CN108833395B - External network access authentication system and authentication method based on hardware access card - Google Patents


Info

Publication number: CN108833395B
Authority: CN (China)
Prior art keywords: access card, authentication, hardware access, client, network
Priority date: 2018-06-07
Filing date: 2018-06-07
Publication date: 2018-11-16 (CN108833395A), 2021-12-03 (CN108833395B)
Legal status: Active (granted)
Application number: CN201810582314.5A
Other languages: Chinese (zh)
Other versions: CN108833395A (en)
Inventor: 张宇弘
Current Assignee: Hangzhou Branch Beijing Wangxun Technology Co ltd
Original Assignee: Hangzhou Branch Beijing Wangxun Technology Co ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

An external network access authentication system and an authentication method based on a hardware access card are provided. In the system, the authentication server connected with the intranet adopts a hardware access card as the peripheral that connects to the extranet: the hardware access card is connected externally to the client through the extranet and internally to a CPU through a peripheral bus, and the CPU is connected to the intranet through a network card; the client and the hardware access card must authenticate each other (bidirectional authentication); and the connection between the extranet and the intranet uses the hardware access card as its security boundary. Because the hardware access card is the peripheral that connects the external network and forms the security boundary between the external and internal networks, the interface is simple and clear, the authentication server is more strictly isolated from the network where the client is located, the risk of the authentication server being invaded is avoided, and the system can cooperate with other existing servers, giving it good applicability.

Description

External network access authentication system and authentication method based on hardware access card
Technical Field
The invention relates to the technology of interconnection of an external network and an internal network, in particular to an external network access authentication system and an authentication method based on a hardware access card, belonging to the technical field of data communication.
Background
Against the background of the rapid development of network communication technology, network information and its many applications are increasingly widespread, and information transmission, sharing and the applications built on them all rely on an effective connection between an external network and an internal network (internal network: Intranet, herein abbreviated as intranet; external network, such as the Internet, herein abbreviated as extranet). The intranet is relatively secure and must be kept from being attacked or compromised by hackers on the extranet. The extranet, however, is full of unsafe factors, such as malicious attacks by hackers and virus infections, which threaten the security of the intranet at all times. When a user on the external network (Internet) needs to access the intranet, unsafe factors from the Internet may enter the enterprise intranet through the client (such as a personal computer) that serves as the forwarding bridge, and directly threaten the information security of the enterprise. Therefore, to ensure network security, a user is allowed to connect to the intranet and access its services with certain permissions only after the user's identity has been authenticated by the authentication server; the authentication server can thus be regarded as the portal of the system and is also the core of the authentication system, which makes it the component most vulnerable to attack. At present, a firewall is generally used to block attacks, but the firewall, and the design and configuration of software such as application programs, the VPN protocol stack or the Ethernet protocol stack, may themselves contain vulnerabilities. Furthermore, the CPU itself may have a bug, and the intranet may be infected by a worm or attacked directly, which puts the authentication server at risk of intrusion.
Therefore, finding an external network access authentication system and an authentication method is a technical problem that needs to be solved urgently to ensure network security at present.
Disclosure of Invention
The invention aims to provide an external network access authentication system and an authentication method based on a hardware access card, and aims to solve the problem of risk of invasion of an authentication server through the optimized design of the external network access authentication system and achieve the purpose of improving and ensuring network security.
In order to achieve the purpose, the invention adopts the following technical scheme:
an authentication server connected with an intranet adopts a hardware access card as a peripheral connected with the extranet; the hardware access card is externally connected with a client through the extranet and internally connected with a CPU through a peripheral bus, and the CPU is connected with the intranet through a network card; the client and the hardware access card must be subjected to bidirectional authentication; the connection between the outer network and the inner network uses the hardware access card as its security boundary.
In the above system, the logical interface between the hardware access card and the CPU is abstracted to a power-on switch, and the power-on switch notifies the CPU of the authenticated client information, which is equivalent to triggering a power-on event to the CPU, so that the CPU or other servers in the same authentication domain in the intranet start to provide services for the client.
In the above external network access authentication system based on the hardware access card, the authentication server installs and runs a driver to access the hardware access card, and the driver enables the authentication server to update the client identity information stored on the hardware access card.
In the above system, the hardware access card comprises a bus interface module, an identity authentication module and a network protocol stack module.
In the extranet access authentication system based on the hardware access card, the bus interface module receives the configuration of the authentication server and submits the connection state information of the client; the network protocol stack module processes an external network protocol; the identity authentication module processes the client identity authentication and generates a communication key.
An external network access authentication method based on a hardware access card comprises the following steps:
a. the client sends a request for connecting the intranet to the hardware access card;
b. the hardware access card and the client perform bidirectional authentication on the connection information;
c. if the authentication process passes, the starting switch informs the CPU, and the client side realizes intranet access.
The invention adopts the hardware access card as the external equipment for connecting the external network, and the authentication server can receive the connection information (comprising a communication key, an IP address and the like) of the external network client only after the client and the hardware access card pass the two-way authentication, so that the authentication server is isolated from the external network where the client is located more strictly.
In the external network access authentication system based on the hardware access card, the interconnection of the external network and the internal network takes the hardware access card as the security boundary, the interface is simple and clear, and compared with the common prior-art scheme of firewall isolation, security authentication is easier to perform. In addition, the technical scheme of the invention can cooperate with other existing servers and has good applicability.
Drawings
The invention will be further explained with reference to the drawings.
FIG. 1 is a schematic structural diagram of an extranet access authentication system based on a hardware access card according to the present invention;
FIG. 2 is a schematic diagram of a hardware access card;
FIG. 3 is a flowchart of the work flow of the hardware access card-based extranet access authentication method of the present invention.
The reference labels in the figures are: 1 client; 2 hardware access card; 2-1 Ethernet interface; 2-2 starting switch; 2-3 digital certificate; 21 bus interface module; 22 identity authentication module; 23 network protocol stack module; 3 authentication server; 4 CPU; 5 network card.
Detailed Description
Referring to FIG. 1 and FIG. 2, the present invention is an extranet access authentication system based on a hardware access card: an authentication server 3 connected with the intranet adopts the hardware access card 2 as a peripheral connected with the extranet; the hardware access card 2 is externally connected with the client 1 through the external network and internally connected with the CPU 4 through a peripheral bus; the CPU 4 is connected with the internal network through a network card 5; the client 1 and the hardware access card 2 must be subjected to bidirectional authentication; and the connection between the external network and the internal network uses the hardware access card 2 as the security boundary.
Referring to FIG. 1 and FIG. 2, in the external network access authentication system based on the hardware access card according to the present invention, the logical interface between the hardware access card 2 and the CPU 4 is abstracted as a power-on switch 2-2. The power-on switch 2-2 notifies the CPU 4 of the authenticated client information, which is equivalent to triggering a power-on event to the CPU 4, so that the CPU 4, or other servers in the same authentication domain in the intranet, start to provide services for the client 1.
Referring to FIG. 1 and FIG. 2, in the hardware access card based extranet access authentication system of the present invention, the authentication server 3 installs and runs a driver to access the hardware access card 2. The driver enables the authentication server 3 to update the identity information of the client 1 stored on the hardware access card 2.
Referring to FIG. 1 and FIG. 2, the hardware access card 2 of the extranet access authentication system based on the hardware access card according to the present invention includes a bus interface module 21, an identity authentication module 22 and a network protocol stack module 23. The bus interface module 21 receives the configuration of the authentication server 3 and submits the connection state information of the client 1. The network protocol stack module 23 processes the external network protocol; because the protocol stack of the external network is realized inside the hardware access card 2, the external network is invisible to the authentication server 3. The identity authentication module 22 processes the identity authentication of the client 1 and generates a communication key; to perform identity authentication with the client 1, the identity authentication module 22 stores the identity information of the authentication server 3, which comprises the digital certificate 2-3, a private key and the like. To protect this identity information, the hardware access card 2 serves as the security boundary and its internal data is stored in encrypted form.
Referring to FIG. 3, the method for authenticating external network access based on the hardware access card of the present invention comprises: when the client 1 sends a request to enter the intranet to the hardware access card 2, the hardware access card 2 and the client 1 perform bidirectional authentication on the connection information; if the authentication process passes, the hardware access card 2 packages the information of the client 1 and submits it to the CPU 4 through the starting switch 2-2, and the client 1 obtains intranet access. The client protocol stack is defined on top of the network protocol stack module 23; specifically, the data packets of the client protocol are encapsulated in the data packets of the network protocol. The network protocol may be, but is not limited to, TCP/IP.
Example: Ethernet is used as the external network, and the client 1 and the hardware access card 2 each have their own external network IP address. The network card 5 built into the authentication server 3 is connected to the intranet. The information stored by the hardware access card 2 includes: the authentication server 3 side certificate issued by a CA, the private key corresponding to that certificate, and the CA certificate used to issue the client 1 certificate. The information stored by the client 1 includes: the client 1 certificate issued by a CA, the private key corresponding to that certificate, and the CA certificate used to issue the authentication server 3 side certificate. The hardware access card 2 and the client 1 perform bidirectional authentication on the connection information (including a communication key, an IP address and the like); if the authentication process passes, the hardware access card 2 encapsulates the information of the client 1 and submits it to the CPU 4 through the starting switch 2-2, and the client 1 obtains intranet access.
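The bidirectional authentication and starting-switch hand-off described above, written out as an added Go example (this is not code from the patent): as in the example, each side holds its own certificate and private key plus the CA certificate that issued the other side's certificate. Everything beyond that is an assumption made here: mutual TLS 1.3 over a loopback socket stands in for the patent's unspecified authentication protocol, the communication key is derived from the TLS session with the keying-material exporter, the certificates come from the constructed issueCert helper with made-up names, and the starting switch is modelled as the returned PowerOnEvent, the only data the CPU side ever receives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PowerOnEvent is all the CPU (4) ever sees through the starting switch (2-2).
type PowerOnEvent struct {
	ClientID, ClientAddr string // authenticated client (certificate CN) and its extranet address
	CommKey              []byte // communication key the card derived for this client
}

// issueCert is a constructed stand-in for the CA of the patent's example: it returns a fresh
// Ed25519 certificate signed by parent, or a self-signed CA certificate when parent is nil.
func issueCert(name string, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CA
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, issuer := key, tmpl // self-signed unless a parent CA is given
	if parent != nil {
		signer, issuer = parent.PrivateKey.(ed25519.PrivateKey), parent.Leaf
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing our own output cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// CardAuthenticate runs one bidirectional authentication over loopback. Each side trusts only the CA
// that issued the other side's certificate; only a fully verified session yields a PowerOnEvent for the CPU.
func CardAuthenticate(cardCA, clientCA, card, client tls.Certificate) (*PowerOnEvent, error) {
	cardPool, clientPool := x509.NewCertPool(), x509.NewCertPool()
	cardPool.AddCert(cardCA.Leaf)
	clientPool.AddCert(clientCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{card},
		ClientCAs: clientPool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // client (1) side: connect, verify the card's certificate, then hold the link open
		if cc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client},
			RootCAs: cardPool, ServerName: card.Leaf.Subject.CommonName, MinVersion: tls.VersionTLS13}); err == nil {
			cc.Read(make([]byte, 1)) // returns once the card closes the connection
			cc.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return nil, err
	}
	defer c.Close()
	if err := c.(*tls.Conn).Handshake(); err != nil { // client certificate rejected, or client rejected the card
		return nil, err // the switch stays off
	}
	st := c.(*tls.Conn).ConnectionState()
	key, _ := st.ExportKeyingMaterial("hardware-access-card communication key", nil, 32) // cannot fail on TLS 1.3
	return &PowerOnEvent{st.PeerCertificates[0].Subject.CommonName, c.RemoteAddr().String(), key}, nil
}

func main() {
	cardCA, clientCA := issueCert("card-ca", nil), issueCert("client-ca", nil)
	fmt.Println(CardAuthenticate(cardCA, clientCA, issueCert("hardware-access-card", &cardCA), issueCert("client-1", &clientCA)))
}
```

A client certificate from a CA the card does not trust, or a card certificate the client cannot verify, both end with an error and no event, which is the isolation property the description claims for the card.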

Claims (5)

1. An external network access authentication system based on a hardware access card is characterized in that an authentication server (3) connected with an internal network adopts the hardware access card (2) as a peripheral device connected with the external network, the hardware access card (2) is externally connected with a client (1) through the external network, the hardware access card (2) is internally connected with a CPU (4) through a peripheral bus, and the CPU (4) is connected with the internal network through a network card (5); the client (1) and the hardware access card (2) must be subjected to bidirectional authentication; the connection between the outer network and the inner network takes a hardware access card (2) as a safety boundary;
the hardware access card (2) comprises a bus interface module (21), an identity authentication module (22) and a network protocol stack module (23).
2. The system according to claim 1, wherein the logical interface between the hardware access card (2) and the CPU (4) is abstracted into a power-on switch (2-2), and the power-on switch (2-2) notifies the CPU (4) of the authenticated client information, which is equivalent to triggering a power-on event to the CPU (4), so that the CPU (4) or other servers in the same authentication domain in the intranet starts to provide services to the client.
3. The hardware access card based extranet access authentication system of claim 2, wherein the authentication server (3) installs and runs a driver to access the hardware access card (2), the driver enabling the authentication server (3) to update the client (1) identity information stored on the hardware access card (2).
4. The extranet access authentication system based on the hardware access card according to claim 1, wherein the bus interface module (21) receives the configuration of the authentication server (3) and submits the connection status information of the client (1); the network protocol stack module (23) processes an external network protocol; the identity authentication module (22) processes client identity authentication and generates a communication key.
5. A hardware access card based extranet access authentication method for implementing the hardware access card based extranet access authentication system of any one of claims 1 to 4, the authentication method comprising the following steps:
a. the client (1) sends a request for connecting an intranet to the hardware access card (2);
b. the hardware access card (2) and the client (1) perform bidirectional authentication on the connection information;
c. if the authentication process passes, the starting switch (2-2) informs the CPU (4), and the client (1) realizes intranet access.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201810582314.5A | 2018-06-07 | 2018-06-07 | External network access authentication system and authentication method based on hardware access card

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201810582314.5A | 2018-06-07 | 2018-06-07 | External network access authentication system and authentication method based on hardware access card

Publications (2)

Publication Number | Publication Date
CN108833395A (en) | 2018-11-16
CN108833395B (en) | 2021-12-03

Family

ID=64143315

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201810582314.5A (Active) | External network access authentication system and authentication method based on hardware access card | 2018-06-07 | 2018-06-07

Country Status (1)

Country | Link
CN (1) | CN108833395B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113726788B (en) * | 2021-08-31 | 2022-12-27 | 中国建设银行股份有限公司 | Network access method, system, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101072102A (en) * | 2007-03-23 | 2007-11-14 | 南京联创网络科技有限公司 | Information leakage preventing technology based on safety desktop for network environment
CN101453458A (en) * | 2007-12-06 | 2009-06-10 | 北京唐桓科技发展有限公司 | Personal identification process for dynamic cipher password bidirectional authentication based on multiple variables
CN102006307A (en) * | 2010-12-16 | 2011-04-06 | 中国电子科技集团公司第三十研究所 | Application proxy-based network management system isolation control device
US9876772B1 (en) * | 2012-07-16 | 2018-01-23 | Wickr Inc. | Encrypting and transmitting data

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101800738B (en) * | 2009-12-31 | 2013-01-16 | 暨南大学 | Realization system and method for safely visiting and storing intranet data by mobile equipment
CN103019640B (en) * | 2012-12-12 | 2015-11-25 | 中国航天科工集团第二研究院七〇六所 | A kind of network embedded KVM remote management apparatus
CN203103998U (en) * | 2012-12-21 | 2013-07-31 | 深圳市傲冠软件股份有限公司 | Remote management system and control device
CN104363221A (en) * | 2014-11-10 | 2015-02-18 | 青岛微智慧信息有限公司 | Network safety isolation file transmission control method
CN106941494A (en) * | 2017-03-30 | 2017-07-11 | 中国电力科学研究院 | A kind of security isolation gateway and its application method suitable for power information acquisition system
CN106998333A (en) * | 2017-05-24 | 2017-08-01 | 山东省计算中心(国家超级计算济南中心) | A kind of bilateral network security isolation system and method


Also Published As

Publication number | Publication date
CN108833395A (en) | 2018-11-16


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant