CN108270742A - A method for performing VPN security authentication using tickets - Google Patents
- Publication number: CN108270742A (application CN201611265621.8A)
- Authority: CN (China)
- Prior art keywords: server, vpn, ticket, client, bill
- Legal status: Pending (as listed by Google; the status is an assumption, not a legal conclusion, and Google has performed no legal analysis)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Abstract
The invention discloses a method for performing VPN security authentication using tickets, comprising the following steps: Step 1, the client sends a ticket request to the ticket server; Step 2, the ticket server generates the ticket data; Step 3, the client sends a connection request together with the ticket data to the VPN server; Step 4, the VPN server sends a ticket verification request, carrying the ticket data, to the ticket server; Step 5, the ticket server checks the legitimacy of the ticket data it received and returns the verification result to the VPN server; Step 6, the VPN server evaluates the verification result and, if it indicates success, establishes a VPN secure tunnel between the VPN server and the client. Without weakening security, the client needs to authenticate only once in order to log in to several VPN servers, which achieves single sign-on and effectively improves the overall performance of the VPN servers.
Description
Technical field
The present invention relates to the technical field of VPN security authentication, and in particular to a method for performing VPN security authentication using tickets.
Background technology
In a VPN deployment, a user who wants to reach an application server must first connect to a VPN server. The VPN server authenticates the connecting user and, once authentication succeeds, establishes a VPN secure tunnel; the user terminal then reaches the application server through this tunnel, and all data exchanged between the terminal and the server is transmitted encrypted inside it, which protects the user's data.
In this process the VPN server usually authenticates the client identity by means of digital certificates. The VPN server therefore not only encrypts and decrypts the transmitted data but also authenticates client identities, and every client login has to be verified again. When N (N>1) VPN servers are deployed in a system, each VPN server performs its own authentication, so N-1 of those authentications are repeated work; this raises the workload of the VPN servers and lowers their overall efficiency.
For this reason the applicant explored and tested solutions to the above problem; the technical solution described in detail below arose from this background.
Summary of the invention
The technical problem solved by the invention: to remedy the shortcomings of the prior art by providing a method for performing VPN security authentication using tickets, with which, without weakening security, the client needs to authenticate only once in order to log in to several VPN servers, achieving single sign-on and effectively improving the overall performance of the VPN servers.
The technical problem is solved by the following technical scheme:
A method for performing VPN security authentication using tickets, comprising the following steps:
Step S1: the client establishes a connection with the ticket server and sends a ticket request to it;
Step S2: on receiving the client's ticket request, the ticket server verifies the request, generates a new ticket for the request once verification succeeds, and returns the new ticket to the client;
Step S3: after obtaining the ticket returned by the ticket server, the client sends a connection request together with the ticket to the VPN server;
Step S4: after receiving the client's connection request and ticket, the VPN server establishes a connection with the ticket server, sends it a ticket verification request, and forwards the received ticket to it;
Step S5: after receiving the VPN server's verification request and ticket, the ticket server checks the legitimacy of the ticket and returns the verification result to the VPN server;
Step S6: after receiving the verification result from the ticket server, the VPN server evaluates it; if the result is success, a VPN secure tunnel is established between the VPN server and the client, otherwise the client's request is refused.
With the technical scheme above, the beneficial effect of the invention is that, without weakening security, the client needs to authenticate only once in order to log in to several VPN servers, achieving single sign-on and effectively improving the overall performance of the VPN servers.
Description of the drawings
To explain the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is the system deployment diagram of the invention.
Fig. 2 is the system sequence diagram of the invention.
Fig. 3 is the workflow diagram of the invention.
Fig. 4 is the system structure diagram of the invention.
Specific embodiment
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to specific illustrations.
The method of the invention for performing VPN security authentication using tickets strips the client identity verification work out of the VPN server: the ticket server takes over user verification and user management, while the VPN server accepts connections on the basis of the ticket data. This improves the efficiency with which the VPN server encrypts and decrypts the transmitted data and improves the VPN server's overall performance. The ticket in the invention is the credential of the client's legitimate identity, and the ticket data has three characteristics: randomness, uniqueness and timeliness. Ticket data is generated at random, so identical ticket data does not occur. Ticket data is unique: one ticket corresponds to one unique terminal user. Ticket data has a bounded life cycle, for example 1 minute; the user must use the ticket within that minute, otherwise the ticket becomes invalid, which increases the security of the ticket.
Ticket data is generated by the ticket server, whose main work is client identity verification together with user and ticket data management. When a user logs in, the client first connects to the ticket server to obtain a ticket, then uses the ticket to request the VPN server to establish a tunnel; the VPN server verifies the legitimacy of the ticket with the ticket server, and once verification passes the VPN tunnel is established.
Based on the above principle, and with reference to Fig. 1 to Fig. 4, the method of the invention for performing VPN security authentication using tickets is implemented by the following steps:
1) Overall system deployment, in detail:
A) the VPN server establishes VPN secure channels using ticket-based authentication;
B) the ticket server is deployed with HTTPS mutual (two-way) authentication, and the client logs in to the ticket server through the web using a USB Key device for identity authentication;
C) the application server and the VPN server are deployed in series, so a terminal user must pass through the VPN server in order to reach the application service;
2) the client connects to the ticket server URL with a web browser;
3) the ticket server receives the client request and returns its server certificate;
4) the client obtains the server certificate and validates its legitimacy; after validation it sends the client certificate held in the USB Key to the ticket server to request identity authentication;
5) on receiving the client certificate, the server verifies the client identity; once the client identity is verified, it generates ticket data and returns it to the client. The ticket server keeps the ticket in a cache, computing the SHA-256 hash of the ticket when storing it: only the hash of the ticket is stored in the cache, never the original ticket data, together with the ticket's generation time, which is used to check the ticket's lifetime;
6) the client receives the ticket data and connects to the VPN server with it; after obtaining the ticket data, the VPN server connects to the ticket server to verify the legitimacy of this ticket;
7) the ticket server receives the VPN server's ticket verification request, hashes the ticket, looks up the ticket's hash in the system cache, and checks the ticket's lifetime; if both checks pass, it returns verification success;
8) the VPN server obtains the successful verification result from the ticket server and establishes the VPN secure tunnel;
9) the client accesses the application server through the tunnel.
The scheme of the invention is further illustrated below with a specific example:
1) System deployment and IP address configuration, in detail:
A) VPN servers (3): 192.168.10.20, 192.168.10.21, 192.168.10.22
B) ticket server: 192.168.10.30
C) application server: 192.168.10.40
D) client terminal: VPN security client software installed
2) Server configuration, in detail:
A) on the VPN servers, the ticket server address is configured as 192.168.10.30 and the application server address that clients are allowed to access is configured as 192.168.10.40;
B) on the ticket server, the certificate information used to verify user identities is configured;
3) the client opens a browser, enters the ticket server address 192.168.10.30, inserts the user's USB Key device, enters the PIN code, and logs in to the ticket server to request a ticket;
4) the ticket server receives the client request and verifies the client certificate and signature; once the client identity is verified, it generates ticket data, returns it to the client, and keeps the ticket information;
5) after receiving the ticket, the client starts the VPN client program, which connects to a VPN server (for example 192.168.10.20) with the ticket and requests a secure channel;
6) the VPN server (for example 192.168.10.20) receives the client request and sends the ticket data to the ticket server to verify its legitimacy;
7) the ticket server receives the VPN server's verification request, computes the hash of the ticket, looks it up in the cache, and after finding it checks the ticket's life cycle: it returns success if the ticket is within its life cycle, otherwise it returns failure;
8) the VPN server receives the message returned by the ticket server; on success the VPN tunnel is established;
9) the client accesses the application server 192.168.10.40 normally, and all data transmitted between the client and the application server is encrypted through the VPN secure channel.
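The general steps 1) to 9) above and the worked deployment with the 192.168.10.x addresses describe the same exchange, so one model serves both. The Python below is added here as an illustration; it is not code from the patent or from the applicant. It implements the ticket server's behaviour as the page states it: a randomly generated ticket, a cache that holds only the SHA-256 hash of the ticket and its generation time, and verification that recomputes the hash, looks it up and checks the 1-minute life cycle; the VPN server holds no user database and admits a client only on a successful answer. The HTTPS mutual authentication and USB Key login, the transport between the three parties, and the names TicketServer, VpnServer, run_scenario and user01 are assumptions, since the page specifies none of them; purging an expired entry from the cache on verification is likewise an added housekeeping choice.

```python
import hashlib
import secrets
import time

# Life cycle from the page's example ("for example 1 minute").
TICKET_LIFETIME_SECONDS = 60


class TicketServer:
    """Ticket issuance (step S2) and verification (step S5).

    The cache stores only sha256(ticket) and the generation time, never the
    ticket itself, as the page describes. The clock is injectable so the
    lifetime check can be exercised offline without sleeping.
    """

    def __init__(self, lifetime=TICKET_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock
        self._cache = {}  # hex SHA-256 digest -> (user_id, issued_at)

    @staticmethod
    def digest(ticket: bytes) -> str:
        return hashlib.sha256(ticket).hexdigest()

    def issue_ticket(self, user_id: str) -> bytes:
        """Called once the client's certificate has been verified over the
        mutually authenticated HTTPS session (assumed, not modelled here)."""
        ticket = secrets.token_bytes(32)  # CSPRNG output: random and unique
        self._cache[self.digest(ticket)] = (user_id, self.clock())
        return ticket

    def verify_ticket(self, ticket: bytes) -> tuple:
        """Recompute the hash, look it up, then check the life cycle.
        Returns (True, user_id) or (False, reason)."""
        key = self.digest(ticket)
        entry = self._cache.get(key)
        if entry is None:
            return False, "unknown ticket"
        user_id, issued_at = entry
        if self.clock() - issued_at > self.lifetime:
            del self._cache[key]  # assumed housekeeping: drop expired entries
            return False, "ticket expired"
        return True, user_id


class VpnServer:
    """Steps S4 and S6: forwards the ticket to the ticket server and opens a
    tunnel only on a successful result, otherwise refuses the request."""

    def __init__(self, address: str, ticket_server: TicketServer):
        self.address = address
        self.ticket_server = ticket_server
        self.tunnels = {}  # client address -> user_id

    def connect(self, client_addr: str, ticket: bytes) -> bool:
        ok, info = self.ticket_server.verify_ticket(ticket)
        if not ok:
            return False
        self.tunnels[client_addr] = info
        return True


def run_scenario() -> dict:
    """Replays the page's example: one login at the ticket server, the same
    ticket opening tunnels on two of the three VPN servers (single sign-on),
    a forged ticket being refused, and the ticket expiring after 1 minute."""
    now = [1_000.0]  # constructed clock so the run is deterministic
    ts = TicketServer(clock=lambda: now[0])
    vpn_a = VpnServer("192.168.10.20", ts)
    vpn_b = VpnServer("192.168.10.21", ts)

    ticket = ts.issue_ticket("user01")           # step 4: certificate login done
    first = vpn_a.connect("client-1", ticket)    # steps 5 to 8 on the first server
    second = vpn_b.connect("client-1", ticket)   # second server, no second login
    forged = vpn_a.connect("client-2", secrets.token_bytes(32))
    now[0] += TICKET_LIFETIME_SECONDS + 1
    stale = vpn_a.connect("client-1", ticket)    # past the 1-minute life cycle
    return {"first": first, "second": second, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(run_scenario())
```

Single sign-on across several VPN servers works precisely because the same ticket is accepted again within its life cycle, so the ticket server cannot treat a ticket as single-use; within that window the page relies on the ticket's randomness and its short lifetime, and the model reproduces exactly that.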
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the above embodiments; the embodiments and the description only illustrate the principle of the invention, and various changes and improvements may be made without departing from its spirit and scope, all of which fall within the claimed protection scope of the invention. The claimed scope of the invention is defined by the appended claims and their equivalents.
Claims (1)
1. A method for performing VPN security authentication using tickets, characterized in that it comprises the following steps: Step S1, the client establishes a connection with the ticket server and sends a ticket request to it; Step S2, on receiving the client's ticket request, the ticket server verifies the request, generates a new ticket for the request once verification succeeds, and returns the new ticket to the client; Step S3, after obtaining the ticket returned by the ticket server, the client sends a connection request together with the ticket to the VPN server; Step S4, after receiving the client's connection request and ticket, the VPN server establishes a connection with the ticket server, sends it a ticket verification request, and forwards the received ticket to it; Step S5, after receiving the VPN server's verification request and ticket, the ticket server checks the legitimacy of the ticket and returns the verification result to the VPN server; Step S6, after receiving the verification result from the ticket server, the VPN server evaluates it; if the result is success, a VPN secure tunnel is established between the VPN server and the client, otherwise the client's request is refused.
Priority application: CN201611265621.8A, priority date 2016-12-30, filed 2016-12-30, "A method for performing VPN security authentication using tickets"
Publication: CN108270742A, published 2018-07-10
Family ID: 62771016
Family applications: CN201611265621.8A (Pending)
Country status: CN, CN108270742A
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN109544153A | 2018-10-16 | 2019-03-29 | 珠海横琴现联盛科技发展有限公司 | Electronic certificate verification method based on a tamper-resistant encryption algorithm
CN111355720A | 2020-02-25 | 2020-06-30 | 深信服科技股份有限公司 | Method, system and equipment for accessing an intranet by an application, and computer storage medium
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101207482A | 2007-12-13 | 2008-06-25 | 深圳市戴文科技有限公司 | System and method for implementing single login
CN101651666A | 2008-08-14 | 2010-02-17 | 中兴通讯股份有限公司 | Method and device for identity authentication and single sign-on based on a virtual private network
US20160286400A1 | 2014-01-29 | 2016-09-29 | Red Hat, Inc. | Mobile device user authentication for accessing protected network resources
Timeline: 2016-12-30, CN201611265621.8A filed (patent CN108270742A, status Pending)
Legal Events
Date | Code | Title | Description
---|---|---|---
2018-07-10 | PB01 | Publication | Application publication date: 2018-07-10
| CB02 | Change of applicant information | Address after: 200436 Room 601, Lane 299, JIANGCHANG West Road, Jingan District, Shanghai; Applicant after: KOAL SOFTWARE Co.,Ltd. Address before: 200436 Room 601, Lane 299, JIANGCHANG West Road, Zhabei District, Shanghai; Applicant before: SHANGHAI KOAL SOFTWARE Co.,Ltd.
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication |