CN111181963A - Authentication method based on port forwarding hypertext transfer protocol - Google Patents

Authentication method based on port forwarding hypertext transfer protocol

Info

Publication number
CN111181963A
Authority
CN
China
Prior art keywords
request
certificate
https
response
transfer protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911397473.9A
Other languages
Chinese (zh)
Other versions
CN111181963B (en)
Inventor
袁开
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wasu Media & Network Co ltd
Original Assignee
Wasu Media & Network Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-12-30
Filing date
2019-12-30
Publication date
2020-05-19
Application filed by Wasu Media & Network Co ltd (2019-12-30)
Priority to CN201911397473.9A
Publication of CN111181963A (2020-05-19)
Application granted
Publication of CN111181963B (2022-11-01)
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses an authentication method based on a port forwarding hypertext transfer protocol, which comprises the following steps: 101) a preprocessing step, 102) an HTTPS request judging step, and 103) a response step. The method has a simple and reasonable flow design and low system consumption.

Description

Authentication method based on port forwarding hypertext transfer protocol
Technical Field
The invention relates to the field of traffic monitoring, in particular to an authentication method based on a port forwarding hypertext transfer protocol.
Background
In current traffic monitoring, dedicated equipment, or switches and hubs with a broadcast function, are used to collect TCP/UDP traffic on a local area network. Packets are captured with tools such as libpcap or tcpdump and then analysed further in Wireshark or similar tools.
This approach has the following problems:
1. If a TLS-encrypted request is encountered, the encrypted packets cannot be parsed unless the origin server's encryption key is available.
2. Packet capture and filtering depend on command-line interfaces such as tcpdump, the broadcast range cannot be controlled effectively, and on an ordinary local area network the capture setup can disturb normal network use.
3. Advanced interception schemes require expensive equipment, are hard to customise, and are costly to deploy and develop.
4. The monitoring machine has to be running at all times; if it goes offline, the network may fluctuate or even become unavailable.
Disclosure of Invention
The invention overcomes the defects of the prior art and provides an authentication method based on a port forwarding hypertext transfer protocol with a simple and reasonable flow design and low system consumption.
To solve these technical problems, the technical scheme of the invention is as follows:
The authentication method based on the port forwarding hypertext transfer protocol comprises the following steps:
101) A preprocessing step: establish a dynamic certificate issuing center, use iptables to forward traffic from a specified IP/MAC address, and send all port 80/443 requests for the current domain name to the router;
102) An HTTPS request judging step: the router parses and classifies each request it receives. If it is an HTTP request, the router keeps monitoring, reads the plaintext with an HTTP packet analysis tool, forwards it to both the end user and the server, and proceeds to the response step;
If it is an HTTPS request, the dynamic certificate issuing center generates a certificate on demand; the router initiates the HTTPS request in the user's place, obtains the content of the end user's request, constructs an HTTPS message using the certificate, forwards it to both the end user and the server, and proceeds to the response step. The whole HTTPS request process and the response content are recorded locally, and the response result is written back into the user's request;
103) A response step: the server and the end user use the network normally and respond accordingly; the locally written file is retrieved and the intercepted data is analysed.
Further, the certificate is generated dynamically as a sub-certificate signed by a root certificate trusted by the user, and a batch of domain-name certificates is pre-generated under the sub-certificate and stored in a designated path.
Further, the HTTPS message constructed with the certificate is encrypted using TLS.
Compared with the prior art, the invention has the following advantages:
The invention monitors only the designated port and protocol, so it does not affect other network traffic or the use and performance of the original router. It fully supports TLS encryption. The request to the server's domain name is ultimately initiated by the router, which effectively replaces the direct connection between the user and the server: the router takes over all requests while neither the user nor the server is affected, achieving low system consumption and self-contained monitoring of the designated IP and port. If no monitoring machine is present, normal use is unaffected.
Drawings
FIG. 1 is a block diagram of the present invention;
FIG. 2 is a flow chart of the present invention.
Detailed Description
The invention is further described below with reference to the figures and a detailed embodiment.
As shown in FIG. 1, the authentication method based on the port forwarding hypertext transfer protocol includes the following steps:
101) A preprocessing step: establish a dynamic certificate issuing center, use iptables to forward traffic from a specified IP/MAC address, and send all port 80/443 requests for the current domain name to the router;
102) An HTTPS request judging step: the router parses and classifies each request it receives. If it is an HTTP request, the router keeps monitoring, reads the plaintext with an HTTP packet analysis tool, forwards it to both the end user and the server, and proceeds to the response step;
If it is an HTTPS request, the dynamic certificate issuing center generates a certificate on demand; the router initiates the HTTPS request in the user's place, obtains the content of the end user's request, and constructs an HTTPS message using the certificate, the message being encrypted with TLS. The message is forwarded to both the end user and the server and the method proceeds to the response step; the whole HTTPS request process and the response content are recorded locally, and the response result is written back into the user's request. Concretely, the router initiates a TLS-encrypted request and performs a normal TLS handshake with the server; after obtaining the server's response, it sends the result back over the previously established TLS connection with the user terminal, closing the loop.
The certificate is generated dynamically as a sub-certificate signed by a root certificate trusted by the user, and a batch of domain-name certificates is pre-generated under the sub-certificate and stored in a designated path. Conventional, general-purpose algorithms are used to generate the dynamic sub-certificates from the user-trusted root. Pre-generating the batch of domain-name certificates under the sub-certificate and storing them in the designated path avoids the computational load of generating certificates in real time.
103) A response step: the server and the end user use the network normally and respond accordingly; the locally written file is retrieved and the intercepted data is analysed.
In summary, the request to the server's domain name is ultimately initiated by the router, which effectively replaces the direct connection between the user and the server; the router takes over all requests, neither the user nor the server is aware of it, and the CA certificate can be generated dynamically for each request the user makes, so overall system consumption is low and the designated IP and port are monitored automatically. If no monitoring machine is present, normal use is unaffected.
The foregoing is only a preferred embodiment of the present invention; those skilled in the art can make several modifications and improvements without departing from its spirit, and such modifications and improvements should also be regarded as within the scope of the present invention.

Claims (3)

1. An authentication method based on a port forwarding hypertext transfer protocol, characterized by comprising the following steps:
101) A preprocessing step: establish a dynamic certificate issuing center, use iptables to forward traffic from a specified IP/MAC address, and send all port 80/443 requests for the current domain name to the router;
102) An HTTPS request judging step: the router parses and classifies each request it receives. If it is an HTTP request, the router keeps monitoring, reads the plaintext with an HTTP packet analysis tool, forwards it to both the end user and the server, and proceeds to the response step;
If it is an HTTPS request, the dynamic certificate issuing center generates a certificate on demand; the router initiates the HTTPS request in the user's place, obtains the content of the end user's request, constructs an HTTPS message using the certificate, forwards it to both the end user and the server, and proceeds to the response step. The whole HTTPS request process and the response content are recorded locally, and the response result is written back into the user's request;
103) A response step: the server and the end user use the network normally and respond accordingly; the locally written file is retrieved and the intercepted data is analysed.
2. The port forwarding hypertext transfer protocol-based authentication and authorization method according to claim 1, wherein the certificate is generated dynamically as a sub-certificate signed by a root certificate trusted by the user, and a batch of domain-name certificates is pre-generated under the sub-certificate and stored in a designated path.
3. The port forwarding hypertext transfer protocol-based authentication and authorization method according to claim 1, wherein the HTTPS message constructed with the certificate is encrypted using TLS.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911397473.9A CN111181963B (en) 2019-12-30 2019-12-30 Authentication method based on port forwarding hypertext transfer protocol


Publications (2)

Publication Number Publication Date
CN111181963A true CN111181963A (en) 2020-05-19
CN111181963B CN111181963B (en) 2022-11-01

Family

ID=70658461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911397473.9A Active CN111181963B (en) 2019-12-30 2019-12-30 Authentication method based on port forwarding hypertext transfer protocol

Country Status (1)

Country Link
CN (1) CN111181963B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005060202A1 (en) * 2003-12-10 2005-06-30 International Business Machines Corporation Method and system for analysing and filtering https traffic in corporate networks
CN102916949A (en) * 2012-10-11 2013-02-06 北京东土科技股份有限公司 Web authentication method and device
US20140366117A1 (en) * 2012-06-07 2014-12-11 Vivek R. KUMAR Method and system of managing a captive portal with a router
CN105812481A (en) * 2016-04-20 2016-07-27 上海斐讯数据通信技术有限公司 Hypertext transfer protocol request identification system and hypertext transfer protocol request identification method
CN106105141A (en) * 2014-03-18 2016-11-09 高通股份有限公司 Transport accelerator implementing extended transmission control functionality
CN107018178A (en) * 2017-02-22 2017-08-04 福建网龙计算机网络信息技术有限公司 Method and system for executing a network request proxy
US20170295132A1 (en) * 2014-08-15 2017-10-12 Interdigital Patent Holdings, Inc. Edge caching of https content via certificate delegation
WO2019092825A1 (en) * 2017-11-09 2019-05-16 三菱電機株式会社 Information processing device and information processing method

Also Published As

Publication number Publication date
CN111181963B (en) 2022-11-01

Similar Documents

Publication Publication Date Title
US10992652B2 (en) Methods, systems, and computer readable media for monitoring encrypted network traffic flows
US20190028439A1 (en) Efficient SSL/TLS Proxy
CN111917727A (en) Electric power Internet of things safety intelligent image transmission system and method based on 5G and WiFi
EP3329651B1 (en) Efficient use of ipsec tunnels in a multi-path environment
CN107517183B (en) Method and apparatus for encrypted content detection
US9350711B2 (en) Data transmission method, system, and apparatus
CN107005400A (en) Method for processing business and device
CN108418847B (en) Network traffic caching system, method and device
Merlo et al. A comparative performance evaluation of DNS tunneling tools
US11233777B2 (en) Efficient SSL/TLS proxy
US20200092309A1 (en) Hierarchical scanning of internet connected assets
WO2007036141A1 (en) A system and method for monitoring mobile ip user
CN107124385B (en) Mirror flow-based SSL/TLS protocol plaintext data acquisition method
Schönwälder et al. On the Impact of Security Protocols on the Performance of SNMP
CN110086806B (en) Scanning system for plant station equipment system bugs
Ranjan et al. Security analysis of TLS authentication
CN111181963B (en) Authentication method based on port forwarding hypertext transfer protocol
CN114139192B (en) Encrypted traffic processing method, encrypted traffic processing apparatus, electronic device, medium, and program
CN114679265B (en) Flow acquisition method, device, electronic equipment and storage medium
US20030204586A1 (en) Intelligent data replicator
CN100428748C (en) Dual-status-based multi-party communication method
Gad et al. Hierarchical events for efficient distributed network analysis and surveillance
CN109218064A (en) network management system and management method
CN114070606A (en) Network security terminal device based on domestic operating system and working method
CN113949730A (en) Communication method and device of equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant