CN111181963A - Authentication method based on port forwarding hypertext transfer protocol - Google Patents
- Publication number: CN111181963A (application CN201911397473.9A)
- Authority: CN (China)
- Prior art keywords: request, certificate, https, response, transfer protocol
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/00: Network arrangements or protocols for supporting network services or applications
- H04L67/01: Protocols
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses an authentication method based on a port forwarding hypertext transfer protocol, which specifically comprises the following steps: 101) a preprocessing step; 102) an HTTPS request judging step; 103) a response step. The authentication method based on the port forwarding hypertext transfer protocol provided by the invention has a simple and reasonable flow design and low system consumption.
Description
Technical Field
The invention relates to the field of traffic monitoring, in particular to an authentication method based on a port forwarding hypertext transfer protocol.
Background
In current traffic monitoring, professional equipment, or switches and hubs with broadcasting functions, are used to collect TCP/UDP information in a local area network. Network data is captured using tools such as libpcap and tcpdump, and the data packets are then analyzed further in Wireshark or other tools.
There are the following problems:
1. If a TLS-encrypted request is encountered, the encrypted network packet cannot be parsed unless the origin server's encryption key can be provided.
2. Packet capture and filtering depend on command-line interfaces such as tcpdump, and the broadcast range cannot be effectively controlled; if the user works in a normal local area network, the network environment can affect normal network use.
3. Advanced listening schemes require expensive equipment, are difficult to customize, and are costly to deploy and develop.
4. The monitoring machine needs to be running in real time; if the monitoring machine goes offline, network fluctuation or even network unavailability can result.
Disclosure of Invention
The invention overcomes the defects of the prior art and provides an authentication method based on the port forwarding hypertext transfer protocol, which has a simple and reasonable flow design and low system consumption.
In order to solve the technical problems, the technical scheme of the invention is as follows:
the authentication method based on the port forwarding hypertext transfer protocol specifically comprises the following steps:
101) a preprocessing step: establish a dynamic certificate issuing center, forward traffic from a specified IP/MAC address through iptables, and send all port 80/443 requests for the current domain name to a router;
102) an HTTPS request judging step: the router parses and classifies the request after receiving it. If the request is an HTTP request, the router continues to monitor and parse the plaintext through an HTTP packet analysis tool, sends the plaintext synchronously to the terminal user and the server, and then enters the response step;
if the request is an HTTPS request, a certificate is generated on demand through the dynamic certificate issuing center; the router initiates the HTTPS request on the user's behalf, obtains the content of the terminal user's request, constructs an HTTPS message using the certificate, sends the HTTPS message synchronously to the terminal user and the server, and enters the response step. The whole HTTPS request recording process and the response content are stored locally, and the response result is written back into the user's request;
103) a response step: the server and the terminal user use the network normally and respond accordingly; the locally written file is then retrieved and the intercepted data result is analyzed.
Further, the dynamic generation of the certificate uses a root certificate trusted by the user to generate a dynamic sub-certificate, and a batch of domain name certificates is pre-generated under the sub-certificate and stored in the related path.
Further, the HTTPS message constructed with the certificate is encrypted using TLS.
Compared with the prior art, the invention has the following advantages:
The invention only monitors the specified port and protocol, does not affect other networks, and does not affect the use or performance of the original router. The invention fully supports TLS encryption. The request to the server's domain name is ultimately initiated by the router, which is equivalent to shielding the normal connection between the user and the server: the router takes over all requests, while neither the user nor the server is affected. This achieves low system consumption and self-monitoring of the designated IP and designated port. If no monitoring machine is present, normal use is not affected.
Drawings
FIG. 1 is a block diagram of the present invention;
FIG. 2 is a flow chart of the present invention.
Detailed Description
The invention is further described with reference to the following figures and detailed description.
As shown in FIG. 1, the authentication method based on the port forwarding hypertext transfer protocol specifically includes the following steps:
101) a preprocessing step: establish a dynamic certificate issuing center, forward traffic from a specified IP/MAC address through iptables, and send all port 80/443 requests for the current domain name to a router;
102) an HTTPS request judging step: the router parses and classifies the request after receiving it. If the request is an HTTP request, the router continues to monitor and parse the plaintext through an HTTP packet analysis tool, sends the plaintext synchronously to the terminal user and the server, and then enters the response step;
if the request is an HTTPS request, a certificate is generated on demand through the dynamic certificate issuing center; the router initiates the HTTPS request on the user's behalf, obtains the content requested by the terminal user, and constructs an HTTPS message using the certificate, where the HTTPS message constructed with the certificate is encrypted by TLS. The data is sent synchronously to the terminal user and the server, and the method enters the response step; the whole HTTPS request process and the response content are stored locally, and the response result is written back into the user's request. In this TLS-encrypted exchange, the router initiates its own TLS-encrypted request and performs a normal TLS connection with the server; after obtaining the server's response, it sends the response result back over the previously established TLS connection with the user terminal, forming a closed loop.
The dynamic generation of the certificate uses a root certificate trusted by the user to generate a dynamic sub-certificate, and a batch of domain name certificates is pre-generated under the sub-certificate and stored in the related path. Conventional general-purpose algorithms are used to generate the dynamic sub-certificates from the user-trusted root certificate. Pre-generating a batch of domain name certificates under the sub-certificate and storing them in the related paths avoids the computational load of generating certificates in real time.
103) a response step: the server and the terminal user use the network normally and respond accordingly; the locally written file is then retrieved and the intercepted data result is analyzed.
In summary, the request to the server's domain name is ultimately initiated by the router, which is equivalent to shielding the normal connection between the user and the server: the router takes over all requests, the user and the server are each unaware of the other, and the CA certificate can be generated dynamically according to the request the user accesses. The overall system consumption is therefore low, and the designated IP and designated port can be monitored automatically. If no monitoring machine is present, normal use is not affected.
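The request judging step (102) depends on the router telling an HTTP request apart from a TLS handshake on the same forwarded socket and recovering the domain name the user intended, from the Host header in the plaintext case or from the TLS Server Name Indication (SNI) in the ClientHello, before any certificate can be selected from the pre-generated batch. The Python example below is added here for illustration; it is not code from the patent or from any reference implementation. It classifies the first bytes of a forwarded connection, parses the SNI out of a ClientHello, and extracts the Host header, over sample bytes constructed in the block. The function names and the `build_client_hello` helper used to construct the sample handshake are assumptions.

```python
"""Classify a forwarded connection's first bytes and recover the intended
host name (HTTP Host header or TLS SNI). Added example; not the patent's code."""

# Hypothetical helper: builds a minimal but well-formed TLS ClientHello record
# so the parser can be exercised offline (constructed sample, not a capture).
def build_client_hello(host: str) -> bytes:
    sni_entry = b"\x00" + len(host).to_bytes(2, "big") + host.encode("ascii")
    sni_ext_data = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_ext_data).to_bytes(2, "big") + sni_ext_data
    # An unrelated extension (ec_point_formats, type 0x000b) placed before SNI
    # so the parser has to walk the extension list rather than assume position.
    other_ext = b"\x00\x0b" + b"\x00\x02" + b"\x01\x00"
    exts = other_ext + sni_ext
    body = (
        b"\x03\x03"            # client_version TLS 1.2
        + bytes(32)            # random (zeros: constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + len(exts).to_bytes(2, "big") + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

def classify_request(data: bytes) -> str:
    """'tls' for a TLS handshake record, 'http' for an HTTP/1.x request line, else 'unknown'."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def http_host(data: bytes):
    """Return the Host header value of an HTTP/1.x request, or None."""
    head = data.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def tls_sni(data: bytes):
    """Return the host_name from the SNI extension of a ClientHello, or None.
    Every length is bounds-checked so truncated or malformed input yields None."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    body = data[5:5 + int.from_bytes(data[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:                        # record truncated
        return None
    pos = 2 + 32                                   # version + random
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                          # session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
    if pos + 1 > len(hello):
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if pos + 2 > len(hello):                       # no extensions block at all
        return None
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000:                        # server_name extension
            if len(edata) < 2:
                return None
            list_end = min(len(edata), 2 + int.from_bytes(edata[:2], "big"))
            q = 2
            while q + 3 <= list_end:
                ntype, nlen = edata[q], int.from_bytes(edata[q + 1:q + 3], "big")
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0 and len(name) == nlen:   # name_type 0 = host_name
                    return name.decode("ascii", "replace")
            return None
    return None

def intended_host(data: bytes):
    """Dispatch as step 102 would: (kind, host) for the first bytes of a connection."""
    kind = classify_request(data)
    if kind == "http":
        return kind, http_host(data)
    if kind == "tls":
        return kind, tls_sni(data)
    return kind, None

if __name__ == "__main__":
    print(intended_host(b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"))
    print(intended_host(build_client_hello("example.com")))
```

The same SNI parsing is what a passive monitor or detection pipeline uses to log which domains a host connects to without decrypting anything, which is why the parser refuses to guess on truncated input rather than returning a partial name. Note the caveat for the certificate-selection step: with TLS 1.3 Encrypted ClientHello the server name is not visible in the clear, so a router that relies on SNI to pick a pre-generated certificate has nothing to key on and must fall back to another signal or let the connection pass.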
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and decorations can be made without departing from the spirit of the present invention, and these modifications and decorations should also be regarded as being within the scope of the present invention.
Claims (3)
1. The authentication method based on the port forwarding hypertext transfer protocol is characterized by comprising the following steps:
101) a preprocessing step: establishing a dynamic certificate issuing center, forwarding traffic from a specified IP/MAC address through iptables, and sending all port 80/443 requests for the current domain name to a router;
102) an HTTPS request judging step: the router parses and classifies the request after receiving it; if the request is an HTTP request, the router continues to monitor and parse the plaintext through an HTTP packet analysis tool, sends the plaintext synchronously to the terminal user and the server, and then enters the response step;
if the request is an HTTPS request, generating a certificate on demand through the dynamic certificate issuing center; the router initiates the HTTPS request on the user's behalf, obtains the content of the terminal user's request, constructs an HTTPS message using the certificate, sends the HTTPS message synchronously to the terminal user and the server, and enters the response step; storing the whole HTTPS request recording process and the response content locally, and writing the response result back into the user's request;
103) a response step: the server and the terminal user use the network normally and respond accordingly; the locally written file is retrieved and the intercepted data result is analyzed.
2. The port forwarding hypertext transfer protocol-based authentication and authorization method according to claim 1, wherein: the dynamic generation of the certificate adopts a root certificate trusted by a user to generate a dynamic sub-certificate, and the sub-certificate adopts a prefabricated batch of domain name certificates to be stored in a related path.
3. The port forwarding hypertext transfer protocol-based authentication and authorization method according to claim 1, wherein: the certificate construction HTTPS message is encrypted using TLS.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911397473.9A CN111181963B (en) | 2019-12-30 | 2019-12-30 | Authentication method based on port forwarding hypertext transfer protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111181963A true CN111181963A (en) | 2020-05-19 |
CN111181963B CN111181963B (en) | 2022-11-01 |
Family ID: 70658461
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911397473.9A Active CN111181963B (en) | 2019-12-30 | 2019-12-30 | Authentication method based on port forwarding hypertext transfer protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111181963B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005060202A1 (en) * | 2003-12-10 | 2005-06-30 | International Business Machines Corporation | Method and system for analysing and filtering https traffic in corporate networks |
CN102916949A (en) * | 2012-10-11 | 2013-02-06 | 北京东土科技股份有限公司 | Web authentication method and device |
US20140366117A1 (en) * | 2012-06-07 | 2014-12-11 | Vivek R. KUMAR | Method and system of managing a captive portal with a router |
CN105812481A (en) * | 2016-04-20 | 2016-07-27 | 上海斐讯数据通信技术有限公司 | Hypertext transfer protocol request identification system and hypertext transfer protocol request identification method |
CN106105141A (en) * | 2014-03-18 | 2016-11-09 | 高通股份有限公司 | Realize the delivery acceleration device of extension transmission control function |
CN107018178A (en) * | 2017-02-22 | 2017-08-04 | 福建网龙计算机网络信息技术有限公司 | The method and system that a kind of network request agency performs |
US20170295132A1 (en) * | 2014-08-15 | 2017-10-12 | Interdigital Patent Holdings, Inc. | Edge caching of https content via certificate delegation |
WO2019092825A1 (en) * | 2017-11-09 | 2019-05-16 | 三菱電機株式会社 | Information processing device and information processing method |
Timeline
- 2019-12-30: CN application CN201911397473.9A (patent CN111181963B), status active
Also Published As
Publication number | Publication date |
---|---|
CN111181963B (en) | 2022-11-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |