CN109587097A - System, method and apparatus for realizing secure access to an internal network (Google Patents record)

Info

Publication number: CN109587097A
Authority: CN (China)
Prior art keywords: access request, request, network access, network, authentication information
Legal status: Pending
Application number: CN201710905297.XA
Other languages: Chinese (zh)
Inventor: 李齐
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd

Events:
Application filed by Alibaba Group Holding Ltd
Priority to CN201710905297.XA (patent CN109587097A)
Priority to TW107120280A (patent TW201916628A)
Priority to PCT/CN2018/106976 (patent WO2019062666A1)
Publication of CN109587097A
Legal status: Pending

Classifications (CPC, all under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)

    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 ... for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/08 ... for authentication of entities
    • H04L 63/0823 ... for authentication of entities using certificates
    • H04L 63/0876 ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/10 ... for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 ... wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The invention discloses a system, method and apparatus for realizing secure access to an internal network. The system comprises a network access request end, an intermediary end and an internal network server. The network access request end issues a first request message for realizing a network access request and receives a response message. The intermediary end monitors and hijacks the first request message of the network access request end; parses the first request message and adds authentication information to it, obtaining a second request message; then sends the second request message to the destination network address of the first request message; and receives the response message to the second request message and forwards it to the client. The internal network server receives the second request message, extracts the authentication information from it and judges whether the network access request has access authority; if so, it returns the response message. With the technical solution provided by the invention, it can be accurately known whether a client has permission to access the intranet, and access requests that lack permission are avoided.

Description

System, method and apparatus for realizing secure access to an internal network
Technical field
This application relates to the field of network access, and in particular to a system for realizing secure access to an internal network. The application also relates to a method and apparatus for securely accessing an internal network, a method and apparatus by which a server receives access, a method and apparatus for data processing, and a method and apparatus for data response.
Background art
In traditional enterprise network configurations, remote access is achieved by renting a DDN (Digital Data Network) leased line or a frame relay line; such communication schemes inevitably incur high network communication and maintenance costs. Mobile users (mobile office staff) and remote individual users generally have no choice but to enter the enterprise local area network over a dial-up line (the Internet), but this brings security risks.
To allow off-site employees to access intranet resources, the prior art generally uses a VPN. In this method a VPN server is set up on the intranet; after an off-site employee connects to the Internet locally, the employee connects to the VPN server over the Internet and then enters the enterprise intranet through the VPN server.
To guarantee data security, all communication data between the VPN server and the client computer is encrypted. With data encryption, the data can be regarded as being transmitted securely over a dedicated data link, just as if a dedicated network had been set up. In reality, however, a VPN uses the public links of the Internet, which is why it is called a Virtual Private Network: it is essentially a data communication tunnel encapsulated over the public network using encryption technology. With VPN technology, whether a user is travelling or working from home, intranet resources can be accessed through the VPN as long as the user is on the Internet, so VPNs are widely used in enterprises.
However, using a VPN to access intranet resources also has obvious problems. One of the most important is that the server cannot accurately obtain the client source that initiated an http/https request, and therefore cannot judge whether the client really has permission to access the intranet.
Summary of the invention
The present invention provides a system for secure network access, to solve the problem that the server cannot accurately obtain the client source that initiated an http/https request. The invention also provides a method and apparatus for securely accessing an internal network, and a method and apparatus by which a server receives access. The invention further provides a method and apparatus for data processing and a method and apparatus for data response.
The present invention provides a system for realizing secure access to an internal network, comprising a network access request end, an intermediary end and an internal network server, wherein:
the network access request end issues a first request message for realizing a network access request and receives a response message;
the intermediary end monitors and hijacks the first request message of the network access request end; parses the first request message and adds authentication information to it, obtaining a second request message; then sends the second request message to the destination network address of the first request message; and receives the response message to the second request message and forwards it to the client;
the internal network server receives the second request message, extracts the authentication information from it, and judges whether the network access request has access authority; if so, it returns a response message.
Optionally, the intermediary end and the network access request end are arranged in the same mobile device.
Optionally, when the network access request issued by the network access request end uses the http protocol, the intermediary end performs an http handshake with the network access request end before receiving the first request message, and performs an http handshake with the internal network server before issuing the second request message.
Optionally, when the network access request issued by the network access request end uses the https mode, the intermediary end performs an SSL handshake with the network access request end before receiving the first request message; then, according to the server_name field provided in that SSL handshake, the intermediary end initiates an SSL handshake with the internal network server; after the intermediary end receives the handshake success message returned by the internal network server, it issues a handshake success message to the network access request end.
Optionally, before the network access request is made, a pseudo CA certificate is imported into the network access request end and the intermediary end.
Optionally, the authentication information includes at least one of the following: unique identifying information of the terminal device on which the network access request end is located; user identity authentication information.
Optionally, the authentication information is encrypted by an asymmetric algorithm.
Optionally, a global traffic hijacking process is injected, by means of DLL injection, into the network access request initiated by the network access request end, so as to hijack the first request message.
The present invention also provides a method for securely accessing an internal network, comprising:
hijacking a network access request issued by an application having network access functions, the network access request being called the first request message;
adding authentication information to the first request message to form a second request message;
forwarding the second request message to the destination server of the network access request, i.e. the internal network server;
receiving the response message returned by the internal network server;
forwarding the response message to the application that issued the network access request.
Optionally, in the step of hijacking the network access request issued by the application having network access functions, a hook function is used to hijack the network access request; the hook function is injected in advance into the process of the network access request by means of DLL injection.
Optionally, when the first request message uses the http mode, an http handshake is performed with the application issuing the network access request before the first request message is received, and an http handshake is performed with the internal network server before the second request message is issued.
Optionally, when the network access request uses the https mode, an SSL handshake is performed with the network access request end before the first request message is received; then, according to the server_name field provided in that SSL handshake, an SSL handshake is performed with the internal network server; after the handshake success message returned by the internal network server is received, a handshake success message is issued to the application that issued the network access request.
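In the https branch just described (the same step appears for the system above), the intermediary end completes the SSL handshake with the application using the pseudo CA certificate, reads the server_name the client offered, and only then opens its own handshake with that internal server. The following Python example is added here and is not the patent's code. It shows the part of that step the intermediary has to get right before either handshake can finish: extracting server_name from the raw ClientHello and deciding which internal server, if any, the second handshake should go to. It builds its own constructed ClientHello as sample input, uses a hypothetical allow-list of intranet names as the "predetermined network address", and leaves the TLS handshakes themselves to whatever TLS library a deployment uses.

```python
import struct
from typing import Dict, Optional

SNI_EXTENSION = 0x0000       # TLS extension type "server_name"
HOST_NAME = 0x00             # NameType host_name inside the SNI extension


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension. Sample input only; a real ClientHello carries more fields."""
    name = server_name.encode("ascii")
    sni_entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)               # client_version, random (zeros, constructed)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the bytes are not a well-formed ClientHello carrying SNI."""
    if len(record) < 5 or record[0] != 0x16:              # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                      # not client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if len(body) < pos + 2:
        return None                                       # no extensions block
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))                 # never read past a truncated record
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION or len(ext) < 5:
            continue
        name_type = ext[2]                                # after the 2-byte list length
        name_len = struct.unpack("!H", ext[3:5])[0]
        name = ext[5:5 + name_len]
        if name_type != HOST_NAME or len(name) != name_len:
            return None
        try:
            return name.decode("ascii")
        except UnicodeDecodeError:
            return None
    return None


def route_handshake(record: bytes, intranet_targets: Dict[str, str]) -> Optional[str]:
    """Intermediary end decision: the second SSL handshake goes to the internal
    server registered for the offered server_name; any other name is not hijacked.
    intranet_targets maps allowed names to internal addresses (hypothetical)."""
    name = extract_sni(record)
    if name is None:
        return None
    return intranet_targets.get(name.lower())


# Constructed allow-list standing in for the patent's "predetermined network address".
INTRANET_TARGETS = {"intranet.example.internal": "10.0.0.5:443"}   # constructed values


if __name__ == "__main__":
    hello = build_client_hello("intranet.example.internal")
    print(extract_sni(hello), route_handshake(hello, INTRANET_TARGETS))
    print(route_handshake(build_client_hello("www.example.com"), INTRANET_TARGETS))
```

Because the imported pseudo CA certificate lets the intermediary terminate TLS for any name the client would trust it for, the routing decision is the control point: the intermediary should only finish the client-side handshake and open the server-side one for names on its intranet list, and treat a ClientHello without a usable server_name as not hijackable rather than guessing a target.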
Optionally, a pseudo CA certificate is imported before the network access request issued by the application having network access functions is hijacked.
Optionally, the authentication information includes at least one of the following: unique identifying information of the terminal device; user identity authentication information.
Optionally, the authentication information is encrypted using an asymmetric encryption algorithm.
The present invention also provides a method by which a server receives access, comprising:
obtaining an access request containing authentication information, the access request being called the second request message;
extracting the authentication information;
judging, according to the authentication information, whether the access request is legitimate;
if so, returning a response message.
Optionally, the authentication information is encrypted using an asymmetric encryption algorithm, and judging according to the authentication information whether the access request is legitimate comprises:
decrypting the authentication information, which includes at least one of the following: unique identifying information of the terminal device; user identity authentication information;
verifying the legitimacy of the access request (the second request message) according to the decrypted authentication information.
Optionally, verifying the legitimacy of the access request according to the decrypted authentication information includes at least one of the following:
comparing the unique identifying information of the terminal device contained in the decrypted authentication information with the list of terminal devices allowed to access that the server itself stores, to judge whether the terminal device issuing the access request is in that list;
comparing the decrypted user identity authentication information with the list of users allowed to access that the server itself stores, to judge whether the user issuing the access request is in that list.
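The two halves of the exchange described above, the intermediary end adding authentication information to the hijacked first request message and the server extracting, decrypting and checking it against its stored device and user lists, as one added end-to-end example in Python. This is not the patent's code. It assumes a hypothetical X-Auth-Info header as the carrier for the authentication information, a JSON encoding of the device identifier and user identity, and stands in for the unspecified asymmetric algorithm with textbook RSA on tiny constructed parameters (insecure, only to keep the example self-contained); the request bytes, device identifiers and allow-lists are constructed samples.

```python
import json
from typing import Dict, Tuple

# Stand-in for the asymmetric algorithm the patent leaves unspecified:
# textbook RSA on tiny constructed parameters. Insecure (no padding, tiny
# modulus, one byte per block); a real deployment uses a vetted library.
RSA_N = 61 * 53          # 3233
RSA_E = 17               # public exponent, held by the intermediary end
RSA_D = 2753             # private exponent, held by the internal server; E*D = 1 mod 3120

# Hypothetical header carrying the authentication information (not named by the patent).
AUTH_HEADER = "X-Auth-Info"


def toy_encrypt(data: bytes) -> str:
    """Encrypt with the public key, one byte per RSA block, comma-separated."""
    return ",".join(str(pow(b, RSA_E, RSA_N)) for b in data)


def toy_decrypt(token: str) -> bytes:
    """Decrypt with the private key; raises ValueError on malformed input."""
    return bytes(pow(int(c), RSA_D, RSA_N) for c in token.split(","))


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into request line, headers and body.
    Repeated header names are collapsed; enough for this demonstration."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def serialize_request(request_line: str, headers: Dict[str, str], body: bytes) -> bytes:
    head = request_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


def add_auth_info(first_request: bytes, device_id: str, user_id: str) -> bytes:
    """Intermediary end: turn the hijacked first request message into the second
    request message by adding encrypted authentication information."""
    request_line, headers, body = parse_request(first_request)
    auth = json.dumps({"device_id": device_id, "user_id": user_id}).encode("utf-8")
    headers[AUTH_HEADER] = toy_encrypt(auth)
    return serialize_request(request_line, headers, body)


class InternalServer:
    """Internal network server: extract, decrypt and check the authentication info."""

    def __init__(self, allowed_devices, allowed_users):
        self.allowed_devices = set(allowed_devices)   # stored terminal device list
        self.allowed_users = set(allowed_users)       # stored user list

    def handle(self, second_request: bytes) -> str:
        _, headers, _ = parse_request(second_request)
        token = headers.get(AUTH_HEADER)
        if token is None:
            return "403 Forbidden"                    # no authentication info at all
        try:
            info = json.loads(toy_decrypt(token).decode("utf-8"))
        except ValueError:                            # int(), bytes(), UTF-8 and JSON errors
            return "403 Forbidden"
        if not isinstance(info, dict):
            return "403 Forbidden"
        if info.get("device_id") not in self.allowed_devices:
            return "403 Forbidden"                    # terminal device not in the list
        if info.get("user_id") not in self.allowed_users:
            return "403 Forbidden"                    # user not in the list
        return "200 OK"


# Constructed sample first request message, as a browser or APP would issue it.
FIRST_REQUEST = (
    b"GET /intranet/report HTTP/1.1\r\n"
    b"Host: intranet.example.internal\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def demo() -> Tuple[str, str, str]:
    """Allowed device and user; request without auth info; device not on the list."""
    server = InternalServer(allowed_devices={"DEV-0001"}, allowed_users={"alice"})
    good = add_auth_info(FIRST_REQUEST, "DEV-0001", "alice")
    bad_device = add_auth_info(FIRST_REQUEST, "DEV-9999", "alice")
    return server.handle(good), server.handle(FIRST_REQUEST), server.handle(bad_device)


if __name__ == "__main__":
    print(demo())
```

The server's decision rests entirely on the decrypted fields, so every failure path (missing header, undecryptable or malformed token, unknown device, unknown user) ends in the same refusal rather than falling through to the resource; a deployment would also bind the authentication information to the request or a timestamp so that a captured second request message cannot simply be replayed.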
The present invention also provides a data processing method, comprising:
intercepting a first network access request, wherein the first network access request includes a source address and a destination address;
adding authentication information to the first network access request to obtain a second network access request;
sending the second network access request to the computing device corresponding to the destination address;
receiving the response message returned by the computing device corresponding to the destination address;
sending the response message to the computing device corresponding to the source address.
Optionally, the authentication information includes at least one of the following: unique identifying information of the computing device corresponding to the source address; user identity authentication information.
The present invention also provides a data response method, characterized by comprising:
obtaining a network access request containing authentication information;
extracting the authentication information from the network access request;
judging, according to the authentication information, whether the network access request is legitimate;
if so, returning response information.
The present invention also provides an apparatus for securely accessing an internal network, comprising:
a first request message hijacking unit, for hijacking the network access request issued by an application having network access functions, the network access request being called the first request message;
an authentication information adding unit, for adding authentication information to the first request message to form a second request message;
a second request message forwarding unit, for forwarding the second request message to the destination server of the network access request, i.e. the internal network server;
a response message receiving unit, for receiving the response message returned by the internal network server;
a response message forwarding unit, for forwarding the response message to the application that issued the network access request.
The present invention also provides an apparatus by which a server receives access, comprising:
an access request acquiring unit, for obtaining an access request containing authentication information, the access request being called the second request message;
an authentication information extraction unit, for extracting the authentication information;
an access request legitimacy judging unit, for judging, according to the authentication information, whether the access request is legitimate;
a response message returning unit, for returning a response message when the judgment result of the preceding unit is yes.
The present invention also provides a data processing apparatus, comprising:
a first network access request interception unit, for intercepting a first network access request, wherein the first network access request includes a source address and a destination address;
an authentication information adding unit, for adding authentication information to the first network access request to obtain a second network access request;
a second network access request sending unit, for sending the second network access request to the computing device corresponding to the destination address;
a response message receiving unit, for receiving the response message returned by the computing device corresponding to the destination address;
a response message sending unit, for sending the response message to the computing device corresponding to the source address.
The present invention also provides a data response apparatus, comprising:
a network access request acquiring unit, for obtaining a network access request containing authentication information;
an authentication information extraction unit, for extracting the authentication information from the network access request;
a network access request legitimacy judging unit, for judging, according to the authentication information, whether the network access request is legitimate;
a response message returning unit, for returning a response message when the judgment result of the preceding unit is yes.
The present invention also provides an electronic device, comprising:
a processor; and
a memory for storing a program for securely accessing an internal network, the device, after being powered on and running the program for securely accessing an internal network through the processor, executing the following steps:
hijacking a network access request issued by an application having network access functions, the network access request being called the first request message;
adding authentication information to the first request message to form a second request message;
forwarding the second request message to the destination server of the network access request, i.e. the internal network server;
receiving the response message returned by the internal network server;
forwarding the response message to the application that issued the network access request.
The present invention also provides an electronic device, comprising:
a processor; and
a memory for storing a program by which a server receives access, the device, after being powered on and running that program through the processor, executing the following steps:
obtaining an access request containing authentication information, the access request being called the second request message;
extracting the authentication information;
judging, according to the authentication information, whether the access request is legitimate;
if so, returning a response message.
The present invention also provides an electronic device, comprising:
a processor; and
a memory for storing a data processing program, the device, after being powered on and running the data processing program through the processor, executing the following steps:
intercepting a first network access request, wherein the first network access request includes a source address and a destination address;
adding authentication information to the first network access request to obtain a second network access request;
sending the second network access request to the computing device corresponding to the destination address;
receiving the response message returned by the computing device corresponding to the destination address;
sending the response message to the computing device corresponding to the source address.
The present invention also provides an electronic device, comprising:
a processor; and
a memory for storing a data response program, the device, after being powered on and running the data response program through the processor, executing the following steps:
obtaining a network access request containing authentication information;
extracting the authentication information from the network access request;
judging, according to the authentication information, whether the network access request is legitimate;
if so, returning response information.
In the system and the corresponding method and apparatus for securely accessing an internal network provided by this application, the client initiates an access request and the request message is hijacked by the intermediary end; the intermediary end parses the plaintext information, adds encrypted information, and then sends the request message to the server.
Compared with the prior art, according to one embodiment of the application, the advantages include:
the server extracts the encrypted information and thereby accurately obtains the client source that initiated the http/https request, so it can accurately know whether the client has permission to access the intranet and reject access requests that lack permission.
According to one embodiment of the application, the technical solution has the further advantage that, since no VPN service is used, the manual access and activation operations are eliminated and no password input is needed to achieve verification, giving a better user experience.
According to one embodiment of the application, the technical solution has the further advantage that the intranet server is connected directly, which improves access speed.
Description of the drawings
Fig. 1 is a schematic diagram of the system for realizing secure access to an internal network provided by the first embodiment of the application;
Fig. 2 is a schematic diagram of realizing a network access request with the http protocol, provided by the first embodiment of the application;
Fig. 3 is a schematic diagram of realizing a network access request with the https protocol, provided by the first embodiment of the application;
Fig. 4 is a flow chart of the method for securely accessing an internal network provided by the second embodiment of the application;
Fig. 5 is a flow chart of the method by which a server receives access, provided by the third embodiment of the application;
Fig. 6 is a flow chart of the data processing method provided by the fourth embodiment of the application;
Fig. 7 is a flow chart of the data response method provided by the fifth embodiment of the application;
Fig. 8 is a schematic diagram of the apparatus for securely accessing an internal network provided by the sixth embodiment of the application;
Fig. 9 is a schematic diagram of the apparatus by which a server receives access, provided by the seventh embodiment of the application;
Fig. 10 is a schematic diagram of the data processing apparatus provided by the eighth embodiment of the application;
Fig. 11 is a schematic diagram of the data response apparatus provided by the ninth embodiment of the application;
Fig. 12 is a schematic diagram of the electronic device provided by the tenth embodiment of the application;
Fig. 13 is a schematic diagram of the electronic device provided by the eleventh embodiment of the application;
Fig. 14 is a schematic diagram of the electronic device provided by the twelfth embodiment of the application;
Fig. 15 is a schematic diagram of the electronic device provided by the thirteenth embodiment of the application.
Specific embodiments
In the following description, numerous specific details are set forth in order to facilitate a full understanding of the present invention. However, the present invention can be implemented in many ways other than those described herein, and those skilled in the art can make similar generalizations without departing from the intent of the invention; the invention is therefore not limited to the specific embodiments disclosed below.
The application provides a system for securely accessing an internal network, a method for securely accessing an internal network and a method by which a server receives access; the embodiments presented below describe the system and methods in detail. The system and methods were designed mainly for access to enterprise intranet resources, but they can be used in any network system with the same requirement, and no specific limitation is made here.
The key terms used herein are explained below.
Network access request end: in this application, refers specifically to application software that can issue network access requests, such as a browser or an APP; the application software is installed on the software platform of a hardware device such as a computer or mobile phone.
Intermediary end: in this application, refers specifically to an application software module that, once activated, monitors the access requests issued by the network access request end (called the first request message in this application), hijacks an access request when it is directed to a predetermined network address, and after adding authentication information re-issues the access request (called the second request message in this application) to the predetermined network address. This application software module is generally arranged on the same terminal device as the network access request end, but the case where its main body is arranged on another terminal device and only a program that monitors and hijacks the first request message is arranged on the network access request end is not excluded.
Internal network server: in this application, refers to a server that receives network access requests over the network and serves as the entrance to a particular internal network.
The first embodiment of the application provides a system for securely accessing an internal network; please refer to Fig. 1 to understand this embodiment, Fig. 1 being a schematic diagram of the system for securely accessing an internal network provided by the first embodiment of the application. The system is described in detail below with reference to Fig. 1. The embodiment described below serves to explain the principle of the system and does not limit its actual use.
A system for securely accessing an internal network comprises: a network access request end 101, an intermediary end 102 and an internal network server 103.
The network access request end 101 is used to issue a first request message for realizing a network access request and to receive a response message.
The detailed operation of the network access request end 101 is explained below.
The network access request end 101 is a software program arranged on a particular terminal device; it may take the form of an APP application or a browser. The network access request end 101 can issue network access requests, which mainly use the http protocol or the https protocol. In this application, the network access request issued by the network access request end 101 is called the first request message.
The http protocol and the https protocol are currently the two main network application-layer protocols for realizing network access; the latter combines the SSL protocol with the former to keep the access process confidential.
Where the https protocol is used, a pseudo CA certificate needs to be imported into the network access request end 101 and the intermediary end 102 before the network access request is made; the pseudo CA certificate is used to establish the https connection between the network access request end 101 and the intermediary end 102. The intermediary end 102 uses the pseudo CA certificate in the role of the server end.
In addition, a global traffic hijacking process needs to be injected, by means of DLL injection, into the network access request initiated by the network access request end 101, so as to monitor and hijack the first request message. The process that realizes the hijacking can be regarded as part of the intermediary end 102, only deployed inside the network access request issued by the network access request end 101. A hook function can be used in the concrete implementation. A so-called hook function is a special application programming interface (API): the original function of a system API can be changed with a hook function, the basic method being to modify the entry of the API function that the hook function "contacts", changing its address so that it points to a new, custom function.
In this embodiment, global DLL injection is used to inject the hook function call into the http access process or the https access process. So-called DLL injection means placing a DLL file into the address space of a process so that it becomes part of that process. Many application programs are not a single complete executable file but are divided into a number of relatively independent dynamic link libraries, i.e. DLL files, placed in the system; when a program is executed, the corresponding DLL files are called. In this embodiment, the hook function is placed, by means of global DLL injection, into every http access process or https access process initiated by the network access request end 101.
The intermediary end 102 monitors and intercepts the first request message of the network access request end; parses the first request message and adds authentication information to it, obtaining the second request message; sends the second request message to the destination network address of the first request message; receives the response message to the second request message; and forwards the response message to the network access request end 101.
In the technical solution provided by the present application, the intermediary end 102 is the intermediate forwarding unit that realizes the network access request. It is generally a software program, and is usually located on the terminal device where the APP application or browser of the network access request end 101 resides. It is of course not excluded that, in some cases, it is deployed on dedicated equipment or on some remote server; in that case a program responsible for monitoring and interception still has to be arranged on the network access request end 101.
In the system provided in this embodiment, the intermediary end 102 realizes the following functions:
First, the intermediary end 102 is taken as the server by the network access request end: any network access request issued by the network access request end 101 (called the first request message in this embodiment) is intercepted by the intermediary end 102 by way of hijacking, and the intermediary end 102 responds to the first request message as the server. Inevitably, in the course of realizing this, a handshake step between the network access request end 101 and the intermediary end 102 is needed first.
Second, the intermediary end 102 adds authentication information to the first request message to obtain the second request message and, acting as the requesting party, sends it to the internal network server 103 as the destination server; after receiving the response message of the internal network server 103, it forwards the response message to the network access request end 101. Inevitably, in the course of realizing this, a handshake step between the intermediary end 102 and the internal network server 103 is also needed first.
It can be seen that the premise for the intermediary end 102 to realize the above functions is that it monitors and intercepts the network access requests issued by the network access request end 101. There are many possible implementations of monitoring and intercepting the first request message of the network access request end; the most likely one is the global DLL injection already described, which injects a hook function into the http process and the https process of the network access request end, and the hook function monitors and intercepts the network access request (i.e. the first request message) issued by the network access request end 101. The hook function arranged in advance, by global DLL injection, in the http process and the https process of the network access request end in order to realize the above monitoring and interception should be regarded as part of the intermediary end 102. Monitoring and interception by hook functions is a common technical means in the art and is not discussed in detail here.
After the first request message is intercepted, the network access request end 101 can no longer directly access the server at its target network address; instead the intermediary end 102 obtains the first request message and adds authentication information to it, obtaining the second request message.
The authentication information is information proving that the user or terminal issuing the access request has access authority to the internal network server 103 to be visited. The authentication information can use the following information: the unique identifying information of the terminal device where the network access request end is located; user identity authentication information. The two kinds of authentication information can be used separately or together. Before the authentication information is added, it must be encrypted with an asymmetric encryption algorithm.
The unique identifying information of the terminal device where the access request end 101 is located refers to identification information of the terminal device on which the access request end 101 is arranged (such as a laptop computer, mobile phone or tablet computer), for example the device's hardware serial number or IMEI, i.e. an identity code uniquely corresponding to the terminal device. Since mobile terminal devices are currently mainstream and such devices are directly linked to a personal identity, the access authority to an intranet can often be linked directly to certain devices; for example, a certain mobile phone or a certain iPad can be set to have access authority to some internal network. Therefore the unique identifying information of the terminal device, whether the hardware serial number or the IMEI, may be used to judge whether the access request has access authority, and adding this information to the network access request gives the internal network server a basis for judging whether the network access request has access authority. Since the intermediary end 102 is generally located on the same hardware device as the network access request end 101, the intermediary end 102 can obtain the hardware serial number or IMEI by reading it directly from the hardware device where it resides; the specific way of reading depends on the hardware environment and system environment of the particular device, and those skilled in the art can readily obtain the relevant technical means. In addition, if the intermediary end 102 is not arranged on the same hardware device as the network access request end 101, the hardware serial number or IMEI of the hardware device of the network access request end 101 can be read from outside and recorded in the intermediary end 102 in correspondence with the identity of the network access request end 101; then, when a network access request from the network access request end 101 is intercepted, the unique identifying information of the terminal device of the corresponding network access request end 101 can be used directly as the authentication information.
The user identity authentication information is authentication information corresponding directly to a specific visitor, for example an identity ID for accessing some internal network that is provided to the visitor. This information is managed and issued by the internal network server 103; the intermediary end 102 stores the user identity authentication information directly related to the visitor's identity and adds it to the first request message, which gives the internal network server 103 a basis for determining whether the party issuing the network request has access authority to the internal network it manages.
The authentication information can be added to the first request message in various ways. One main way is to add the authentication information to the header information of the first request message, specifically by the following steps: parse the first request message to obtain its original header information; add the authentication information to the header information in a preset format, obtaining processed header information that contains the authentication information; replace the original header information in the first request message with the processed header information as the new header information, obtaining the second request message. The second request message can be used as the network request sent to the destination network address of the first request message; naturally, the destination network address of the second request message points to the internal network server 103.
After the intermediary end 102 sends the second request message to the internal network server 103, if authentication passes, it receives the response message returned by the internal network server 103. The intermediary end 102 needs to parse the response message to determine which network access request end's request it responds to, and then send the response message to the corresponding network access request end.
It should further be noted here that the intermediary end 102, acting as a proxy for the server, establishes http or https communication with the network access request end 101, and then, acting as a proxy for the client, establishes http or https communication with the internal network server. Both steps must follow the communication rules of the respective protocol, including the handshake procedure for the first communication. The specific execution of these two steps differs between the network protocols and is explained separately below.
The above process implemented with the http protocol is shown in Fig. 2 and is explained below with reference to Fig. 2.
If the network access request issued by the network access request end uses the http protocol, the intermediary end 102, when receiving the first request message, first receives a connection request 1; the intermediary end 102 and the network access request end then perform a handshake 2 and establish a TCP connection. When the http request 3 of the first request message (a specific request in the http protocol implementation) is received, the intermediary end 102 obtains the IP address of the internal network server to which the network access request points, for example from the host field it has stored or by initiating a DNS request, and requests to establish a connection 4 with the internal network server 103 to be accessed. The internal network server 103 and the intermediary end 102 perform a handshake 5; after the intermediary end 102 receives the handshake-success message, it can forward the second request message 6, obtained by adding the authentication information to the first request message received in step 3, to the internal network server 103. The internal network server 103 responds to the http request 7 after verification, and the intermediary end 102 forwards 8 the received response message to the network access request end 101, completing one full access-response process. Of course, one connection process may include several http request and response processes, while the handshake step may be performed only once.
The above process implemented with the https protocol is shown in Fig. 3 and is explained below with reference to Fig. 3.
If the network access request issued by the network access request end uses the https protocol, the intermediary end 102, during the connection process before receiving the first request message, performs an SSL handshake 1' with the network access request end; then, according to the server_name field provided in that SSL handshake, the intermediary end performs an SSL handshake 2' with the internal network server. The server_name field carries the server name; it is needed because the same IP address may point to different servers, each of which needs its own CA certificate, so the server_name field determines which CA certificate to use.
After the intermediary end 102 receives the handshake-success signal 3', it sends a handshake-success signal 4' to the network access request end 101. Thereafter the network access request end 101 can initiate an https request, i.e. the first request message 5', to the intermediary end 102. After the intermediary end 102 adds authentication information to it to form the second request message, it forwards the second request message 6' to the internal network server 103; the internal network server 103 returns a response message 7' after verification, and the intermediary end 102 forwards 8' the response message to the network access request end 101. Subsequent https request messages and response messages of this connection are still forwarded by the intermediary end 102.
In general, whether for an http request or an https request, the intermediary end 102 serves as a relay server: it performs the handshake and establishes a connection separately with the network access request end 101 and with the internal network server 103, adds the authentication information to the first request message at the start of forwarding, and, once authentication succeeds, can continue forwarding messages from one side to the other.
The internal network server 103 receives the second request message, extracts the authentication information from it, and judges whether the network access request has access authority; if so, it returns a response message.
In this application, the internal network server 103 refers to the server that receives network access requests over the network and serves as the entrance to a specific internal network. In this embodiment, the internal network server 103 is the destination network address of the network access request end 101 and of the intermediary end 102; its purpose is to receive network access request information and to provide a response message according to it.
After the intermediary end 102 has added the authentication information to the first request message of the network access request end 101 to form the second request message and forwarded the second request message, and after the internal network server 103 and the intermediary end 102 have completed the handshake and established a connection, the internal network server 103 receives the second request message containing the authentication information, analyzes it and judges its legitimacy, i.e. whether it is an access request with access authority.
In this embodiment, the legitimacy of the second request message can be judged by analyzing its header information. As described above for the intermediary end 102, the header information of the second request message is the processed header information to which the authentication information has been added. The encrypted authentication information is extracted from the header information and decrypted with the decryption method corresponding to the asymmetric encryption algorithm, yielding the authentication information, which is at least one of the unique identifying information of the terminal device and the user identity authentication information. Since the authentication information is preset and managed by the internal network server 103, which stores in advance the list of terminal devices and the list of users allowed to access it, judging whether the network access request has access authority is essentially a matching process on the authentication information, which includes at least one of the following: comparing the unique identifying information of the terminal device contained in the decrypted authentication information with the list of permitted terminal devices stored by the server itself, to judge whether the terminal device issuing the access request is in that list; comparing the decrypted user identity authentication information with the list of permitted users stored by the server itself, to judge whether the user issuing the access request is in that list. If the match succeeds, the access request has access authority, and the internal network server 103 generates the corresponding response message according to the message content of the second request message (the first request message) and sends the response message to the intermediary end 102.
The process of the internal network server 103 returning the response information has already been explained in the above description of the intermediary end 102 and is not repeated here.
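The intermediary's header processing and the server-side matching it feeds, as described above for the intermediary end 102 and the internal network server 103 (and restated as steps S102, S103 and S201 to S204 in the embodiments that follow), are shown together in this added Go example. It is not code from the patent or from the applicant. The header name X-Intranet-Auth, the JSON field names, RSA-OAEP as the asymmetric algorithm and the sample request are all assumptions constructed here; the DLL-injection interception and the TCP/SSL handshakes are left out, and the first request message is simply handed over as a raw string.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// AuthInfo is the authentication information the intermediary adds. Field names
// are assumptions; the patent only says it is the terminal's unique identifier
// and/or a user identity credential, with at least one of the two present.
type AuthInfo struct {
	DeviceID string `json:"device_id,omitempty"` // hardware serial number or IMEI
	UserID   string `json:"user_id,omitempty"`   // identity ID issued by the intranet server
}

// AuthHeader carries the encrypted authentication information; the patent fixes
// neither the header name nor the "preset format", so both are assumptions.
const AuthHeader = "X-Intranet-Auth"

// ParseRequest parses a raw request as the hooked process would emit it.
func ParseRequest(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// BuildSecondRequest is the intermediary side: parse the first request message,
// encrypt the authentication information with the server's public key (RSA-OAEP
// stands in for the unspecified asymmetric algorithm) and add it to the header.
func BuildSecondRequest(raw string, info AuthInfo, pub *rsa.PublicKey) (*http.Request, error) {
	req, err := ParseRequest(raw)
	if err != nil {
		return nil, fmt.Errorf("parse first request message: %w", err)
	}
	plain, _ := json.Marshal(info) // a struct of two strings cannot fail to marshal
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(AuthHeader, base64.StdEncoding.EncodeToString(ct))
	return req, nil
}

// IntranetServer holds the private key and the lists of permitted terminal
// devices and users that the patent says the server stores in advance.
type IntranetServer struct {
	priv                         *rsa.PrivateKey
	allowedDevices, allowedUsers map[string]bool
}

func toSet(items []string) map[string]bool {
	m := map[string]bool{}
	for _, it := range items {
		m[it] = true
	}
	return m
}

func NewIntranetServer(devices, users []string) (*IntranetServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IntranetServer{priv: priv, allowedDevices: toSet(devices), allowedUsers: toSet(users)}, nil
}

func (s *IntranetServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Authorize extracts and decrypts the authentication information and matches it
// against the stored lists. Every identifier present must match; a request with
// missing, undecryptable or empty authentication information is rejected.
func (s *IntranetServer) Authorize(req *http.Request) (bool, error) {
	ct, err := base64.StdEncoding.DecodeString(req.Header.Get(AuthHeader))
	if err != nil || len(ct) == 0 {
		return false, errors.New("missing or malformed authentication information")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, ct, nil)
	if err != nil { // encrypted under another key, or tampered with in transit
		return false, errors.New("authentication information does not decrypt")
	}
	var info AuthInfo
	if err := json.Unmarshal(plain, &info); err != nil || (info.DeviceID == "" && info.UserID == "") {
		return false, errors.New("authentication information is empty or malformed")
	}
	deviceOK := info.DeviceID == "" || s.allowedDevices[info.DeviceID]
	userOK := info.UserID == "" || s.allowedUsers[info.UserID]
	return deviceOK && userOK, nil
}

// Handle returns the status and body the server answers with: 200 with the
// resource for a legitimate request, 403 with no content otherwise.
func (s *IntranetServer) Handle(req *http.Request) (int, string) {
	if ok, err := s.Authorize(req); err != nil || !ok {
		return http.StatusForbidden, ""
	}
	return http.StatusOK, "intranet resource " + req.URL.Path
}

// SampleFirstRequest is a constructed first request message, not from the patent.
const SampleFirstRequest = "GET /reports/q3 HTTP/1.1\r\nHost: intranet.example.internal\r\n\r\n"

func main() { // errors are ignored in this short demonstration only
	srv, _ := NewIntranetServer([]string{"SN-0001"}, []string{"alice"})
	req, _ := BuildSecondRequest(SampleFirstRequest, AuthInfo{DeviceID: "SN-0001", UserID: "alice"}, srv.PublicKey())
	fmt.Println(srv.Handle(req)) // 200 intranet resource /reports/q3
}
```

The matching rule follows the patent's "at least one of" wording: either identifier alone is enough, but every identifier that is present has to be on its list, so a known user on an unknown device is refused. A request that reaches the server without passing through the intermediary carries no header and is refused as well, and authentication information encrypted under a key other than the server's fails to decrypt, which is why the public key must be the intranet server's own.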
The second embodiment of the application provides a method for securely accessing an internal network; please refer to Fig. 4 to understand this embodiment. Fig. 4 is a flow chart of the method for securely accessing an internal network.
The method provided by this embodiment has the same technical content as the system provided by the first embodiment above; it mainly describes the intermediary end of the above embodiment as the subject that performs the method. For the technical details of this embodiment please refer to the related content of the first embodiment, which is not repeated here.
As shown in Fig. 4, the method for securely accessing an internal network includes the following steps:
S101: intercept the network access request issued by an application with network access functions; the network access request is called the first request message.
The function of this step is to receive the original access request information. The original access request information, the first request message, is sent by a network access request end such as an APP application or a browser, using the http protocol or the https protocol, to the destination server of the network access.
Intercepting the network access request issued by an application with network access functions means monitoring and intercepting the network access request originally sent to the destination server, so as to receive the network access request first. In this embodiment, the interception process is: using global DLL injection, inject the hook function call into the http access process or the https access process.
When intercepting the first request message, if the first request message is sent using the http protocol, an http handshake with the sender of the first request message is required before the first request message is received; only after the handshake succeeds can the first request message be transmitted. If the first request message is sent using the https protocol, the CA pseudo-certificate must be imported before the first request message is intercepted, and, before the first request message is received, SSL handshakes must be performed respectively with the sender of the first request message and with the subsequent destination server; only after this series of SSL handshakes succeeds can the first request message be transmitted.
S102: add authentication information to the first request message to form the second request message.
The first request message was intercepted in the above step; the function of this step is to add authentication information to the first request message to form the second request message, which proves that the network access request end issuing the first request message has access authority to the destination server to be accessed. The authentication information can use the following information: the unique identifying information of the terminal device where the network access request end is located; user identity authentication information. The two kinds of authentication information can be used separately or together. The authentication information is encrypted with an asymmetric encryption algorithm and then added to the header information of the first request message.
S103: forward the second request message to the destination server of the network access request, i.e. the internal network server.
The function of this step is to forward the second request message formed in the above step to the destination server of the network access; the destination server here is the internal network server.
Before the second request message is forwarded to the internal network server, a connection with the internal network server must be established first. Specifically: if the message is sent according to the http protocol, an http handshake is performed with the internal network server; if it is sent according to the https protocol, the SSL handshakes with the sender of the first request message and with the internal network server have already been completed in step S101, the process being: during the connection process before receiving the first request message, perform an SSL handshake with the network access request end, and then, according to the server_name field provided in that SSL handshake, perform an SSL handshake with the internal network server.
The second request message contains the authentication information and the first request message. The internal network server extracts the authentication information from the second request message, decrypts it with the decryption method corresponding to the asymmetric encryption algorithm, and judges according to the authentication information whether the network access request has access authority; if so, it returns a response message.
S104: receive the response message returned by the internal network server.
When the judgment in the above step is that the network access request has access authority and the internal network server has returned response information, this step receives the returned response message.
S105: forward the response message to the application that issued the network access request.
In this step the received response message is forwarded to the application that issued the network access request. This requires parsing the response message to determine which network application's network access request it responds to, and then sending the response message to the corresponding network application.
The third embodiment of the application provides a method for a server to receive access; please refer to Fig. 5 to understand this embodiment. Fig. 5 is a flow chart of the method for a server to receive access.
The method provided by this embodiment has the same technical content as the system provided by the first embodiment above; it mainly describes the internal network server of the above embodiment as the subject that performs the method, and this embodiment corresponds to the method embodiment of the second embodiment. For the technical details of this embodiment please refer to the related content of the first and second embodiments, which is not repeated here.
As shown in Fig. 5, the method for a server to receive access includes the following steps:
S201: obtain an access request containing authentication information; this access request is called the second request message.
The function of this step is to receive the access request.
The access request containing authentication information refers to the second request message forwarded in step S103 of the second embodiment above.
S202: extract the authentication information.
The function of this step is to extract the authentication information from the second request message; the authentication information makes it possible to determine whether the user or terminal issuing the access request has access authority.
S203: judge according to the authentication information whether the access request is legitimate.
This step decrypts the authentication information and uses it to verify the legitimacy of the second request message.
The authentication information is encrypted with an asymmetric encryption algorithm, so this embodiment decrypts it with the decryption method corresponding to that algorithm. The decrypted authentication information includes at least one of the following: the unique identifying information of the terminal device; user identity authentication information. Correspondingly, verifying the legitimacy of the second request message includes at least one of the following: comparing the unique identifying information of the terminal device contained in the decrypted authentication information with the list of permitted terminal devices stored by the server itself, to judge whether the terminal device issuing the access request is in that list; comparing the decrypted user identity authentication information with the list of permitted users stored by the server itself, to judge whether the user issuing the access request is in that list.
S204: if so, return a response message.
This step makes the corresponding response according to the judgment of the above step: if the judgment shows that the access request is legitimate, the corresponding response message is returned according to the access request.
The fourth embodiment of the application provides a data processing method; please refer to Fig. 6 to understand this embodiment. Fig. 6 is a flow chart of the method for a server to receive access.
As shown in Fig. 6, the data processing method includes the following steps:
S301: intercept a first network access request, where the first network access request includes a source address and a destination address.
S302: add authentication information to the first network access request to obtain a second network access request.
The authentication information includes at least one of the following: the unique identifying information of the computing device corresponding to the source address; user identity authentication information.
S303: send the second network access request to the computing device corresponding to the destination address.
S304: receive the response message returned by the computing device corresponding to the destination address.
S305: send the response message to the computing device corresponding to the source address.
The data processing method provided by this embodiment is in essence the same technical content as the system provided by the first embodiment and the method for securely accessing an internal network provided by the second embodiment, only adjusted in wording. The subject performing this embodiment is the intermediary end of the first embodiment; the computing device corresponding to the source address in this embodiment represents the network access request end of the first embodiment, and the computing device corresponding to the destination address represents the internal network server of the first embodiment; the first network access request represents the first request message of the second embodiment, and the second network access request represents the second request message of the second embodiment. For related content please refer to the first and second embodiments of the application; it is not repeated here.
The fifth embodiment of the application provides a data response method; please refer to Fig. 7 to understand this embodiment. Fig. 7 is a flow chart of the data response method.
As shown in Fig. 7, the data response method includes the following steps:
S401: obtain a network access request containing authentication information.
S402: extract the authentication information from the network access request.
S403: judge according to the authentication information whether the network access request is legitimate.
S404: if so, return response information.
The data response method provided by this embodiment is in essence the same technical content as the system provided by the first embodiment and the method for a server to receive access provided by the third embodiment, only adjusted in wording. The subject performing this embodiment is the internal network server of the first embodiment. For related content please refer to the first and third embodiments of the application; it is not repeated here.
The sixth embodiment of the application provides a device for securely accessing an internal network; please refer to Fig. 8 to understand this embodiment. Fig. 8 is a schematic diagram of the device for securely accessing an internal network provided by this embodiment.
As shown in Fig. 8, the device for securely accessing an internal network includes:
a first request message interception unit 201, for intercepting the network access request issued by an application with network access functions; the network access request is called the first request message;
an authentication information adding unit 202, for adding authentication information to the first request message to form the second request message;
a second request message forwarding unit 203, for forwarding the second request message to the destination server of the network access request, i.e. the internal network server;
a response message receiving unit 204, for receiving the response message returned by the internal network server;
a response message forwarding unit 205, for forwarding the response message to the application that issued the network access request.
Optionally, in the step of intercepting the network access request issued by an application with network access functions, a hook function is used to intercept the network access request; the hook function is injected in advance into the network access request process by DLL injection.
Optionally, where the first request message uses the http mode, an http handshake with the application issuing the network access request is performed before the first request message is received, and an http handshake with the internal network server is performed before the second request message is issued.
Optionally, where the network access request uses the https mode, an SSL handshake with the network access request end is performed before the first request message is received; then, according to the server_name field provided in that SSL handshake, an SSL handshake is performed with the internal network server; after the handshake-success message returned by the internal network server is received, a handshake-success message is issued to the application that issued the network access request.
Optionally, the CA pseudo-certificate is imported before the network access request issued by the application with network access functions is intercepted.
Optionally, the authentication information includes at least one of the following: the unique identifying information of the terminal device; user identity authentication information.
Optionally, the authentication information is encrypted with an asymmetric encryption algorithm.
The 7th embodiment of the application provides a device for a server to receive access; please refer to Fig. 9 to understand the embodiment. Fig. 9 is the schematic diagram of the device for a server to receive access provided in this embodiment.
As shown in Fig. 9, the device for the server to receive access includes:
Access request acquiring unit 301, for obtaining the access request comprising authentication information, which access request is referred to as the second request message;
Authentication information extraction unit 302, for extracting the authentication information;
Access request validity judgement unit 303, for judging, according to the authentication information, whether the access request is legal;
Response message return unit 304, for returning a response message when the judging result of the above unit is yes.
Optionally, the authentication information is encrypted using an asymmetric encryption algorithm, and said judging, according to the authentication information, whether the access request is legal comprises:
decrypting the authentication information, the authentication information including at least one of the following: the unique identification information of the terminal device, user identity authentication information;
verifying the legitimacy of the second access request according to the decrypted authentication information.
Optionally, said verifying the legitimacy of the second access request according to the decrypted authentication information includes at least one of the following:
comparing the unique identification information of the terminal device included in the decrypted authentication information with the list of terminal devices allowed to access that is stored on the server itself, and judging whether the terminal device issuing the access request is in that list;
comparing the decrypted user identity authentication information with the list of users allowed to access that is stored on the server itself, and judging whether the user issuing the access request is in that list.
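The two halves of the scheme described above, the intermediary adding encrypted authentication information to the hijacked request and the internal network server decrypting it and comparing the device identifier and the user identity against its stored allow lists, fit in one short program. The Go code below is an added example, not code from the patent or from the applicant; it assumes RSA-OAEP as the asymmetric algorithm, a constructed header name `X-Intranet-Auth`, constructed JSON field names, and constructed sample identifiers and allow lists.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// AuthInfo is the authentication information the intermediary adds to the
// intercepted ("first") request to form the "second" request. The field
// names are assumptions; the page only says it carries the terminal device's
// unique identification and the user's identity authentication information.
type AuthInfo struct {
	DeviceID  string `json:"device_id"`
	UserToken string `json:"user_token"`
}

// AuthHeader is an assumed (constructed) header name for the encrypted block.
const AuthHeader = "X-Intranet-Auth"

// AddAuthentication is the intermediary side: encrypt the authentication
// information with the internal server's public key (asymmetric encryption,
// as the page states) and attach it to the request, which is otherwise
// forwarded unchanged.
func AddAuthentication(req *http.Request, serverPub *rsa.PublicKey, info AuthInfo) error {
	plain, err := json.Marshal(info)
	if err != nil {
		return err
	}
	// RSA-OAEP with SHA-256; a 2048-bit key carries this short JSON directly.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, plain, nil)
	if err != nil {
		return err
	}
	req.Header.Set(AuthHeader, base64.StdEncoding.EncodeToString(ct))
	return nil
}

// AllowLists holds the internal server's stored lists of permitted terminal
// devices and permitted users (the page describes both comparisons).
type AllowLists struct {
	Devices map[string]bool
	Users   map[string]bool
}

// ErrNoAuth is returned when the request carries no authentication block.
var ErrNoAuth = errors.New("request carries no authentication information")

// VerifyRequest is the internal-server side: extract the authentication
// information, decrypt it with the server's private key, and judge legality
// by comparing the device identifier and the user identity against the allow
// lists. A missing, tampered or foreign-key block is an error, not anonymous.
func VerifyRequest(req *http.Request, serverPriv *rsa.PrivateKey, lists AllowLists) (bool, error) {
	enc := req.Header.Get(AuthHeader)
	if enc == "" {
		return false, ErrNoAuth
	}
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return false, err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, ct, nil)
	if err != nil {
		return false, err // tampered, or encrypted to a different key
	}
	var info AuthInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return false, err
	}
	return lists.Devices[info.DeviceID] && lists.Users[info.UserToken], nil
}

// Demo runs both sides on constructed sample data and reports whether the
// forwarded request was accepted by the server-side check.
func Demo() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	lists := AllowLists{ // constructed allow lists
		Devices: map[string]bool{"DEV-0001": true},
		Users:   map[string]bool{"user-alice": true},
	}
	req, _ := http.NewRequest("GET", "http://intranet.example/resource", nil)
	info := AuthInfo{DeviceID: "DEV-0001", UserToken: "user-alice"}
	if err := AddAuthentication(req, &priv.PublicKey, info); err != nil {
		return false, err
	}
	return VerifyRequest(req, priv, lists)
}

func main() {
	ok, err := Demo()
	fmt.Println("accepted:", ok, "error:", err)
}
```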
The 8th embodiment of the application provides a data processing device; please refer to Figure 10 to understand the embodiment. Figure 10 is the schematic diagram of the data processing device provided in this embodiment.
As shown in Figure 10, the data processing device includes:
First network access request interception unit 401, for intercepting a first network access request, wherein the first network access request includes a source address and a destination address;
Authentication information adding unit 402, for adding authentication information in the first network access request to obtain a second network access request;
Second network access request transmission unit 403, for sending the second network access request to the computing device corresponding to the destination address;
Response message receiving unit 404, for receiving the response message returned by the computing device corresponding to the destination address;
Response message transmission unit 405, for sending the response message to the computing device corresponding to the source address.
Preferably, the authentication information includes at least one of the following: the unique identification information of the computing device corresponding to the source address; user identity authentication information.
The 9th embodiment of the application provides a data response device; please refer to Figure 11 to understand the embodiment. Figure 11 is the schematic diagram of the data response device provided in this embodiment.
As shown in Figure 11, the data response device includes:
Network access request acquiring unit 501, for obtaining the network access request comprising authentication information;
Authentication information extraction unit 502, for extracting the authentication information from the network access request;
Network access request validity judgement unit 503, for judging, according to the authentication information, whether the network access request is legal;
Response message return unit 504, for returning a response message when the judging result of the above unit is yes.
The tenth embodiment of the application provides an electronic device; please refer to Figure 12, which is the schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described fairly simply; for related parts, refer to the partial explanation of the method embodiment. The device embodiment described below is only schematic.
The electronic device comprises: a processor 601; a memory 602. The memory 602 is for storing a program for securely accessing an internal network; after the device is powered on and runs the program for securely accessing an internal network by means of the processor 601, the following steps are executed:
hijacking the network access request issued by an application with network access functions, the network access request being referred to as the first request message; adding authentication information in the first request message to form the second request message; forwarding the second request message to the destination server of the network access request, i.e. the internal network server; receiving the response message returned by the internal network server; forwarding the response message to the application that issued the network access request.
The 11th embodiment of the application provides an electronic device; please refer to Figure 13, which is the schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described fairly simply; for related parts, refer to the partial explanation of the method embodiment. The device embodiment described below is only schematic.
The electronic device comprises: a processor 701; a memory 702. The memory 702 is for storing a program for a server to receive access; after the device is powered on and runs the program for the server to receive access by means of the processor 701, the following steps are executed:
obtaining the access request comprising authentication information, the access request being referred to as the second request message; extracting the authentication information; judging, according to the authentication information, whether the access request is legal; if so, returning a response message.
The 12th embodiment of the application provides an electronic device; please refer to Figure 14, which is the schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described fairly simply; for related parts, refer to the partial explanation of the method embodiment. The device embodiment described below is only schematic.
The electronic device comprises: a processor 801; a memory 802. The memory 802 is for storing a data processing program; after the device is powered on and runs the data processing program by means of the processor 801, the following steps are executed:
intercepting a first network access request, wherein the first network access request includes a source address and a destination address; adding authentication information in the first network access request to obtain a second network access request; sending the second network access request to the computing device corresponding to the destination address; receiving the response message returned by the computing device corresponding to the destination address; sending the response message to the computing device corresponding to the source address.
The 13th embodiment of the application provides an electronic device; please refer to Figure 15, which is the schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described fairly simply; for related parts, refer to the partial explanation of the method embodiment. The device embodiment described below is only schematic.
The electronic device comprises: a processor 901; a memory 902. The memory 902 is for storing a data response program; after the device is powered on and runs the data response program by means of the processor 901, the following steps are executed:
obtaining the network access request comprising authentication information; extracting the authentication information from the network access request; judging, according to the authentication information, whether the network access request is legal; if so, returning response information.
Although the present invention is disclosed above with preferred embodiments, they are not intended to limit the present invention; any person skilled in the art may make possible variations and modifications without departing from the spirit and scope of the present invention, and therefore the scope of protection of the present invention shall be subject to the scope defined by the claims of the present invention.
In a typical configuration, a computing device includes one or more processors (CPU), input/output interfaces, network interfaces and memory.
Memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. Information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
Those skilled in the art will understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of a complete hardware embodiment, a complete software embodiment or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.

Claims (25)

1. A system for realizing secure access to an internal network, characterized by comprising: a network access request end, an intermediary end and an internal network server;
the network access request end, for issuing a first request message for realizing a network access request and for receiving a response message;
the intermediary end, for monitoring and hijacking the first request message of the network access request end; parsing the first request message and adding authentication information in the first request message to obtain a second request message; then sending the second request message to the destination network address of the first request message; and receiving the response message to the second request message and forwarding the response message to the client;
the internal network server, for receiving the second request message, extracting the authentication information therefrom, and judging whether the network access request has access authority; if so, returning a response message.
2. The system for securely accessing an internal network according to claim 1, characterized in that the intermediary end and the network access request end are arranged in the same mobile device.
3. The system for securely accessing an internal network according to claim 1, characterized in that the network access request issued by the network access request end uses the http protocol; the intermediary end performs an http handshake with the network access request end before receiving the first request message, and performs an http handshake with the internal network server before issuing the second request message.
4. The system for securely accessing an internal network according to claim 1, characterized in that the network access request issued by the network access request end uses https; the intermediary end performs an SSL handshake with the network access request end before receiving the first request message; then, according to the server_name field provided in that SSL handshake, the intermediary end initiates an SSL handshake with the internal network server; after the intermediary end receives the handshake success message returned by the internal network server, it issues a handshake success message to the network access request end.
5. The system for securely accessing an internal network according to claim 4, characterized in that, before the network access request is made, a CA pseudo-certificate is imported to the network access request end and the intermediary end.
6. The system for securely accessing an internal network according to claim 1, characterized in that the authentication information includes at least one of the following: the unique identification information of the terminal device where the network access request end is located; user identity authentication information.
7. The system for securely accessing an internal network according to claim 1, characterized in that the authentication information is encrypted by an asymmetric algorithm.
8. The system for securely accessing an internal network according to claim 1, characterized in that, by way of DLL injection, a global traffic hijacking process is injected into the network access request initiated by the network access request end, so as to realize the hijacking of the first request message.
9. A method for securely accessing an internal network, characterized by comprising:
hijacking the network access request issued by an application with network access functions, the network access request being referred to as the first request message;
adding authentication information in the first request message to form a second request message;
forwarding the second request message to the destination server of the network access request, i.e. the internal network server;
receiving the response message returned by the internal network server;
forwarding the response message to the application that issued the network access request.
10. The method for securely accessing an internal network according to claim 9, characterized in that, in the step of hijacking the network access request issued by the application with network access functions, the network access request is hijacked using a hook function; the hook function is injected in advance into the process of the network access request by way of DLL injection.
11. The method for securely accessing an internal network according to claim 9, characterized in that, where the first request message uses http, before receiving the first request message, an http handshake is performed with the application that issues the network access request; before issuing the second request message, an http handshake is performed with the internal network server.
12. The method for securely accessing an internal network according to claim 9, characterized in that the network access request uses https; before receiving the first request message, an SSL handshake is performed with the network access request end; then, according to the server_name field provided in that SSL handshake, an SSL handshake is performed with the internal network server; after the handshake success message returned by the internal network server is received, a handshake success message is issued to the application that issued the network access request.
13. The method for securely accessing an internal network according to claim 12, characterized in that, before hijacking the network access request issued by the application with network access functions, a CA pseudo-certificate is imported.
14. The method for securely accessing an internal network according to claim 9, characterized in that the authentication information includes at least one of the following: the unique identification information of the terminal device; user identity authentication information.
15. The method for securely accessing an internal network according to claim 9, characterized in that the authentication information is encrypted using an asymmetric encryption algorithm.
16. A method for a server to receive access, characterized by comprising:
obtaining an access request comprising authentication information, the access request being referred to as the second request message;
extracting the authentication information;
judging, according to the authentication information, whether the access request is legal;
if so, returning a response message.
17. The method for a server to receive secure access according to claim 16, characterized in that the authentication information is encrypted using an asymmetric encryption algorithm, and said judging, according to the authentication information, whether the access request is legal comprises:
decrypting the authentication information, the authentication information including at least one of the following: the unique identification information of the terminal device, user identity authentication information;
verifying the legitimacy of the second access request according to the decrypted authentication information.
18. The method for a server to receive secure access according to claim 17, characterized in that said verifying the legitimacy of the second access request according to the decrypted authentication information includes at least one of the following:
comparing the unique identification information of the terminal device included in the decrypted authentication information with the list of terminal devices allowed to access that is stored on the server itself, and judging whether the terminal device issuing the access request is in that list;
comparing the decrypted user identity authentication information with the list of users allowed to access that is stored on the server itself, and judging whether the user issuing the access request is in that list.
19. A data processing method, characterized by comprising:
intercepting a first network access request, wherein the first network access request includes a source address and a destination address;
adding authentication information in the first network access request to obtain a second network access request;
sending the second network access request to the computing device corresponding to the destination address;
receiving the response message returned by the computing device corresponding to the destination address;
sending the response message to the computing device corresponding to the source address.
20. The data processing method according to claim 19, characterized in that the authentication information includes at least one of the following: the unique identification information of the computing device corresponding to the source address; user identity authentication information.
21. A data response method, characterized by comprising:
obtaining a network access request comprising authentication information;
extracting the authentication information from the network access request;
judging, according to the authentication information, whether the network access request is legal;
if so, returning response information.
22. An electronic device, characterized by comprising:
a processor; and
a memory, for storing a program for securely accessing an internal network; after the device is powered on and runs the program for securely accessing an internal network by means of the processor, the following steps are executed:
hijacking the network access request issued by an application with network access functions, the network access request being referred to as the first request message;
adding authentication information in the first request message to form a second request message;
forwarding the second request message to the destination server of the network access request, i.e. the internal network server;
receiving the response message returned by the internal network server;
forwarding the response message to the application that issued the network access request.
23. An electronic device, characterized by comprising:
a processor; and
a memory, for storing a program for a server to receive access; after the device is powered on and runs the program for the server to receive access by means of the processor, the following steps are executed:
obtaining an access request comprising authentication information, the access request being referred to as the second request message;
extracting the authentication information;
judging, according to the authentication information, whether the access request is legal;
if so, returning a response message.
24. An electronic device, characterized by comprising:
a processor; and
a memory, for storing a data processing program; after the device is powered on and runs the data processing program by means of the processor, the following steps are executed:
intercepting a first network access request, wherein the first network access request includes a source address and a destination address;
adding authentication information in the first network access request to obtain a second network access request;
sending the second network access request to the computing device corresponding to the destination address;
receiving the response message returned by the computing device corresponding to the destination address;
sending the response message to the computing device corresponding to the source address.
25. An electronic device, characterized by comprising:
a processor; and
a memory, for storing a data response program; after the device is powered on and runs the data response program by means of the processor, the following steps are executed:
obtaining a network access request comprising authentication information;
extracting the authentication information from the network access request;
judging, according to the authentication information, whether the network access request is legal;
if so, returning response information.
CN201710905297.XA 2017-09-29 2017-09-29 A kind of system, method and apparatus for realizing secure access internal network Pending CN109587097A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201710905297.XA CN109587097A (en) 2017-09-29 2017-09-29 A kind of system, method and apparatus for realizing secure access internal network
TW107120280A TW201916628A (en) 2017-09-29 2018-06-13 System, method, and apparatus for securely accessing internal network
PCT/CN2018/106976 WO2019062666A1 (en) 2017-09-29 2018-09-21 System, method, and apparatus for securely accessing internal network

Publications (1)

Publication Number Publication Date
CN109587097A true CN109587097A (en) 2019-04-05

Family

ID=65900652

Also Published As

Publication number Publication date
WO2019062666A1 (en) 2019-04-04
TW201916628A (en) 2019-04-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190405