CN108243187A - A kind of automatic encryption method, system and service module based on SSH tunnels - Google Patents

Automatic encryption method, system and service modules based on SSH tunnels

Info

Publication number: CN108243187A
Authority: CN (China)
Application number: CN201711473537.XA
Original language: Chinese (zh)
Inventors: 潘赛赛, 乐超超, 赵贵阳, 周春楠
Assignee (current and original): YIYANG SAFETY TECHNOLOGY Co Ltd
Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/08 ... for authentication of entities
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 ... above the transport layer

Abstract

This application discloses an automatic encryption method and system based on SSH tunnels. An SSHProxy service module receives a database redirection request and obtains the target database address; it sends an SSH tunnel establishment request carrying authentication information to an SSHServer service module; after receiving the authentication success message fed back by the SSHServer service module, it sends the target database address to the SSHServer service module; when it receives the SSH tunnel establishment success message fed back by the SSHServer service module, it SSH-encrypts the database connection request packet sent by the user terminal and sends the encrypted packet to the SSHServer service module; it receives the connection response packet fed back by the SSHServer service module, decrypts it and sends it to the user terminal. This achieves automatic SSH-encrypted transmission of a plaintext protocol between the user terminal and the target database.

Description

Automatic encryption method, system and service modules based on SSH tunnels
Technical field
The present invention relates to the field of encryption technology, and in particular to an automatic encryption method, system and service modules based on SSH tunnels.
Background technology
While the rapid development of network technology has improved the working efficiency of enterprises, it has also brought a growing problem: the security of network information transmission, which has become a hot topic and focus of current enterprise research.
SSH tunnelling is a network data encryption technology in general use in enterprises today. An SSH tunnel, that is, an SSH proxy or port forward, means that the network application client and the server do not communicate directly; instead the application client communicates with the server through an SSH client and an SSH server. The SSH tunnel takes network data that would otherwise travel in plaintext between the application client and the server, forwards it over the SSH link between the SSH client and the SSH server, and automatically provides the corresponding encryption and decryption, so that personal privacy and important business information are not leaked.
Although existing SSH tunnel technology achieves encrypted transmission of plaintext protocols, it is inconvenient and insecure to use. The user must create the SSH tunnel manually with a dedicated SSH client and must obtain the account and password of the SSH service. As SSH tunnels are used more widely, the account and password are exposed to more people, which easily leads to their leakage and puts system security at risk.
Invention content
In view of this, the present invention provides an automatic encryption method and system based on SSH tunnels. Using the network redirection function of a redirection module together with the man-in-the-middle proxy function of an SSHProxy service module and an SSHServer service module, it helps the user achieve automatic, transparent SSH-encrypted transmission of a plaintext protocol.
To achieve the above object, the specific technical solution provided by the invention is as follows:
An automatic encryption method based on SSH tunnels, applied to an SSHProxy service module, the method comprising:
receiving a database redirection request and obtaining the target database address;
sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
after receiving the authentication success message fed back by the SSHServer service module, sending the target database address to the SSHServer service module;
when the SSH tunnel establishment success message fed back by the SSHServer service module is received, SSH-encrypting the database connection request packet sent by the user terminal and sending the encrypted database connection request packet to the SSHServer service module;
receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
Preferably, receiving a database redirection request and obtaining the target database address comprises:
starting a first listening port and listening for the database redirection request;
when the database redirection request is received, obtaining a network redirection ticket and obtaining the target database address from the network redirection ticket.
Preferably, the method further comprises:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHServer service module and disconnecting the connection with the user terminal.
An automatic encryption method based on SSH tunnels, applied to an SSHServer service module, the method comprising:
receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module;
authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending an SSH tunnel establishment success message to the SSHProxy service module;
receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
Preferably, receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module comprises:
starting a second listening port and listening for the SSH tunnel establishment request from the SSHProxy service module;
when the SSH tunnel establishment request sent by the SSHProxy service module is received, obtaining the authentication information carried in the SSH tunnel establishment request.
Preferably, the method further comprises:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHProxy service module and disconnecting the connection with the target server.
An SSHProxy service module, comprising:
a first receiving unit for receiving a database redirection request and obtaining the target database address;
a first sending unit for sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
a second sending unit for sending the target database address to the SSHServer service module after the authentication success message fed back by the SSHServer service module is received;
a first encryption unit for SSH-encrypting the database connection request packet sent by the user terminal when the SSH tunnel establishment success message fed back by the SSHServer service module is received, and sending the encrypted database connection request packet to the SSHServer service module;
a first decryption unit for receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
a second encryption unit for encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
a second decryption unit for decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
An SSHServer service module, comprising:
a second receiving unit for receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module;
an authentication unit for authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
an establishing unit for receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending an SSH tunnel establishment success message to the SSHProxy service module;
a third decryption unit for receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
a third encryption unit for receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
a fourth decryption unit for decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
a fourth encryption unit for encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
An automatic encryption system based on SSH tunnels, comprising:
a redirection module, the SSHProxy service module according to claim 7 and the SSHServer service module according to claim 8;
the redirection module being used to listen for the database connection request of the user terminal, obtain the target database address of the database connection request, send a redirection request to the SSHProxy service module, and send the SSHProxy service module a redirection ticket carrying the target database address.
Compared with the prior art, the beneficial effects of the present invention are as follows:
The invention discloses an automatic encryption method and system based on SSH tunnels. The user neither has to install a dedicated SSH client manually nor create an SSH tunnel manually: the SSH tunnel is created automatically using the network redirection function of the redirection module together with the man-in-the-middle proxy function of the SSHProxy service module and the SSHServer service module. The SSHProxy service module and the SSHServer service module communicate through their own authentication mechanism, replacing the original mechanism in which the user enters an account and password. The user does not need to remember SSH service parameters, which reduces the user's workload, and the security threat caused by leakage of SSH account passwords is avoided.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a logical architecture diagram of an automatic encryption method based on SSH tunnels disclosed in an embodiment of the present invention;
Fig. 2 is a flow chart of an automatic encryption method based on SSH tunnels disclosed in an embodiment of the present invention;
Fig. 3 is a flow chart of another automatic encryption method based on SSH tunnels disclosed in an embodiment of the present invention;
Fig. 4 is a structural diagram of an SSHProxy service module disclosed in an embodiment of the present invention;
Fig. 5 is a structural diagram of an SSHServer service module disclosed in an embodiment of the present invention;
Fig. 6 is a structural diagram of an automatic encryption system based on SSH tunnels disclosed in an embodiment of the present invention;
Fig. 7 is a schematic diagram of one application scenario of the automatic encryption system based on SSH tunnels disclosed in an embodiment of the present invention;
Fig. 8 is a schematic diagram of another application scenario of the automatic encryption system based on SSH tunnels disclosed in an embodiment of the present invention;
Fig. 9 is a schematic diagram of a further application scenario of the automatic encryption system based on SSH tunnels disclosed in an embodiment of the present invention.
Specific embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The present invention provides an automatic encryption method based on SSH tunnels which, using the network redirection function of a redirection module together with the man-in-the-middle proxy function of an SSHProxy service module and an SSHServer service module, helps the user achieve automatic, transparent SSH-encrypted transmission of a plaintext protocol. Referring to Fig. 1, the logical architecture diagram of the method: the redirection module listens for the database connection request of the user terminal and redirects it to the SSHProxy service module; the SSHProxy service module automatically establishes an SSH tunnel with the SSHServer service module; the SSHProxy service module forwards the user terminal's data, encrypted, through the SSH tunnel to the SSHServer service module, which decrypts it and forwards it to the target database.
The technical solution provided by the invention is further explained below from two sides: with the SSHProxy service module as the executing entity and with the SSHServer service module as the executing entity.
Embodiment one
Referring to Fig. 2, this embodiment discloses an automatic encryption method based on SSH tunnels, applied to an SSHProxy service module installed on the user's Windows client. The method comprises:
S101: receiving a database redirection request and obtaining the target database address;
After the user terminal initiates a database connection request, the request has to be redirected to the SSHProxy service module and sent to the target database through the SSH tunnel between the SSHProxy service module and the SSHServer service module.
Specifically, the SSHProxy service module starts a first listening port and listens for the database redirection request;
when the database redirection request is received, it obtains the network redirection ticket and obtains the target database address from the network redirection ticket.
The target database is the database the user terminal needs to connect to.
S102: sending an SSH tunnel establishment request carrying authentication information to the SSHServer service module;
S103: after receiving the authentication success message fed back by the SSHServer service module, sending the target database address to the SSHServer service module. It should be noted that the authentication mechanism in this embodiment is as follows: the SSHProxy service module sends the SSHServer service module authentication information carrying an SSH account and password; the SSHServer service module checks whether the SSH account and password are correct and, if so, authentication succeeds.
S104: when the SSH tunnel establishment success message fed back by the SSHServer service module is received, SSH-encrypting the database connection request packet sent by the user terminal and sending the encrypted database connection request packet to the SSHServer service module;
S105: receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
S106: encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
S107: decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
Once the SSHProxy service module has sent the connection response packet to the user terminal, the connection between the user terminal and the target database is established and the user terminal can access the database normally over the SSH tunnel. From then on the SSHProxy service module only has to encrypt the uplink data received from the user terminal and forward it to the SSHServer service module, and decrypt the downlink data returned by the target database and forward it to the user terminal.
It should be noted that when the connection between the user terminal and the target database is disconnected, the SSHProxy service module disconnects its connection with the SSHServer service module and its connection with the user terminal.
The automatic encryption method based on SSH tunnels disclosed in this embodiment does not require the user to create an SSH tunnel manually. The SSH tunnel is created automatically using the network redirection function of the redirection module and the man-in-the-middle proxy function of the SSHProxy and SSHServer service modules; the two modules communicate through their own authentication mechanism, replacing the original mechanism in which the user enters an account and password. The user does not need to remember SSH service parameters, which reduces the user's workload, and the security threat caused by leakage of SSH account passwords is also avoided.
Embodiment two
Referring to Fig. 3, this embodiment discloses another automatic encryption method based on SSH tunnels, applied to an SSHServer service module. The method comprises:
S201: receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module;
Specifically, the SSHServer service module starts a second listening port and listens for the SSH tunnel establishment request from the SSHProxy service module;
when the SSH tunnel establishment request sent by the SSHProxy service module is received, it obtains the authentication information carried in the request.
S202: authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
S203: receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending an SSH tunnel establishment success message to the SSHProxy service module;
It should be noted that the SSHServer service module also needs to receive the account and password of the target database from the SSHProxy service module before it can establish the connection with the target database.
S204: receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
S205: receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
S206: decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
S207: encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
It should be noted that when the connection between the user terminal and the target database is disconnected, the SSHServer service module disconnects its connection with the SSHProxy service module and its connection with the target server.
It should also be noted that the forwarding targets of the SSHServer service module can be restricted, that is, the database addresses the SSHServer service module is allowed to connect to can be configured, so that users cannot use it to reach arbitrary hosts; this improves data security.
The automatic encryption method based on SSH tunnels disclosed in this embodiment receives the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module, authenticates the SSHProxy service module according to that information and, after successful authentication, establishes a connection with the target database according to the target database address sent by the SSHProxy service module, achieving automatic encrypted transmission of data over the SSH tunnel between the user terminal and the target server.
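The exchange described in Embodiments one and two, modelled end to end as an added example. This is not the patent's code (the patent's modules are built on libssh): the Tunnel class stands in for the libssh session the two modules share and does not implement SSH, and the redirection module, the target database stub, the addresses, the SSH account, the "CONNECT" packet format and the status strings are all constructed assumptions. What it shows is the order of steps S101-S107 and S201-S207, the module-to-module authentication that replaces the user's own SSH login, the forwarding restriction noted after S207, and the teardown.

```python
import hashlib
import hmac
import os


class Tunnel:
    """Stand-in for the libssh session both modules hold once authenticated (assumption: real SSH
    negotiates keys and uses a proper cipher; this HMAC keystream plus tag only models secrecy)."""
    def __init__(self):
        self.key = os.urandom(32)
        self.seq = {"up": 0, "down": 0}  # per-direction counter, so no keystream is reused
    def _pad(self, direction, seq, n):
        out = b""
        for block in range((n + 31) // 32):
            info = direction.encode() + seq.to_bytes(8, "big") + block.to_bytes(4, "big")
            out += hmac.new(self.key, info, hashlib.sha256).digest()
        return out[:n]
    def seal(self, direction, plaintext):
        seq = self.seq[direction]
        self.seq[direction] += 1
        pad = self._pad(direction, seq, len(plaintext))
        body = seq.to_bytes(8, "big") + bytes(a ^ b for a, b in zip(plaintext, pad))
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:16]
    def unseal(self, direction, packet):
        body, tag = packet[:-16], packet[-16:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()[:16]):
            raise ValueError("tunnel packet failed integrity check")
        seq, ct = int.from_bytes(body[:8], "big"), body[8:]
        return bytes(a ^ b for a, b in zip(ct, self._pad(direction, seq, len(ct))))


class TargetDatabase:
    """Constructed plaintext-protocol database, reachable only from the SSHServer host."""
    def handle(self, packet):
        return b"CONNECT_OK" if packet.startswith(b"CONNECT") else b"ROWS:" + packet.upper()


class SSHServerModule:
    """Embodiment two: authenticates the proxy, connects to the target, relays packets."""
    def __init__(self, ssh_accounts, allowed_targets):
        self.ssh_accounts = ssh_accounts      # SSH account -> password, checked in S202
        self.allowed_targets = allowed_targets  # address -> database; the forwarding restriction
        self.tunnel = self.target = None
    def tunnel_request(self, ssh_auth):  # S201-S202
        account, password = ssh_auth
        expected = self.ssh_accounts.get(account, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return "AUTH_FAILED", None
        self.tunnel = Tunnel()
        return "AUTH_SUCCESS", self.tunnel
    def set_target(self, address):  # S203: refuse addresses outside the configured list
        if address not in self.allowed_targets:
            return "TARGET_REFUSED"
        self.target = self.allowed_targets[address]
        return "TUNNEL_ESTABLISHED"
    def relay(self, packet):  # S204-S207: decrypt uplink, encrypt the database's reply
        plaintext = self.tunnel.unseal("up", packet)
        return self.tunnel.seal("down", self.target.handle(plaintext))
    def close(self):
        self.tunnel = self.target = None


class SSHProxyModule:
    """Embodiment one: runs on the user's client and itself holds the SSH account."""
    def __init__(self, server, ssh_auth):
        self.server, self.ssh_auth = server, ssh_auth
        self.tunnel, self.state = None, "IDLE"
    def on_redirect(self, ticket):  # S101-S103
        status, tunnel = self.server.tunnel_request(self.ssh_auth)
        if status == "AUTH_SUCCESS":
            self.tunnel = tunnel
            status = self.server.set_target(ticket["target"])
        self.state = "ESTABLISHED" if status == "TUNNEL_ESTABLISHED" else "FAILED"
        return status
    def forward(self, plaintext):  # S104-S107: encrypt uplink, decrypt downlink
        if self.state != "ESTABLISHED":
            raise RuntimeError("no SSH tunnel established")
        return self.tunnel.unseal("down", self.server.relay(self.tunnel.seal("up", plaintext)))
    def close(self):  # teardown once the terminal/database connection ends
        self.server.close()
        self.tunnel, self.state = None, "IDLE"


def redirect_module(connection_request):
    """Intercepts the terminal's database connection request and issues the redirection ticket."""
    return {"target": (connection_request["host"], connection_request["port"])}


def run_session(target=("10.0.0.5", 3306), ssh_auth=("sshproxy", "s3cret")):
    """Drives the whole exchange; addresses, credentials and packets are constructed samples."""
    server = SSHServerModule({"sshproxy": "s3cret"}, {("10.0.0.5", 3306): TargetDatabase()})
    proxy = SSHProxyModule(server, ssh_auth)
    setup = proxy.on_redirect(redirect_module({"host": target[0], "port": target[1]}))
    responses = []
    if setup == "TUNNEL_ESTABLISHED":
        responses = [proxy.forward(b"CONNECT user=app"), proxy.forward(b"select 1")]
        proxy.close()
    return {"setup": setup, "responses": responses}
```

run_session() returns TUNNEL_ESTABLISHED and the two plaintext replies the terminal would see; the same call with an address missing from allowed_targets returns TARGET_REFUSED, and with a wrong SSH password returns AUTH_FAILED before any target address is sent. Two points a practitioner should take from the model: the SSHProxy module on the client still holds the SSH account and password it presents in S102, so the design moves that secret from the user to the client-side module rather than removing it; and the allowed_targets table is the forwarding restriction Embodiment two recommends (for a real OpenSSH server the PermitOpen directive in sshd_config serves the same purpose).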
Embodiment three
Based on the automatic encryption method based on SSH tunnels disclosed in Embodiment one, and referring to Fig. 4, this embodiment correspondingly discloses an SSHProxy service module comprising:
a first receiving unit 301 for receiving a database redirection request and obtaining the target database address;
the first receiving unit 301 specifically starting a first listening port and listening for the database redirection request, and, when the database redirection request is received, obtaining the network redirection ticket and obtaining the target database address from the network redirection ticket;
a first sending unit 302 for sending an SSH tunnel establishment request carrying authentication information to the SSHServer service module;
a second sending unit 303 for sending the target database address to the SSHServer service module after the authentication success message fed back by the SSHServer service module is received;
a first encryption unit 304 for SSH-encrypting the database connection request packet sent by the user terminal when the SSH tunnel establishment success message fed back by the SSHServer service module is received, and sending the encrypted database connection request packet to the SSHServer service module;
a first decryption unit 305 for receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
a second encryption unit 306 for encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
a second decryption unit 307 for decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
When the connection between the user terminal and the target database is disconnected, the SSHProxy service module disconnects its connection with the SSHServer service module and its connection with the user terminal.
It should be noted that the SSHProxy service module exists in the form of a service, depends on the third-party library libssh, and is installed on the user's Windows client.
The SSHProxy service module disclosed in this embodiment can establish an SSH tunnel with the SSHServer service module. The two modules communicate through their own authentication mechanism, replacing the original mechanism in which the user enters an account and password; the user does not need to remember SSH service parameters, which reduces the user's workload, and the security threat caused by leakage of SSH account passwords is also avoided. Automatic encrypted transmission of data over an SSH tunnel between the user terminal and the target server is thereby achieved.
Embodiment four
Based on the automatic encryption method based on SSH tunnels disclosed in Embodiment two, and referring to Fig. 5, this embodiment correspondingly discloses an SSHServer service module comprising:
a second receiving unit 401 for receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module;
the second receiving unit 401 specifically starting a second listening port and listening for the SSH tunnel establishment request from the SSHProxy service module, and, when the SSH tunnel establishment request sent by the SSHProxy service module is received, obtaining the authentication information carried in the request;
an authentication unit 402 for authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
an establishing unit 403 for receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending an SSH tunnel establishment success message to the SSHProxy service module;
a third decryption unit 404 for receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
a third encryption unit 405 for receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
a fourth decryption unit 406 for decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
a fourth encryption unit 407 for encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
When the connection between the user terminal and the target database is disconnected, the SSHServer service module disconnects its connection with the SSHProxy service module and its connection with the target server.
It should be noted that the SSHServer service module exists in the form of a service and depends on the third-party library libssh. It can be installed on a Windows host or on a Linux host; the only requirement is that the host it is installed on can reach the target database in the core resource domain.
The SSHServer service module disclosed in this embodiment can establish an SSH tunnel with the SSHProxy service module. The two modules communicate through their own authentication mechanism, replacing the original mechanism in which the user enters an account and password; the user does not need to remember SSH service parameters, which reduces the user's workload, and the security threat caused by leakage of SSH account passwords is also avoided. Automatic encrypted transmission of data over an SSH tunnel between the user terminal and the target server is thereby achieved.
Embodiment five
Based on the above embodiments, and referring to Fig. 6, this embodiment discloses an automatic encryption system based on SSH tunnels, including:
a redirection module 501, the SSHProxy service module 502 disclosed in embodiment three, and the SSHServer service module disclosed in embodiment four;
The redirection module is configured to monitor database connection requests from the user terminal, obtain the target database address of the database connection request, send a redirection request to the SSHProxy service module, and send to the SSHProxy service module a redirection ticket carrying the target database address.
The automatic encryption system based on SSH tunnels disclosed in this embodiment can be applied to the following three scenarios:
Scenario one
The database server exposes only an SSH service. Referring to Fig. 7, the server hosting the target database exposes only an SSH service to the outside, and a database access user can reach the target database on that server only through the externally exposed SSH port acting as a proxy.
Scenario two
The database is on an intranet. Referring to Fig. 8, the database access user uses an SSH server as a jump host (springboard) to access the intranet database. The intranet where the database is located restricts direct connections from other servers, so the database access user can reach the intranet database only through the externally exposed intermediate SSH server acting as a proxy.
Scenario three
Accessing an intranet database across a firewall. The target database server is located inside the firewall. Referring to Fig. 9, the database access user can reach the database behind the firewall only through the SSH port that the firewall exposes externally, acting as a proxy.
The automatic encryption system based on SSH tunnels disclosed in this embodiment is applicable not only to encrypting plaintext protocol network sessions on the user terminal, but equally to plaintext protocol network sessions initiated from a virtualization platform, for example a plaintext protocol session initiated by Microsoft TS as a remote application, or a plaintext protocol network session initiated from a cloud desktop.
This embodiment discloses an automatic encryption system based on SSH tunnels that requires neither the user to install a dedicated SSH client manually nor the user to create an SSH tunnel manually. Using the network redirection function of the redirection module together with the man-in-the-middle proxy function of the SSHProxy service module and the SSHServer service module, this embodiment creates the SSH tunnel automatically. Communication between the SSHProxy service module and the SSHServer service module uses an authentication mechanism, which replaces the original mechanism of the user entering an account name and password; the user does not need to remember SSH service parameters, which reduces the user's workload, while also avoiding the security threat caused by leakage of SSH account passwords.
The foregoing description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. An automatic encryption method based on SSH tunnels, characterized in that it is applied to an SSHProxy service module, and the method includes:
receiving a redirection request for a database and obtaining a target database address;
sending to an SSHServer service module an SSH tunnel establishment request carrying authentication information;
after receiving an authentication success message fed back by the SSHServer service module, sending the target database address to the SSHServer service module;
when SSH tunnel establishment success information fed back by the SSHServer service module is received, SSH-encrypting the database connection request packet sent by the user terminal and sending the encrypted database connection request packet to the SSHServer service module;
receiving the connection response packet fed back by the SSHServer service module, decrypting the connection response packet, and sending the decrypted connection response packet to the user terminal;
encrypting the upstream data packets sent by the user terminal and sending the encrypted upstream data packets to the SSHServer service module;
decrypting the downstream data packets sent by the SSHServer service module and sending the decrypted downstream data packets to the user terminal.
2. The method according to claim 1, characterized in that receiving the redirection request for the database and obtaining the target database address includes:
starting a first listening port and listening for redirection requests for the database;
when a redirection request for the database is received, obtaining a network redirection ticket and obtaining the target database address according to the network redirection ticket.
3. The method according to claim 1, characterized in that the method further includes:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHServer service module and disconnecting the connection with the user terminal.
4. An automatic encryption method based on SSH tunnels, characterized in that it is applied to an SSHServer service module, and the method includes:
receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending SSH tunnel establishment success information to the SSHProxy service module;
receiving the database connection request packet sent by the SSHProxy service module, decrypting the database connection request packet, and sending the decrypted database connection request packet to the target database;
receiving the connection response packet fed back by the target database, encrypting the connection response packet, and sending the encrypted connection response packet to the SSHProxy service module;
decrypting the upstream data packets sent by the SSHProxy service module and sending the decrypted upstream data packets to the target database;
encrypting the downstream data packets sent by the target database and sending the encrypted downstream data packets to the SSHProxy service module.
5. The method according to claim 4, characterized in that receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module includes:
starting a second listening port and listening for SSH tunnel establishment requests from the SSHProxy service module;
when an SSH tunnel establishment request sent by the SSHProxy service module is received, obtaining the authentication information carried in the SSH tunnel establishment request.
6. The method according to claim 4, characterized in that the method further includes:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHProxy service module and disconnecting the connection with the target server.
7. An SSHProxy service module, characterized in that it includes:
a first receiving unit, configured to receive a redirection request for a database and obtain a target database address;
a first transmitting unit, configured to send to an SSHServer service module an SSH tunnel establishment request carrying authentication information;
a second transmitting unit, configured to send the target database address to the SSHServer service module after an authentication success message fed back by the SSHServer service module is received;
a first encryption unit, configured to, when SSH tunnel establishment success information fed back by the SSHServer service module is received, SSH-encrypt the database connection request packet sent by the user terminal and send the encrypted database connection request packet to the SSHServer service module;
a first decryption unit, configured to receive the connection response packet fed back by the SSHServer service module, decrypt the connection response packet, and send the decrypted connection response packet to the user terminal;
a second encryption unit, configured to encrypt the upstream data packets sent by the user terminal and send the encrypted upstream data packets to the SSHServer service module;
a second decryption unit, configured to decrypt the downstream data packets sent by the SSHServer service module and send the decrypted downstream data packets to the user terminal.
8. An SSHServer service module, characterized in that it includes:
a second receiving unit, configured to receive an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
an authentication unit, configured to authenticate the SSHProxy service module according to the authentication information and send an authentication success message to the SSHProxy service module;
an establishing unit, configured to receive the target database address sent by the SSHProxy service module, establish a connection with the target database according to the target database address, and send SSH tunnel establishment success information to the SSHProxy service module;
a third decryption unit, configured to receive the database connection request packet sent by the SSHProxy service module, decrypt the database connection request packet, and send the decrypted database connection request packet to the target database;
a third encryption unit, configured to receive the connection response packet fed back by the target database, encrypt the connection response packet, and send the encrypted connection response packet to the SSHProxy service module;
a fourth decryption unit, configured to decrypt the upstream data packets sent by the SSHProxy service module and send the decrypted upstream data packets to the target database;
a fourth encryption unit, configured to encrypt the downstream data packets sent by the target database and send the encrypted downstream data packets to the SSHProxy service module.
9. An automatic encryption system based on SSH tunnels, characterized in that it includes:
a redirection module, the SSHProxy service module according to claim 7, and the SSHServer service module according to claim 8;
the redirection module is configured to monitor database connection requests from the user terminal, obtain the target database address of the database connection request, send a redirection request to the SSHProxy service module, and send to the SSHProxy service module a redirection ticket carrying the target database address.
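As an added illustration that is not part of the patent, the following Python simulation walks through the message flow of claims 1 and 4 (and the units of embodiments four and five): the SSHProxy module presents authentication information derived from a shared module key instead of a user password, the SSHServer module verifies it, connects to the target database named in the redirect ticket, and both sides then encrypt and decrypt the upstream and downstream packets. The HMAC-based authentication, the SHA-256 keystream that stands in for the SSH transport, the database address and the module key are all assumptions made here; a real deployment uses the SSH connection itself (e.g. via libssh, as the description notes).

```python
import hashlib
import hmac
import os
MODULE_KEY = b"constructed-shared-module-key"  # assumed: pre-shared between the two modules

def keystream_xor(key, counter, data):
    """Toy stand-in for the SSH transport cipher (SHA-256 counter keystream XOR); illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + counter.to_bytes(8, "big") + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class SSHServerModule:
    # Claim 4 side: authenticates SSHProxy, connects to the target database, relays packets.
    def __init__(self, databases):
        self.databases, self.sessions = databases, {}  # constructed stand-in: address -> request handler

    def handle_tunnel_request(self, proxy_id, nonce, tag):
        # Authentication unit: the request carries an HMAC tag, not a user account and password.
        if not hmac.compare_digest(hmac.new(MODULE_KEY, proxy_id + nonce, hashlib.sha256).digest(), tag):
            return "AUTH_FAIL"
        self.sessions[proxy_id] = {"key": hashlib.sha256(MODULE_KEY + nonce).digest(), "db": None, "seq": 0}
        return "AUTH_OK"

    def handle_target_address(self, proxy_id, addr):
        # Establishing unit: connect to the database named in the redirect ticket.
        if addr not in self.databases:
            return "CONNECT_FAIL"
        self.sessions[proxy_id]["db"] = self.databases[addr]
        return "TUNNEL_OK"

    def handle_upstream(self, proxy_id, enc_packet):
        # Decryption unit (counter 2n) feeds the database; encryption unit (counter 2n+1) wraps the reply.
        s = self.sessions[proxy_id]
        reply = s["db"](keystream_xor(s["key"], 2 * s["seq"], enc_packet))
        enc_reply = keystream_xor(s["key"], 2 * s["seq"] + 1, reply)
        s["seq"] += 1
        return enc_reply

class SSHProxyModule:
    # Claim 1 side: on a redirect, builds the tunnel, then encrypts user traffic into it.
    def __init__(self, proxy_id, server):
        self.proxy_id, self.server, self.key, self.seq = proxy_id, server, None, 0

    def on_redirect(self, target_addr, auth_key=MODULE_KEY):
        # Tunnel request carries authentication info; auth_key != MODULE_KEY only simulates a bad peer.
        nonce = os.urandom(16)
        tag = hmac.new(auth_key, self.proxy_id + nonce, hashlib.sha256).digest()
        if self.server.handle_tunnel_request(self.proxy_id, nonce, tag) != "AUTH_OK":
            return "AUTH_FAIL"
        self.key = hashlib.sha256(MODULE_KEY + nonce).digest()
        return self.server.handle_target_address(self.proxy_id, target_addr)

    def forward(self, user_packet):
        # Second encryption unit on the way in, second decryption unit on the way back.
        enc = keystream_xor(self.key, 2 * self.seq, user_packet)
        reply = keystream_xor(self.key, 2 * self.seq + 1, self.server.handle_upstream(self.proxy_id, enc))
        self.seq += 1
        return reply

if __name__ == "__main__":
    srv = SSHServerModule({"10.0.0.5:3306": lambda q: b"ROWS for " + q})  # constructed target database
    proxy = SSHProxyModule(b"proxy-A", srv)
    print(proxy.on_redirect("10.0.0.5:3306"), proxy.forward(b"SELECT 1"))
```

A peer that cannot produce a valid tag never gets a session, and a tunnel to an address the SSHServer host cannot reach fails before any user packet is relayed.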
CN201711473537.XA 2017-12-29 2017-12-29 A kind of automatic encryption method, system and service module based on SSH tunnels Pending CN108243187A (en)

Publications (1)

Publication Number Publication Date
CN108243187A true CN108243187A (en) 2018-07-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20180703)