encryption to client computer by way of multicast locks service profile information, so that client's function Parameters needed for enough automatically configuring network encryption lock service, to improve the energy for automatically accessing network encryption lock service Power.
In the present embodiment, the method of publishing the network encryption lock service has been described with the network encryption lock server as the acting party. In some variant embodiments, however, a proxy server that has established a communication connection with the network encryption lock server may act as the party publishing the network encryption lock service. In addition, the network encryption lock need not be connected to the server 101 through a USB interface or through a parallel or serial port on the server 101 as shown in Fig. 1; the network encryption lock may instead be connected to a dedicated device such as a USB Server, which is in turn connected to the network encryption lock server.
Fig. 3 shows a method, corresponding to the embodiment of Fig. 2, by which a network encryption lock client accesses the network encryption lock service. It includes:
Step S301: by joining a multicast group having an agreed multicast address, receive from the network encryption lock server a multicast packet containing the network encryption lock service port, and record the network address of the network encryption lock server.
A multicast packet is a data packet whose destination address field in the header contains a multicast address. When the network encryption lock client receives the multicast packet, it can obtain the IP address of the packet's source (namely the network encryption lock server). At this point the client records the server's network address, and obtains and records the network encryption lock service port from the multicast packet.
Step S301 may specifically include steps S3011-S3013 (not shown). In step S3011 the client creates a network socket, joins the multicast group having the agreed multicast address and listens on the agreed port. The agreed multicast address is a multicast address agreed in advance between the network encryption lock server and the client; the agreed port is a port agreed in advance between the network encryption lock server and the client, for example port 11010. Then, in step S3012, the client uses the network socket to receive, via the agreed port, the multicast packet containing the network encryption lock service port from the network encryption lock server. After the multicast packet has been received, in step S3013 the network (IP) address of the packet's source (that is, the network encryption lock server) is recorded, and the method proceeds to step S302.
Step S302: according to the recorded network address of the network encryption lock server, send a connection request to the network encryption lock server via the network encryption lock service port.
Specifically, for the sake of reliable communication, the network encryption lock client can send a TCP connection request to the server and wait for the server's response.
Step S303: establish a secure communication connection with the network encryption lock server to obtain the network encryption lock service.
There are many ways for the network encryption lock server and the client to establish a secure communication connection, for example using the SSH protocol (Secure Shell) or the HTTPS protocol.
In one embodiment, step S303 can be realised through three sub-steps S3031-S3033 (not shown). Step S3031: establish a communication connection with the network encryption lock server via the network encryption lock service port. Specifically, if the client has sent a TCP connection request to the server, it waits for the server's response and establishes the TCP connection with the server. Step S3032: receive the network encryption lock service configuration information from the network encryption lock server. The network encryption lock service configuration information may specifically include: 1. service host information, such as MAC address, host name, IP address and port; 2. service configuration parameter information, such as remote service-side configuration parameters including the multicast address, service type, operating mode, connection timeout, message timeout and service description. Next, step S3033 is executed: perform key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server. The HTTPS protocol or the OAKLEY key determination protocol can be used to realise this step.
Using the method of the present embodiment for accessing the network encryption lock service, the desired network encryption lock service can be accessed automatically without manually configuring each item of network encryption lock service configuration information on the network encryption lock client. For example, in some embodiments the network encryption lock client can evaluate the received network encryption lock service configuration information (such as the multicast address, service type, operating mode or service description) to decide whether to use that particular network encryption lock service. When the client determines that the network encryption lock service is not the service it wants, it can leave the current multicast group and join another multicast group.
Fig. 4 shows a method by which the network encryption lock server of one embodiment of the present invention publishes the network encryption lock service, including the following steps:
S401: create a network socket (for example a UDP socket) and bind the agreed port (for example 11010).
S402: send a multicast packet to the multicast group at every predetermined time interval (for example 10 seconds). The multicast packet contains the agreed characteristic value, the network encryption lock service TCP port, the multicast message type (request or response), a checksum, and the service IP information.
S403: wait for a TCP connection request from a network encryption lock client;
S404: if a TCP connection request from a network encryption lock client is received, establish the TCP connection with the client;
S405: send the network encryption lock service configuration information to the network encryption lock client. The network encryption lock service configuration information may include: 1. service host information, for example MAC address, host name, IP address and port; 2. service configuration parameter information, for example remote service-side configuration parameters such as the multicast address, service type, operating mode, connection timeout, message timeout and service description.
S406: perform key agreement with the network encryption lock client to generate a temporary encryption lock service key.
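An added Python example, not part of the patent, of the announcement packet the server sends in S402 and the client checks in S502: it carries the fields the text names (agreed characteristic value, message type, service TCP port, service IP, checksum), the server side serialises them with a CRC32 appended, and the client side refuses packets whose length, checksum, characteristic value or type does not match. The byte layout, the `NELK` characteristic value and the function names are constructed for this illustration; the patent does not specify an encoding.

```python
"""Multicast announcement build/parse (added example; byte layout constructed)."""
import socket
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

MAGIC = b"NELK"                 # agreed characteristic value (constructed for this example)
MSG_REQUEST, MSG_RESPONSE = 1, 2  # multicast message type
_HEADER = ">4sBH4s"             # magic, type, service TCP port, IPv4 address
_LAYOUT = _HEADER + "I"         # header followed by CRC32 over the header
PACKET_LEN = struct.calcsize(_LAYOUT)  # 15 bytes


@dataclass(frozen=True)
class Announcement:
    msg_type: int
    service_port: int
    service_ip: str


def build_announcement(msg_type: int, service_port: int, service_ip: str) -> bytes:
    """Server side (S402): serialise the fields and append a CRC32 checksum."""
    if msg_type not in (MSG_REQUEST, MSG_RESPONSE):
        raise ValueError("unknown message type")
    if not 0 < service_port < 65536:
        raise ValueError("service port out of range")
    body = struct.pack(_HEADER, MAGIC, msg_type, service_port, socket.inet_aton(service_ip))
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_announcement(packet: bytes) -> Optional[Announcement]:
    """Client side (S502): return the fields, or None if any check fails.

    Order matters: length first (so the unpack cannot fail), checksum next
    (so corrupted bytes are dropped before being interpreted), then the
    agreed characteristic value and type.
    """
    if len(packet) != PACKET_LEN:
        return None
    body, (crc,) = packet[:-4], struct.unpack(">I", packet[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None  # corrupted in transit
    magic, msg_type, port, raw_ip = struct.unpack(_HEADER, body)
    if magic != MAGIC or msg_type not in (MSG_REQUEST, MSG_RESPONSE) or port == 0:
        return None  # not an announcement from the agreed scheme
    return Announcement(msg_type, port, socket.inet_ntoa(raw_ip))
```

On the wire the result of `build_announcement` is what the server hands to `sendto` on its UDP socket addressed to the agreed multicast group and port, and the client passes each received datagram through `parse_announcement` before recording the sender. A CRC detects corruption, not forgery: it carries no secret, so the identity of the announced server has to be established by the secure connection and key agreement that follow (S406 on the server, S5054 on the client), not by the announcement itself.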
Fig. 5 shows a method, corresponding to the embodiment of Fig. 4, by which a network encryption lock client accesses the network encryption lock service.
S501: create a UDP network socket, listen on the agreed port corresponding to the embodiment of Fig. 4 (for example 11010), and join the multicast group having the agreed multicast address; if the join succeeds, wait for multicast messages, and if it fails, exit.
S502: receive the multicast packet containing the network encryption lock service TCP port, parse the packet content, obtain the service IP information contained in the multicast packet, verify the data content of the multicast packet using the agreed characteristic value and the checksum in the service IP information, and record the IP address of the source of the multicast packet (namely the server).
S503: check whether the server IP address has already been recorded in the list of discovered encryption lock services. If it has not been recorded, the service is a newly discovered service; jump to step S5051. If the server IP address has been recorded, the network encryption lock service is an already discovered service; jump to step S504.
S5051: according to the recorded server IP address, send a connection request to the server via the network encryption lock service TCP port, and proceed to step S5052.
S5052: wait for the server's response, establish the TCP connection with the server, and proceed to step S5053.
S5053: receive the network encryption lock service configuration information from the server.
S5054: perform key agreement with the server to obtain the network encryption lock service key for use in subsequent communication. If the key agreement succeeds, proceed to S5055; if it fails, take no further action.
S5055: add the network encryption lock service to the list of discovered encryption lock services.
S504: refresh the last update time of the service.
This embodiment may also include some additional (optional) steps.
For example, between step S5053 and step S5054 there may be a step of judging, according to the network encryption lock service configuration information, whether to access the network encryption lock service (that is, whether to perform the key agreement in S5054), so as to ensure that the client accesses the network encryption lock service it wants. More specifically, it can be determined, for example according to the multicast address, service type, operating mode or service description, whether the service is the network encryption lock service that the user of the client expects to use, and accordingly whether to carry out the key agreement process in S5054.
As another example, the following steps (not shown) for checking expired services may be included after step S506; with these steps the validity of the recorded network encryption lock services can be inspected periodically.
S507: check the last update time of the network encryption lock services at a predetermined interval. The inspection interval is greater than the server-side multicast interval, for example about 1.5 times the server-side multicast interval. It can be arranged that when the service's multicast message has not been received N times (N being a natural number, preferably 2), the state of the network encryption lock service is marked as unavailable.
Step S507 may include the following two sub-steps.
S5071: traverse the list of discovered encryption lock services and judge in turn whether the last update time of each service has expired. For example, a service is judged expired when the difference between the current computer time and its last update time is greater than 2 times the service multicast interval. When the service is judged not expired, its last update time is refreshed with the current computer time; otherwise S509 is executed.
S5072: when a service has been judged expired, attempt to access it. Send a TCP validation request according to information such as the service IP; if a response is received, the service still exists, so update the service's last refresh time with the current computer time and set the service state to available; if the request receives no response or times out, set the service state to unavailable.
Through the above steps, network encryption lock services that have expired can be discovered in time, improving the reliability of accessing the service.
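The bookkeeping behind S503/S504 and the expiry sweep S507/S5071/S5072, written in Python as an added example that is not part of the patent: a list of discovered services keyed by server IP, refreshed on each announcement, swept at 1.5 times the multicast interval, with a service treated as expired after N=2 intervals without an announcement and then probed. The class and function names, the injected clock and the probe callback (standing in for the TCP validation request) are constructed for this illustration; services judged not expired are left alone here, since the announcement that kept them fresh already refreshed their time in S504.

```python
"""Discovered-service list with expiry checks (added example; names constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

MULTICAST_INTERVAL = 10.0                  # server announces every 10 s (page: e.g. 10 seconds)
CHECK_INTERVAL = 1.5 * MULTICAST_INTERVAL  # S507: inspection interval > multicast interval
MISSED_ANNOUNCEMENTS = 2                   # N in S507: expired after N intervals without a message


@dataclass
class ServiceRecord:
    ip: str
    tcp_port: int
    last_update: float
    available: bool = True


class DiscoveredServices:
    """The 'discovered encryption lock service list' of S503/S5055 with the S507 sweep."""

    def __init__(self, clock: Callable[[], float], probe: Callable[[str, int], bool]):
        self._clock = clock    # injected so the sweep can be tested without waiting
        self._probe = probe    # S5072 TCP validation request: True if the server answered
        self._services: Dict[str, ServiceRecord] = {}

    def on_announcement(self, ip: str, tcp_port: int) -> str:
        """S503/S504: unknown IP -> 'new' (caller then runs S5051..S5055); known -> refresh."""
        rec = self._services.get(ip)
        if rec is None:
            return "new"
        rec.last_update = self._clock()
        rec.tcp_port = tcp_port
        rec.available = True
        return "refreshed"

    def add(self, ip: str, tcp_port: int) -> None:
        """S5055: record the service only after key agreement succeeded."""
        self._services[ip] = ServiceRecord(ip, tcp_port, self._clock())

    def is_expired(self, rec: ServiceRecord) -> bool:
        """S5071: expired when no announcement arrived for N multicast intervals."""
        return self._clock() - rec.last_update > MISSED_ANNOUNCEMENTS * MULTICAST_INTERVAL

    def check_expiry(self) -> Dict[str, bool]:
        """S507: sweep the list; probe expired entries and update availability."""
        now = self._clock()
        status = {}
        for ip, rec in self._services.items():
            if self.is_expired(rec):
                if self._probe(ip, rec.tcp_port):  # S5072: server still answers
                    rec.last_update = now
                    rec.available = True
                else:                               # no answer or timeout
                    rec.available = False
            status[ip] = rec.available
        return status

    def available(self) -> List[str]:
        """Server IPs a client may currently use."""
        return sorted(ip for ip, rec in self._services.items() if rec.available)
```

Injecting the clock and the probe keeps the decision logic separate from sockets, so the expiry rule can be exercised deterministically; in a deployment the probe would open a TCP connection to the recorded IP and service port with a timeout and return whether it succeeded.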
In the following embodiment it is assumed that the network encryption lock server and the client are multi-NIC hosts. In this case, on the server side all of the server's NIC information is obtained, and when multicast messages are sent periodically, all NICs are traversed in turn and the multicast message is sent to each agreed multicast address. Correspondingly, on the client side all of the client's NIC information is obtained, each multicast group is joined on the respective NIC according to the corresponding agreed address, and the port is listened on to wait for the server-side multicast message.
According to the solutions of the embodiments of the present invention, compared with the traditional scheme of manually configuring the network encryption lock server IP address and the network encryption lock service configuration information, the method of automatically discovering the service in a multicast group reduces the manual maintenance workload, adapts to complex network environments such as across network segments and across regions, and improves the applicability of the network encryption lock service.
In addition, another embodiment of the present invention provides a network encryption lock server comprising a processor which can execute computer program code to realise: generating a multicast packet containing the network encryption lock service port, to be sent to the multicast group having the agreed multicast address; sending the generated multicast packet to the multicast group via the agreed port; receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group; and establishing a secure communication connection with the network encryption lock client to provide the network encryption lock service to it. The network encryption lock server of this embodiment enables clients that join the multicast group to access the network encryption lock service it offers automatically, securely and reliably.
In one embodiment, a network encryption lock client is also provided, comprising a processor which can execute computer program code to realise: by joining a multicast group having an agreed multicast address, receiving from the network encryption lock server a multicast packet containing the network encryption lock service port, and recording the network address of the network encryption lock server; according to the recorded network address of the network encryption lock server, sending a connection request to the network encryption lock server via the network encryption lock service port; and establishing a secure communication connection with the network encryption lock server to obtain the network encryption lock service. The network encryption lock client of this embodiment can, through the multicast group it joins, automatically, securely and reliably access the particular network encryption lock service provided by the encryption lock server; it can join a specific multicast group according to the encryption lock service it requires, and may choose to leave the multicast group after it has finished using the network encryption lock service.
For details of the above embodiments of the network encryption lock server and client that are not described here, please refer to the description of the method embodiments of the present invention.
The above embodiments are only exemplary embodiments of the present invention and are not intended to limit it; the scope of protection of the present invention is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present invention within its spirit and scope, and such modifications or equivalent replacements should also be regarded as falling within the scope of the present invention.

Claims (10)

1. A method of publishing a network encryption lock service, comprising:
generating a multicast packet containing a network encryption lock service port and sending it via an agreed port to a multicast group having an agreed multicast address;
receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group;
establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to the network encryption lock client,
wherein establishing the secure communication connection with the network encryption lock client specifically comprises:
establishing a communication connection with the network encryption lock client via the network encryption lock service port;
sending network encryption lock service configuration information to the network encryption lock client; and
performing key agreement with the network encryption lock client to generate an encryption lock service key for use in subsequent communication with the network encryption lock client.
2. The method of claim 1, wherein generating the multicast packet containing the network encryption lock service port and sending it via the agreed port to the multicast group having the agreed multicast address specifically comprises:
creating a network socket and binding the agreed port to the created network socket;
generating the multicast packet containing the network encryption lock service port to be sent to the multicast group having the agreed multicast address; and
sending the multicast packet to the multicast group via the agreed port.
3. The method of claim 1, wherein the multicast packet further comprises verification data for verifying the data integrity of the multicast packet.
4. A method of accessing a network encryption lock service, comprising:
by joining a multicast group having an agreed multicast address, receiving via an agreed port a multicast packet containing a network encryption lock service port from a network encryption lock server, and recording the network address of the network encryption lock server;
according to the recorded network address of the network encryption lock server, sending a connection request to the network encryption lock server via the network encryption lock service port;
establishing a secure communication connection with the network encryption lock server so as to obtain the network encryption lock service,
wherein establishing the secure communication connection with the network encryption lock server specifically comprises:
establishing a communication connection with the network encryption lock server via the network encryption lock service port;
receiving network encryption lock service configuration information from the network encryption lock server; and
performing key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server.
5. The method of claim 4, wherein joining the multicast group having the agreed multicast address and receiving via the agreed port the multicast packet containing the network encryption lock service port from the network encryption lock server comprises:
creating a network socket, joining the multicast group having the agreed multicast address, and listening on the agreed port;
receiving, using the network socket and via the agreed port, the multicast packet containing the network encryption lock service port from the network encryption lock server.
6. The method of claim 4, wherein the multicast packet further comprises verification data for verifying the data integrity of the multicast packet, and the method further comprises: verifying the data integrity of the multicast packet using the verification data.
7. The method of claim 4, further comprising:
checking whether the recorded network address of the network encryption lock server is already recorded in a list of discovered encryption lock services; if so, refreshing the last update time of the network encryption lock service in the list of discovered encryption lock services; otherwise, adding the recorded network encryption lock service to the list of discovered encryption lock services.
8. The method of claim 7, further comprising:
determining, according to the last update time of the network encryption lock service recorded in the list of discovered encryption lock services, whether the network encryption lock service has expired, and
if it is determined that the network encryption lock service has not expired, refreshing the last update time of the network encryption lock service in the list of discovered encryption lock services.
9. A network encryption lock server, comprising a processor configured to execute computer program code to realise:
generating a multicast packet containing a network encryption lock service port and sending it via an agreed port to a multicast group having an agreed multicast address;
receiving, via the network encryption lock service port, a connection request from a network encryption lock client in the multicast group;
establishing a secure communication connection with the network encryption lock client so as to provide the network encryption lock service to the network encryption lock client,
wherein establishing the secure communication connection with the network encryption lock client specifically comprises:
establishing a communication connection with the network encryption lock client via the network encryption lock service port;
sending network encryption lock service configuration information to the network encryption lock client; and
performing key agreement with the network encryption lock client to generate an encryption lock service key for use in subsequent communication with the network encryption lock client.
10. A network encryption lock client, comprising a processor configured to execute computer program code to realise:
by joining a multicast group having an agreed multicast address, receiving via an agreed port a multicast packet containing a network encryption lock service port from a network encryption lock server, and recording the network address of the network encryption lock server;
according to the recorded network address of the network encryption lock server, sending a connection request to the network encryption lock server via the network encryption lock service port;
establishing a secure communication connection with the network encryption lock server so as to obtain the network encryption lock service,
wherein establishing the secure communication connection with the network encryption lock server specifically comprises:
establishing a communication connection with the network encryption lock server via the network encryption lock service port;
receiving network encryption lock service configuration information from the network encryption lock server; and
performing key agreement with the network encryption lock server to generate an encryption lock service key for use in subsequent communication with the network encryption lock server.
CN201710602119.XA 2017-07-21 2017-07-21 The method and device of publication and access network encryption lock service Active CN107277044B (en)

Publications (2)

Publication Number Publication Date
CN107277044A CN107277044A (en) 2017-10-20
CN107277044B true CN107277044B (en) 2019-06-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.