Disclosure of Invention
The application aims to provide a remote management and control method, apparatus and device, and a storage medium, so that the security of the related messages transmitted over the network during the management and control process is improved and the risk of interception and tampering is reduced.
In order to solve the technical problem, the application provides the following technical scheme:
a remote management and control method is applied to remote management and control equipment and comprises the following steps:
determining to establish connection with a controlled device;
negotiating a symmetric key with the managed device;
and in the process of managing and controlling the managed and controlled equipment, after encrypting a control instruction by using the symmetric key, sending the encrypted control instruction to the managed and controlled equipment, and after encrypting feedback information by using the symmetric key, returning the encrypted feedback information to the remote management and control equipment by using the managed and controlled equipment.
In a specific embodiment of the present application, the determining to establish a connection with a managed device includes:
sending a connection request to the managed device;
receiving an authentication instruction returned by the controlled equipment, wherein the authentication instruction carries information to be authenticated;
signing the information to be authenticated to obtain signature information, and sending the signature information to the controlled equipment;
and determining to establish connection with the managed device under the condition of receiving authentication success information returned by the managed device.
In a specific embodiment of the present application, the signing the to-be-authenticated information includes:
and signing the information to be authenticated by using a pre-obtained asymmetric key.
In a specific embodiment of the present application, after obtaining the signature information, the method further includes:
carrying out integrity check on the signature information;
and under the condition that the signature information is confirmed to be complete, the step of sending the signature information to the managed device is executed.
In a specific embodiment of the present application, after the receiving the authentication instruction returned by the managed device and before the signing the to-be-authenticated information, the method further includes:
performing identity authentication on an operator;
and if the authentication is passed, executing the step of signing the information to be authenticated.
In a specific embodiment of the present application, the negotiating a symmetric key with the managed device includes:
obtaining a random number which is the same as the random number obtained by the managed device;
and generating a symmetric key based on the random number by using the same key generation algorithm as the managed device respectively.
In a specific embodiment of the present application, the negotiating a symmetric key with the managed device includes:
generating a symmetric key; after encrypting the symmetric key by using a public key obtained in advance, sending the encrypted symmetric key to the controlled device, and decrypting by using a private key by the controlled device to obtain the symmetric key;
or,
receiving a symmetric key which is sent by the managed and controlled equipment and encrypted by using a public key; and obtaining the symmetric key by using private key decryption.
A remote management and control device is applied to remote management and control equipment, and comprises:
the connection establishment determining module is used for determining the establishment of connection with the controlled equipment;
the key negotiation module is used for negotiating a symmetric key with the managed and controlled equipment;
and the device management and control module is used for encrypting a control instruction by using the symmetric key and then sending the encrypted control instruction to the managed and controlled device in the process of managing and controlling the managed and controlled device, and the managed and controlled device returns feedback information to the remote management and control device after encrypting the feedback information by using the symmetric key.
A remote management and control device, comprising:
a memory for storing a computer program;
a processor, configured to implement the steps of any one of the above remote control methods when executing the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the above described remote management methods.
By applying the technical scheme provided by the embodiment of the application, after the remote control device determines to establish connection with the controlled device and negotiates a symmetric key with the controlled device, every message exchanged in the process of managing and controlling the controlled device, whether a control instruction sent by the remote control device to the controlled device or feedback information sent by the controlled device to the remote control device, is encrypted with the negotiated symmetric key before transmission. Even if a control instruction or feedback information is intercepted in transit, the encryption makes it difficult to tamper with, so the security of the related messages in network transmission during the management and control process is improved, the risk of tampering is reduced, and the normal operation of the controlled device can be guaranteed.
Detailed Description
The core of the application is to provide a remote control method, and the method can be applied to remote control equipment. After the remote control device determines to establish connection with the controlled device, a symmetric key can be negotiated with the controlled device; in the process of controlling the controlled device, the symmetric key can be used to encrypt a control instruction before it is sent to the controlled device, and similarly the controlled device can use the symmetric key to encrypt feedback information before returning it to the remote control device. In the process in which the remote control device controls the controlled device, both control instructions and feedback information are transmitted only after being encrypted, so the security of the related messages during network transmission in the control process is improved and the risk of interception and tampering is reduced.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a flowchart of an implementation of a remote management and control method provided in an embodiment of the present application is shown, where the method may include the following steps:
S110: and determining to establish connection with the managed device.
In this embodiment of the application, the remote control device may be a terminal device such as a computer and a tablet computer, the controlled device may be a network device such as a server, a switch and a router, and the controlled device may run an operating system such as Windows and Linux.
The remote management and control device may initiate a connection request to the managed device, and after obtaining a response of the managed device, may determine to establish a connection with the managed device.
Or, when the remote control device establishes connection with the controlled device, the remote control device and the controlled device may perform corresponding identity authentication first, and if the authentication passes, the remote control device determines to establish connection with the controlled device.
S120: and negotiating a symmetric key with the managed device.
After the remote control device determines to establish connection with the controlled device, the remote control device may negotiate a symmetric key with the controlled device.
S130: in the process of managing and controlling the controlled equipment, the control instruction is encrypted by using the symmetric key and then sent to the controlled equipment, and the controlled equipment encrypts feedback information by using the symmetric key and then returns the feedback information to the remote management and control equipment.
After the remote management and control device determines to establish connection with the managed and controlled device and negotiates a symmetric key with the managed and controlled device, the remote management and control device and the managed and controlled device both have the same symmetric key. The remote management device may manage the managed device.
While the remote control device manages the controlled device, it needs to send control instructions to the controlled device, and the controlled device returns feedback information to the remote control device after executing the corresponding actions based on the control instruction. To improve the security of these control-related messages during network transmission, in the embodiment of the present application the remote control device may encrypt the control instruction with the negotiated symmetric key and send the encrypted control instruction to the controlled device when managing and controlling it. After receiving the encrypted control instruction, the controlled device may decrypt it with the symmetric key to obtain the control instruction and then execute the corresponding action based on it. After the controlled device executes the corresponding action, it may encrypt the feedback information with the negotiated symmetric key and return the encrypted feedback information to the remote control device, which decrypts it with the same symmetric key to obtain the feedback information and may then analyze and display it.
After the remote control device and the controlled device encrypt the relevant information with the negotiated symmetric key, an integrity check may further be performed on the encrypted data, for example using a national cryptographic hash algorithm such as SM3.
The embodiment of the present application will be described with reference to the system configuration shown in fig. 2.
The system may include a remote management and control device and a managed device. A client may be deployed on the remote management and control device and a server on the managed device; the remote management and control device and the managed device may be connected through a socket connection between the client and the server, and negotiate a symmetric key. A master pseudo terminal and a slave pseudo terminal may be deployed on a managed device running a Linux operating system. During the process in which the remote management and control device manages and controls the managed device, the client on the remote management and control device may encrypt a control instruction with the symmetric key and send the encrypted control instruction to the server on the managed device; after receiving it, the server may decrypt the encrypted control instruction with the symmetric key to obtain the decrypted control instruction and pass it to the pseudo terminal of the managed device; the pseudo terminal logs in to the managed device and executes the corresponding action based on the control instruction, after which it returns the feedback information to the server; the server encrypts the feedback information with the negotiated symmetric key and sends the encrypted feedback information to the client on the remote management and control device. The server on the managed device may communicate with the pseudo terminal through a pipe, the pseudo terminal being provided with a standard input (stdin) interface and a standard output (stdout) interface.
By applying the method provided by the embodiment of the application, after the remote control device determines to establish connection with the controlled device and negotiates a symmetric key with the controlled device, every message exchanged in the process of managing and controlling the controlled device, whether a control instruction sent by the remote control device to the controlled device or feedback information sent by the controlled device to the remote control device, is encrypted with the negotiated symmetric key before transmission. Even if a control instruction or feedback information is intercepted in transit, the encryption makes it difficult to tamper with, so the security of the related messages in network transmission during the management and control process is improved, the risk of tampering is reduced, and the normal operation of the controlled device can be ensured.
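The encrypted instruction and feedback exchange of S130, together with the integrity check on the encrypted data, as an added example that is not part of the patent's own implementation: both endpoints run in one process, AES-256-GCM and HMAC-SHA256 from Go's standard library stand in for the SM-series ciphers and the SM3 hash the text names, and the Session, Frame and RunExchange names, the direction labels and the constructed feedback reply are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Frame is one protected message on the control channel: AES-GCM nonce,
// ciphertext (carrying GCM's own tag) and a keyed digest over nonce||ciphertext
// that stands in for the SM3 integrity check named in the text (Go's standard
// library has no SM3, so HMAC-SHA256 is substituted here).
type Frame struct {
	Nonce, Ciphertext, Digest []byte
}

// Session is one endpoint's view of the negotiated symmetric key: an AEAD built
// from it and a MAC key derived from it (a choice of this example, not the text).
type Session struct {
	aead   cipher.AEAD
	macKey []byte
}

func NewSession(negotiatedKey []byte) (*Session, error) {
	block, err := aes.NewCipher(negotiatedKey) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, negotiatedKey)
	kdf.Write([]byte("integrity-check-key"))
	return &Session{aead: gcm, macKey: kdf.Sum(nil)}, nil
}

func (s *Session) digest(nonce, ct []byte) []byte {
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(nonce)
	mac.Write(ct)
	return mac.Sum(nil)
}

// Seal encrypts a control instruction or a feedback message. The direction
// label is bound as associated data, so a captured instruction cannot be
// reflected back to the client and accepted as feedback.
func (s *Session) Seal(direction string, plaintext []byte) *Frame {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic("crypto/rand unavailable: " + err.Error()) // fail closed rather than reuse a nonce
	}
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(direction))
	return &Frame{nonce, ct, s.digest(nonce, ct)}
}

// Open checks the integrity digest first, then decrypts and authenticates with
// AES-GCM; either failure rejects the frame before anything acts on it.
func (s *Session) Open(direction string, f *Frame) ([]byte, error) {
	if !hmac.Equal(f.Digest, s.digest(f.Nonce, f.Ciphertext)) {
		return nil, errors.New("integrity check failed: frame damaged or tampered")
	}
	pt, err := s.aead.Open(nil, f.Nonce, f.Ciphertext, []byte(direction))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, nonce or direction")
	}
	return pt, nil
}

// RunExchange drives one control round with both endpoints in one process: the
// client seals the instruction, the server opens it, "executes" it (a constructed
// reply; nothing runs on the host) and seals the feedback, the client opens that.
func RunExchange(negotiatedKey []byte, instruction string) (string, error) {
	client, err := NewSession(negotiatedKey)
	if err != nil {
		return "", err
	}
	server, _ := NewSession(negotiatedKey) // same negotiated key on both ends
	cmd, err := server.Open("client->server", client.Seal("client->server", []byte(instruction)))
	if err != nil {
		return "", err
	}
	feedback := []byte("executed: " + string(cmd))
	fb, err := client.Open("server->client", server.Seal("server->client", feedback))
	return string(fb), err
}

func main() {
	key := make([]byte, 32) // stands in for the key negotiated in S120
	rand.Read(key)
	fmt.Println(RunExchange(key, "uptime"))
}
```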
In one embodiment of the present application, step S110 may include the steps of:
the method comprises the following steps: sending a connection request to the managed device;
step two: receiving an authentication instruction returned by the controlled equipment, wherein the authentication instruction carries information to be authenticated;
step three: signing the information to be authenticated to obtain signature information, and sending the signature information to the controlled equipment;
step four: and determining to establish connection with the managed device under the condition of receiving authentication success information returned by the managed device.
For convenience of description, the above four steps are combined for illustration.
In practical applications, the remote management and control device may send a connection request to the managed device according to practical needs. After receiving a connection request of the remote control device, the controlled device may return an authentication instruction to the remote control device, where the authentication instruction may carry information to be authenticated, and the information to be authenticated may include information such as a version number, a random number, and an algorithm suite.
After receiving the authentication instruction returned by the controlled device, the remote control device may sign the information to be authenticated to obtain signature information, and then send the signature information to the controlled device, and the controlled device may perform identity authentication on the remote control device based on the signature information. Specifically, the managed device may sign the information to be authenticated using the same algorithm, compare the obtained signature information with the received signature information, and if the obtained signature information is consistent with the received signature information, determine that the authentication passes, and if the obtained signature information is inconsistent with the received signature information, determine that the authentication fails.
After the authentication is passed, the managed device may return authentication success information to the remote management device. If the authentication is not passed, the managed device may not respond, or may return authentication failure information to the remote management device. When receiving the authentication success information returned by the managed device, the remote management and control device may determine that the connection with the managed device is established and may continue with further operations such as symmetric key agreement and device management and control. When receiving authentication failure information from the managed device, or receiving no reply from the managed device within a set time period, the remote management device may determine that a connection is not currently established with the managed device, and may repeat sending the connection request to the managed device and the subsequent steps. If the number of repetitions reaches the set threshold, alarm information can be output so that an operator can check the problem in time.
After the identity authentication is passed, it is determined that the connection between the remote control device and the controlled device is established, and then further operations such as symmetric key agreement and device control can be performed, so that it can be ensured that the controlled device is controlled by the legal remote control device, and the controlled device is the legal controlled device.
In a specific embodiment of the present application, the to-be-authenticated information may be signed by using a pre-obtained asymmetric key, so as to obtain signature information.
In practical application, a set of certificate and asymmetric key supporting the cryptographic algorithm may be issued in advance for the remote control device and the controlled device. The certificate and the asymmetric key can adopt a single-certificate mode or a double-certificate mode. The single certificate mode refers to that the same certificate and the corresponding asymmetric key are adopted for data signature and encryption in the operation process; the double-certificate mode is that in the operation process, different certificates and corresponding symmetric keys are respectively adopted for signature and encryption.
After receiving an authentication instruction returned by the controlled device, the remote control device can obtain information to be authenticated of the controlled device, signs the information to be authenticated by using a pre-obtained asymmetric key to obtain signature information, and then sends the signature information to the controlled device.
In a specific embodiment of the present application, after the signature information is obtained, integrity verification may be performed on the signature information, and in a case that it is determined that the signature information is complete, the step of sending the signature information to the managed device is performed. This can avoid incomplete information from interfering with the accuracy of identity authentication.
In a specific embodiment of the application, after receiving the authentication instruction returned by the controlled device and before signing the information to be authenticated, the remote control device may further perform identity authentication on the operator, and if the authentication passes, may perform the step of signing the information to be authenticated.
The identity authentication of the operator can be carried out by password, USB key, fingerprint and the like, so as to strengthen the security authentication and confirm the legitimacy of the operator, effectively preventing an illegitimate operator from performing control operations on the controlled equipment.
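Steps one to four of S110 with the operator check, the signature over the information to be authenticated and the integrity check before sending, as an added example that is not the patent's code: ECDSA P-256 with SHA-256 is substituted for the certificate-based signing algorithm and the SM3 hash the text refers to, and the challenge layout, the Challenge, ManagedDevice, RemoteDevice, Connect and NewPair names and the in-process key provisioning are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Challenge is the "information to be authenticated" carried by the managed
// device's authentication instruction: version number, random number, suite.
type Challenge struct {
	Version string
	Nonce   []byte
	Suite   string
}

// digest fixes field order and separators so both ends sign and verify the
// same bytes (SHA-256 stands in for the text's SM3; Go has no SM3 built in).
func (c Challenge) digest() []byte {
	sum := sha256.Sum256([]byte(c.Version + "|" + hex.EncodeToString(c.Nonce) + "|" + c.Suite))
	return sum[:]
}

// ManagedDevice issues challenges and verifies signatures under the remote
// device's public key, assumed registered in advance from its issued certificate.
type ManagedDevice struct {
	remotePub *ecdsa.PublicKey
	pending   *Challenge // challenge currently outstanding, nil if none
}

// HandleConnectRequest answers a connection request (step one) with a fresh
// challenge (step two); the random nonce keeps an old signature from being replayed.
func (m *ManagedDevice) HandleConnectRequest() Challenge {
	nonce := make([]byte, 16)
	rand.Read(nonce) // never returns an error on Go 1.24+; treat one as fatal on older versions
	m.pending = &Challenge{Version: "1.0", Nonce: nonce, Suite: "ECDSA-P256/SHA-256"}
	return *m.pending
}

// Verify is the managed device's identity check on the received signature; its
// result decides step four. Standard public-key verification is used here rather
// than the recompute-and-compare wording of the text.
func (m *ManagedDevice) Verify(sig []byte) bool {
	if m.pending == nil {
		return false
	}
	ok := ecdsa.VerifyASN1(m.remotePub, m.pending.digest(), sig)
	m.pending = nil // one challenge, one attempt
	return ok
}

// RemoteDevice holds the pre-obtained asymmetric key and the operator check
// (password, USB key or fingerprint in the text; modelled as a callback).
type RemoteDevice struct {
	priv               *ecdsa.PrivateKey
	operatorAuthorized func() bool
}

// Answer is step three: authenticate the operator, sign the challenge, and
// check the signature information is complete before it leaves the device.
func (r *RemoteDevice) Answer(c Challenge) ([]byte, error) {
	if !r.operatorAuthorized() {
		return nil, errors.New("operator authentication failed; not signing")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, r.priv, c.digest())
	if err != nil {
		return nil, err
	}
	if !ecdsa.VerifyASN1(&r.priv.PublicKey, c.digest(), sig) {
		return nil, errors.New("signature information incomplete or corrupt")
	}
	return sig, nil
}

// Connect runs steps one to four, repeating up to maxAttempts as the text
// describes; alarm is set when the threshold is reached without success.
func Connect(r *RemoteDevice, m *ManagedDevice, maxAttempts int) (connected, alarm bool) {
	for i := 0; i < maxAttempts; i++ {
		sig, err := r.Answer(m.HandleConnectRequest())
		if err == nil && m.Verify(sig) {
			return true, false
		}
	}
	return false, true
}

// NewPair generates the remote device's key pair and registers its public half
// on the managed device (the out-of-band provisioning assumed above).
func NewPair(operatorAuthorized func() bool) (*RemoteDevice, *ManagedDevice, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &RemoteDevice{priv, operatorAuthorized}, &ManagedDevice{remotePub: &priv.PublicKey}, nil
}
```

Connect(r, m, 3) on a pair from NewPair with a passing operator check returns (true, false); a failing operator check never signs and ends in (false, true) once the attempt threshold is reached.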
In an embodiment of the present application, the remote management and control device and the managed device may negotiate a symmetric key by:
the method comprises the following steps: obtaining a random number which is the same as the random number obtained by the managed device;
step two: and generating symmetric keys based on random numbers by using the same key generation algorithm as the managed and controlled equipment respectively.
In the embodiment of the present application, the remote management and control device and the managed device may obtain the same random number.
For example, the managed device may generate a random number, and the information to be authenticated carried in the authentication instruction sent to the remote management device may include information of the random number. The remote control device can obtain the random number after receiving the authentication instruction.
During the interaction process, the remote management device and the managed device may perform encryption processing on the transmission data, for example, using a cryptographic algorithm such as SM1, SM4, and the like.
Then, the remote management and control device and the controlled device may respectively use the same key generation algorithm to generate a symmetric key based on the random number, so that the remote management and control device and the controlled device have the same symmetric key. The symmetric key can be used for encryption and decryption operations of corresponding information.
In another embodiment of the present application, the remote management device and the managed device may negotiate a symmetric key by:
generating a symmetric key; encrypting the symmetric key by using a public key obtained in advance, sending the encrypted symmetric key to the controlled equipment, and decrypting by using a private key by the controlled equipment to obtain the symmetric key;
or, receiving a symmetric key which is sent by the controlled device and encrypted by using the public key; the symmetric key is obtained by using the private key for decryption.
In this embodiment of the present application, the remote management and control device may generate a symmetric key, encrypt the symmetric key using a public key obtained in advance, and send the encrypted symmetric key to the managed and controlled device, so that the managed and controlled device obtains the encrypted symmetric key. The managed device can decrypt the key by using a private key to obtain a symmetric key.
Or, the controlled device may generate a symmetric key, encrypt the symmetric key using a public key obtained in advance, and send the encrypted symmetric key to the remote control device, so that the remote control device obtains the encrypted symmetric key. The remote management and control device can decrypt the key by using a private key to obtain a symmetric key.
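The two key negotiation modes of S120, as an added example that is not the patent's code: HMAC-SHA256 is assumed as the unnamed key generation algorithm of the first mode and RSA-OAEP as the public-key encryption of the second (the text names SM1/SM4 for transport encryption and only "public key" for the second mode); the pre-shared secret mixed into the first mode, the labels and the function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveKey is negotiation mode one: both devices run the same key generation
// algorithm over the same random number and obtain the same 32-byte symmetric
// key. HMAC-SHA256 serves as the KDF (the text names none). Because the random
// number crosses the network, this example also mixes in a secret the two
// devices already share; derived from the random number alone, the key could
// be computed by anyone who observed the handshake.
func DeriveKey(sharedRandom, presharedSecret []byte) ([]byte, error) {
	if len(sharedRandom) < 16 {
		return nil, errors.New("random number shorter than 16 bytes")
	}
	if len(presharedSecret) == 0 {
		return nil, errors.New("no pre-shared secret to bind the key to")
	}
	kdf := hmac.New(sha256.New, presharedSecret)
	kdf.Write([]byte("remote-control-session-key|")) // fixed label keeps this key
	kdf.Write(sharedRandom)                           // separate from other uses
	return kdf.Sum(nil), nil
}

// WrapKey is negotiation mode two, sender side: generate a fresh symmetric key
// and encrypt it under the receiver's pre-obtained public key (RSA-OAEP here;
// the text says only "public key"). Either device may be the sender.
func WrapKey(receiverPub *rsa.PublicKey) (plainKey, wrapped []byte, err error) {
	plainKey = make([]byte, 32)
	if _, err = rand.Read(plainKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, plainKey, []byte("session-key"))
	return plainKey, wrapped, err
}

// UnwrapKey is mode two, receiver side: recover the symmetric key with the
// private key. A wrong key or a modified message fails OAEP decoding.
func UnwrapKey(receiverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, wrapped, []byte("session-key"))
	if err != nil {
		return nil, errors.New("cannot unwrap: wrong private key or damaged message")
	}
	if len(key) != 32 {
		return nil, errors.New("unwrapped key has unexpected length")
	}
	return key, nil
}

// NegotiateByWrap runs mode two end to end: the receiver's key pair stands for
// the certificate and asymmetric key issued in advance; the sender wraps a new
// session key for it. Both sides' copies are returned so they can be compared.
func NegotiateByWrap() (senderKey, receiverKey []byte, err error) {
	receiverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	senderKey, wrapped, err := WrapKey(&receiverPriv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	receiverKey, err = UnwrapKey(receiverPriv, wrapped)
	return senderKey, receiverKey, err
}

func main() {
	secret := []byte("constructed pre-shared secret")
	nonce := make([]byte, 16) // in the text: the random number from the authentication instruction
	rand.Read(nonce)
	k1, _ := DeriveKey(nonce, secret) // managed device's copy
	k2, _ := DeriveKey(nonce, secret) // remote device's copy
	fmt.Println("mode one keys match:", bytes.Equal(k1, k2))
	s, r, err := NegotiateByWrap()
	fmt.Println("mode two keys match:", err == nil && bytes.Equal(s, r))
}
```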
Corresponding to the above method embodiment, an embodiment of the present application further provides a remote management and control apparatus, which is applied to a remote management and control device, and the remote management and control apparatus described below and the remote management and control method described above may be referred to in correspondence.
Referring to fig. 3, the apparatus may include:
a connection establishment determination module 310, configured to determine to establish a connection with a managed device;
a key negotiation module 320, configured to negotiate a symmetric key with a managed device;
the device management and control module 330 is configured to encrypt the control instruction by using the symmetric key in the management and control process of the managed and controlled device, send the encrypted control instruction to the managed and controlled device, encrypt the feedback information by using the symmetric key by the managed and controlled device, and return the encrypted feedback information to the remote management and control device.
By applying the device provided by the embodiment of the application, after the remote control device determines to establish connection with the controlled device and negotiates a symmetric key with the controlled device, every message exchanged in the process of managing and controlling the controlled device, whether a control instruction sent by the remote control device to the controlled device or feedback information sent by the controlled device to the remote control device, is encrypted with the negotiated symmetric key before transmission. Even if a control instruction or feedback information is intercepted in transit, the encryption makes it difficult to tamper with, so the security of the related messages in network transmission during the management and control process is improved, the risk of tampering is reduced, and the normal operation of the controlled device can be guaranteed.
In one embodiment of the present application, the connection establishment determining module 310 is configured to:
sending a connection request to the managed device;
receiving an authentication instruction returned by the controlled equipment, wherein the authentication instruction carries information to be authenticated;
signing the information to be authenticated to obtain signature information, and sending the signature information to the controlled equipment;
and determining to establish connection with the managed device under the condition of receiving authentication success information returned by the managed device.
In one embodiment of the present application, the connection establishment determining module 310 is configured to:
and signing the information to be authenticated by using the asymmetric key obtained in advance.
In one embodiment of the present application, the connection establishment determining module 310 is further configured to:
after the signature information is obtained, carrying out integrity check on the signature information;
and in the case of confirming that the signature information is complete, executing the step of sending the signature information to the managed device.
In one embodiment of the present application, the connection establishment determining module 310 is further configured to:
after receiving an authentication instruction returned by the controlled equipment and before signing the information to be authenticated, performing identity authentication on an operator;
and if the authentication is passed, executing the step of signing the information to be authenticated.
In one embodiment of the present application, the key agreement module 320 is configured to:
obtaining a random number which is the same as the random number obtained by the managed device;
and generating symmetric keys based on random numbers by using the same key generation algorithm as the managed and controlled equipment respectively.
In one embodiment of the present application, the key agreement module 320 is configured to:
generating a symmetric key; encrypting the symmetric key by using a public key obtained in advance, sending the encrypted symmetric key to the controlled equipment, and decrypting by using a private key by the controlled equipment to obtain the symmetric key;
or,
receiving a symmetric key which is sent by the controlled equipment and encrypted by using a public key; the symmetric key is obtained by using the private key for decryption.
Corresponding to the above method embodiment, an embodiment of the present application further provides a remote management and control device, including:
a memory for storing a computer program;
and the processor is used for realizing the steps of the remote control method when executing the computer program.
As shown in fig. 4, in order to illustrate a composition structure of the remote management and control device, the remote management and control device may include: a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 all communicate with each other through a communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, a field programmable gate array or other programmable logic device, etc.
The processor 10 may call a program stored in the memory 11, and in particular, the processor 10 may perform operations in an embodiment of the remote management method.
The memory 11 is used for storing one or more programs, the program may include program codes, the program codes include computer operation instructions, in this embodiment, the memory 11 stores at least the program for implementing the following functions:
determining to establish connection with a controlled device;
negotiating a symmetric key with a managed device;
in the process of managing and controlling the controlled equipment, the control instruction is encrypted by using the symmetric key and then sent to the controlled equipment, and the controlled equipment encrypts feedback information by using the symmetric key and then returns the feedback information to the remote management and control equipment.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a network connection function and a data transmission function), and the like; the storage data area may store data created during use, such as key data, instruction data, and the like.
Further, the memory 11 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other volatile solid state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 4 does not constitute a limitation on the remote management device in the embodiment of the present application, and in practical applications, the remote management device may include more or less components than those shown in fig. 4, or some components may be combined.
Corresponding to the above method embodiment, this application embodiment further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the above remote management and control method are implemented.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the implementation of the present application are explained in the present application by using specific examples, and the above description of the embodiments is only used to help understanding the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.