CN108965260B - Message processing method, bastion machine and terminal equipment - Google Patents


Info

Publication number: CN108965260B
Application number: CN201810649004.0A
Authority: CN (China)
Prior art keywords: message, processed, key, port number, bastion machine
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108965260A (en)
Inventor: 岳炳词
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN201810649004.0A; publication of CN108965260A; application granted; publication of CN108965260B; legal status Active.

Classifications

    • H04L63/0428 (H04L63/00 network security; H04L63/04 confidential data exchange among entities communicating through data packet networks; wherein the data content is protected, e.g. by encrypting or encapsulating the payload)
    • H04L63/0281 (H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls; proxies)
    • H04L63/126 (H04L63/00 network security; H04L63/12 applying verification of the received information; verification of the source of the received data)
    • H04L63/1441 (H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; countermeasures against malicious traffic)

Abstract

The embodiment of the application provides a message processing method, a bastion machine and terminal equipment. The message processing method applied to the bastion machine comprises the following steps: receiving a message to be processed sent by the terminal equipment; acquiring first characteristic information of the message to be processed; acquiring a first key identifier corresponding to the first characteristic information based on a first corresponding relationship between characteristic information and key identifiers; decrypting the message to be processed by using the key represented by the first key identifier; and processing the decrypted message to be processed. Because the message to be processed exchanged between the client and the bastion machine is encrypted, the security of the bastion machine is enhanced, the security reinforcement of the bastion machine is realized, and the risk of a man-in-the-middle hijacking attack is effectively reduced.

Description

Message processing method, bastion machine and terminal equipment
Technical Field
The application relates to the technical field of communication, in particular to a message processing method, a bastion machine and terminal equipment.
Background
In a network, the bastion machine is connected to both the terminal and the server, so that it cuts off the direct connection between the terminal and the server: the terminal can no longer access the server directly and can only reach it through the bastion machine. The bastion machine works in protocol proxy mode and initiates access to the server on behalf of the terminal. Accessing the server through the bastion machine proxy allows illegal access and malicious attacks from the terminal to be intercepted effectively, which not only strengthens operation and maintenance management but also improves the security of access to the server.
Given its role in the access of terminals to servers, the bastion machine can be regarded as an important security control hub. The bastion machine sets corresponding access permissions for each terminal so as to improve the security of the terminals' access to the server. However, once the bastion machine itself is breached, the servers it protects are exposed to attack as well. Security reinforcement of the bastion machine is therefore an urgent problem to be solved.
Disclosure of Invention
The embodiment of the application aims to provide a message processing method, a bastion machine and a terminal device so as to realize the security reinforcement of the bastion machine and reduce the risk of a man-in-the-middle hijacking attack. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a message processing method, which is applied to a bastion machine, and the method includes:
receiving a message to be processed sent by a terminal device, wherein the message to be processed is a message that the terminal device has encrypted using its own key;
acquiring first characteristic information of the message to be processed;
acquiring a first key identifier corresponding to the first characteristic information based on a first corresponding relationship between characteristic information and key identifiers, where the first corresponding relationship is obtained from the corresponding relationship between characteristic information and terminal devices and the corresponding relationship between terminal devices and key identifiers;
decrypting the message to be processed by using the key represented by the first key identifier;
and processing the decrypted message to be processed.
In a second aspect, an embodiment of the present application provides a message processing method, which is applied to a terminal device, and the method includes:
acquiring a key of the terminal device and an external port number of the bastion machine, wherein the external port number is the port number of a port that is not a well-known port;
generating an encryption key for the message to be processed according to the acquired key and the message information of the message to be processed;
encrypting the message to be processed by using the encryption key;
and sending the encrypted message to be processed to the bastion machine, taking the port represented by the external port number as the destination port.
In a third aspect, an embodiment of the present application provides a message processing apparatus, which is applied to a bastion machine, where the apparatus includes:
a receiving module, configured to receive a message to be processed sent by a terminal device, where the message to be processed is a message that the terminal device has encrypted using its own key;
a first acquisition module, configured to acquire first characteristic information of the message to be processed;
a second acquisition module, configured to acquire, based on a first corresponding relationship between characteristic information and key identifiers, a first key identifier corresponding to the first characteristic information, where the first corresponding relationship is obtained from the corresponding relationship between characteristic information and terminal devices and the corresponding relationship between terminal devices and key identifiers;
a decryption module, configured to decrypt the message to be processed by using the key represented by the first key identifier;
and a processing module, configured to process the decrypted message to be processed.
In a fourth aspect, an embodiment of the present application provides a message processing apparatus, which is applied to a terminal device, and the apparatus includes:
an acquisition module, configured to acquire a key of the terminal device and an external port number of the bastion machine, wherein the external port number is the port number of a port that is not a well-known port;
a generating module, configured to generate an encryption key for the message to be processed according to the acquired key and the message information of the message to be processed;
an encryption module, configured to encrypt the message to be processed by using the encryption key;
and a sending module, configured to send the encrypted message to be processed to the bastion machine, taking the port represented by the external port number as the destination port.
In a fifth aspect, embodiments of the present application provide a bastion machine comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement the steps of the message processing method of any of the above first aspects.
In a sixth aspect, embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the steps of the message processing method of any of the above first aspects.
In a seventh aspect, an embodiment of the present application provides a terminal device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor is caused by the machine-executable instructions to implement the steps of the message processing method of any of the above second aspects.
In an eighth aspect, embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the steps of the message processing method of any of the above second aspects.
According to the technical scheme provided by the embodiment of the application, the client encrypts the message to be processed that it sends to the bastion machine, and after receiving the message to be processed sent by the client, the bastion machine decrypts it according to the first key identifier corresponding to the first characteristic information of the message to be processed, thereby obtaining the decrypted message to be processed. Because the message to be processed exchanged between the client and the bastion machine is encrypted, the security of the bastion machine is enhanced, the security reinforcement of the bastion machine is realized, and the risk of a man-in-the-middle hijacking attack is effectively reduced.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of a message processing method according to an embodiment of the present application;
fig. 2 is a second flowchart of a message processing method according to an embodiment of the present application;
fig. 3 is a third flowchart of a message processing method according to an embodiment of the present application;
fig. 4 is a signaling diagram of a message processing method according to an embodiment of the present application;
fig. 5 is a schematic diagram of a first structure of a message processing apparatus according to an embodiment of the present application;
fig. 6 is a schematic diagram of a second structure of a message processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of the bastion machine according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present application.
In order to realize the security reinforcement of a bastion machine and thereby reduce the risk of a man-in-the-middle hijacking attack, the embodiment of the application provides a message processing method, a bastion machine and a terminal device. The message processing method applied to the bastion machine comprises the following steps:
receiving a message to be processed sent by a terminal device, wherein the message to be processed is a message that the terminal device has encrypted using its own key;
acquiring first characteristic information of the message to be processed;
acquiring a first key identifier corresponding to the first characteristic information based on a first corresponding relationship between characteristic information and key identifiers, wherein the first corresponding relationship is obtained from the corresponding relationship between characteristic information and terminal devices and the corresponding relationship between terminal devices and key identifiers;
decrypting the message to be processed by using the key represented by the first key identifier;
and processing the decrypted message to be processed.
According to the technical scheme provided by the embodiment of the application, the client encrypts the message to be processed that it sends to the bastion machine, and after receiving the message to be processed sent by the client, the bastion machine decrypts it according to the first key identifier corresponding to the first characteristic information of the message to be processed, thereby obtaining the decrypted message to be processed. Because the message to be processed exchanged between the client and the bastion machine is encrypted, the security of the bastion machine is enhanced, the security reinforcement of the bastion machine is realized, and the risk of a man-in-the-middle hijacking attack is effectively reduced.
First, the message processing method provided in the embodiment of the present application is introduced. The method is applied to a bastion machine and includes the following steps.
S101, receiving a message to be processed sent by the terminal device.
The message to be processed is a message that the terminal device has encrypted using its own key. The message to be processed may be any one of a TCP (Transmission Control Protocol) message, an IP (Internet Protocol) message, a UDP (User Datagram Protocol) message, and the like; the following description takes a TCP message as an example.
The key of the terminal device may be a private key, that is, a key whose encryption rule is set by the user, so that the security of the message is further improved.
Each terminal device stores a corresponding key, and the keys of different terminal devices differ, so that the keys used to encrypt the messages sent by different terminal devices differ as well, which improves the security of message transmission.
Further, the terminal device may generate a new encryption key for the current message to be processed based on its own key combined with the message information of the message to be processed. The message information may be at least one of a sequence number, an acknowledgement number, and the like. The terminal device then encrypts the message to be processed with the new encryption key. As a result, the encryption key differs for each message to be processed sent by the terminal device, which further improves the security of message transmission.
In one embodiment, the external port on which the bastion machine receives the message to be processed is not a well-known port. Because the external port of the bastion machine in this embodiment is not a well-known port, the likelihood of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like can be effectively reduced.
Here, non-well-known ports are all ports other than well-known ports. Well-known port numbers are the port numbers reserved by ICANN (The Internet Corporation for Assigned Names and Numbers) for use with the TCP and UDP protocols, and range from 0 to 1023.
Each well-known port number is fixedly assigned to a service application and is familiar to those skilled in the art. For example, port number 5 is assigned to the RJE (Remote Job Entry) service, port number 21 is assigned to the FTP (File Transfer Protocol) service, port number 25 is assigned to the SMTP (Simple Mail Transfer Protocol) service, port number 80 is assigned to the HTTP (HyperText Transfer Protocol) service, POP3 (Post Office Protocol Version 3) likewise uses a well-known port, and port number 135 is assigned to the RPC (Remote Procedure Call) service.
S102, acquiring first characteristic information of the message to be processed.
The first characteristic information may be an IP address, an identifier, or the like. Specifically, the IP address may be the source IP address, that is, the IP address of the terminal device that sends the message to be processed. The identifier may be an identifier of the terminal device; the identifier of the terminal device may be preset, and each terminal device corresponds to one identifier.
In the following embodiments, the source IP address is taken as the example of the first characteristic information.
S103, acquiring a first key identifier corresponding to the first characteristic information based on the first corresponding relationship between characteristic information and key identifiers.
The first corresponding relationship is obtained from the corresponding relationship between characteristic information and terminal devices and the corresponding relationship between terminal devices and key identifiers. The corresponding relationship between characteristic information and terminal devices is preset, and each terminal device corresponds to one piece of characteristic information. The corresponding relationship between terminal devices and key identifiers is also preset: each terminal device corresponds to one key identifier, and each terminal device encrypts the messages to be processed that it sends using the key represented by its corresponding key identifier.
Because the terminal devices and the characteristic information correspond one to one, and the terminal devices and the key identifiers correspond one to one, the characteristic information and the key identifiers in the first corresponding relationship also correspond one to one.
In one embodiment, the bastion machine stores the first corresponding relationship between characteristic information and key identifiers, which can be understood as the bastion machine storing multiple pieces of characteristic information, each corresponding to one key identifier.
After the bastion machine acquires the first characteristic information of the message to be processed, it may first query the stored characteristic information for an entry matching the first characteristic information. Only when a match is found is the first key identifier corresponding to the first characteristic information acquired based on the first corresponding relationship; when no match is found, the message to be processed is regarded as an illegal message and discarded.
S104, decrypting the message to be processed by using the key represented by the first key identifier.
The key represented by the first key identifier is the key corresponding to the terminal device: the terminal device encrypts the message to be processed with this key, and the bastion machine can decrypt the encrypted message to be processed with the same key.
In one implementation, the key represented by the first key identifier uses a private encryption scheme, that is, the key content is set by the user. Private encryption improves the security of message encryption and effectively increases the difficulty of a man-in-the-middle hijacking attack.
The bastion machine stores the corresponding relationship between key identifiers and keys, which may be stored in the form of table entries. A key table entry is shown in Table 1 below:
TABLE 1
Identifier | Key content | Key validation time | Key expiration time
The identifier is the identifier of the key, and each key uniquely corresponds to one identifier. The key content is the content of each key, for example a number used by the key for encryption. The key validation time is the time at which the key takes effect; the key can be used only after the key validation time. The key expiration time is the point in time at which the key expires; the key can be used only before the key expiration time. The period between the key validation time and the key expiration time is the validity period of the key, which can be set by the user. The validity period of a key may also be permanent.
After the bastion machine obtains the first key identifier, the key corresponding to the first key identifier can be looked up directly in the key table entry.
Because the terminal device may encrypt the message to be processed with its corresponding key in different ways, the way in which the bastion machine decrypts the message to be processed with the key represented by the first key identifier differs accordingly. The two modes are described separately below.
In the first decryption mode, the terminal device encrypts the message to be processed directly with its corresponding key, and the bastion machine decrypts the message to be processed directly with the key represented by the first key identifier.
In the second decryption mode, the terminal device generates a new encryption key from its corresponding key and the message information of the message to be processed, and then encrypts the message to be processed with the new encryption key. On the bastion machine side, after the first key identifier is obtained, the key represented by the first key identifier is obtained from the preset key table entry, a new decryption key is generated from that key and the message information of the message to be processed, and the message to be processed is then decrypted with the new decryption key.
The message information is at least one of a sequence number, an acknowledgement number, and the like, and is the same message information used by the terminal device. For example, if the terminal device generates the new encryption key from the three parameters key, sequence number and acknowledgement number, then the bastion machine also generates the new decryption key from the three parameters key, sequence number and acknowledgement number.
In the second decryption mode, the new decryption key is specific to each message to be processed, that is, different messages to be processed require different decryption keys, which improves the security of message transmission and further strengthens the security of the bastion machine.
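Steps S101 to S104 as a runnable sketch in Python (an added example, not code from the patent or from New H3C): the first corresponding relationship and the Table 1 key entries are constructed sample data, HMAC-SHA256 is assumed as the derivation of the per-message key from key, sequence number and acknowledgement number, and an HMAC-derived XOR keystream stands in for the patent's unspecified private cipher.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyEntry:
    """One row of Table 1: identifier, key content and validity window."""
    ident: str
    key: bytes
    valid_from: float             # key validation time (epoch seconds)
    valid_until: Optional[float]  # key expiration time; None means permanently valid


@dataclass
class Segment:
    """The fields of a TCP message that the bastion machine needs (constructed)."""
    src_ip: str     # first characteristic information (source IP address)
    seq: int        # sequence number
    ack: int        # acknowledgement number
    payload: bytes  # encrypted on the wire, plaintext after S104


# First corresponding relationship: characteristic information -> key identifier (constructed).
FEATURE_TO_KEY_ID = {
    "192.168.138.1": "key-0001",
    "192.168.138.2": "key-0002",
}

# Key table entries in the shape of Table 1 (constructed sample data).
KEY_TABLE = {
    "key-0001": KeyEntry("key-0001", b"terminal-1-private-key", 1_600_000_000, None),
    "key-0002": KeyEntry("key-0002", b"terminal-2-private-key", 1_600_000_000, 1_600_086_400),
}


def lookup_key(src_ip: str, now: float) -> Optional[KeyEntry]:
    """S102/S103: map the source IP to a key identifier, then to a key valid at `now`.
    None means the message must be treated as illegal and discarded."""
    key_id = FEATURE_TO_KEY_ID.get(src_ip)
    if key_id is None:
        return None                      # no matching characteristic information
    entry = KEY_TABLE.get(key_id)
    if entry is None:
        return None                      # identifier without a key table entry
    if now < entry.valid_from:
        return None                      # key not yet in effect
    if entry.valid_until is not None and now >= entry.valid_until:
        return None                      # key expired
    return entry


def per_message_key(key: bytes, seq: int, ack: int) -> bytes:
    """Second decryption mode: a new key from (key, sequence number, acknowledgement number).
    HMAC-SHA256 is an assumed derivation; the patent does not name one."""
    msg_info = struct.pack("!II", seq & 0xFFFFFFFF, ack & 0xFFFFFFFF)
    return hmac.new(key, msg_info, hashlib.sha256).digest()


def _keystream(msg_key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(msg_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(msg_key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for the patent's unspecified private cipher: XOR with an HMAC-derived
    keystream. Symmetric, so one call both encrypts and decrypts. It carries no integrity
    tag, so a real deployment would use an authenticated cipher instead."""
    return bytes(a ^ b for a, b in zip(data, _keystream(msg_key, len(data))))


def terminal_encrypt(key: bytes, src_ip: str, seq: int, ack: int, plaintext: bytes) -> Segment:
    """Terminal side: encrypt the message with a key specific to this (seq, ack) pair."""
    return Segment(src_ip, seq, ack, xor_stream(per_message_key(key, seq, ack), plaintext))


def bastion_decrypt(seg: Segment, now: Optional[float] = None) -> Optional[bytes]:
    """Bastion side, S101 to S104: look the key up from the source IP and decrypt.
    None means the message was discarded (unknown characteristic information or key
    outside its validity period)."""
    now = time.time() if now is None else now
    entry = lookup_key(seg.src_ip, now)
    if entry is None:
        return None
    return xor_stream(per_message_key(entry.key, seg.seq, seg.ack), seg.payload)
```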
S105, processing the decrypted message to be processed.
After the message to be processed has been decrypted, the bastion machine can obtain the content it carries and perform corresponding processing on that content, such as operation and maintenance auditing.
For example, if the message to be processed is an operation and maintenance request message, its content is the operation and maintenance operation that operation and maintenance personnel want to perform on the server, and the bastion machine audits that operation so as to reduce the likelihood of the server being attacked.
In one embodiment, when the message to be processed is transmitted to the bastion machine, its destination port is an external port that is not a well-known port. After decrypting the message to be processed, the bastion machine needs to transmit the decrypted message internally, for example to pass it to other modules for processing.
Specifically, the bastion machine acquires a target internal port number corresponding to the first characteristic information based on a third corresponding relationship between characteristic information and internal port numbers. The third corresponding relationship may be preset, and each piece of characteristic information corresponds to at least one internal port number. The internal port number is the port number of a well-known port, for example 5 or 21.
After acquiring the target internal port number, the bastion machine replaces the destination port with the port corresponding to the target internal port number, transmits the message to be processed internally through that port, and processes the decrypted message to be processed with the protocol corresponding to the target internal port number.
In order to further strengthen the security reinforcement of the bastion machine, in one embodiment the message to be processed carries the Media Access Control (MAC) address of the terminal device.
The bastion machine may determine a target MAC address corresponding to the first characteristic information based on a second corresponding relationship between characteristic information and MAC addresses.
The second corresponding relationship between characteristic information and MAC addresses is preset, and each piece of characteristic information corresponds to one MAC address, namely the MAC address of the terminal device.
The target MAC address so determined is the MAC address that the bastion machine has preset as uniquely corresponding to the first characteristic information, and the terminal device with the target MAC address can be regarded as the target terminal device. That is, the bastion machine stipulates that a message to be processed carrying the first characteristic information may only be sent to the bastion machine by the target terminal device.
For example, if in the second corresponding relationship between source IP addresses and MAC addresses the source IP address 192.168.138.1 corresponds to the MAC address 44-45-53-54-00-00, then when the first characteristic information is 192.168.138.1 the target MAC address is 44-45-53-54-00-00, which means that the bastion machine has preset that a message with source IP address 192.168.138.1 may only be sent by the terminal device with MAC address 44-45-53-54-00-00.
After decrypting the message to be processed, the bastion machine can obtain the MAC address carried by the message, which is the MAC address of the terminal device that actually sent it. It then judges whether the MAC address carried by the message matches the target MAC address, that is, whether the terminal device that actually sent the message and the terminal device represented by the target MAC address are the same device.
If they do not match, the message to be processed is regarded as an illegal message and the bastion machine discards it; if they match, the message to be processed is regarded as a legal message permitted by the bastion machine, and the bastion machine processes it.
In this embodiment, the bastion machine binds the characteristic information and the MAC address in advance and authenticates the terminal device after receiving the message to be processed. Therefore, even if an attacker steals characteristic information such as an IP address and sends a message to be processed using it, the terminal device actually sending the message is not the terminal device preset by the bastion machine and cannot pass the bastion machine's terminal device authentication. The attack is thus difficult to carry out, and the security of the bastion machine is greatly improved.
In the above embodiment, the MAC address carried by the message to be processed may be stored in the message in several ways. In the first way, the MAC address is stored directly as a whole in the load of the message to be processed. In the second way, the hexadecimal groups (arrays) that make up the MAC address are inserted separately into the load of the message to be processed. The bastion machine acquires the MAC address from the message to be processed according to the storage mode used. The following describes how the bastion machine acquires the MAC address, taking the two storage modes as examples.
When the MAC address is stored in the first storage mode, the bastion machine acquires the decryption key for the message to be processed and, according to the length of the load in the message, splices several copies of the same decryption key together until the result has the same length as the load. It then decrypts the message to be processed with the spliced decryption key to obtain the decrypted load, and acquires the MAC address directly from the decrypted load.
When the MAC address is stored in the second storage mode, after decrypting the message to be processed the bastion machine acquires the load from the decrypted message and divides it into a preset number of sub-loads; from each divided sub-load it extracts the array of the terminal device's MAC address stored in that sub-load.
The preset number is user-defined; for example, if the preset number is 6, the six arrays of the MAC address are stored respectively in the six sub-loads into which the load of the message to be processed is divided.
The bastion machine decrypts the message to be processed with the spliced decryption key to obtain the decrypted load, and then divides the load into six sub-loads, each of which stores one hexadecimal array of the MAC address. The bastion machine divides the decrypted load equally into six sub-loads of the same length, acquires the stored array from each sub-load, and combines the six acquired arrays to obtain the MAC address carried by the message to be processed.
For example, the bastion machine divides the load into six sub-loads: sub-load 1, sub-load 2, sub-load 3, sub-load 4, sub-load 5 and sub-load 6. If the array stored in sub-load 1 is 00, the array stored in sub-load 2 is 50, the array stored in sub-load 3 is BA, the array stored in sub-load 4 is CE, the array stored in sub-load 5 is 07 and the array stored in sub-load 6 is 0C, then after acquiring the six arrays from the six sub-loads the bastion machine combines them to obtain the MAC address 00-50-BA-CE-07-0C.
After the bastion machine extracts the MAC address from the load, the length of the load is 6 bytes shorter than before extraction; those 6 bytes are the length of the MAC address.
According to the technical scheme provided by the embodiment of the present application, the client encrypts the message to be processed sent to the bastion machine, and after receiving the message to be processed sent by the client, the bastion machine decrypts it according to the first key identifier corresponding to the first characteristic information of the message to be processed, thereby obtaining the decrypted message to be processed. Because the message to be processed between the client and the bastion machine is encrypted, the security of the bastion machine is enhanced, security reinforcement of the bastion machine is realized, and the risk of a man-in-the-middle hijacking attack is effectively reduced.
After receiving a message to be processed sent by a terminal device, the bastion machine sends a response message corresponding to the message to be processed to the terminal device. The embodiment of the present application further provides a message processing method for the response message, which may include the following steps, as shown in fig. 2.
S201, obtaining a response message corresponding to the message to be processed.
The response message is a response to the message to be processed received by the bastion machine; for example, if the message to be processed is an operation request message sent by the terminal device, the response message may be an operation execution result message that feeds the execution result back to the terminal device.
The response message may be any one of a TCP message, an IP message and a UDP message; in the following, the response message is described as a TCP message.
S202, based on the first corresponding relation, determining a second key identification corresponding to the second characteristic information of the response message.
The second characteristic information may be an IP address, an identifier, or the like. Specifically, the IP address may be the destination IP address, which is the IP address of the terminal device receiving the response message, and the identifier may be an identifier of the terminal device receiving the response message. In the following embodiments the second characteristic information is taken to be the destination IP address.
The first corresponding relationship is the corresponding relationship between the characteristic information and the key identifier in step S103 above. The bastion machine determines the second key identifier corresponding to the second characteristic information of the response message based on the first corresponding relationship; see the description of S103 above, which is not repeated here.
In S103 above, the first characteristic information is information about the terminal device that sends the message to be processed, and the second characteristic information is information about the terminal device that receives the response message. On this basis, the second key identifier is identical to the first key identifier.
S203, the response message is encrypted by using the key represented by the second key identifier.
In one implementation, the response message may be encrypted directly with the key represented by the second key identifier.
In another implementation, after obtaining the second key identifier the bastion machine may acquire the key represented by the second key identifier from a preset key table entry, generate a new encryption key for the response message from that key and the message information of the response message, and encrypt the response message with the new encryption key. The message information of the response message may be at least one of the sequence number, the acknowledgement number, and the like.
When the bastion machine encrypts the response message with the new encryption key, it splices the new encryption key to the same length as the load of the response message and encrypts the response message with the spliced encryption key, thereby obtaining the encrypted response message.
S204, sending the encrypted response message to the terminal device.
In one embodiment, the encrypted response message is sent to the terminal device through the port corresponding to a preset external port number, where the external port number is the port number of a non-well-known port.
Specifically, the target external port number corresponding to the second characteristic information is obtained according to the fourth corresponding relationship between the characteristic information and the external port number, and the encrypted response message is sent to the terminal device through the port corresponding to the target external port number.
The fourth corresponding relationship between the characteristic information and the external port number may be preset, with each piece of characteristic information corresponding to one external port number.
In the fourth corresponding relationship each piece of characteristic information corresponds to one external port number, and the port corresponding to the target external port number acquired according to the fourth corresponding relationship is the external port.
Based on the correspondence between the characteristic information and the internal port number in the third corresponding relationship, and the correspondence between the characteristic information and the external port number in the fourth corresponding relationship, the correspondence among the characteristic information, the internal port number and the external port number can be determined. The external port number and the internal port number may be stored as an entry, as shown in Table 2 below:
TABLE 2
Internal port number External port number
In the correspondence among the three, each piece of characteristic information corresponds to one external port number and one internal port number. The port corresponding to the target external port number for the second characteristic information is the port through which the response message is sent to the terminal device, and the port corresponding to the target internal port number for the second characteristic information is the port through which the response message is transmitted inside the bastion machine.
In the embodiment corresponding to fig. 2, the bastion machine encrypts the response message, which effectively reduces the risk of a man-in-the-middle attack. The bastion machine selects a non-well-known port as its external port and sends the response message through it, so the external port exposed by the bastion machine is a non-well-known port; this effectively reduces the possibility of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like, further realizing security reinforcement of the bastion machine.
Corresponding to the embodiment of the message processing method applied to the bastion machine, the embodiment of the present application also provides a message processing method applied to the terminal device, which includes the following steps.
S301, acquiring a key of the terminal device and an external port number of the bastion machine.
The key of the terminal device may be pre-stored in the terminal device; each terminal device stores one key of its own, which is the key used to encrypt the messages sent by that terminal device.
Each terminal device also pre-stores an external port number of the bastion machine, which is the port number of the external port through which the bastion machine receives messages; when the terminal device sends a message to be processed to the bastion machine, the destination port number carried by the message to be processed is this external port number.
The external port number is the port number of a non-well-known port. The bastion machine is thus exposed externally through a non-well-known port and receives the message to be processed sent by the terminal device through that port, which effectively reduces the possibility of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like, further realizing security reinforcement of the bastion machine.
S302, generating an encryption key for the message to be processed according to the acquired key and the message information of the message to be processed.
The message information may be at least one of the sequence number, the acknowledgement number, and the like. The way the terminal device generates the encryption key for the message to be processed from the key and the message information can follow the way the bastion machine generates a new encryption key or new decryption key from the key and the message information, which is not repeated here.
S303, encrypting the message to be processed by using the encryption key.
Because the encryption key is generated from the key and the message information of the message to be processed, the generated encryption key is specific to each message to be processed; that is, the encryption key used to encrypt each message to be processed is different, which improves the security of the encrypted message.
Alternatively, the terminal device may use the acquired key directly as the encryption key and encrypt the message to be processed with it. In that case the key used to encrypt every message to be processed from the same terminal device is the same.
In one embodiment, in order to further enhance the security of the bastion machine, the bastion machine performs MAC authentication on the received message to be processed. Each terminal device corresponds to a unique MAC address, and the bastion machine presets the user corresponding to each MAC address; only a message to be processed sent for the specified user by the terminal device corresponding to the specified MAC address is authenticated as a legal message by the bastion machine. Otherwise the bastion machine determines the message to be processed to be an illegal message and discards it. The terminal device therefore stores its MAC address in the load of the message to be processed, so that the message carries the MAC address when it is sent to the bastion machine. There are several storage modes for the MAC address in the message to be processed: in the first, the terminal device stores the MAC address directly as a whole in the load of the message to be processed; in the second, the terminal device inserts the hexadecimal arrays that make up the MAC address into the load of the message to be processed.
Specifically, the terminal device may divide the load of the message to be processed into a preset number of sub-loads, where the preset number may be set by the user; for example, if the preset number is 6 the load is divided into 6 sub-loads, and if the preset number is 3 the load is divided into 3 sub-loads.
After the terminal device obtains the sub-loads, each array of the terminal device's MAC address may be inserted into one of the divided sub-loads. Taking a preset number of 6 as the example, the terminal device divides the load into six equal-length parts, that is, six sub-loads, and inserts the six arrays of its MAC address into the six sub-loads respectively: the first array into the first sub-load, the second array into the second sub-load, the third into the third, the fourth into the fourth, the fifth into the fifth and the sixth into the sixth. The length of the load is then 6 bytes greater than before insertion, and the message to be processed thus carries the MAC address of the terminal device.
After receiving a message to be processed carrying the terminal device's MAC address, the bastion machine performs MAC authentication on it, that is, judges whether the MAC address carried in the message to be processed matches the MAC address of the terminal device stored in advance by the bastion machine. If not, the message to be processed is determined to be an illegal message and discarded; if so, it is determined to be a legal message.
After the terminal device has inserted the MAC address into the load, the message to be processed carrying the MAC address is encrypted with the encryption key.
S304, taking the port represented by the external port number as the destination port, and sending the encrypted message to be processed to the bastion machine.
The external port number is the port number of a non-well-known port; using the port represented by the external port number as the destination port means the terminal device sends the message to be processed to a non-well-known port, and the bastion machine receives the message to be processed through that non-well-known port. This effectively reduces the possibility of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like, further realizing security reinforcement of the bastion machine.
In the embodiment of the present application, the terminal device encrypts the message to be processed, selects a non-well-known port as the external port of the bastion machine and sends the encrypted message to be processed to that non-well-known port, so the bastion machine receives the message to be processed through a non-well-known port. This effectively reduces the danger of man-in-the-middle attacks and the possibility of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like, further realizing security reinforcement of the bastion machine.
With reference to the embodiments corresponding to fig. 1, fig. 2 and fig. 3, the present application further provides a message processing method which, as shown in fig. 4, includes the following steps.
S401, the terminal device obtains a key of the terminal device and an external port number of the bastion machine.
The obtained key is key 1, a private key used for encryption. The external port number is 2345, which is the port number of a non-well-known port.
S402, the terminal device generates an encryption key for the message to be processed according to the acquired key and the sequence number and acknowledgement number of the message to be processed.
The sequence number of the message to be processed is 1 and the acknowledgement number is 2. The encryption key generated from key 1, sequence number 1 and acknowledgement number 2 is key 11. Key 11 is the encryption key for this message to be processed.
S403, the terminal device divides the load of the message to be processed into a preset number of sub-loads.
The preset number is 6. The load length of the message is determined to be ReqLen1, and when the load is divided into six sub-loads the length of each sub-load is OffsetLen1 = ReqLen1/6, with remainder LastLen1. Each sub-load is represented by RepData1[ ], so the six sub-loads are RepData1[1], RepData1[2], RepData1[3], RepData1[4], RepData1[5] and RepData1[6].
S404, the terminal device inserts each array of its MAC address into each divided sub-load.
The MAC address consists of 6 arrays, each one byte long, represented as MacArray1[ ]; that is, the MAC address comprises MacArray1[1], MacArray1[2], MacArray1[3], MacArray1[4], MacArray1[5] and MacArray1[6]. The arrays are inserted into the corresponding sub-loads for storage: MacArray1[1] into RepData1[1], MacArray1[2] into RepData1[2], MacArray1[3] into RepData1[3], MacArray1[4] into RepData1[4], MacArray1[5] into RepData1[5] and MacArray1[6] into RepData1[6].
For example, for the MAC address 44-45-53-54-00-00, MacArray1[1] is 44, MacArray1[2] is 45, MacArray1[3] is 53, MacArray1[4] is 54, MacArray1[5] is 00 and MacArray1[6] is 00. Then 44 is inserted into sub-load RepData1[1] for storage, 45 into RepData1[2], 53 into RepData1[3], 54 into RepData1[4], 00 into RepData1[5] and 00 into RepData1[6].
After the MAC address is inserted, the length of the load becomes ReqLen1 + 6; the added 6 bytes are the 6-byte length of the MAC address.
S405, the terminal device encrypts the message to be processed carrying the MAC address by using the encryption key.
The encryption key is key 11, and key 11 is spliced by string concatenation into a new key 11 of length ReqLen1 + 6. That is, the length of the spliced new key 11 is the same as the length of the load after the MAC address is inserted.
Then the message to be processed carrying the MAC address is encrypted with the new key 11 of length ReqLen1 + 6.
S406, the terminal device takes the port represented by the external port number as the destination port and sends the encrypted message to be processed to the bastion machine.
The external port number is 2345, the port represented by port number 2345 is a non-well-known port, and the destination port in the message to be processed is 2345. The terminal device sends the encrypted message to be processed to port 2345 of the bastion machine.
S407, the bastion machine receives the message to be processed sent by the terminal device and obtains first characteristic information of the message to be processed.
The bastion machine receives the message to be processed through the external port with port number 2345, and obtains the source IP address 123.122.100.134 of the message to be processed, together with its destination IP address, destination port and user information.
The acquired source IP address, destination port and user information are verified. Specifically, source IP addresses, destination ports and user information are stored in the bastion machine in advance, with a corresponding relationship among them. After a message to be processed is received and its source IP address 1, destination port 1 and user information 1 are obtained, the bastion machine checks whether it holds a source IP address, destination port and user information matching source IP address 1, destination port 1 and user information 1. If not, the message to be processed is determined to be an illegal message; if so, it further judges whether the matched source IP address, destination port and user information belong to the same corresponding relationship in the bastion machine. If not, the message to be processed is determined to be illegal and discarded; if so, the following operations continue.
S408, the bastion machine acquires a first key identifier corresponding to the first characteristic information based on the first corresponding relation between the characteristic information and the key identifier.
In the first corresponding relationship, the key identifier corresponding to the source IP address 123.122.100.134 is 1, so identifier 1 is used as the first key identifier.
S409, the bastion machine acquires the key represented by the first key identifier from the preset key table entry.
In the preset key table entry the key corresponding to identifier 1 is key 1, so key 1 is acquired.
S410, the bastion machine generates a decryption key for the message to be processed according to the acquired key and the sequence number and acknowledgement number of the message to be processed.
The sequence number of the message to be processed is 1 and the acknowledgement number is 2. The decryption key generated from key 1, sequence number 1 and acknowledgement number 2 is key 12. Key 12 is the decryption key for this message to be processed.
S411, the bastion machine decrypts the message to be processed with the decryption key.
Using the generated key 12, the message to be processed is decrypted and the load carried by the message to be processed can be obtained.
Specifically, the length of the load carried by the message to be processed is determined to be ReqLen2, and key 12 is spliced by string concatenation into a new key 12 of length ReqLen2. That is, the length of the spliced new key 12 is the same as the length of the load. The message to be processed is then decrypted with the new key 12 of length ReqLen2.
The load of the message to be processed is acquired from the decrypted message, and the acquired load is divided into a preset number of sub-loads.
Specifically, the preset number is 6; the load of length ReqLen2 is divided into six sub-loads, and the length of each sub-load is OffsetLen2 = ReqLen2/6, with remainder LastLen2. Each sub-load is represented by RepData2[ ], so the six sub-loads are RepData2[1], RepData2[2], RepData2[3], RepData2[4], RepData2[5] and RepData2[6].
From each of the divided sub-loads, the array of the terminal device's MAC address stored in that sub-load is extracted.
Specifically, the stored arrays of the MAC address are extracted from RepData2[1], RepData2[2], RepData2[3], RepData2[4], RepData2[5] and RepData2[6] respectively; the arrays are represented as MacArray1[ ]. That is, array MacArray1[1] is extracted from RepData2[1], MacArray1[2] from RepData2[2], MacArray1[3] from RepData2[3], MacArray1[4] from RepData2[4], MacArray1[5] from RepData2[5] and MacArray1[6] from RepData2[6]. Combining MacArray1[1], MacArray1[2], MacArray1[3], MacArray1[4], MacArray1[5] and MacArray1[6] then yields the MAC address carried by the message to be processed: 44-45-53-54-00-00.
S412, the bastion machine determines the target MAC address corresponding to the first characteristic information based on the second corresponding relationship between the characteristic information and the MAC address.
In the second corresponding relationship, the MAC address corresponding to the source IP address 123.122.100.134 is 44-45-53-54-00-00, so the target MAC address is determined to be 44-45-53-54-00-00.
S413, the bastion machine judges whether the MAC address carried by the message to be processed matches the target MAC address; if so, S414 is executed, and if not, the message to be processed is discarded.
Since the MAC address carried by the message to be processed is 44-45-53-54-00-00 and the target MAC address is 44-45-53-54-00-00, the MAC address carried by the message to be processed is determined to match the target MAC address.
After determining that the MAC address carried by the message to be processed matches the target MAC address, the target internal port number 80 is acquired based on the third corresponding relationship between the source IP address and the internal port number, where internal port number 80 is the port number of a well-known port.
The decrypted message to be processed is then processed using HTTP, the protocol corresponding to the target internal port number 80.
S414, the bastion machine processes the decrypted message to be processed and obtains a response message corresponding to the message to be processed.
The response message corresponds to the message to be processed, that is, the response message is a message in response to the message to be processed.
S415, the bastion machine determines a second key identifier corresponding to the second characteristic information of the response message based on the first corresponding relationship.
The second characteristic information is the destination IP address 125.112.129.225, which is the IP address of the terminal device receiving the response message. From the first corresponding relationship, the second key identifier corresponding to the destination IP address 125.112.129.225 is determined to be 2.
S416, the bastion machine acquires the key represented by the second key identifier from the preset key table entry.
In the preset key table entry the key corresponding to identifier 2 is key 2, so key 2 is acquired.
S417, the bastion machine generates an encryption key for the response message according to the acquired key and the message information of the response message.
The message information of the response message is sequence number 3 and acknowledgement number 4, and the encryption key generated from key 2, sequence number 3 and acknowledgement number 4 is key 22. Key 22 is the encryption key for the response message.
S418, the bastion machine encrypts the response message with the encryption key.
The length of the obtained response message is ReqLen3 and the encryption key is key 22; key 22 is spliced by string concatenation into a new key 22 of length ReqLen3. That is, the length of the spliced new key 22 is the same as the length of the load carried by the response message.
The response message is then encrypted with the new key 22 of length ReqLen3.
S419, the bastion machine acquires the target external port number corresponding to the second characteristic information according to the fourth corresponding relationship between the characteristic information and the external port number.
In the fourth corresponding relationship, the external port number corresponding to the destination IP address 125.112.129.225 is 2333, and port number 2333 is the port number of a non-well-known port.
S420, the bastion machine sends the encrypted response message to the terminal device through the port corresponding to the target external port number.
The bastion machine sends the encrypted response message to the terminal device through the port with port number 2333.
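A runnable sketch of the terminal-side insertion (S402 to S405), the bastion-side decryption and MAC authentication (S408 to S413) and the six-sub-load layout described earlier for the second storage mode, added here as an example; it is not the patent's own code. The page leaves the key derivation, the encryption operation and the position of each array inside its sub-load unspecified, so this example assumes SHA-256 over key, sequence number and acknowledgement number, XOR with the spliced key, and the array at the front of each sub-load; the key table, correspondences and request load are constructed sample values.

```python
"""Payload-embedded MAC authentication between terminal device and bastion
machine, following the fig. 4 walkthrough. Constructed example, not the
patent's code. Assumptions are labelled where they appear: the page does not
specify the key derivation, the encryption operation or the byte position of
each MAC array inside its sub-load."""
import hashlib

PRESET_NUMBER = 6  # one sub-load per MAC array, as in the page's example


def derive_message_key(device_key: bytes, seq: int, ack: int) -> bytes:
    """Per-message key from the device key plus sequence and acknowledgement
    numbers. ASSUMPTION: SHA-256 over their concatenation; the page only
    says the key is generated from the key and the message information."""
    material = device_key + seq.to_bytes(4, "big") + ack.to_bytes(4, "big")
    return hashlib.sha256(material).digest()


def splice_key(key: bytes, length: int) -> bytes:
    """Repeat ("splice") the key until it is exactly `length` bytes long."""
    if length == 0:
        return b""
    return (key * (length // len(key) + 1))[:length]


def xor_with_spliced_key(data: bytes, key: bytes) -> bytes:
    """ASSUMPTION: the encryption operation is XOR with the spliced key, so
    one function both encrypts and decrypts. A key repeated to load length
    is only safe if each per-message key is used for a single load."""
    return bytes(a ^ b for a, b in zip(data, splice_key(key, len(data))))


def parse_mac(text: str) -> bytes:
    """'44-45-53-54-00-00' -> six bytes 0x44 0x45 0x53 0x54 0x00 0x00."""
    parts = text.split("-")
    if len(parts) != PRESET_NUMBER:
        raise ValueError("a MAC address has six hexadecimal arrays")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    return "-".join(f"{b:02X}" for b in mac)


def split_load(load: bytes, n: int = PRESET_NUMBER) -> list:
    """Divide the load into n sub-loads of OffsetLen = len(load) // n bytes;
    the remainder LastLen is appended to the last sub-load."""
    offset_len = len(load) // n
    subs = [load[i * offset_len:(i + 1) * offset_len] for i in range(n)]
    subs[-1] += load[n * offset_len:]  # the LastLen remainder bytes
    return subs


def insert_mac(load: bytes, mac: bytes) -> bytes:
    """Terminal side (S403/S404): MacArray[i] is stored in RepData[i].
    ASSUMPTION: each array is placed at the front of its sub-load."""
    subs = split_load(load)
    return b"".join(bytes([m]) + sub for m, sub in zip(mac, subs))


def extract_mac(load_with_mac: bytes):
    """Bastion side (S411): split the ReqLen + 6 load the same way. Every
    sub-load grew by exactly one byte, so the same division reproduces the
    sender's boundaries. Returns (mac, original load)."""
    subs = split_load(load_with_mac)
    mac = bytes(sub[0] for sub in subs)
    return mac, b"".join(sub[1:] for sub in subs)


def terminal_build(load: bytes, mac_text: str, device_key: bytes,
                   seq: int, ack: int) -> bytes:
    """S402 to S405: derive the message key, insert the MAC, encrypt."""
    msg_key = derive_message_key(device_key, seq, ack)
    return xor_with_spliced_key(insert_mac(load, parse_mac(mac_text)), msg_key)


def bastion_verify(ciphertext: bytes, src_ip: str, seq: int, ack: int,
                   key_id_by_feature: dict, key_table: dict,
                   mac_by_feature: dict):
    """S408 to S413: look up the key through the first correspondence,
    decrypt, extract the carried MAC and compare it with the target MAC from
    the second correspondence. Returns the original load, or None when the
    message is to be discarded. The MAC travels inside the encrypted load,
    so this check is only as strong as the secrecy of the device key."""
    key_id = key_id_by_feature.get(src_ip)
    target = mac_by_feature.get(src_ip)
    if key_id not in key_table or target is None:
        return None
    if len(ciphertext) < PRESET_NUMBER:  # cannot even carry the six arrays
        return None
    dec_key = derive_message_key(key_table[key_id], seq, ack)
    mac, load = extract_mac(xor_with_spliced_key(ciphertext, dec_key))
    if mac != parse_mac(target):
        return None  # illegal message: not sent by the bound terminal device
    return load


if __name__ == "__main__":
    # Constructed sample values following the page's walkthrough.
    KEY_ID_BY_FEATURE = {"123.122.100.134": 1}     # first correspondence
    KEY_TABLE = {1: b"key-1-constructed"}          # preset key table entry
    MAC_BY_FEATURE = {"123.122.100.134": "44-45-53-54-00-00"}  # second
    request = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
    ct = terminal_build(request, "44-45-53-54-00-00", KEY_TABLE[1], 1, 2)
    print("load", len(request), "-> encrypted", len(ct))  # ReqLen1 -> +6
    got = bastion_verify(ct, "123.122.100.134", 1, 2,
                         KEY_ID_BY_FEATURE, KEY_TABLE, MAC_BY_FEATURE)
    print("accepted" if got == request else "discarded")
```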
Corresponding to the above message processing method embodiment, an embodiment of the present application further provides a message processing apparatus, which is applied to a bastion machine, and as shown in fig. 5, the message processing apparatus includes:
a receiving module 510, configured to receive a message to be processed sent by a terminal device, where the message to be processed is a message encrypted by the terminal device using its own key;
a first obtaining module 520, configured to obtain first feature information of a packet to be processed;
a second obtaining module 430, configured to obtain a first key identifier corresponding to the first feature information based on a first corresponding relationship between the feature information and the key identifier, where the first corresponding relationship is: the key identification is obtained based on the corresponding relation between the characteristic information and the terminal equipment and the corresponding relation between the terminal equipment and the key identification;
the decryption module 540 is configured to decrypt the to-be-processed packet by using the key represented by the first key identifier;
and the processing module 550 is configured to process the decrypted to-be-processed packet.
Optionally, the decryption module 540 is further configured to:
acquiring the load of the message to be processed from the decrypted message to be processed, and dividing the acquired load into a preset number of sub-loads;
from each of the divided sub-payloads, an array of MAC addresses of the terminal devices included in each of the sub-payloads is extracted.
Optionally, the message to be processed carries the MAC address of the terminal device; the processing module 550 is specifically configured to:
determining a target MAC address corresponding to the first characteristic information based on the second corresponding relation between the characteristic information and the MAC address;
judging whether the MAC address carried by the message to be processed is matched with the target MAC address;
and if so, processing the decrypted message to be processed.
Optionally, the processing module 550 is specifically configured to:
acquiring a target internal port number corresponding to the first characteristic information based on a third corresponding relation between the characteristic information and the internal port number, wherein the internal port number is the port number of the known port;
and processing the decrypted message to be processed by utilizing a protocol corresponding to the target internal port number.
Optionally, the decryption module 540 is specifically configured to:
acquiring a key represented by a first key identifier from a preset key table entry;
generating a decryption key for the message to be processed according to the acquired key and the message information of the message to be processed;
and decrypting the message to be processed by using the decryption key.
Optionally, the apparatus further comprises:
the obtaining module is used for obtaining a response message corresponding to the message to be processed;
the determining module is used for determining a second key identifier corresponding to second characteristic information of the response message based on the first corresponding relation;
the encryption module is used for encrypting the response message by using the key represented by the second key identifier;
and the sending module is used for sending the encrypted response message to the terminal equipment.
Optionally, the sending module is specifically configured to:
acquiring a target external port number corresponding to the second characteristic information according to a fourth corresponding relation between the characteristic information and the external port number, wherein the external port number is the port number of a non-well-known port;
and sending the encrypted response message to the terminal equipment through a port corresponding to the target external port number.
Optionally, the encryption module is specifically configured to:
acquiring a key represented by a second key identifier from a preset key table entry;
generating an encryption key aiming at the response message according to the acquired key and the message information of the response message;
and encrypting the response message by using the encryption key.
According to the technical scheme provided by the embodiment of the application, the client encrypts the message to be processed that it sends to the bastion machine, and after receiving the message to be processed from the client, the bastion machine decrypts it according to the first key identifier corresponding to the first characteristic information of the message to be processed, so that the decrypted message to be processed is obtained. Because the message to be processed between the client and the bastion machine is encrypted, the security of the bastion machine is enhanced, security reinforcement of the bastion machine is realized, and the risk of man-in-the-middle hijacking attacks is effectively reduced.
Corresponding to the above message processing method embodiment, an embodiment of the present application further provides a message processing apparatus, which is applied to a terminal device, and as shown in fig. 6, the message processing apparatus includes:
an acquiring module 610, configured to acquire the key of the terminal device and an external port number of the bastion machine, wherein the external port number is the port number of a non-well-known port;
a generating module 620, configured to generate an encryption key for the message to be processed according to the obtained key and the message information of the message to be processed;
an encryption module 630, configured to encrypt the to-be-processed packet by using the encryption key;
and the sending module 640 is configured to send the encrypted to-be-processed message to the bastion machine by using the port indicated by the external port number as a destination port.
Optionally, the encryption module 630 is specifically configured to:
dividing the payload of the message to be processed into a preset number of sub-payloads;
inserting each segment of the MAC address of the terminal device into a respective one of the divided sub-payloads;
and encrypting the message to be processed carrying the MAC address by using the encryption key.
In the embodiment of the application, the terminal device encrypts the message to be processed, selects a non-well-known port as the external port of the bastion machine, and sends the encrypted message to be processed to that non-well-known port, so that the bastion machine receives the message to be processed through the non-well-known port. This effectively reduces the risk of man-in-the-middle attacks, lowers the possibility of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like, and thereby further realizes the security reinforcement of the bastion machine.
Corresponding to the above message processing method embodiment, the present application further provides a bastion machine, as shown in fig. 7, including a processor 710 and a machine-readable storage medium 720, where the machine-readable storage medium 720 stores machine-executable instructions that can be executed by the processor 710.
In addition, as shown in fig. 7, the bastion machine may further include a communication interface 730 and a communication bus 740; the processor 710, the machine-readable storage medium 720 and the communication interface 730 communicate with each other through the communication bus 740, and the communication interface 730 is used for communication between the bastion machine and other devices.
The processor 710 causes execution of any of the above embodiments of the message processing method applied to the bastion machine, wherein the message processing method comprises:
receiving a message to be processed sent by a terminal device, wherein the message to be processed is a message that the terminal device has encrypted using its own key;
acquiring first characteristic information of a message to be processed;
acquiring a first key identifier corresponding to the first characteristic information based on a first corresponding relationship between the characteristic information and the key identifier, wherein the first corresponding relationship is as follows: the key identification is obtained based on the corresponding relation between the characteristic information and the terminal equipment and the corresponding relation between the terminal equipment and the key identification;
decrypting the message to be processed by using the key represented by the first key identifier;
and processing the decrypted message to be processed.
According to the technical scheme provided by the embodiment of the application, the client encrypts the message to be processed that it sends to the bastion machine, and after receiving the message to be processed from the client, the bastion machine decrypts it according to the first key identifier corresponding to the first characteristic information of the message to be processed, so that the decrypted message to be processed is obtained. Because the message to be processed between the client and the bastion machine is encrypted, the security of the bastion machine is enhanced, security reinforcement of the bastion machine is realized, and the risk of man-in-the-middle hijacking attacks is effectively reduced.
The communication bus 740 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus 740 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The machine-readable storage medium 720 may include a RAM (Random Access Memory) and may also include an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium 720 may also be at least one storage device located remotely from the aforementioned processor.
The processor 710 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Corresponding to the embodiment of the message processing method, the embodiment of the application also provides a machine-readable storage medium, which stores machine executable instructions, and when the machine executable instructions are called and executed by a processor, the machine executable instructions cause the processor to realize the message processing method applied to the bastion machine.
The embodiment of the present application further provides a terminal device, where the terminal device may include a processor, a machine-readable storage medium, a communication interface, and a communication bus, and a schematic structural diagram of the terminal device may be the same as a schematic structural diagram of the bastion machine, and based on the foregoing fig. 7, the processor of the terminal device causes the terminal device to execute any one of the embodiments of the message processing method applied to the terminal device, where the message processing method includes:
acquiring the key of the terminal device and an external port number of the bastion machine, wherein the external port number is the port number of a non-well-known port;
generating an encryption key for the message to be processed according to the acquired key and the message information of the message to be processed;
encrypting the message to be processed by using the encryption key;
and taking the port represented by the external port number as a destination port, and sending the encrypted message to be processed to the bastion machine.
In the embodiment of the application, the terminal device encrypts the message to be processed, selects a non-well-known port as the external port of the bastion machine, and sends the encrypted message to be processed to that non-well-known port, so that the bastion machine receives the message to be processed through the non-well-known port. This effectively reduces the risk of man-in-the-middle attacks, lowers the possibility of vulnerability scanning by an attacker, DDoS attacks, man-in-the-middle hijacking and the like, and thereby further realizes the security reinforcement of the bastion machine.
Corresponding to the embodiment of the message processing method, an embodiment of the present application further provides a machine-readable storage medium, which stores machine-executable instructions, and when the machine-executable instructions are called and executed by a processor, they cause the processor to implement the message processing method applied to the terminal device.
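The following Python is an added worked example, not code from the patent or from New H3C, that simulates both sides of the exchange described above: the terminal splits its payload into a preset number of sub-payloads, inserts one segment of its MAC address into each, and encrypts under a per-message key derived from its device key and message information; the bastion maps the message's feature information to a terminal, then to a key identifier and key, decrypts, checks the carried MAC address against the expected one, and maps the feature information to the internal well-known port. The patent names neither the cipher nor the key-derivation function nor what "feature information" and "message information" concretely are, so the (source IP, external port) tuple, the random nonce, HMAC-SHA256 key derivation and the HMAC-based encrypt-then-MAC construction are all assumptions made here, and every table value is constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample tables (not from the patent); they stand in for the "corresponding
# relations" the text describes. Feature information is assumed to be (src IP, dst port).
KEY_TABLE = {"kid-7": bytes.fromhex("1f" * 32)}          # key identifier -> key
FEATURE_TO_TERMINAL = {("10.0.0.5", 40123): "term-a"}    # feature -> terminal device
TERMINAL_TO_KEY_ID = {"term-a": "kid-7"}                 # terminal device -> key identifier
TERMINAL_TO_MAC = {"term-a": "02:00:00:aa:bb:cc"}        # expected MAC address per terminal
FEATURE_TO_INTERNAL_PORT = {("10.0.0.5", 40123): 22}     # external feature -> well-known port
SUB_PAYLOADS = 3                                         # the "preset number" of sub-payloads
NONCE_LEN, TAG_LEN, MAC_LEN = 12, 32, 6

def split_sizes(total, n):
    """Deterministically split `total` bytes into n near-equal sub-payload sizes."""
    base, rem = divmod(total, n)
    return [base + (1 if i < rem else 0) for i in range(n)]

def derive_key(base_key, msg_info, label):
    """Per-message key from the device key and message information. The patent names
    no KDF; HMAC-SHA256 over a per-message nonce is an assumption made here."""
    return hmac.new(base_key, label + msg_info, hashlib.sha256).digest()

def seal(base_key, nonce, plaintext):
    """Encrypt-then-MAC with HMAC-SHA256 as PRF (stand-in for the unspecified cipher)."""
    enc_key = derive_key(base_key, nonce, b"enc")
    mac_key = derive_key(base_key, nonce, b"mac")
    stream = b"".join(hmac.new(enc_key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(base_key, blob):
    """Check the tag first, then decrypt; None if the blob was tampered or the key is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(derive_key(base_key, nonce, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return seal(base_key, nonce, ct)[NONCE_LEN:-TAG_LEN]  # XOR keystream is its own inverse

def terminal_encrypt(mac, payload, base_key, n=SUB_PAYLOADS):
    """Terminal side: split the payload into n sub-payloads, insert one segment of the
    MAC address into each, then encrypt the carrier under a per-message key."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    carrier, p_off, m_off = b"", 0, 0
    for p_len, m_len in zip(split_sizes(len(payload), n), split_sizes(MAC_LEN, n)):
        carrier += mac_bytes[m_off:m_off + m_len] + payload[p_off:p_off + p_len]
        p_off, m_off = p_off + p_len, m_off + m_len
    return seal(base_key, os.urandom(NONCE_LEN), carrier)  # nonce plays "message information"

def extract_mac(carrier, n=SUB_PAYLOADS):
    """Bastion side: re-split the decrypted payload and pull the MAC segments back out."""
    if len(carrier) < MAC_LEN:
        return None, None
    mac, payload, off = b"", b"", 0
    for p_len, m_len in zip(split_sizes(len(carrier) - MAC_LEN, n), split_sizes(MAC_LEN, n)):
        mac += carrier[off:off + m_len]
        payload += carrier[off + m_len:off + m_len + p_len]
        off += m_len + p_len
    return ":".join(f"{b:02x}" for b in mac), payload

def bastion_process(src_ip, dst_port, blob):
    """Bastion side flow from the text: feature info -> terminal -> key identifier -> key,
    decrypt, compare the carried MAC with the expected one, then map to the internal port."""
    feature = (src_ip, dst_port)
    terminal = FEATURE_TO_TERMINAL.get(feature)
    if terminal is None:
        return None                      # unknown feature information: drop
    key_id = TERMINAL_TO_KEY_ID[terminal]
    carrier = unseal(KEY_TABLE[key_id], blob)
    if carrier is None:
        return None                      # wrong key or tampered ciphertext: drop
    mac, payload = extract_mac(carrier)
    if mac != TERMINAL_TO_MAC[terminal]:
        return None                      # carried MAC address does not match: drop
    return {"key_id": key_id, "mac": mac, "payload": payload, "internal_port": FEATURE_TO_INTERNAL_PORT[feature]}
```

A message from an unregistered source, a tampered ciphertext, or a message carrying a MAC address other than the one registered for the terminal all return None and would be dropped by the bastion.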
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiments of the message processing apparatus, the bastion machine, the terminal device and the machine-readable storage medium, since they are basically similar to the embodiments of the method, the description is relatively simple, and the relevant points can be referred to the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (12)

1. A message processing method is characterized by being applied to a bastion machine, and comprises the following steps:
receiving a message to be processed sent by a terminal device, wherein the message to be processed is a message that the terminal device has encrypted using its own key;
acquiring first characteristic information of the message to be processed;
acquiring a first key identifier corresponding to the first feature information based on a first corresponding relationship between the feature information and the key identifier, where the first corresponding relationship is: the key identification is obtained based on the corresponding relation between the characteristic information and the terminal equipment and the corresponding relation between the terminal equipment and the key identification;
decrypting the message to be processed by using the key represented by the first key identifier;
and processing the decrypted message to be processed.
2. The method according to claim 1, wherein after the step of decrypting the message to be processed by using the key represented by the first key identifier, the method further comprises:
acquiring the payload of the message to be processed from the decrypted message to be processed, and dividing the acquired payload into a preset number of sub-payloads;
and respectively extracting, from each divided sub-payload, the segment of the Media Access Control (MAC) address of the terminal device contained in that sub-payload.
3. The method according to claim 1 or 2, wherein the message to be processed carries the MAC address of the terminal device;
the step of processing the decrypted message to be processed includes:
determining a target MAC address corresponding to the first characteristic information based on a second corresponding relation between the characteristic information and the MAC address; the second corresponding relation is the corresponding relation between the characteristic information and the MAC address;
judging whether the MAC address carried by the message to be processed is matched with the target MAC address;
and if so, processing the decrypted message to be processed.
4. The method according to claim 1, wherein the step of processing the decrypted message to be processed includes:
acquiring a target internal port number corresponding to the first characteristic information based on a third corresponding relation between the characteristic information and the internal port number, wherein the internal port number is the port number of a well-known port; the third corresponding relation is the corresponding relation between the characteristic information and the internal port number;
and processing the decrypted message to be processed by utilizing a protocol corresponding to the target internal port number.
5. The method according to claim 1, wherein the step of decrypting the message to be processed by using the key represented by the first key identifier comprises:
acquiring a key represented by the first key identifier from a preset key table entry;
generating a decryption key aiming at the message to be processed according to the acquired key and the message information of the message to be processed;
and decrypting the message to be processed by using the decryption key.
6. The method of claim 1, further comprising:
obtaining a response message corresponding to the message to be processed;
determining a second key identification corresponding to second characteristic information of the response message based on the first corresponding relation;
encrypting the response message by using the key represented by the second key identifier;
and sending the encrypted response message to the terminal equipment.
7. The method according to claim 6, wherein the step of sending the encrypted response message to the terminal device comprises:
acquiring a target external port number corresponding to the second characteristic information according to a fourth corresponding relation between the characteristic information and the external port number, wherein the external port number is the port number of a non-well-known port; the fourth corresponding relation is the corresponding relation between the characteristic information and the external port number;
and sending the encrypted response message to the terminal equipment through a port corresponding to the target external port number.
8. The method of claim 6, wherein the step of encrypting the response message using the key represented by the second key identifier comprises:
acquiring a key represented by the second key identifier from a preset key table entry;
generating an encryption key aiming at the response message according to the acquired key and the message information of the response message;
and encrypting the response message by using the encryption key.
9. A message processing method is applied to a terminal device, and the method comprises the following steps:
acquiring the key of the terminal device and an external port number of the bastion machine, wherein the external port number is the port number of a non-well-known port;
generating an encryption key aiming at the message to be processed according to the acquired key and the message information of the message to be processed;
encrypting the message to be processed by using the encryption key;
and taking a port represented by the external port number as a destination port, and sending the encrypted message to be processed to the bastion machine.
10. The method according to claim 9, wherein the step of encrypting the message to be processed by using the encryption key comprises:
dividing the payload of the message to be processed into a preset number of sub-payloads;
inserting each segment of the MAC address of the terminal device into a respective one of the divided sub-payloads;
and encrypting the message to be processed carrying the MAC address by using the encryption key.
11. A bastion machine comprising a processor and a machine-readable storage medium, said machine-readable storage medium storing machine-executable instructions executable by said processor, said processor being caused by said machine-executable instructions to: carrying out the method steps of any one of claims 1 to 8.
12. A terminal device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carry out the method steps of any one of claims 9 to 10.
CN201810649004.0A 2018-06-22 2018-06-22 Message processing method, bastion machine and terminal equipment Active CN108965260B (en)

Publications (2)

Publication Number Publication Date
CN108965260A (en) 2018-12-07
CN108965260B (en) 2021-05-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant