CN108243187A - A kind of automatic encryption method, system and service module based on SSH tunnels - Google Patents
- Publication number
- CN108243187A (application number CN201711473537.XA)
- Authority
- CN
- China
- Prior art keywords
- service modules
- sent
- sshproxy
- sshserver
- ssh
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- Common hierarchy of all four codes: H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security)
- H04L63/04 > H04L63/0428—providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/02 (separating internal from external traffic, e.g. firewalls) > H04L63/0281—Proxies
- H04L63/08—authentication of entities
- H04L63/16 (implementing security features at a particular protocol layer) > H04L63/168—above the transport layer
Abstract
This application discloses an automatic encryption method and system based on SSH tunnels. An SSHProxy service module receives a database redirection request and obtains the target database address; it sends an SSH tunnel establishment request carrying authentication information to an SSHServer service module; after receiving the authentication success message fed back by the SSHServer service module, it sends the target database address to the SSHServer service module; when it receives the SSH tunnel establishment success information fed back by the SSHServer service module, it SSH-encrypts the database connection request packet sent by the user terminal and sends the encrypted packet to the SSHServer service module; it receives the connection response packet fed back by the SSHServer service module, decrypts it and sends it to the user terminal. This achieves automatic SSH-encrypted transmission of plaintext protocols between the user terminal and the target database.
Description
Technical field
The present invention relates to the field of encryption technology, and in particular to an automatic encryption method, system and service module based on SSH tunnels.
Background technology
While the rapid development of network technology has improved the working efficiency of enterprises, it has also brought an increasingly serious problem: the security of network information transmission, which has become a hot spot and focus of current enterprise research.
SSH tunneling is a network data encryption technology that enterprises generally use today. An SSH tunnel, also called an SSH proxy or port forwarding, means that the network application client and the server do not communicate directly; instead the application client communicates with the server through an SSH client and an SSH server. The SSH tunnel takes the network data that is transmitted in plaintext between the SSH client and the SSH server, forwards it over the SSH link, and automatically provides the corresponding encryption and decryption, preventing the leakage of personal privacy or important business information.
Although existing SSH tunnel technology achieves encrypted transmission of plaintext protocols, it is inconvenient and insecure in use: the user must create the SSH tunnel manually with a dedicated SSH client, and must obtain the account and password of the SSH service. Whenever SSH tunnels are used, the account and password are therefore exposed to and known by more people, which easily leads to their leakage and endangers system security.
Invention content
In view of this, the present invention provides an automatic encryption method and system based on SSH tunnels. By using the network redirection function of a redirection module together with the man-in-the-middle proxy function of an SSHProxy service module and an SSHServer service module, it helps the user achieve automatic, transparent SSH-encrypted transmission of plaintext protocols.
To achieve the above object, the specific technical solutions provided by the invention are as follows:
An automatic encryption method based on SSH tunnels, applied to an SSHProxy service module, the method including:
receiving a database redirection request and obtaining the target database address;
sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
after receiving the authentication success message fed back by the SSHServer service module, sending the target database address to the SSHServer service module;
when the SSH tunnel establishment success information fed back by the SSHServer service module is received, SSH-encrypting the database connection request packet sent by the user terminal and sending the encrypted database connection request packet to the SSHServer service module;
receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
Preferably, receiving the database redirection request and obtaining the target database address includes:
starting a first listening port and listening for database redirection requests;
when a database redirection request is received, obtaining a network redirection ticket and obtaining the target database address from the network redirection ticket.
Preferably, the method further includes:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHServer service module and disconnecting the connection with the user terminal.
An automatic encryption method based on SSH tunnels, applied to an SSHServer service module, the method including:
receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to that address, and sending SSH tunnel establishment success information to the SSHProxy service module;
receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
Preferably, receiving the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module includes:
starting a second listening port and listening for SSH tunnel establishment requests from SSHProxy service modules;
when an SSH tunnel establishment request sent by the SSHProxy service module is received, obtaining the authentication information carried by that request.
Preferably, the method further includes:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHProxy service module and disconnecting the connection with the target server.
An SSHProxy service module, including:
a first receiving unit for receiving a database redirection request and obtaining the target database address;
a first transmitting unit for sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
a second transmitting unit for sending the target database address to the SSHServer service module after the authentication success message fed back by the SSHServer service module is received;
a first encryption unit for SSH-encrypting the database connection request packet sent by the user terminal when the SSH tunnel establishment success information fed back by the SSHServer service module is received, and sending the encrypted database connection request packet to the SSHServer service module;
a first decryption unit for receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
a second encryption unit for encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
a second decryption unit for decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
An SSHServer service module, including:
a second receiving unit for receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
an authentication unit for authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
an establishing unit for receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to that address, and sending SSH tunnel establishment success information to the SSHProxy service module;
a third decryption unit for receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
a third encryption unit for receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
a fourth decryption unit for decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
a fourth encryption unit for encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
An automatic encryption system based on SSH tunnels, including:
a redirection module, the SSHProxy service module according to claim 7 and the SSHServer service module according to claim 8;
the redirection module is used to monitor the database connection requests of the user terminal, obtain the target database address of each database connection request, send a redirection request to the SSHProxy service module, and send to the SSHProxy service module a redirection ticket carrying the target database address.
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention discloses an automatic encryption method and system based on SSH tunnels that requires neither a manually installed dedicated SSH client nor a manually created SSH tunnel. By using the network redirection function of the redirection module and the man-in-the-middle proxy function of the SSHProxy service module and the SSHServer service module, the SSH tunnel is created automatically; the SSHProxy service module and the SSHServer service module communicate through an authentication mechanism, replacing the original mechanism in which the user enters an account and password. The user no longer needs to remember SSH service parameters, which reduces the user's workload and at the same time avoids the security threat caused by leakage of SSH accounts and passwords.
Description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a logical architecture diagram of an automatic encryption method based on SSH tunnels disclosed by an embodiment of the invention;
Fig. 2 is a flow chart of an automatic encryption method based on SSH tunnels disclosed by an embodiment of the invention;
Fig. 3 is a flow chart of another automatic encryption method based on SSH tunnels disclosed by an embodiment of the invention;
Fig. 4 is a structural diagram of an SSHProxy service module disclosed by an embodiment of the invention;
Fig. 5 is a structural diagram of an SSHProxy service module disclosed by an embodiment of the invention;
Fig. 6 is a structural diagram of an automatic encryption system based on SSH tunnels disclosed by an embodiment of the invention;
Fig. 7 is a schematic diagram of an application scenario of an automatic encryption system based on SSH tunnels disclosed by an embodiment of the invention;
Fig. 8 is a schematic diagram of another application scenario of an automatic encryption system based on SSH tunnels disclosed by an embodiment of the invention;
Fig. 9 is a schematic diagram of yet another application scenario of an automatic encryption system based on SSH tunnels disclosed by an embodiment of the invention.
Specific embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative work fall within the protection scope of the invention.
The invention provides an automatic encryption method based on SSH tunnels that, by using the network redirection function of a redirection module and the man-in-the-middle proxy function of an SSHProxy service module and an SSHServer service module, helps the user achieve automatic, transparent SSH-encrypted transmission of plaintext protocols. Referring to Fig. 1, the logical architecture diagram of the automatic encryption method based on SSH tunnels provided by the invention: the redirection module monitors the database connection requests of the user terminal and redirects them to the SSHProxy service module; an SSH tunnel is established automatically between the SSHProxy service module and the SSHServer service module; the SSHProxy service module forwards the user terminal's encrypted data to the SSHServer service module through the SSH tunnel, and after decryption by the SSHServer service module the data is forwarded to the target database.
The technical solution provided by the invention is elaborated below from two perspectives: with the SSHProxy service module as the executing entity, and with the SSHServer service module as the executing entity.
Embodiment one
Referring to Fig. 2, this embodiment discloses an automatic encryption method based on SSH tunnels, applied to an SSHProxy service module installed on the user's Windows client. The method includes:
S101: receiving a database redirection request and obtaining the target database address;
After the user terminal initiates a database connection request, that request must be redirected to the SSHProxy service module and sent to the target database through the SSH tunnel between the SSHProxy service module and the SSHServer service module.
Specifically, a first listening port is started to listen for database redirection requests; when a database redirection request is received, a network redirection ticket is obtained and the target database address is obtained from the network redirection ticket.
The target database is the database the user terminal needs to connect to.
S102: sending an SSH tunnel establishment request carrying authentication information to the SSHServer service module;
S103: after receiving the authentication success message fed back by the SSHServer service module, sending the target database address to the SSHServer service module. It should be noted that the authentication mechanism in this embodiment is as follows: the SSHProxy service module sends the SSHServer service module authentication information carrying an SSH account and password, and the SSHServer service module judges whether the SSH account and password are correct; if they are, authentication succeeds.
S104: when the SSH tunnel establishment success information fed back by the SSHServer service module is received, SSH-encrypting the database connection request packet sent by the user terminal and sending the encrypted database connection request packet to the SSHServer service module;
S105: receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
S106: encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
S107: decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
After the SSHProxy service module sends the connection response packet to the user terminal, the connection between the user terminal and the target database is established and the user terminal can access the database normally over the SSH tunnel. The SSHProxy service module then only needs to encrypt the uplink data received from the user terminal and forward it to the SSHServer service module, and to decrypt the downlink data returned by the target database and forward it to the user terminal.
It should be noted that when the connection between the user terminal and the target database is disconnected, the connection with the SSHServer service module is disconnected and the connection with the user terminal is disconnected.
The automatic encryption method based on SSH tunnels disclosed in this embodiment does not require the user to create the SSH tunnel manually. By using the network redirection function of the redirection module and the man-in-the-middle proxy function of the SSHProxy service module and the SSHServer service module, the SSH tunnel is created automatically; the SSHProxy service module and the SSHServer service module communicate through an authentication mechanism, replacing the original mechanism in which the user enters an account and password. The user does not need to remember SSH service parameters, which reduces the user's workload and at the same time avoids the security threat caused by leakage of SSH accounts and passwords.
Embodiment two
Referring to Fig. 3, this embodiment discloses another automatic encryption method based on SSH tunnels, applied to an SSHServer service module. The method includes:
S201: receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
Specifically, a second listening port is started to listen for SSH tunnel establishment requests from SSHProxy service modules; when an SSH tunnel establishment request sent by the SSHProxy service module is received, the authentication information carried by that request is obtained.
S202: authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
S203: receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to that address, and sending SSH tunnel establishment success information to the SSHProxy service module;
It should be noted that the SSHServer service module also needs to receive the account and password of the target database sent by the SSHProxy service module before it can establish a connection with the target database.
S204: receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
S205: receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
S206: decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
S207: encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
It should be noted that when the connection between the user terminal and the target database is disconnected, the connection with the SSHProxy service module is disconnected and the connection with the target server is disconnected.
It should also be noted that the forwarding target of the SSHServer service module can be restricted, that is, the database addresses the SSHServer service module is allowed to connect to can be configured. This prevents users from arbitrarily using the tunnel to reach other hosts and improves data security.
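The forwarding-target restriction just described can be expressed as an allowlist that the SSHServer module consults before it dials the target. The following is an added example, not code from the patent: the rule syntax, the ForwardPolicy class, the evaluate helper and the sample addresses are assumptions, and the refusal of loopback and link-local targets is an extra safeguard the patent text does not mention.

```python
"""Forwarding-target restriction for the SSHServer module.

Added example, not the patent's code: the patent only says the database
addresses the SSHServer module may connect to can be limited. The rule
syntax, class and function names and sample addresses are assumptions.
"""
import ipaddress


class ForwardPolicy:
    """Allowlist of (network, port) rules; a target is refused unless a rule matches."""

    def __init__(self, rules):
        # Assumed rule syntax: "<ip-or-cidr>:<port>" or "<ip-or-cidr>:*".
        self.rules = []
        for rule in rules:
            net, _, port = rule.rpartition(":")
            self.rules.append((ipaddress.ip_network(net, strict=False),
                               None if port == "*" else int(port)))

    def permits(self, target: str) -> bool:
        """Return True only if `target` ("host:port") matches an allow rule."""
        host, _, port = target.rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))   # accepts "[v6]:port" too
            port_num = int(port)
        except ValueError:
            # Hostnames are refused here: resolve on the server side first and
            # check the resulting IP, so the policy cannot be bypassed via DNS.
            return False
        if addr.is_loopback or addr.is_link_local:
            # Assumed hardening beyond the patent text: never let the tunnel
            # reach services on the SSHServer host itself.
            return False
        return any(addr in net and (p is None or p == port_num)
                   for net, p in self.rules)


def evaluate(policy: ForwardPolicy, targets):
    """Map each requested target to the decision the SSHServer would make."""
    return {t: policy.permits(t) for t in targets}


# Constructed sample policy: one MySQL-only subnet, one host on any port.
SAMPLE_POLICY = ForwardPolicy(["10.10.0.0/16:3306", "192.168.5.7:*"])
SAMPLE_TARGETS = ["10.10.3.4:3306", "10.10.3.4:5432", "192.168.5.7:1521",
                  "8.8.8.8:3306", "127.0.0.1:3306", "db.example:3306"]

if __name__ == "__main__":
    for target, ok in evaluate(SAMPLE_POLICY, SAMPLE_TARGETS).items():
        print(f"{target:20} {'TUNNEL_OK' if ok else 'TUNNEL_FAIL'}")
```

The check belongs in the step that handles the target database address (S203 above), so a refused address is answered with a tunnel-establishment failure rather than an outbound connection attempt.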
The automatic encryption method based on SSH tunnels disclosed in this embodiment receives the SSH tunnel establishment request carrying authentication information sent by the SSHProxy service module, authenticates the SSHProxy service module according to that authentication information, and after authentication succeeds establishes a connection with the target database according to the target database address sent by the SSHProxy service module, achieving automatic encrypted transmission of data between the user terminal and the target server over the SSH tunnel.
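The exchange in Embodiments one and two (the same steps listed in the Invention content above) can be walked through end to end in code. The following is an added example, not the patent's or any libssh-based implementation: the SSH transport is replaced by a labelled keystream stand-in so that the S101-S107 and S201-S207 message sequence, the credential check, the forwarding-target check and the teardown run offline. The class, method and message names, the ticket format, the SSH account and the addresses are all constructed assumptions.

```python
"""Simulated SSHProxy / SSHServer exchange (added example, not the patent's code).
The real modules rely on libssh; here the SSH transport is a labelled stand-in
(SHA-256 counter keystream XOR) so steps S101-S107 / S201-S207 run offline.
Class, method and message names, the ticket format and all addresses are assumptions."""
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """STAND-IN for SSH transport encryption (symmetric: the same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class TargetDatabase:
    """Constructed plaintext-protocol database that records what it receives."""
    def __init__(self, address: str):
        self.address, self.received = address, []

    def handle(self, packet: bytes) -> bytes:
        self.received.append(packet)
        return b"CONNECT_OK" if packet.startswith(b"CONNECT") else b"ROW:" + packet


class SSHServerModule:
    """S201-S202 authenticate the proxy, S203 connect to the target, S204-S207 relay."""
    def __init__(self, credentials: dict, databases: dict):
        self.credentials, self.databases = credentials, databases   # constructed
        self.session_key, self.target, self.wire_in = None, None, []

    def tunnel_request(self, account: str, password: str) -> str:
        expected = self.credentials.get(account)
        # constant-time comparison: no timing leak of how much of the password matched
        if expected is None or not hmac.compare_digest(expected, password):
            return "AUTH_FAIL"
        # stand-in key derivation; real SSH derives session keys from its key exchange
        self.session_key = hashlib.sha256(f"{account}:{password}".encode()).digest()
        return "AUTH_OK"

    def set_target(self, address: str) -> str:
        if self.session_key is None or address not in self.databases:
            return "TUNNEL_FAIL"     # not authenticated, or target not a permitted forward
        self.target = self.databases[address]
        return "TUNNEL_OK"

    def forward(self, ciphertext: bytes) -> bytes:
        self.wire_in.append(ciphertext)                               # bytes seen on the wire
        reply = self.target.handle(keystream_xor(self.session_key, ciphertext))  # S204/S206
        return keystream_xor(self.session_key, reply)                 # S205/S207

    def close(self):
        self.session_key, self.target = None, None                    # teardown of the tunnel


class SSHProxyModule:
    """S101 resolve the redirection ticket, S102-S103 open the tunnel, S104-S107 relay."""
    def __init__(self, server: SSHServerModule, account: str, password: str):
        self.server, self.account, self.password = server, account, password
        self.session_key = None

    def connect(self, ticket: dict) -> bytes:
        target = ticket["target_db"]                                  # S101
        if self.server.tunnel_request(self.account, self.password) != "AUTH_OK":  # S102
            raise PermissionError("SSHServer rejected the proxy's SSH credentials")
        self.session_key = hashlib.sha256(f"{self.account}:{self.password}".encode()).digest()
        if self.server.set_target(target) != "TUNNEL_OK":             # S103
            raise ConnectionError(f"SSHServer will not forward to {target}")
        return self.relay(b"CONNECT " + target.encode())              # S104-S105

    def relay(self, plaintext: bytes) -> bytes:
        """S106/S107: encrypt the uplink packet, decrypt the downlink reply."""
        wire = self.server.forward(keystream_xor(self.session_key, plaintext))
        return keystream_xor(self.session_key, wire)


def _refused(server, password, target, exc) -> bool:
    try:
        SSHProxyModule(server, "sshproxy", password).connect({"target_db": target})
        return False
    except exc:
        return True


def run_demo() -> dict:
    """Constructed run: one good session, then the two refusal paths."""
    db = TargetDatabase("10.0.0.5:3306")
    server = SSHServerModule({"sshproxy": "example-secret"}, {db.address: db})
    proxy = SSHProxyModule(server, "sshproxy", "example-secret")
    connect_reply = proxy.connect({"target_db": db.address})           # constructed ticket
    row = proxy.relay(b"SELECT 1")
    plaintext_on_wire = any(b"SELECT 1" in c for c in server.wire_in)
    server.close()                                                    # user session ended
    return {"connect": connect_reply, "row": row, "db_saw": db.received,
            "plaintext_on_wire": plaintext_on_wire,
            "auth_refused": _refused(server, "wrong", db.address, PermissionError),
            "target_refused": _refused(server, "example-secret", "10.0.0.9:3306", ConnectionError)}
```

run_demo goes through one successful session and then the two refusal paths (wrong SSH password, target not permitted). The wire_in list on the server side holds what actually crosses the tunnel; checking it for the query text is the simplest way to confirm the relay never forwards plaintext.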
Embodiment three
Based on the automatic encryption method based on SSH tunnels disclosed in embodiment one above, and referring to Fig. 4, this embodiment correspondingly discloses an SSHProxy service module, including:
a first receiving unit 301 for receiving a database redirection request and obtaining the target database address;
the first receiving unit 301 is specifically used to start a first listening port and listen for database redirection requests, and, when a database redirection request is received, to obtain a network redirection ticket and obtain the target database address from the network redirection ticket;
a first transmitting unit 302 for sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
a second transmitting unit 303 for sending the target database address to the SSHServer service module after the authentication success message fed back by the SSHServer service module is received;
a first encryption unit 304 for SSH-encrypting the database connection request packet sent by the user terminal when the SSH tunnel establishment success information fed back by the SSHServer service module is received, and sending the encrypted database connection request packet to the SSHServer service module;
a first decryption unit 305 for receiving the connection response packet fed back by the SSHServer service module, decrypting it and sending the decrypted connection response packet to the user terminal;
a second encryption unit 306 for encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
a second decryption unit 307 for decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
When the connection between the user terminal and the target database is disconnected, the SSHProxy service module disconnects the connection with the SSHServer service module and disconnects the connection with the user terminal.
It should be noted that the SSHProxy service module exists as a service, depends on the third-party library libssh, and is installed on the user's Windows client.
The SSHProxy service module disclosed in this embodiment can establish an SSH tunnel with the SSHServer service module; the SSHProxy service module and the SSHServer service module communicate through an authentication mechanism, replacing the original mechanism in which the user enters an account and password. The user does not need to remember SSH service parameters, which reduces the user's workload and at the same time avoids the security threat caused by leakage of SSH accounts and passwords. Automatic encrypted transmission of data between the user terminal and the target server over the SSH tunnel is achieved.
Embodiment four
Based on the automatic encryption method based on SSH tunnels disclosed in embodiment two above, and referring to Fig. 5, this embodiment correspondingly discloses an SSHServer service module, including:
a second receiving unit 401 for receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
the second receiving unit 401 is specifically used to start a second listening port and listen for SSH tunnel establishment requests from SSHProxy service modules, and, when an SSH tunnel establishment request sent by the SSHProxy service module is received, to obtain the authentication information carried by that request;
an authentication unit 402 for authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
an establishing unit 403 for receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to that address, and sending SSH tunnel establishment success information to the SSHProxy service module;
a third decryption unit 404 for receiving the database connection request packet sent by the SSHProxy service module, decrypting it and sending the decrypted database connection request packet to the target database;
a third encryption unit 405 for receiving the connection response packet fed back by the target database, encrypting it and sending the encrypted connection response packet to the SSHProxy service module;
a fourth decryption unit 406 for decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
a fourth encryption unit 407 for encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
When the connection between the user terminal and the target database is disconnected, the SSHServer service module disconnects the connection with the SSHProxy service module and disconnects the connection with the target server.
It should be noted that the SSHServer service module exists as a service, depends on the third-party library libssh, and can be installed on a Windows host or on a Linux host; the only requirement is that the host it is installed on can reach the target database in the core resource domain.
The SSHServer service module disclosed in this embodiment can establish an SSH tunnel with the SSHProxy service module; the SSHProxy service module and the SSHServer service module communicate through an authentication mechanism, replacing the original mechanism in which the user enters an account and password. The user does not need to remember SSH service parameters, which reduces the user's workload and at the same time avoids the security threat caused by leakage of SSH accounts and passwords. Automatic encrypted transmission of data between the user terminal and the target server over the SSH tunnel is achieved.
Embodiment five
Based on the above embodiments, and referring to Fig. 6, this embodiment discloses an automatic encryption system based on SSH tunnels, including:
a redirection module 501, the SSHProxy service module 502 disclosed in embodiment three, and the SSHServer service module disclosed in embodiment four;
the redirection module monitors the database connection requests of the user terminal, obtains the target database address of the database connection request, sends a redirection request to the SSHProxy service module, and sends the SSHProxy service module a redirection ticket carrying the target database address.
The automatic encryption system based on SSH tunnels disclosed in this embodiment can be applied to the following three scenarios:
Scenario one
The database server exposes only an SSH service. Referring to Fig. 7, the server hosting the target database opens only the SSH service externally, and database users can reach the target database on that server only through the externally exposed SSH port proxy.
Scenario two
The database is on an intranet. Referring to Fig. 8, database users access the intranet database using an SSH server as a jump host; the intranet hosting the database restricts direct connections from other servers, and database users can reach the intranet database only through the externally exposed intermediate SSH server proxy.
Scenario three
Accessing an intranet database across a firewall. The target database server is located inside the firewall. Referring to Fig. 9, database users can reach the database inside the firewall only through the SSH port proxy that the firewall exposes externally.
The automatic encryption system based on SSH tunnels disclosed in this embodiment applies not only to encrypting plaintext-protocol network sessions on the user terminal, but equally to plaintext-protocol network sessions initiated from a virtualization platform, for example plaintext-protocol sessions initiated by Microsoft TS in remote-application mode and plaintext-protocol network sessions initiated from a cloud desktop.
This embodiment discloses an automatic encryption system based on SSH tunnels that does not require the user to manually install a dedicated SSH client or to manually create an SSH tunnel. Instead, the SSH tunnel is created automatically through the network redirection function of the redirection module and the man-in-the-middle proxy functions of the SSHProxy service module and the SSHServer service module. The SSHProxy service module and the SSHServer service module communicate through an authentication mechanism, departing from the original mechanism in which the user enters an account name and password; the user does not need to remember SSH service parameters, which reduces the user's workload while also avoiding the security threat caused by leaked SSH account names and passwords.
The foregoing description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (9)
1. An automatic encryption method based on SSH tunnels, characterized in that it is applied to an SSHProxy service module and comprises:
receiving a database redirection request and obtaining a target database address;
sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
after receiving an authentication success message fed back by the SSHServer service module, sending the target database address to the SSHServer service module;
when an SSH tunnel establishment success message fed back by the SSHServer service module is received, SSH-encrypting the database connection request packet sent by the user terminal and sending the encrypted database connection request packet to the SSHServer service module;
receiving the connection response packet fed back by the SSHServer service module, decrypting the connection response packet, and sending it to the user terminal;
encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
2. The method according to claim 1, characterized in that receiving a database redirection request and obtaining a target database address comprises:
starting a first listening port and listening for database redirection requests;
when a database redirection request is received, obtaining a network redirection ticket and obtaining the target database address from the network redirection ticket.
3. The method according to claim 1, characterized in that the method further comprises:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHServer service module and disconnecting the connection with the user terminal.
4. An automatic encryption method based on SSH tunnels, characterized in that it is applied to an SSHServer service module and comprises:
receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending an SSH tunnel establishment success message to the SSHProxy service module;
receiving the database connection request packet sent by the SSHProxy service module, decrypting the database connection request packet, and sending the decrypted database connection request packet to the target database;
receiving the connection response packet fed back by the target database, encrypting the connection response packet, and sending the encrypted connection response packet to the SSHProxy service module;
decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
5. The method according to claim 4, characterized in that receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module comprises:
starting a second listening port and listening for SSH tunnel establishment requests from the SSHProxy service module;
when an SSH tunnel establishment request sent by the SSHProxy service module is received, obtaining the authentication information carried in the SSH tunnel establishment request.
6. The method according to claim 4, characterized in that the method further comprises:
when the connection between the user terminal and the target database is disconnected, disconnecting the connection with the SSHProxy service module and disconnecting the connection with the target server.
7. An SSHProxy service module, characterized in that it comprises:
a first receiving unit, for receiving a database redirection request and obtaining a target database address;
a first sending unit, for sending an SSH tunnel establishment request carrying authentication information to an SSHServer service module;
a second sending unit, for sending the target database address to the SSHServer service module after receiving the authentication success message fed back by the SSHServer service module;
a first encryption unit, for SSH-encrypting the database connection request packet sent by the user terminal when the SSH tunnel establishment success message fed back by the SSHServer service module is received, and sending the encrypted database connection request packet to the SSHServer service module;
a first decryption unit, for receiving the connection response packet fed back by the SSHServer service module, decrypting it, and sending the connection response packet to the user terminal;
a second encryption unit, for encrypting the uplink data packets sent by the user terminal and sending the encrypted uplink data packets to the SSHServer service module;
a second decryption unit, for decrypting the downlink data packets sent by the SSHServer service module and sending the decrypted downlink data packets to the user terminal.
8. An SSHServer service module, characterized in that it comprises:
a second receiving unit, for receiving an SSH tunnel establishment request carrying authentication information sent by an SSHProxy service module;
an authentication unit, for authenticating the SSHProxy service module according to the authentication information and sending an authentication success message to the SSHProxy service module;
an establishing unit, for receiving the target database address sent by the SSHProxy service module, establishing a connection with the target database according to the target database address, and sending an SSH tunnel establishment success message to the SSHProxy service module;
a third decryption unit, for receiving the database connection request packet sent by the SSHProxy service module, decrypting it, and sending the decrypted database connection request packet to the target database;
a third encryption unit, for receiving the connection response packet fed back by the target database, encrypting it, and sending the encrypted connection response packet to the SSHProxy service module;
a fourth decryption unit, for decrypting the uplink data packets sent by the SSHProxy service module and sending the decrypted uplink data packets to the target database;
a fourth encryption unit, for encrypting the downlink data packets sent by the target database and sending the encrypted downlink data packets to the SSHProxy service module.
9. An automatic encryption system based on SSH tunnels, characterized in that it comprises:
a redirection module, the SSHProxy service module according to claim 7, and the SSHServer service module according to claim 8;
the redirection module monitors the database connection requests of the user terminal, obtains the target database address of the database connection request, sends a redirection request to the SSHProxy service module, and sends the SSHProxy service module a redirection ticket carrying the target database address.
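As an added example (not code from the patent or from any implementation of it), the following stdlib-only Python simulation walks through the SSHProxy/SSHServer exchange of claims 1 and 4, starting from the redirection ticket of claim 9, with both sides' messages: tunnel establishment request carrying authentication information, authentication success, target database address, tunnel establishment success, then an encrypted database request and its encrypted response. The message names, the HMAC-based authentication using a secret shared between the two modules, the sample database table and the toy SHA-256-keystream cipher are all assumptions made for illustration; the patent does not specify these mechanisms, and the toy cipher is not SSH's transport encryption.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the target database: address -> handler that takes a
# plaintext request and returns a plaintext response (assumed, not the patent's).
SAMPLE_DATABASES = {
    "10.0.0.5:3306": lambda req: b"OK:" + req.upper(),
}


def derive_tunnel_key(secret: bytes, nonce: bytes) -> bytes:
    """Both modules derive the same per-tunnel key from the shared secret and nonce."""
    return hmac.new(secret, b"tunnel-key|" + nonce, hashlib.sha256).digest()


def auth_tag(secret: bytes, nonce: bytes) -> bytes:
    """Authentication information carried in the tunnel establishment request
    (assumed HMAC scheme; the patent does not specify the mechanism)."""
    return hmac.new(secret, b"tunnel-build|" + nonce, hashlib.sha256).digest()


def channel_xor(key: bytes, direction: bytes, seq: int, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 counter keystream XORed with the data.
    Direction label and sequence number keep keystreams distinct per packet.
    Illustrative stand-in only; a real SSH tunnel uses its negotiated cipher."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            key + direction + seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SSHServerModule:
    """SSHServer side (claim 4): authenticate the proxy, connect to the target, relay."""

    def __init__(self, secret: bytes, databases: dict):
        self.secret = secret
        self.databases = databases
        self.key = None
        self.target = None

    def on_tunnel_build(self, msg: dict) -> dict:
        # Constant-time comparison of the authentication information.
        if not hmac.compare_digest(auth_tag(self.secret, msg["nonce"]), msg["auth"]):
            return {"type": "AUTH_FAIL"}
        self.key = derive_tunnel_key(self.secret, msg["nonce"])
        return {"type": "AUTH_OK"}

    def on_target(self, msg: dict) -> dict:
        # Only an authenticated proxy may name a target, and only a known one.
        if self.key is None or msg["addr"] not in self.databases:
            return {"type": "TUNNEL_FAIL"}
        self.target = msg["addr"]
        return {"type": "TUNNEL_OK"}

    def on_data(self, msg: dict) -> dict:
        # Decrypt the uplink packet, hand plaintext to the database, encrypt its reply.
        request = channel_xor(self.key, b"up", msg["seq"], msg["data"])
        response = self.databases[self.target](request)
        return {"type": "DATA", "seq": msg["seq"],
                "data": channel_xor(self.key, b"down", msg["seq"], response)}


class SSHProxyModule:
    """SSHProxy side (claim 1): takes the redirection ticket and drives the tunnel."""

    def __init__(self, secret: bytes, server: SSHServerModule):
        self.secret = secret
        self.server = server
        self.transcript = []  # (sender, message type) in the order exchanged
        self.wire = []        # ciphertext bytes that crossed the proxy -> server hop
        self.seq = 0

    def _send(self, msg: dict, handler) -> dict:
        self.transcript.append(("proxy", msg["type"]))
        reply = handler(msg)
        self.transcript.append(("server", reply["type"]))
        return reply

    def handle_redirect(self, ticket: dict, client_packet: bytes):
        """Returns the plaintext response for the user terminal, or None on failure."""
        nonce = secrets.token_bytes(16)
        reply = self._send({"type": "TUNNEL_BUILD", "nonce": nonce,
                            "auth": auth_tag(self.secret, nonce)}, self.server.on_tunnel_build)
        if reply["type"] != "AUTH_OK":
            return None
        key = derive_tunnel_key(self.secret, nonce)
        reply = self._send({"type": "TARGET", "addr": ticket["target"]}, self.server.on_target)
        if reply["type"] != "TUNNEL_OK":
            return None
        self.seq += 1
        ciphertext = channel_xor(key, b"up", self.seq, client_packet)
        self.wire.append(ciphertext)
        reply = self._send({"type": "DATA", "seq": self.seq, "data": ciphertext}, self.server.on_data)
        return channel_xor(key, b"down", reply["seq"], reply["data"])


def run_session(proxy_secret: bytes, server_secret: bytes, target: str, request: bytes):
    """Driver: returns (message types in order, plaintext response, ciphertexts on the wire)."""
    server = SSHServerModule(server_secret, SAMPLE_DATABASES)
    proxy = SSHProxyModule(proxy_secret, server)
    response = proxy.handle_redirect({"target": target}, request)
    return [t for _, t in proxy.transcript], response, proxy.wire
```

The failure paths matter as much as the happy path: a proxy holding the wrong shared secret receives AUTH_FAIL and never gets to name a target, and an authenticated proxy that names an address outside the server's allowed table receives TUNNEL_FAIL, which is the control point that keeps the SSHServer host from becoming an open relay into the core resource domain. The transcript list makes the message ordering the claims describe directly checkable, and `wire` lets a reader confirm that what crosses the proxy-to-server hop is not the user terminal's plaintext.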
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711473537.XA CN108243187A (en) | 2017-12-29 | 2017-12-29 | A kind of automatic encryption method, system and service module based on SSH tunnels |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711473537.XA CN108243187A (en) | 2017-12-29 | 2017-12-29 | A kind of automatic encryption method, system and service module based on SSH tunnels |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108243187A true CN108243187A (en) | 2018-07-03 |
Family
ID=62701223
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711473537.XA Pending CN108243187A (en) | 2017-12-29 | 2017-12-29 | A kind of automatic encryption method, system and service module based on SSH tunnels |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108243187A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1968264A (en) * | 2006-10-18 | 2007-05-23 | 华为技术有限公司 | Communication encryption method and system |
CN201194396Y (en) * | 2008-05-08 | 2009-02-11 | 天津市国瑞数码安全系统有限公司 | Safe gateway platform based on transparent proxy gateway |
CN104243419A (en) * | 2013-06-18 | 2014-12-24 | 腾讯科技(深圳)有限公司 | Data processing method, device and system based on secure shell protocol |
CN104270334A (en) * | 2014-06-13 | 2015-01-07 | 国家电网公司 | SSH (Secure Shell) network security access protocol monitoring method |
CN105162764A (en) * | 2015-07-30 | 2015-12-16 | 北京石盾科技有限公司 | Dual authentication method, system and device for SSH safe login |
US20160226874A1 (en) * | 2015-02-04 | 2016-08-04 | Red Hat, Inc. | Secure Shell (SSH) Proxy for a Platform-as-a-Service System |
- 2017-12-29 CN CN201711473537.XA patent/CN108243187A/en active Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112926050A (en) * | 2021-02-05 | 2021-06-08 | 北京亿赛通网络安全技术有限公司 | Method for acquiring SSH encrypted content based on HOOK technology and application thereof |
CN112926050B (en) * | 2021-02-05 | 2024-02-09 | 北京亿赛通网络安全技术有限公司 | Method for obtaining SSH encrypted content based on HOOK technology and application thereof |
CN113806447A (en) * | 2021-09-24 | 2021-12-17 | 深信服科技股份有限公司 | Data synchronization method, device, equipment and medium |
CN114189370A (en) * | 2021-11-30 | 2022-03-15 | 新华三云计算技术有限公司 | Access method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3286893B1 (en) | Secure transmission of a session identifier during service authentication | |
US20050277434A1 (en) | Access controller | |
CN103067158B (en) | Encrypting and decrypting method, encrypting and decrypting device and key management system | |
KR101289530B1 (en) | Method and apparatus for bearer and server independent parental control on smartphone, managed by the smartphone | |
CN105307108A (en) | Internet of things information interactive communication method and system | |
JP2014161027A (en) | Encryption method for secure packet transmission | |
US9344417B2 (en) | Authentication method and system | |
US10164958B2 (en) | Open access network secure authentication systems and methods | |
KR101992976B1 (en) | A remote access system using the SSH protocol and managing SSH authentication key securely | |
JP2018533864A (en) | Remote control method, device and portable terminal | |
CN108243187A (en) | A kind of automatic encryption method, system and service module based on SSH tunnels | |
WO2014176964A1 (en) | Communication managing method and communication system | |
CN102223634A (en) | Method and device for controlling mode of accessing user terminal into Internet | |
CN104902470B (en) | A kind of connection control method and system of the hotspot based on dynamic key | |
CN102348210A (en) | Method and mobile security equipment for security mobile officing | |
CN107295507A (en) | A kind of private network cut-in method, apparatus and system | |
CN101674578B (en) | Method and system for safely accessing femtocell into network | |
CN106789845A (en) | A kind of method of network data security transmission | |
CN106302369A (en) | Long-range Activiation method, device and the remote activation system of a kind of network monitoring device | |
CN103475491A (en) | Remote maintenance system which is logged in to safely without code and achieving method | |
CN100376092C (en) | Firewall and invasion detecting system linkage method | |
CN107147661A (en) | One kind strengthens File Transfer Protocol security system and method based on dynamic password | |
KR20180081965A (en) | Apparatus and methdo for providing network service | |
CN100428748C (en) | Dual-status-based multi-party communication method | |
CN104113930B (en) | A kind of method and system for realizing user's termination connection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180703 |