CN110049046A - Access control method, terminal, server and system - Google Patents
Publication number: CN110049046A (application CN201910322523.0A)
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; the status is an assumption and not a legal conclusion)
Classifications
- H04L63/0838: Network architectures or network communication protocols for network security, for authentication of entities using passwords, using one-time passwords
- H04L63/0853: Network architectures or network communication protocols for network security, for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Abstract
The invention discloses an access control method applied to a terminal. When it is detected that a resource requestor in the terminal sends an access request to a server, the preset information of the resource requestor is collected; the preset information includes multiple attribute information items related to the resource requestor. A single packet authorization request is generated from the preset information and the access request and sent to the server. When the server forwards the single packet authorization request to an authorization control system and the authorization control system verifies it successfully, the server opens a resource access port to the resource requestor. The invention also discloses an access control method applied to a server, a terminal, a server and an access control system. By using the preset information of the resource requestor as the authorization credential, the invention prevents an attacker from easily forging single packet authorization data and so avoids the unauthorized access that would otherwise follow from leaked authorization information.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an access control method, terminal, server and system.
Background technique
SPA (Single Packet Authorization) is a method built on a default-drop packet filtering policy: the client sends its authentication and authorization request in a single encrypted packet, and the protected server side opens a port only to that particular client. A client that has not been authenticated and authorized cannot even detect the protected service port, which improves system security.
However, existing single packet authorization schemes are all based on a static, single-factor authentication policy established in advance. Once the authentication information leaks, an attacker can easily forge an authentication request, obtain port access rights and illegitimately obtain server-side resources. On the other hand, the client that holds the single packet authorization capability is itself exposed to intrusion and hijacking, in which case the attacker can access server-side resources directly through the hijacked client.
Summary of the invention
The main purpose of the present invention is to provide an access control method, a terminal, a server and a system.
A first aspect of the embodiments of the present invention provides an access control method applied to a terminal, comprising: when it is detected that a resource requestor in the terminal sends an access request to a server, collecting the preset information of the resource requestor, the preset information including multiple attribute information items related to the resource requestor; generating a single packet authorization request based on the preset information and the access request; and sending the single packet authorization request to the server, so that, when the server forwards the single packet authorization request to an authorization control system and the authorization control system verifies it successfully, the server opens a resource access port to the resource requestor.
According to an embodiment of the present invention, the method further comprises generating a one-time authorization code, and generating the single packet authorization request based on the preset information and the access request comprises generating it based on the preset information, the one-time authorization code and the access request.
According to an embodiment of the present invention, the multiple attribute information items related to the resource requestor include an Internet protocol address, a next-hop gateway address, a MAC address and an MD5 digest of the application's executable file. Before the single packet authorization request is sent to the server, the method further comprises judging whether the MD5 digest of the resource requestor is a preset legal MD5 digest, and sending the single packet authorization request to the server only if it is.
A second aspect of the embodiments of the present invention provides an access control method applied to a server, comprising: receiving a single packet authorization request sent by a resource requestor through a terminal, the single packet authorization request including the preset information and the access request of the resource requestor, the preset information including multiple attribute information items related to the resource requestor, and the access request being the request that the resource requestor sends to the server in order to access it; forwarding the single packet authorization request to an authorization control system; receiving the authorization result generated by the authorization control system's authorization verification of the single packet authorization request; and, if the authorization result indicates that the single packet authorization request passed the authorization verification of the authorization control system, opening a resource access port to the resource requestor.
According to an embodiment of the present invention, the single packet authorization request further includes a one-time authorization code, which is an authorization code generated at random by the terminal.
According to an embodiment of the present invention, the multiple attribute information items related to the resource requestor include an Internet protocol address, a next-hop gateway address, a MAC address and an MD5 digest of the application's executable file. Receiving the single packet authorization request sent by the resource requestor through the terminal comprises receiving the single packet authorization request sent by the resource requestor in the terminal only in the case that the MD5 digest of the resource requestor is a preset legal MD5 digest.
According to an embodiment of the present invention, after the resource access port is opened to the resource requestor, the method further comprises recording the request time of the single packet authorization request, the Internet protocol address of the resource requestor, the request result of the single packet authorization request, the port number of the resource access port and the application information of the resource requestor.
According to an embodiment of the present invention, opening the resource access port to the resource requestor comprises opening it by means of a packet filter.
A third aspect of the embodiments of the present invention provides a terminal comprising a collection module, a first generation module and a sending module. The collection module is configured to collect the preset information of a resource requestor in the terminal when it is detected that the resource requestor sends an access request to a server, the preset information including multiple attribute information items related to the resource requestor. The first generation module is configured to generate a single packet authorization request based on the preset information and the access request. The sending module is configured to send the single packet authorization request to the server, so that, when the server forwards the single packet authorization request to an authorization control system and the authorization control system verifies it successfully, the server opens a resource access port to the resource requestor.
According to an embodiment of the present invention, the terminal further comprises a second generation module configured to generate a one-time authorization code, and generating the single packet authorization request based on the preset information and the access request comprises generating it based on the preset information, the one-time authorization code and the access request.
According to an embodiment of the present invention, the multiple attribute information items related to the resource requestor include an Internet protocol address, a next-hop gateway address, a MAC address and an MD5 digest of the application's executable file. The terminal further comprises a judgement module configured, before the single packet authorization request is sent to the server, to judge whether the MD5 digest of the resource requestor is a preset legal MD5 digest, the single packet authorization request being sent to the server only if it is.
A fourth aspect of the embodiments of the present invention provides a server comprising a first receiving module, a forwarding module, a second receiving module and a port opening module. The first receiving module is configured to receive a single packet authorization request sent by a resource requestor through a terminal, the single packet authorization request including the preset information and the access request of the resource requestor, the preset information including multiple attribute information items related to the resource requestor, and the access request being the request that the resource requestor sends to the server in order to access it. The forwarding module is configured to forward the single packet authorization request to an authorization control system. The second receiving module is configured to receive the authorization result generated by the authorization control system's authorization verification of the single packet authorization request. The port opening module is configured to open a resource access port to the resource requestor if the authorization result indicates that the single packet authorization request passed the authorization verification of the authorization control system.
According to an embodiment of the present invention, the single packet authorization request further includes a one-time authorization code, which is an authorization code generated at random by the terminal.
According to an embodiment of the present invention, the multiple attribute information items related to the resource requestor include an Internet protocol address, a next-hop gateway address, a MAC address and an MD5 digest of the application's executable file. Receiving the single packet authorization request sent by the resource requestor through the terminal comprises receiving the single packet authorization request sent by the resource requestor in the terminal only in the case that the MD5 digest of the resource requestor is a preset legal MD5 digest.
According to an embodiment of the present invention, the server further comprises a logging module configured, after the resource access port is opened to the resource requestor, to record the request time of the single packet authorization request, the Internet protocol address of the resource requestor, the request result of the single packet authorization request, the port number of the resource access port and the application information of the resource requestor.
According to an embodiment of the present invention, opening the resource access port to the resource requestor comprises opening it by means of a packet filter.
A fifth aspect of the embodiments of the present invention provides an access control system comprising the terminal and the server described above.
A sixth aspect of the embodiments of the present invention provides a terminal comprising one or more processors and a storage device for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors carry out the method described above.
A seventh aspect of the embodiments of the present invention provides a server comprising one or more processors and a storage device for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors carry out the method described above.
An eighth aspect of the embodiments of the present invention provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method described above.
A ninth aspect of the embodiments of the present invention provides a computer program comprising computer-executable instructions which, when executed, implement the method described above.
It can be seen from the embodiments that the access control method, terminal, server and system provided by the invention achieve the following beneficial effects:
(1) The resource requestor's information is collected in real time and used as the authorization factor, and the server side determines the authorization result from that factor. Changes in the key information features of the resource requestor (such as the multiple attribute information items related to it) can therefore be discovered in time, avoiding the risk that arises when the requestor has been compromised.
(2) The resource requestor's information together with a one-time authorization code serve as the authorization credential, so that an attacker cannot easily forge single packet authorization data, which avoids unauthorized access caused by leaked authentication information.
(3) Single packet authorization verification is carried out in cooperation with an authorization control system, and whether the port is opened is decided by the authentication and authorization result returned by that system.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow diagram of an access control method applied to a terminal provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of an access control method applied to a terminal provided by another embodiment of the present invention;
Fig. 3 is a flow diagram of an access control method applied to a server provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of an access control method applied to a server provided by another embodiment of the present invention;
Fig. 5 is a structural diagram of an access control system provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of a terminal provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of a terminal provided by a further embodiment of the present invention;
Fig. 8 is a structural diagram of a server provided by an embodiment of the present invention; and
Fig. 9 is a structural diagram of a server provided by another embodiment of the present invention.
Specific embodiment
In order to make the purpose, features and advantages of the invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the invention. All other embodiments that those skilled in the art obtain from these embodiments without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, which is a flow diagram of an access control method applied to a terminal provided by an embodiment of the present invention, the method mainly comprises the following steps S101 to S103:
S101: when it is detected that a resource requestor in the terminal sends an access request to a server, collect the preset information of the resource requestor; the preset information includes multiple attribute information items related to the resource requestor.
Here the resource requestor is the object that requests resources from the server, for example an application in the terminal.
According to an embodiment of the present invention, the preset information of the resource requestor (the multiple attribute information items related to it) includes its Internet protocol address, its next-hop gateway address, its MAC address, the MD5 digest of the application's executable file, and so on. The preset information can be collected not only when the resource requestor is detected sending an access request but also periodically, at a fixed time interval.
The next-hop gateway address is, for example, the gateway address of the local area network in which a device sits when that device sends data to another device. In the embodiments of the present invention, since the terminal needs to send data to the server, the next-hop gateway address may refer to the gateway address of the local area network in which the server is located.
MD5 is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value and is used to check that transmitted information is complete and unmodified. Computing the MD5 digest of the application's executable file therefore allows the terminal to check that the file's contents have not been tampered with. Note that MD5 is no longer collision resistant, so where an attacker could substitute a crafted executable the same check should be made with a stronger hash such as SHA-256.
According to an embodiment of the present invention, authentication and authorization follow a multi-factor authentication policy. For example, the Internet protocol address, the next-hop gateway address, the MAC address and the MD5 digest serve as multiple factors that are authenticated and authorized. The collected preset information of the resource requestor therefore serves as the authorization factor, and the authorization result is determined from that factor. Because the authorization decision is based on the preset information (the multiple attribute information items), changes in the key information features of the resource requestor can be discovered in time, avoiding the risk that arises when the resource requestor has been compromised.
S102: generate a single packet authorization request based on the preset information and the access request, for example by combining the preset information and the access request into one single packet authorization request.
S103: send the single packet authorization request to the server, so that, when the server forwards it to an authorization control system and the authorization control system verifies it successfully, the server opens a resource access port to the resource requestor.
According to an embodiment of the present invention, after the terminal sends the single packet authorization request to the server, the server forwards it to the authorization control system, which verifies it. For example, the server or the authorization control system may store the preset information of multiple legal resource requestors in advance; after receiving the single packet authorization request sent by the current resource requestor, it matches the preset information in the request against the pre-stored preset information of the legal resource requestors, and if the match succeeds, the single packet authorization request of the current resource requestor is treated as verified by the authorization control system.
Referring to Fig. 2, which is a flow diagram of an access control method applied to a terminal provided by another embodiment of the present invention, the method mainly comprises steps S101 to S103 and steps S201 to S202. Steps S101 to S103 are the same as or similar to the steps described above with reference to Fig. 1 and are not repeated here.
S201: generate a one-time authorization code.
Generating the single packet authorization request based on the preset information and the access request then comprises generating it based on the preset information, the one-time authorization code and the access request.
According to an embodiment of the present invention, the one-time authorization code may for example be a dynamic password. The one-time authorization code, the preset information and the access request are combined to form the single packet authorization request, so that an attacker cannot easily forge single packet authorization data, which avoids unauthorized access caused by leaked authentication information.
Each time the resource requestor in the terminal sends an access request to the server, a different one-time authorization code is generated at random, which avoids the lasting risk that a leaked authorization code would otherwise cause.
Once the preset information and the one-time authorization code in the single packet authorization request have passed verification, the single packet authorization request initiated by the resource requestor is proven to be a legitimate request, and the server opens a resource access port to the resource requestor, allowing it to access the server and enabling normal traffic proxying and forwarding.
S202: judge whether the MD5 digest of the resource requestor is a preset legal MD5 digest, and send the single packet authorization request to the server only if it is.
According to an embodiment of the present invention, before sending the single packet authorization request to the server, the terminal may first judge whether the MD5 digest of the resource requestor is a preset legal MD5 digest, and send the single packet authorization request to the server only if it is.
For example, the preset legal MD5 digest of the resource requestor may be stored in advance; the MD5 digest of the current resource requestor is matched against the pre-stored legal MD5 digest, and a successful match indicates that the MD5 digest of the current resource requestor is legal.
Further, after the server opens the resource access port, a complete authentication and authorization access log can be recorded. The log includes, but is not limited to, the request time of the single packet authorization request, the Internet protocol address of the resource requestor, the request result of this single packet authorization request, the port number of the resource access port and the application information of the resource requestor. The log is then archived and reported to a log collection and analysis system, which facilitates auditing and security risk analysis of port access requests.
In the embodiments of the present invention, when a resource requestor in the terminal sends an access request to the server, the preset information of the resource requestor is collected and a one-time authorization code is generated at random; the preset information, the one-time authorization code and the access request are combined to generate a single packet authorization request, which is sent to the server; the server forwards the single packet authorization request to the authorization control system and receives the authorization result that the authorization control system returns for it; and if the authorization result is a pass, the server opens a resource access port to the resource requestor. Using the preset information of the resource requestor and the one-time authorization code as the authorization credential means that an attacker cannot easily forge single packet authorization data, which avoids unauthorized access caused by leaked authorization information.
Referring to Fig. 3, which is a flow diagram of an access control method applied to a server provided by an embodiment of the present invention, the method mainly comprises the following steps S301 to S304:
S301: receive a single packet authorization request sent by a resource requestor through a terminal; the single packet authorization request includes the preset information and the access request of the resource requestor, the preset information includes multiple attribute information items related to the resource requestor, and the access request is the request that the resource requestor sends to the server in order to access it.
The single packet authorization request may also include a one-time authorization code, which is an authorization code generated at random by the terminal.
S302: forward the single packet authorization request to an authorization control system.
S303: receive the authorization result generated by the authorization control system's authorization verification of the single packet authorization request.
For example, the server does not judge the single packet authorization request itself but forwards it directly to the authorization control system and then receives the authorization result returned by that system. The authorization control system may, for example, comprise an access control system and a context-aware system, which together decide on the single packet authorization request and produce the authorization result. The authorization result is then returned to the server, which determines from it whether to open the port.
For example, the context-aware system may judge the environmental information of the resource requestor, which may include the geographical location of the resource requestor, whether the terminal it runs on is a PC or a mobile device, whether the device's system has vulnerabilities, and similar information. If the environmental information of the resource requestor shows no anomaly (for example, compared with its previous environmental information), the context-aware system's judgement of the environmental information is a pass. In addition, the access control system makes the authorization judgement on the single packet authorization request.
S304: if the authorization result indicates that the single packet authorization request passed the authorization verification of the authorization control system, open a resource access port to the resource requestor.
For example, when the context-aware system's judgement of the environmental information of the resource requestor is a pass and the access control system's authorization judgement on the single packet authorization request is also a pass, the server opens a resource access port to the resource requestor.
Further, the server may open the resource access port to the resource requestor by means of a packet filter; the packet filter may be, for example, iptables, firewalld, ipfw or libpcap. Through the packet filter, a dynamic port is opened to the resource requestor that passed authorization.
If the Authorization result is not pass through, server does not make any response to the resource requestor.
Referring to Fig. 4, Fig. 4 is a schematic flow diagram of an access control method applied to a server, provided by another embodiment of the present invention. The method mainly comprises steps S301 to S304 and step S401, where steps S301 to S304 are the same as or similar to the steps described above with reference to Fig. 3 and are not repeated here.
S401: record the request time of the single-packet authorization request, the Internet Protocol address of the resource requestor, the request result of the single-packet authorization request, the port number of the resource access port and the application information of the resource requestor.
For example, after the resource access port has been opened, a complete authentication and authorization access log is recorded, including but not limited to the request time of the single-packet authorization request, the IP address of the resource requestor, the result of this single-packet authorization request, the port number of the resource access port and the application information of the resource requestor. The log is then archived and reported to a log collection and analysis system, so that port access requests can be audited and analysed for security risk.
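Step S401 in code, as an added example that is not the patent's own log format: each record carries the five items listed above as one JSON line, and two checks a log collection and analysis system could run over the archive follow, one flagging a burst of failed requests from a single address (what probing with forged authorization data looks like) and one listing which ports each application actually had opened. The layout, the sample records and the thresholds are constructed here.

```python
"""Audit records for single-packet authorization requests and two checks a
log collection and analysis system could run over them.

Added example, not the patent's log format: the JSON-lines layout, the
constructed sample records and the thresholds are assumptions made here.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# The five items step S401 records, in this order.
FIELDS = ("request_time", "requestor_ip", "result", "port", "app")


def make_record(request_time: int, requestor_ip: str, result: str,
                port: int, app: str) -> str:
    """One JSON-lines record; sort_keys keeps the archived line deterministic."""
    rec = dict(zip(FIELDS, (request_time, requestor_ip, result, port, app)))
    return json.dumps(rec, sort_keys=True)


def parse_records(lines: Iterable[str]) -> List[dict]:
    """Parse archived lines, rejecting any record missing one of the five items."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        missing = [f for f in FIELDS if f not in rec]
        if missing:
            raise ValueError("record missing %s: %s" % (missing, line))
        records.append(rec)
    return records


def flag_failed_bursts(records: List[dict], window_s: int, threshold: int) -> Dict[str, int]:
    """Requestor IPs whose failed requests inside some window_s-second window
    reach threshold, with the size of the largest such burst."""
    fails: Dict[str, List[int]] = defaultdict(list)
    for rec in records:
        if rec["result"] != "pass":
            fails[rec["requestor_ip"]].append(rec["request_time"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def opened_ports(records: List[dict]) -> Dict[str, Set[int]]:
    """Which ports each application actually got opened: the audit view of scope."""
    opened: Dict[str, Set[int]] = defaultdict(set)
    for rec in records:
        if rec["result"] == "pass":
            opened[rec["app"]].add(rec["port"])
    return dict(opened)


# Constructed sample archive: one legitimate requestor, a burst of four
# failures from one address, and two isolated failures far apart from another.
SAMPLE_LOG = "\n".join([
    make_record(1000, "192.0.2.10", "pass", 22, "ssh-client"),
    make_record(1001, "198.51.100.7", "fail", 22, "unknown"),
    make_record(1002, "198.51.100.7", "fail", 443, "unknown"),
    make_record(1003, "198.51.100.7", "fail", 3389, "unknown"),
    make_record(1004, "198.51.100.7", "fail", 22, "unknown"),
    make_record(1000, "203.0.113.9", "fail", 22, "ssh-client"),
    make_record(2000, "203.0.113.9", "fail", 22, "ssh-client"),
    make_record(2100, "192.0.2.10", "pass", 8443, "web-client"),
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG.splitlines())
    print(flag_failed_bursts(recs, window_s=60, threshold=3))
    print(opened_ports(recs))
```

The burst check keys on the requestor IP rather than on the one-time code or digest, because a forged request carries whatever the attacker chose for those fields; the address and the time are the two items the attacker does not control.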
In the embodiment of the present invention, when the resource requestor in the terminal sends an access request to the server, the preset information of the resource requestor is collected, a one-time authorization code is generated at random, and the preset information, the one-time authorization code and the access request are combined into a single-packet authorization request, which is sent to the server. The server forwards the single-packet authorization request to the authorization control system and receives the authorization result that the authorization control system returns for it; if the authorization result is "pass", the resource access port is opened to the resource requestor. Using the preset information of the resource requestor together with the one-time authorization code as the authorization credential makes it hard for an attacker to forge single-packet authorization data, and so avoids unauthorized access caused by leakage of authorization information.
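The exchange summarized above, as an added example that is not code from the patent or its applicant. The terminal side collects the four attribute items, draws a one-time code, refuses to send if its own digest is not on the legal list, and packs everything into one datagram payload; the server side parses the payload, hands it to a stand-in for the authorization control system (context check plus access-control check, including a replay check on the one-time code) and, on pass, produces the packet-filter rule that opens the requested port to that requestor only. The JSON wire format, the field names, the allow-lists, the context policy and the iptables rule are assumptions of this example.

```python
"""Single-packet authorization exchange between terminal and server.

Added example, not code from the patent: the JSON wire format, field names,
allow-lists, context policy and the iptables rule are assumptions made here.
"""
import hashlib
import json
import secrets
from typing import List, Optional, Set


# ---- terminal side (steps S101, S102, S201, S202) -------------------------

def md5_digest(exe_bytes: bytes) -> str:
    """MD5 digest of the requesting application's executable, as the page
    specifies (MD5 is collision-prone; a new design would use SHA-256)."""
    return hashlib.md5(exe_bytes).hexdigest()

def collect_preset_info(ip: str, gateway: str, mac: str, exe_bytes: bytes) -> dict:
    """The four attribute items the page lists for the resource requestor."""
    return {"ip": ip, "gateway": gateway, "mac": mac, "md5": md5_digest(exe_bytes)}

def generate_one_time_code(nbytes: int = 16) -> str:
    """Random single-use authorization code from the OS CSPRNG."""
    return secrets.token_hex(nbytes)

def build_spa_request(preset: dict, access_request: dict, one_time_code: str,
                      legal_md5s: Set[str]) -> Optional[bytes]:
    """Combine preset info, access request and one-time code into one datagram
    payload. The terminal-side judgement refuses to send an illegal digest."""
    if preset["md5"] not in legal_md5s:
        return None
    body = {"preset": preset, "access": access_request, "otc": one_time_code}
    return json.dumps(body, sort_keys=True).encode()


# ---- authorization control system (access control + context awareness) ----

class AuthorizationControlSystem:
    """Stand-in for the access control system and context awareness system.
    Assumed policy: environment from an allowed region with no known
    vulnerability; legal digest, known next-hop gateway, unused one-time code."""

    def __init__(self, legal_md5s: Set[str], known_gateways: Set[str],
                 allowed_regions: Set[str]) -> None:
        self.legal_md5s = legal_md5s
        self.known_gateways = known_gateways
        self.allowed_regions = allowed_regions
        self.used_codes: Set[str] = set()

    def context_check(self, env: dict) -> bool:
        """Environmental information: region, terminal type, vulnerability state."""
        return (env.get("region") in self.allowed_regions
                and not env.get("has_vulnerability", False))

    def access_check(self, preset: dict, otc: str) -> bool:
        """The server re-verifies the digest: the terminal check is no boundary."""
        if preset.get("md5") not in self.legal_md5s:
            return False
        if preset.get("gateway") not in self.known_gateways:
            return False
        if otc in self.used_codes:           # replayed datagram
            return False
        self.used_codes.add(otc)
        return True

    def authorize(self, preset: dict, otc: str, env: dict) -> bool:
        return self.context_check(env) and self.access_check(preset, otc)


# ---- server side (steps S301 to S304) --------------------------------------

def packet_filter_rule(src_ip: str, port: int) -> List[str]:
    """iptables form of "open this port to this requestor only"."""
    return ["iptables", "-I", "INPUT", "-s", src_ip, "-p", "tcp",
            "--dport", str(port), "-j", "ACCEPT"]

def handle_spa_request(raw: bytes, acs: AuthorizationControlSystem,
                       env: dict) -> Optional[dict]:
    """Parse the datagram, hand it to the authorization control system and, on
    pass, return the rule to install. On fail or malformed input return None:
    the server answers nothing, so a scanner learns nothing."""
    try:
        req = json.loads(raw.decode())
        preset, otc = req["preset"], str(req["otc"])
        src_ip, port = str(preset["ip"]), int(req["access"]["port"])
    except (ValueError, KeyError, TypeError):
        return None
    # A deployment would also require src_ip to equal the datagram's real source.
    if not acs.authorize(preset, otc, env):
        return None
    return {"requestor": src_ip, "port": port, "rule": packet_filter_rule(src_ip, port)}


if __name__ == "__main__":
    exe = b"constructed executable bytes"
    legal = {md5_digest(exe)}
    acs = AuthorizationControlSystem(legal, {"192.0.2.1"}, {"CN"})
    env = {"region": "CN", "terminal_type": "PC", "has_vulnerability": False}
    preset = collect_preset_info("192.0.2.10", "192.0.2.1", "02:00:00:00:00:01", exe)
    pkt = build_spa_request(preset, {"port": 22, "app": "ssh-client"},
                            generate_one_time_code(), legal)
    print(handle_spa_request(pkt, acs, env))   # rule opening 22/tcp to 192.0.2.10
    print(handle_spa_request(pkt, acs, env))   # None: one-time code already used
```

The terminal-side digest judgement (step S202, judgement module 702) only saves a round trip: an attacker's terminal can skip it, so the stand-in re-checks the digest on the server side and drops a replayed datagram by its one-time code. The page speaks of a dynamic port but gives no lifetime for it; a deployment should remove the rule after a timeout or when the session ends, and should take the requestor's address from the datagram itself rather than trusting the payload.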
Referring to Fig. 5, Fig. 5 is a schematic structural diagram of an access control system provided by one embodiment of the present invention. The access control system 500 mainly comprises a terminal 501, a server 502 and an authorization control system 503.
According to the embodiment of the present invention, the terminal 501 may send the single-packet authorization request of the resource requestor to the server 502; the single-packet authorization request includes, for example, the preset information, the access request and the one-time authorization code. The server 502 forwards the single-packet authorization request to the authorization control system 503 for authorization verification, and once the authorization control system 503 has verified the single-packet authorization request successfully, the server 502 may open the resource access port to the resource requestor in the terminal 501.
Referring to Fig. 6, Fig. 6 is a schematic structural diagram of a terminal provided by one embodiment of the present invention. The terminal mainly comprises an acquisition module 601, a first generation module 602 and a sending module 603.
The acquisition module 601 collects the preset information of the resource requestor when it detects that the resource requestor in the terminal sends an access request to the server; the preset information includes multiple attribute items related to the resource requestor. According to the embodiment of the present invention, the acquisition module 601 may, for example, perform step S101 described with reference to Fig. 1, which is not repeated here.
The first generation module 602 generates the single-packet authorization request based on the preset information and the access request. According to the embodiment of the present invention, the first generation module 602 may, for example, perform step S102 described with reference to Fig. 1, which is not repeated here.
The sending module 603 sends the single-packet authorization request to the server, so that, when the server forwards the single-packet authorization request to the authorization control system and the authorization control system verifies it, the server opens the resource access port to the resource requestor. According to the embodiment of the present invention, the sending module 603 may, for example, perform step S103 described with reference to Fig. 1, which is not repeated here.
The preset information of the resource requestor (that is, the multiple attribute items related to the resource requestor) includes the Internet Protocol address, the next-hop gateway address, the MAC address and the MD5 digest.
Referring to Fig. 7, Fig. 7 is a schematic structural diagram of a terminal provided by a further embodiment of the present invention. The terminal mainly comprises an acquisition module 601, a first generation module 602, a sending module 603, a second generation module 701 and a judgement module 702. The acquisition module 601, the first generation module 602 and the sending module 603 are, for example, the same as or similar to the modules described above with reference to Fig. 6 and are not repeated here.
The second generation module 701 generates the one-time authorization code. According to the embodiment of the present invention, the second generation module 701 may, for example, perform step S201 described with reference to Fig. 2, which is not repeated here.
The judgement module 702 judges, before the single-packet authorization request is sent to the server, whether the MD5 digest of the resource requestor is a preset legal MD5 digest, and sends the single-packet authorization request to the server only if it is. According to the embodiment of the present invention, the judgement module 702 may, for example, perform step S202 described with reference to Fig. 2, which is not repeated here.
Referring to Fig. 8, Fig. 8 is a schematic structural diagram of a server provided by one embodiment of the present invention. The server 800 mainly comprises a first receiving module 801, a forwarding module 802, a second receiving module 803 and a port opening module 804.
The first receiving module 801 receives the single-packet authorization request that the resource requestor sends through the terminal. The single-packet authorization request includes the preset information and the access request of the resource requestor; the preset information includes multiple attribute items related to the resource requestor, and the access request is the request the resource requestor sends to the server in order to access the server. According to the embodiment of the present invention, the first receiving module 801 may, for example, perform step S301 described with reference to Fig. 3, which is not repeated here.
The forwarding module 802 forwards the single-packet authorization request to the authorization control system. According to the embodiment of the present invention, the forwarding module 802 may, for example, perform step S302 described with reference to Fig. 3, which is not repeated here.
The second receiving module 803 receives the authorization result that the authorization control system generates by performing authorization verification on the single-packet authorization request. According to the embodiment of the present invention, the second receiving module 803 may, for example, perform step S303 described with reference to Fig. 3, which is not repeated here.
The port opening module 804 opens the resource access port to the resource requestor, based on packet filtering, if the authorization result indicates that the single-packet authorization request passed the authorization verification of the authorization control system. According to the embodiment of the present invention, the port opening module 804 may, for example, perform step S304 described with reference to Fig. 3, which is not repeated here.
According to the embodiment of the present invention, the single-packet authorization request further includes a one-time authorization code, which is an authorization code generated at random by the terminal.
According to the embodiment of the present invention, the multiple attribute items related to the resource requestor include the Internet Protocol address, the next-hop gateway address, the MAC address and the MD5 digest of the application's executable file, and receiving the single-packet authorization request sent by the resource requestor in the terminal comprises: receiving the single-packet authorization request sent by the resource requestor in the terminal when the MD5 digest of the resource requestor is a preset legal MD5 digest.
According to the embodiment of the present invention, opening the resource access port to the resource requestor comprises: opening the resource access port to the resource requestor based on packet filtering.
Referring to Fig. 9, Fig. 9 is a schematic structural diagram of a server provided by another embodiment of the present invention. The server 900 mainly comprises a first receiving module 801, a forwarding module 802, a second receiving module 803, a port opening module 804 and a logging module 901. The first receiving module 801, the forwarding module 802, the second receiving module 803 and the port opening module 804 are, for example, the same as or similar to the modules described above with reference to Fig. 8 and are not repeated here.
The logging module 901 records the request time of the single-packet authorization request, the Internet Protocol address of the resource requestor, the request result of the single-packet authorization request, the port number of the resource access port and the application information of the resource requestor. According to the embodiment of the present invention, the logging module 901 may, for example, perform step S401 described with reference to Fig. 4, which is not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in actual implementation; for example, several modules or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be realized through some interfaces, and the indirect coupling or communication connection between modules may be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated into one processing module, or each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module.
It should be noted that, for simplicity of description, each method embodiment above is described as a series of action combinations; those skilled in the art should understand, however, that the present invention is not limited by the order of the actions described, since according to the present invention certain steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Each of the above embodiments has its own emphasis; for parts not described in detail in one embodiment, refer to the related description of the other embodiments.
The above is a description of the access control method, terminal, server and system provided by the present invention. Those skilled in the art will make changes in the specific embodiments and the scope of application in accordance with the idea of the embodiments of the present invention; in summary, the contents of this specification should not be construed as limiting the present invention.
Claims (13)
1. An access control method applied to a terminal, characterized by comprising:
when it is detected that a resource requestor in the terminal sends an access request to a server, collecting preset information of the resource requestor, the preset information including multiple attribute items related to the resource requestor;
generating a single-packet authorization request based on the preset information and the access request; and
sending the single-packet authorization request to the server,
so that, in the case where the single-packet authorization request is forwarded by the server to an authorization control system and the authorization control system verifies the single-packet authorization request, the server opens a resource access port to the resource requestor.
2. The access control method according to claim 1, characterized in that the method further comprises:
generating a one-time authorization code;
wherein generating the single-packet authorization request based on the preset information and the access request comprises: generating the single-packet authorization request based on the preset information, the one-time authorization code and the access request.
3. The access control method according to claim 1, characterized in that:
the multiple attribute items related to the resource requestor include an Internet Protocol address, a next-hop gateway address, a MAC address and an MD5 digest of the application's executable file; and
before sending the single-packet authorization request to the server, the method further comprises:
judging whether the MD5 digest of the resource requestor is a preset legal MD5 digest, and if it is a preset legal MD5 digest, sending the single-packet authorization request to the server.
4. An access control method applied to a server, characterized by comprising:
receiving a single-packet authorization request sent by a resource requestor through a terminal, the single-packet authorization request including preset information and an access request of the resource requestor, the preset information including multiple attribute items related to the resource requestor, and the access request being a request that the resource requestor sends to the server in order to access the server;
forwarding the single-packet authorization request to an authorization control system;
receiving an authorization result generated by the authorization control system performing authorization verification on the single-packet authorization request; and
if the authorization result indicates that the single-packet authorization request passed the authorization verification of the authorization control system, opening a resource access port to the resource requestor.
5. The access control method according to claim 4, characterized in that the single-packet authorization request further includes a one-time authorization code, the one-time authorization code being an authorization code generated at random by the terminal.
6. The access control method according to claim 4, characterized in that:
the multiple attribute items related to the resource requestor include an Internet Protocol address, a next-hop gateway address, a MAC address and an MD5 digest of the application's executable file; and
receiving the single-packet authorization request sent by the resource requestor through the terminal comprises: receiving the single-packet authorization request sent by the resource requestor in the terminal in the case where the MD5 digest of the resource requestor is a preset legal MD5 digest.
7. The access control method according to claim 4, characterized in that, after opening the resource access port to the resource requestor, the method further comprises:
recording the request time of the single-packet authorization request, the Internet Protocol address of the resource requestor, the request result of the single-packet authorization request, the port number of the resource access port and the application information of the resource requestor.
8. The access control method according to any one of claims 4 to 7, characterized in that opening the resource access port to the resource requestor comprises:
opening the resource access port to the resource requestor based on packet filtering.
9. A terminal, characterized by comprising:
an acquisition module, for collecting preset information of a resource requestor when it is detected that the resource requestor in the terminal sends an access request to a server, the preset information including multiple attribute items related to the resource requestor;
a first generation module, for generating a single-packet authorization request based on the preset information and the access request; and
a sending module, for sending the single-packet authorization request to the server, so that, in the case where the single-packet authorization request is forwarded by the server to an authorization control system and the authorization control system verifies the single-packet authorization request, the server opens a resource access port to the resource requestor.
10. A server, characterized by comprising:
a first receiving module, for receiving a single-packet authorization request sent by a resource requestor through a terminal, the single-packet authorization request including preset information and an access request of the resource requestor, the preset information including multiple attribute items related to the resource requestor, and the access request being a request that the resource requestor sends to the server in order to access the server;
a forwarding module, for forwarding the single-packet authorization request to an authorization control system;
a second receiving module, for receiving an authorization result generated by the authorization control system performing authorization verification on the single-packet authorization request; and
a port opening module, for opening a resource access port to the resource requestor if the authorization result indicates that the single-packet authorization request passed the authorization verification of the authorization control system.
11. An access control system, characterized by comprising the terminal according to claim 9 and the server according to claim 10.
12. A terminal, comprising:
one or more processors; and
a storage device for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors perform the method according to any one of claims 1 to 3.
13. A server, comprising:
one or more processors; and
a storage device for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors perform the method according to any one of claims 4 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910322523.0A CN110049046A (en) | 2019-04-19 | 2019-04-19 | Access control method, terminal, server and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910322523.0A CN110049046A (en) | 2019-04-19 | 2019-04-19 | Access control method, terminal, server and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110049046A true CN110049046A (en) | 2019-07-23 |
Family
ID=67278248
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910322523.0A Pending CN110049046A (en) | 2019-04-19 | 2019-04-19 | Access control method, terminal, server and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110049046A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110830444A (en) * | 2019-10-14 | 2020-02-21 | 云深互联(北京)科技有限公司 | Method and device for single-packet enhanced security verification |
CN110830447A (en) * | 2019-10-14 | 2020-02-21 | 云深互联(北京)科技有限公司 | SPA single packet authorization method and device |
CN111131310A (en) * | 2019-12-31 | 2020-05-08 | 奇安信科技集团股份有限公司 | Access control method, device, system, computer device and storage medium |
CN111193712A (en) * | 2019-12-03 | 2020-05-22 | 云深互联(北京)科技有限公司 | Agent access method and device based on enterprise browser |
CN111193707A (en) * | 2019-11-29 | 2020-05-22 | 云深互联(北京)科技有限公司 | Pre-verification access method and device based on enterprise browser |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070234428A1 (en) * | 2006-03-22 | 2007-10-04 | Rash Michael B | Method for secure single-packet remote authorization |
CN102447677A (en) * | 2010-09-30 | 2012-05-09 | 北大方正集团有限公司 | Resource access control method, system and equipment |
CN102447677B (en) * | 2010-09-30 | 2015-05-20 | 北大方正集团有限公司 | Resource access control method, system and equipment |
CN105930728A (en) * | 2016-06-17 | 2016-09-07 | 浪潮(北京)电子信息产业有限公司 | Application examining method and device |
CN108429730A (en) * | 2018-01-22 | 2018-08-21 | 北京智涵芯宇科技有限公司 | Feedback-less safety certification and access control method |
CN109600399A (en) * | 2019-02-02 | 2019-04-09 | 北京奇安信科技有限公司 | API Access control method and API Access agent apparatus |
Events
- 2019-04-19: application CN201910322523.0A filed in CN (patent/CN110049046A/en), status Pending
Similar Documents
Publication | Title |
---|---|
CN110049046A (en) | Access control method, terminal, server and system |
US20210326451A1 (en) | Automated security assessment of business-critical systems and applications |
CN103067385B (en) | The method of defence Hijack Attack and fire compartment wall |
CN110324310A (en) | Networked asset fingerprint identification method, system and equipment |
CN109522726A (en) | Method for authenticating, server and the computer readable storage medium of small routine |
US8782796B2 (en) | Data exfiltration attack simulation technology |
CN109413096B (en) | A kind of login method and device more applied |
US20100318614A1 (en) | Displaying User Profile and Reputation with a Communication Message |
CN104753730B (en) | A kind of method and device of Hole Detection |
US20070011450A1 (en) | System and method for concurrent discovery and survey of networked devices |
JP2012508410A (en) | Method and system for protecting against unauthorized use using identity theft or duplication |
CN106302606B (en) | Across the application access method and device of one kind |
CN113868659B (en) | Vulnerability detection method and system |
CN106878135A (en) | A kind of connection method and device |
CN110474921A (en) | A kind of perception layer data fidelity method towards local Internet of Things |
CN109067768A (en) | A kind of detection method, system, equipment and the medium of inquiry of the domain name safety |
KR20090058536A (en) | Client-based pseudonyms |
CN109359484A (en) | Processing method, device, equipment and the medium of the security audit terminal log of cloud platform |
US20140237091A1 (en) | Method and System of Network Discovery |
CN117155716B (en) | Access verification method and device, storage medium and electronic equipment |
CN109067749A (en) | A kind of information processing method, equipment and computer readable storage medium |
CA2815690A1 (en) | Back-end constrained delegation model |
CN113868670A (en) | Vulnerability detection flow inspection method and system |
CN108881484A (en) | A method of whether detection terminal can access internet |
Kumar et al. | Intrusion detection system for grid computing using SNORT |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| CB02 | Change of applicant information | Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant after: QAX Technology Group Inc. Address before: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190723 |