CN111935187B - Data access method and device - Google Patents

Data access method and device

Info

Publication number: CN111935187B
Application number: CN202011081418.1A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111935187A
Inventor: 赵熙
Current assignee: Nanjing Ecloud Technology Co ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Nanjing Ecloud Technology Co ltd
Legal status: Active (an assumption, not a legal conclusion; Google has not performed a legal analysis)
Prior art keywords: client, proxy gateway, message, gateway, address

Events: application filed by Nanjing Ecloud Technology Co ltd; priority to CN202011081418.1A; publication of CN111935187A; application granted; publication of CN111935187B; current legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Abstract

The invention provides a data access method and a data access device, and relates to the technical field of network security. The method comprises the following steps: acquiring a registered device identifier of a client and generating a device feature code from the registered device identifier; a security authentication gateway acquiring an authentication packet sent by the client and verifying the validity of the authentication packet; after the authentication packet is verified to be legal, the security authentication gateway sending to the client a generated KEY value and the proxy gateway address of the proxy gateway allocated to the client; the client sending a UDP packet to the proxy gateway according to the proxy gateway address, the UDP packet comprising the KEY value, the device feature code and the client's source address; and the proxy gateway verifying the KEY value and the device feature code, writing the source address into a trust list after the verification passes, and filtering all received packets according to the trust list so that the client can access data, thereby achieving data access with high security.

Description

Data access method and device
Technical Field
The invention relates to the technical field of network security, in particular to a data access method and device.
Background
With the popularization and rapid development of networks, the number of network users and the volume of network traffic have grown, so that latent network problems become increasingly serious and network attacks of every kind emerge endlessly. For enterprises connected to the Internet in particular, the security of the internal network faces a severe test. Traditional network proxy services also bring a series of derived problems: they are slow, and anyone who obtains an account can access the enterprise's internal network at will. How to improve Internet access quality and network performance so that office work runs more smoothly, while at the same time guaranteeing the security of the enterprise's internal network, is therefore very important. However, in existing network access, whether access authority exists is decided by the account and password alone, and once the account and password are lost the security of data access can no longer be ensured.
Disclosure of Invention
The invention aims to provide a data access method and a data access device, so as to solve the problem of low network access security in the prior art.
In a first aspect, an embodiment of the present application provides a data access method, the method comprising: acquiring a registered device identifier of a client and generating a device feature code from the registered device identifier; a security authentication gateway acquiring an authentication packet sent by the client and verifying the validity of the authentication packet; after the authentication packet is verified to be legal, the security authentication gateway sending to the client a generated KEY value and the proxy gateway address of the proxy gateway allocated to the client; the client sending a UDP packet to the proxy gateway according to the proxy gateway address, the UDP packet comprising the KEY value, the device feature code and the client's source address; and the proxy gateway verifying the KEY value and the device feature code, writing the source address into a trust list after the verification passes, and filtering all received packets according to the trust list so that the client can access data.
In this implementation, after the unique device feature code corresponding to the client has been obtained, the client sends an authentication packet to the security authentication gateway, which verifies the validity of the client's identity from the authentication packet. The security authentication gateway sends a KEY value to a client whose identity is legal and allocates a corresponding proxy gateway to it. The client sends a UDP packet to the proxy gateway; once the proxy gateway has verified that UDP packet, it filters received packets according to the source address carried in it, so that packets sent by the client are passed by the proxy gateway and data access with high security is achieved.
In some embodiments of the present invention, the authentication packet includes an account, a password and a registered device identifier, and verifying the validity of the authentication packet includes: the security authentication gateway searching a database for a record consistent with the account, the password and the registered device identifier. If the account, password and registered device identifier match a record in the database, the client is authenticated as a legal device, so that the subsequent access can continue.
In some embodiments of the present invention, after the step in which the security authentication gateway sends the generated KEY value and the proxy gateway address of the allocated proxy gateway to the client, and before the step in which the client sends the UDP packet to the proxy gateway according to that address, the method includes: the client performing authentication and single-packet authentication according to the KEY value.
In some embodiments of the present invention, the step in which the client sends the UDP packet to the proxy gateway according to the proxy gateway address includes: the client encrypting the KEY value and the device feature code respectively to obtain a first encrypted value and a second encrypted value; and the client sending to the proxy gateway a UDP packet comprising the first encrypted value, the second encrypted value and the client's source address.
In some embodiments of the present invention, the step in which the proxy gateway verifies the KEY value and the device feature code includes: the proxy gateway decrypting the first encrypted value and the second encrypted value respectively to obtain a first decrypted value and a second decrypted value; and the proxy gateway sending the first decrypted value to the security authentication gateway for verification and verifying the second decrypted value against the database.
In some embodiments of the present invention, the KEY value is valid for a preset time period, and after the step in which the proxy gateway verifies the KEY value and the device feature code, writes the source address into the trust list once the verification passes and filters all received packets according to the trust list so that the client can access data, the method further includes: judging, according to the preset time period, whether the KEY value has expired; and, if the KEY value has expired, deleting the source address from the trust list. Packets sent by the client are then filtered out by the proxy gateway, and if they are to be passed again the verification must be performed anew, which ensures the security of data access.
In some embodiments of the present invention, after the step in which the proxy gateway verifies the KEY value and the device feature code, the method further includes: after the verification passes, establishing a connection between the client and the proxy gateway; the proxy gateway obtaining the client's port and adding it to the trust list, where the port in the trust list is matched with the source address; and judging, for each received packet, whether its source address and port match an entry in the trust list, and passing the packet if so. Filtering jointly on source address and port further ensures the security of the connection.
In some embodiments of the invention, after the step of establishing a connection between the client and the proxy gateway, the method includes: the proxy gateway obtaining from the database the access policy control list corresponding to the client, the access policy control list comprising all internal network addresses the client is allowed to access; the proxy gateway sending the access policy control list to the client; the client enabling its kernel module to filter IP packets whose destination address is an internal network address in the policy list; and the client copying the IP packets to user space and sending the filtered IP packets to the proxy gateway over the link established between the client and the proxy gateway.
In this implementation the proxy gateway sends the access policy control list to the client, and the client filters packets according to the internal network addresses in that list, so that the client does not send packets that violate the policy to the proxy gateway, which would otherwise cause the proxy gateway to disconnect. Access efficiency is thus improved together with access security.
In some embodiments of the present invention, after the step in which the proxy gateway verifies the KEY value and the device feature code, the method further includes: after the verification passes, the proxy gateway allocating a virtual IP address to the client so as to establish a connection between the client and the proxy gateway, where different virtual IP addresses communicate with different internal networks.
In some embodiments of the invention, after the step in which the proxy gateway allocates the virtual IP address to the client, the method further includes: the proxy gateway verifying the integrity of the data packet sent by the client and obtaining the initial packet from it; the proxy gateway converting the source address of the initial packet into the virtual network address allocated to the client; the proxy gateway writing the converted packet into the corresponding virtual network card and reading the converted packet back from the virtual network card; and obtaining the destination address of the converted (returning) packet and converting it back into the client address of the initial packet, so that data is sent to the client.
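The following is an added example, not code from the patent or from Nanjing Ecloud, of the two data-plane steps described in the last four paragraphs: the client-side policy filter that admits only packets whose destination is on the access policy control list, and the proxy gateway's rewriting of the source address to the client's allocated virtual IP (and of the destination address back again for replies). It works on raw IPv4 headers constructed inline; the header checksum check stands in for the integrity verification, which the patent does not specify; the class and function names, the addresses and the policy list are all assumptions.

```python
import ipaddress
import struct

# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; a header whose checksum field is correct sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload=b"", proto=6, ttl=64, ident=0x1234):
    """Constructed test packet: minimal 20-byte header plus payload (no options)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Integrity-check stand-in: validates version, header length and header checksum.
    Returns (header length, source address, destination address)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header length or checksum")
    return ihl, str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def _rewrite_addr(pkt, offset, new_ip):
    """Replace the address at header offset 12 (src) or 16 (dst) and refresh the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[offset:offset + 4] = ipaddress.IPv4Address(new_ip).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


class ClientPolicyFilter:
    """Client-side role of the kernel module: only packets whose destination is on the
    access policy control list are copied to user space and sent into the tunnel."""

    def __init__(self, access_policy_list):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in access_policy_list]

    def should_tunnel(self, pkt):
        _, _, dst = parse_ipv4(pkt)
        dst_addr = ipaddress.IPv4Address(dst)
        return any(dst_addr in net for net in self.networks)


class ProxyVirtualIpNat:
    """Proxy-gateway role: a client packet has its source rewritten to the client's virtual
    IP before it is written to the virtual network card; a reply read back from the card
    has its destination (the virtual IP) rewritten to the client's real address."""

    def __init__(self, client_addr, virtual_ip):
        self.client_addr, self.virtual_ip = client_addr, virtual_ip

    def to_internal(self, pkt):
        _, src, _ = parse_ipv4(pkt)  # raises on a corrupted header
        if src != self.client_addr:
            raise ValueError("packet does not come from the tunnelled client")
        return _rewrite_addr(pkt, 12, self.virtual_ip)

    def to_client(self, pkt):
        _, _, dst = parse_ipv4(pkt)
        if dst != self.virtual_ip:
            raise ValueError("reply is not addressed to this client's virtual IP")
        return _rewrite_addr(pkt, 16, self.client_addr)
```

Rewriting an IP address also changes the TCP/UDP pseudo-header, so a real gateway must update the transport-layer checksum as well, which this example leaves aside. A header checksum only catches accidental corruption; the integrity verification on the tunnel should be a MAC or AEAD tag computed with a key shared by the client and the proxy gateway, so that a packet injected by a third party on the path is rejected rather than translated and forwarded.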
In a second aspect, an embodiment of the present application provides a data access apparatus comprising: a device identifier acquisition module for acquiring the registered device identifier of the client and generating the device feature code from the registered device identifier; a packet authentication module for the security authentication gateway to acquire the authentication packet sent by the client and verify its validity; a proxy gateway allocation module for the security authentication gateway to send the generated KEY value and the proxy gateway address of the allocated proxy gateway to the client after the authentication packet is verified to be legal; a UDP packet sending module for the client to send the UDP packet to the proxy gateway according to the proxy gateway address, the UDP packet comprising the KEY value, the device feature code and the client's source address; and a packet filtering module for the proxy gateway to verify the KEY value and the device feature code, write the source address into the trust list after the verification passes, and filter all received packets according to the trust list so that the client can access data.
In some embodiments of the present invention, the authentication packet includes an account, a password and a registered device identifier, and the packet authentication module includes: an authentication retrieval unit for the security authentication gateway to search the database for a record consistent with the account, the password and the registered device identifier.
In some embodiments of the invention, the apparatus comprises: a KEY value authentication module for the client to perform authentication and single-packet authentication according to the KEY value.
In some embodiments of the present invention, the UDP packet sending module includes: an encryption unit for the client to encrypt the KEY value and the device feature code respectively to obtain a first encrypted value and a second encrypted value; and a sending unit for the client to send to the proxy gateway a UDP packet comprising the first encrypted value, the second encrypted value and the client's source address.
In some embodiments of the present invention, the packet filtering module includes: a decryption unit for the proxy gateway to decrypt the first encrypted value and the second encrypted value respectively to obtain a first decrypted value and a second decrypted value; and a verification unit for the proxy gateway to send the first decrypted value to the security authentication gateway for verification and to verify the second decrypted value against the database.
In some embodiments of the present invention, the KEY value is valid for a preset time period, and the apparatus further comprises: an expiry judgment module for judging, according to the preset time period, whether the KEY value has expired; and an expiry processing module for deleting the source address from the trust list if the KEY value has expired.
In some embodiments of the invention, the apparatus further comprises: a connection establishing module for establishing a connection between the client and the proxy gateway after the verification passes; a port matching module for the proxy gateway to obtain the client's port and add it to the trust list, where the port in the trust list is matched with the source address; and a port filtering module for judging whether the source address and port of a received packet match an entry in the trust list, and passing the packet if so.
In some embodiments of the invention, the apparatus comprises: an access policy acquisition module for the proxy gateway to obtain from the database the access policy control list corresponding to the client, the access policy control list comprising all internal network addresses the client is allowed to access; an access policy issuing module for the proxy gateway to send the access policy control list to the client; a filtering module for enabling the client's kernel module to filter IP packets whose destination address is an internal network address in the policy list; and a packet sending module for the client to copy the IP packets to user space and send the filtered IP packets to the proxy gateway over the link established between the client and the proxy gateway.
In some embodiments of the invention, the apparatus further comprises: a virtual channel establishing module for the proxy gateway to allocate a virtual IP address to the client after the verification passes so as to establish a connection between the client and the proxy gateway, where different virtual IP addresses communicate with different internal networks.
In some embodiments of the invention, the apparatus further comprises: a packet integrity verification module for the proxy gateway to verify the integrity of the data packet sent by the client and obtain the initial packet from it; a source address conversion module for the proxy gateway to convert the source address of the initial packet into the virtual network address allocated to the client; a packet reading module for the proxy gateway to write the converted packet into the corresponding virtual network card and read the converted packet back from the virtual network card; and a destination address conversion module for obtaining the destination address of the converted packet and converting it into the client address of the initial packet, so that data is sent to the client.
In a third aspect, an embodiment of the present application provides an electronic device comprising a memory for storing one or more programs and a processor; when the one or more programs are executed by the processor, they implement the method of any embodiment of the first aspect described above.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the method of any embodiment of the first aspect described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a flowchart of a data access method according to an embodiment of the present invention;
fig. 2 is a block diagram of a data access apparatus according to an embodiment of the present invention;
fig. 3 is a block diagram of an electronic device according to an embodiment of the present invention.
Reference numerals: 100: data access apparatus; 110: device identifier acquisition module; 120: packet authentication module; 130: proxy gateway allocation module; 140: UDP packet sending module; 150: packet filtering module; 101: memory; 102: processor; 103: communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the individual features of the embodiments can be combined with one another without conflict.
Before the data access method provided by the application is introduced, the device configuration environment is described. A user-right access policy control list needs to be configured on the management platform in the proxy gateway, and the registration ID of each device, i.e. its registered device identifier, needs to be entered; each terminal device corresponds to exactly one registration ID. In addition, a proxy gateway and a security authentication gateway need to be deployed in the system.
Referring to fig. 1, fig. 1 is a flowchart of a data access method according to an embodiment of the present invention, where the method includes the following steps:
step S110: and acquiring a registered equipment identifier of the client, and generating an equipment feature code according to the registered equipment identifier.
The registered equipment identification of the client is unique, the equipment feature code generated according to the registered equipment identification is also unique, the client can be identified in the data access process according to the unique equipment feature code, the account number and the password are prevented from being stolen and then accessed on other clients, and therefore the data access safety is improved.
Step S120: the security authentication gateway acquires an authentication message sent by the client and verifies the validity of the authentication message.
The authentication message comprises an account number, a password and a registered equipment identifier, and the step of verifying the validity of the authentication message comprises the following steps: the security authentication gateway searches whether data consistent with the account number, the password and the registered equipment identification exist in a database.
When logging in for the first time, the account number, the password and the address of the security authentication gateway input by the user can be acquired, and an authentication message is initiated to the security authentication gateway according to the address of the security authentication gateway. Specifically, the authentication message includes an account number, a password and a registered device identifier, the security authentication gateway performs database retrieval on the user name, the password and the registered device identifier, and if the user name, the password and the registered device identifier are retrieved in the database, the user side can be authenticated as a legal device, so that subsequent access can be ensured to be continued.
Step S130: and after the authentication message is verified to be legal, the security authentication gateway sends the generated KEY value and the proxy gateway address of the proxy gateway distributed for the client to the client.
In order to balance the load of the client, the security authentication gateway distributes the proxy gateway address of the proxy gateway for the client after authenticating the authentication message sent by the client. For example, the allocation may be performed according to the data access amount of the proxy gateway, and the specific allocation scheme may be allocated according to the processing performance of the proxy gateway. The corresponding proxy gateway is distributed to each client, so that the dynamic change and adjustment of the proxy gateways can be realized, the load is balanced, and the access speed is improved.
Step S140: The client sends a UDP packet to the proxy gateway according to the proxy gateway address; the UDP packet comprises the KEY value, the device feature code and the client's source address.
Step S150: The proxy gateway verifies the KEY value and the device feature code, writes the source address into the trust list after the verification passes, and filters all received packets according to the trust list so that the client can access data.
In this implementation, after the unique device feature code corresponding to the client has been obtained, the client sends an authentication packet to the security authentication gateway, which verifies the validity of the client's identity from the authentication packet. The security authentication gateway sends a KEY value to a client whose identity is legal and allocates a corresponding proxy gateway to it. The client sends a UDP packet to the proxy gateway; once the proxy gateway has verified that UDP packet, it filters received packets according to the source address carried in it, so that packets sent by the client are passed by the proxy gateway and data access with high security is achieved.
After the client has been allocated its proxy gateway, the client and the proxy gateway communicate over UDP: the client sends the proxy gateway a UDP packet containing the KEY value, the device feature code and the client's source address.
In some embodiments of the present invention, when the client sends the UDP packet to the proxy gateway according to the proxy gateway address, the client first encrypts the KEY value and the device feature code to obtain a first encrypted value and a second encrypted value, and then sends the proxy gateway a UDP packet comprising the first encrypted value, the second encrypted value and the client's source address.
In some embodiments of the present invention, when the proxy gateway verifies the KEY value and the device feature code, it first decrypts the first encrypted value and the second encrypted value respectively to obtain a first decrypted value and a second decrypted value, then sends the first decrypted value to the security authentication gateway for verification and verifies the second decrypted value against the database.
For example, the client may encrypt the KEY value with a symmetric encryption algorithm; different symmetric algorithms may be used for different KEY values, and each client may use a different encryption algorithm. The client may also base64-encode the device feature code (the original calls this "base64 encryption", but base64 is a reversible encoding that provides neither confidentiality nor integrity on its own, so whatever protection is applied to the KEY value should cover the device feature code as well). Before sending, the client may encapsulate the encrypted KEY value and the encoded device feature code into a data packet in KEY:VALUE format, which is then encapsulated in a UDP packet and sent to the proxy gateway, so that neither part is missed or mismatched and the reliability of data access is ensured.
After receiving the client's UDP packet, the proxy gateway first stores the packet's source address, then decrypts the KEY part of the UDP packet with the key of the symmetric algorithm and base64-decodes the VALUE part. It then sends the decrypted KEY value to the security authentication gateway for verification and checks the decoded VALUE part against all device feature codes stored in the database. Once both the KEY value and the VALUE part have been verified as correct, the proxy gateway adds the source address to the trust list. Subsequently received packets are passed or filtered according to their source address: packets from an address on the trust list are passed, so that the client can access data smoothly while the security of data access is improved.
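Below is an added example, not the patent's or the assignee's code, of the exchange in steps S120 to S150 as described here and in the embodiments above: the security authentication gateway checks account, password and registered device identifier and issues a KEY value together with a proxy gateway address; the client packs the encrypted KEY part and the base64-encoded VALUE part into the UDP payload; the proxy gateway decrypts both, verifies the KEY value with the authentication gateway and the feature code against its database, and admits the source address to the trust list. It uses only the Python standard library, so the unspecified symmetric algorithm is stood in for by an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (use AES-GCM or ChaCha20-Poly1305 in a real deployment). The shared key, the user record, the feature-code derivation, the least-loaded gateway-selection rule and every name in the block are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: a symmetric key shared by the client and its proxy gateway (constructed value).
PROXY_KEY = bytes(range(32))

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag.  Use AES-GCM in production."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def device_feature_code(registered_id):
    """S110: derive the unique feature code from the registered device ID (assumed: SHA-256)."""
    return hashlib.sha256(b"feature-code:" + registered_id.encode()).hexdigest()

def make_db():
    """Constructed user database: account -> salted password hash and registered device ID."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    return {"alice": {"salt": salt, "pw_hash": pw_hash, "device_id": "DEV-001"}}

class SecurityAuthGateway:
    """S120/S130: checks account, password and registered device ID, then issues a KEY value."""

    def __init__(self, db, proxy_loads, key_ttl=300):
        self.db, self.proxy_loads, self.key_ttl = db, proxy_loads, key_ttl
        self.issued = {}  # KEY value -> (feature code it was issued for, expiry time)

    def authenticate(self, account, password, registered_id):
        rec = self.db.get(account)
        if rec is None or not hmac.compare_digest(rec["device_id"].encode(), registered_id.encode()):
            return None
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
            return None
        key_value = os.urandom(16).hex()
        self.issued[key_value] = (device_feature_code(registered_id), time.time() + self.key_ttl)
        proxy = min(self.proxy_loads, key=self.proxy_loads.get)  # least-loaded proxy gateway
        self.proxy_loads[proxy] += 1
        return key_value, proxy

    def verify_key(self, key_value, feature_code):
        """Called by the proxy gateway with the decrypted KEY part and the decoded feature code."""
        entry = self.issued.get(key_value)
        return entry is not None and entry[0] == feature_code and time.time() < entry[1]

def build_udp_payload(key_value, feature_code):
    """S140: the KEY part is encrypted; the VALUE part is only base64-encoded, as in the text."""
    return json.dumps({
        "KEY": base64.b64encode(sym_encrypt(PROXY_KEY, key_value.encode())).decode(),
        "VALUE": base64.b64encode(feature_code.encode()).decode(),
    }).encode()

class ProxyGateway:
    """S150: decrypts both parts, checks the KEY with the auth gateway and the feature code
    against the database, then admits the packet's source address to the trust list."""

    def __init__(self, auth_gateway, known_feature_codes):
        self.auth, self.known = auth_gateway, known_feature_codes
        self.trust_list = set()

    def handle_udp(self, src_addr, payload):
        try:
            msg = json.loads(payload)
            key_value = sym_decrypt(PROXY_KEY, base64.b64decode(msg["KEY"])).decode()
            feature_code = base64.b64decode(msg["VALUE"]).decode()
        except (ValueError, KeyError, TypeError):
            return False  # malformed, tampered or wrongly keyed: the source stays filtered
        if feature_code not in self.known or not self.auth.verify_key(key_value, feature_code):
            return False
        self.trust_list.add(src_addr)
        return True

    def allow(self, src_addr):
        """Filter applied to every later packet: pass only trust-listed source addresses."""
        return src_addr in self.trust_list
```

Two points a deployment has to settle that the description leaves open. The database lookup of "account, password and device identifier" works just as well against a salted password hash, as in the example, so the plaintext password never needs to be stored. And because the trust list is keyed by source address, anyone who can send from that address (a host behind the same NAT, or a spoofed source on the path) inherits the admission until the KEY value expires; the source-address-plus-port match described further on narrows that window but does not close it.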
In some embodiments of the present invention, after the step of sending the generated KEY value and the proxy gateway address of the proxy gateway allocated to the client by the security authentication gateway, and before the step of sending the UDP packet to the proxy gateway according to the proxy gateway address by the client, the client may perform authentication and single packet authentication according to the KEY value to ensure the security of the KEY value, thereby ensuring the security of network access.
In some embodiments of the present invention, the KEY value is valid within the preset time period, the proxy gateway verifies the KEY value and the device feature code, and writes the source address into the trust list after the verification is passed, and filters all received messages according to the trust list, so that after the step of performing data access by the client, whether the KEY value is invalid or not can be determined according to the preset time period; if the KEY value fails, the source address is deleted from the trust list.
For example, if the preset time period is 5 minutes, the client does not initiate tcp packet connection within 5 minutes, and the proxy gateway removes the source address of the client from the trust list. After 5 minutes, the message sent by the client side can be filtered by the proxy gateway, and if the proxy gateway wants to release the message again, the verification needs to be carried out again, so that the safety of data access can be ensured.
In some embodiments of the present invention, the proxy gateway verifies the KEY value and the device feature code, and after the verification is passed, the connection is established between the client and the proxy gateway, and the proxy gateway obtains the port of the client and adds the port to the trust list, where the port in the trust list is matched with the source address. And judging whether the source address and the port of the received message are matched and exist in the trust list, if so, releasing the message.
For example, the source address of the client in the trust list is a, after the connection is established between the client and the proxy gateway, and after the connection is established, the proxy gateway obtains the port of the client as M, and adds the port M into the trust list. If the proxy gateway receives the message with the source address A and the port M, the message can be released according to the trust name list. If the proxy gateway receives the message with the source address A and the port N, the message can be filtered according to the trust name list. Therefore, the server is prevented from sending the connection of a plurality of different ports, and the security of the connection can be further ensured by adopting the strategy of jointly filtering the source address and the ports.
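The proxy-gateway steps described above (KEY:VALUE UDP message, decryption of KEY with the shared symmetric key, base64 decoding of VALUE, the check against the device feature codes in the database, a trust-list entry keyed by source address, expiry after the preset 5-minute period, and matching on source address plus port once the connection is established), as an added Python example that is not part of the patent. The SHA-256 keystream cipher, the nonce-prefixed packet layout, the `device_feature_code` derivation and the `auth_gateway_verify` callback are assumptions standing in for details the text does not specify.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the unnamed "symmetric encryption algorithm" of the text: a
    # SHA-256 keystream in counter mode, used only to keep this example offline.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def device_feature_code(registered_device_id: str) -> bytes:
    """Feature code derived from the registered device identifier (assumption:
    the text only says it is generated from that identifier)."""
    return hashlib.sha256(registered_device_id.encode()).digest()


def build_udp_payload(sym_key: bytes, nonce: bytes, key_value: bytes,
                      feature_code: bytes) -> bytes:
    """Client side. KEY part = base64(nonce || encrypted KEY value), VALUE part =
    base64(feature code). base64 is an encoding, not encryption: the feature
    code is readable to anyone who captures the packet."""
    key_part = base64.b64encode(nonce + sym_crypt(sym_key, nonce, key_value))
    return key_part + b":" + base64.b64encode(feature_code)


@dataclass
class TrustEntry:
    port: Optional[int]   # None until the TCP connection is established
    last_seen: float      # time of the last message passed for this source


@dataclass
class ProxyGateway:
    sym_key: bytes
    auth_gateway_verify: Callable[[bytes], bool]  # stands in for asking the security authentication gateway
    registered_codes: set                          # device feature codes stored in the database
    ttl: float = 300.0                             # preset validity period of the KEY value (5 minutes)
    trust: Dict[str, TrustEntry] = field(default_factory=dict)

    def handle_udp(self, src_addr: str, payload: bytes, now: float) -> bool:
        """Decrypt KEY, base64-decode VALUE, verify both, then write the source
        address into the trust list. Returns True when src_addr becomes trusted."""
        try:
            key_part, value_part = payload.split(b":", 1)
            blob = base64.b64decode(key_part, validate=True)
            nonce, ciphertext = blob[:8], blob[8:]
            key_value = sym_crypt(self.sym_key, nonce, ciphertext)
            feature_code = base64.b64decode(value_part, validate=True)
        except ValueError:                 # malformed message: never trusted
            return False
        if len(nonce) != 8 or not self.auth_gateway_verify(key_value):
            return False
        if feature_code not in self.registered_codes:
            return False
        self.trust[src_addr] = TrustEntry(port=None, last_seen=now)
        return True

    def expire(self, now: float) -> None:
        """Remove sources whose KEY value has lapsed (no message within ttl)."""
        for src in [s for s, e in self.trust.items() if now - e.last_seen > self.ttl]:
            del self.trust[src]

    def establish_connection(self, src_addr: str, port: int, now: float) -> bool:
        """Once the TCP connection exists, record the client's port so that later
        messages must match on source address and port together."""
        self.expire(now)
        entry = self.trust.get(src_addr)
        if entry is None:
            return False
        entry.port, entry.last_seen = port, now
        return True

    def allow(self, src_addr: str, port: int, now: float) -> bool:
        """Filter one received message against the trust list."""
        self.expire(now)
        entry = self.trust.get(src_addr)
        if entry is None or (entry.port is not None and entry.port != port):
            return False
        entry.last_seen = now
        return True
```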
In some embodiments of the present invention, after the connection between the client and the proxy gateway is established, the proxy gateway obtains from the database the access policy control list corresponding to the client, which lists all internal network addresses the client is allowed to access. The proxy gateway sends the access policy control list to the client; the client starts its kernel module to filter IP messages whose destination address is an internal network address in the policy list, copies those IP messages to user space, and sends the filtered IP messages to the proxy gateway over the link established between the client and the proxy gateway.
At the same time, the proxy gateway can fetch the client's access policy control list from the database; the list is bound to the user login and holds the internal network addresses that may be accessed. The proxy gateway passes the policy addresses to the client. After receiving the policy, the client starts its kernel module to filter IP messages whose destination address is in the policy list, copies them to user mode, and sends the IP messages that conform to the policy to the proxy gateway service over the TCP link established with the proxy gateway.
In some embodiments of the present invention, after the step in which the proxy gateway verifies the KEY value and the device feature code, the method further includes: after verification passes, the proxy gateway allocates a virtual IP address to the client so as to establish the connection between the client and the proxy gateway, where different virtual IP addresses communicate with different internal networks. The proxy gateway service allocates a virtual IP address to each client, and different virtual addresses can communicate directly with different internal networks, which improves network performance.
Meanwhile, different virtual addresses can be allocated to clients with different permissions, whose rights to access intranet ports may differ; each virtual channel can carry a security firewall policy for its egress messages, and the addresses and ports used to access the internal network can be restricted, so that the internal network is protected at a finer granularity.
In some embodiments of the present invention, after the proxy gateway allocates the virtual IP address to the client, it verifies the integrity of the data message sent by the client, obtains the initial message within it, and converts the source address of the initial message into the virtual network address allocated to the client. The proxy gateway writes the converted message into the corresponding virtual network card, reads the converted message back from the virtual network card, obtains its destination address, and converts that destination address into the client address of the initial message so that data is sent to the client. In this way bidirectional access between the proxy gateway and the client is realized, completing the client's access to the internal network.
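The virtual-channel steps above (a virtual IP allocated per permission group, each reaching one internal network; a per-channel egress firewall policy on address and port; integrity verification; source rewrite to the virtual IP on the way in and destination rewrite back to the client address on the way out), together with the client-side kernel filter against the access policy control list from the two earlier paragraphs, as an added Python example that is not the patent's own code. The HMAC integrity tag, the dict packet shape, the sample address pools and `parse_policy` are assumptions; packets are in-memory dicts rather than real IP datagrams.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Channel:
    client_addr: str                      # client address of the initial message
    vip: str                              # virtual IP allocated by the proxy gateway
    internal_net: ipaddress.IPv4Network   # the one internal network this vip reaches
    allowed_ports: Optional[frozenset]    # per-channel egress policy; None = any port


def parse_policy(entries):
    """Access policy control list as handed to the client: (cidr, ports-or-None)."""
    return [(ipaddress.ip_network(cidr), None if ports is None else frozenset(ports))
            for cidr, ports in entries]


def destination_permitted(policy, dst: str, dport: int) -> bool:
    """dst must lie in a permitted network and, if that entry restricts ports,
    dport must be one of them."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and (ports is None or dport in ports) for net, ports in policy)


def client_kernel_filter(policy, packets):
    """Client-side step: keep only IP packets whose destination is an internal
    address in the policy list; these are copied to user space and forwarded."""
    return [p for p in packets if destination_permitted(policy, p["dst"], p["dport"])]


def integrity_tag(mac_key: bytes, pkt: dict) -> str:
    """HMAC over the packet fields (assumption: the text does not say how the
    proxy gateway verifies integrity)."""
    canon = json.dumps(pkt, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(mac_key, canon, hashlib.sha256).hexdigest()


class VirtualChannelGateway:
    def __init__(self, mac_key: bytes, groups: dict):
        # groups: permission group -> (vip pool, internal network, allowed ports)
        self.mac_key = mac_key
        self.groups = groups
        self.by_client = {}   # client address -> Channel
        self.by_vip = {}      # virtual IP -> Channel
        self.vnic = {}        # virtual network card per vip: converted packets written to it

    def allocate(self, client_addr: str, group: str) -> str:
        """Allocate the next free virtual IP of the group's pool to the client."""
        pool, internal_net, ports = self.groups[group]
        for host in pool.hosts():
            vip = str(host)
            if vip not in self.by_vip:
                ch = Channel(client_addr, vip, internal_net, ports)
                self.by_client[client_addr], self.by_vip[vip] = ch, ch
                self.vnic[vip] = []
                return vip
        raise RuntimeError("virtual IP pool exhausted for group " + group)

    def ingress(self, pkt: dict, tag: str) -> Optional[dict]:
        """Client -> internal network: verify integrity, apply the channel's egress
        policy, convert the source to the vip and write to the virtual NIC."""
        if not hmac.compare_digest(tag, integrity_tag(self.mac_key, pkt)):
            return None
        ch = self.by_client.get(pkt["src"])
        if ch is None:
            return None
        if not destination_permitted([(ch.internal_net, ch.allowed_ports)],
                                     pkt["dst"], pkt["dport"]):
            return None
        converted = dict(pkt, src=ch.vip)
        self.vnic[ch.vip].append(converted)
        return converted

    def egress(self, pkt: dict) -> Optional[dict]:
        """Internal network -> client: a reply read from the virtual NIC is
        addressed to the vip; convert the destination back to the client address."""
        ch = self.by_vip.get(pkt["dst"])
        if ch is None or ipaddress.ip_address(pkt["src"]) not in ch.internal_net:
            return None
        return dict(pkt, dst=ch.client_addr)


def build_sample_gateway(mac_key: bytes = b"constructed-mac-key") -> VirtualChannelGateway:
    """Constructed sample: two permission groups, each with its own vip pool,
    internal network and egress port policy."""
    return VirtualChannelGateway(mac_key, {
        "ops": (ipaddress.ip_network("10.200.0.0/29"),
                ipaddress.ip_network("192.168.10.0/24"), frozenset({22, 443})),
        "hr": (ipaddress.ip_network("10.201.0.0/29"),
               ipaddress.ip_network("192.168.20.0/24"), None),
    })
```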
Based on the same inventive concept, the present invention further provides a data access apparatus 100, which, referring to fig. 2, includes:
a device identifier obtaining module 110, configured to obtain the registered device identifier of the client and generate a device feature code according to the registered device identifier;
a message authentication module 120, configured for the security authentication gateway to obtain the authentication message sent by the client and verify the validity of the authentication message;
a proxy gateway allocation module 130, configured for the security authentication gateway, after the authentication message is verified to be legal, to send the generated KEY value and the proxy gateway address of the proxy gateway allocated to the client to the client;
a UDP message sending module 140, configured for the client to send a UDP message to the proxy gateway according to the proxy gateway address, where the UDP message includes the KEY value, the device feature code and the source address of the client;
and a message filtering module 150, configured for the proxy gateway to verify the KEY value and the device feature code, write the source address into the trust list after verification passes, and filter all received messages according to the trust list so that the client can access data.
In some embodiments of the present invention, the authentication message includes an account number, a password and a registered device identifier, and the message authentication module 120 includes:
an authentication retrieval unit, used by the security authentication gateway to retrieve whether data consistent with the account number, the password and the registered device identifier exist in the database.
In some embodiments of the invention, the apparatus comprises:
a KEY value authentication module, used to perform authentication and single packet authentication for the client according to the KEY value.
In some embodiments of the present invention, the UDP message sending module 140 includes:
an encryption unit, used by the client to encrypt the KEY value and the device feature code respectively to obtain a first encrypted value and a second encrypted value;
and a decryption unit, used by the client to send the UDP message to the proxy gateway, where the UDP message includes the first encrypted value, the second encrypted value and the source address of the client.
In some embodiments of the present invention, the message filtering module 150 includes:
a decryption unit, used by the proxy gateway to decrypt the first encrypted value and the second encrypted value respectively to obtain a first decrypted value and a second decrypted value;
and a verification unit, used by the proxy gateway to send the first decrypted value to the security authentication gateway for verification and to verify the second decrypted value against the database.
In some embodiments of the present invention, the KEY value is valid for a preset time period, and the apparatus further comprises:
a failure judgment module, used to judge according to the preset time period whether the KEY value has expired;
and a failure processing module, used to delete the source address from the trust list if the KEY value has expired.
In some embodiments of the invention, the apparatus further comprises:
a connection establishing module, used to establish the connection between the client and the proxy gateway after verification passes;
a port matching module, used by the proxy gateway to obtain the port of the client and add it to the trust list, where the port in the trust list is matched with the source address;
and a port filtering module, used to judge whether the source address and port of a received message match an entry in the trust list and, if so, to pass the message.
In some embodiments of the invention, the apparatus comprises:
an access policy acquisition module, used by the proxy gateway to obtain the access policy control list corresponding to the client from the database, where the access policy control list includes all internal network addresses the client is allowed to access;
an access policy issuing module, used by the proxy gateway to send the access policy control list to the client;
a filtering module, used to start the kernel module of the client to filter IP messages whose destination address is an internal network address in the policy list;
and a message sending module, used by the client to copy the IP messages to user space and send the filtered IP messages to the proxy gateway over the link established between the client and the proxy gateway.
In some embodiments of the invention, the apparatus further comprises:
a virtual channel establishing module, used by the proxy gateway to allocate a virtual IP address to the client after verification passes so as to establish the connection between the client and the proxy gateway, where different virtual IP addresses communicate with different internal networks.
In some embodiments of the invention, the apparatus further comprises:
a message integrity verification module, used by the proxy gateway to verify the integrity of the data message sent by the client and obtain the initial message within it;
a source address conversion module, used by the proxy gateway to convert the source address of the initial message into the virtual network address allocated to the client;
a message reading module, used by the proxy gateway to write the converted message into the corresponding virtual network card and read the converted message back from the virtual network card;
and a destination address conversion module, used to obtain the destination address of the converted message and convert it into the client address of the initial message so that data is sent to the client.
Referring to fig. 3, fig. 3 is a schematic structural block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device comprises a memory 101, a processor 102 and a communication interface 103, which are electrically connected to one another directly or indirectly so as to transmit or exchange data; for example, the components may be connected via one or more communication buses or signal lines. The memory 101 may store software programs and modules, such as the program instructions/modules corresponding to the data access apparatus 100 provided in the embodiments of the present application; the processor 102 executes the software programs and modules stored in the memory 101, thereby performing the various functional applications and data processing. The communication interface 103 may be used to exchange signaling or data with other node devices.
The memory 101 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 102 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like, or a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 3 or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented as software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In summary, in the data access method and apparatus provided by the embodiments of the present application, the method includes: acquiring a registered device identifier of a client and generating a device feature code according to the registered device identifier; the security authentication gateway acquires an authentication message sent by the client and verifies its validity; after the authentication message is verified to be legal, the security authentication gateway sends the generated KEY value and the proxy gateway address of the proxy gateway allocated to the client to the client; the client sends a UDP message to the proxy gateway according to the proxy gateway address, where the UDP message includes the KEY value, the device feature code and the source address of the client; and the proxy gateway verifies the KEY value and the device feature code, writes the source address into a trust list after verification passes, and filters all received messages according to the trust list so that the client can access data. After the unique device feature code corresponding to the client is obtained, the client sends an authentication message to the security authentication gateway, which verifies the legality of the client's identity from that message. The security authentication gateway sends a KEY value to a client whose identity is legal and allocates a corresponding proxy gateway to it. The client sends the UDP message to the proxy gateway; once the proxy gateway has verified the UDP message, it can filter received messages by the source address carried in the UDP message, so that messages sent by the client are passed by the proxy gateway and data access with high security is realized.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (12)

1. A data access method, the method comprising:
acquiring a registered device identifier of a client, and generating a device feature code according to the registered device identifier;
a security authentication gateway acquires an authentication message sent by the client and verifies the validity of the authentication message;
after the authentication message is verified to be legal, the security authentication gateway sends the generated KEY value and the proxy gateway address of the proxy gateway allocated to the client to the client;
the client sends a UDP message to the proxy gateway according to the proxy gateway address, wherein the UDP message comprises the KEY value, the device feature code and the source address of the client;
and the proxy gateway verifies the KEY value and the device feature code, writes the source address into a trust list after the verification is passed, and filters all received messages according to the trust list so that the client can access data.
2. The method of claim 1, wherein the authentication message includes an account number, a password and a registered device identifier, and the step of verifying the validity of the authentication message includes:
the security authentication gateway searches whether data consistent with the account number, the password and the registered device identifier exist in a database.
3. The method of claim 1, wherein after the step of the security authentication gateway sending the generated KEY value and the proxy gateway address of the proxy gateway allocated to the client, and before the step of the client sending the UDP message to the proxy gateway according to the proxy gateway address, the method comprises:
the client performs authentication and single packet authentication according to the KEY value.
4. The method of claim 1, wherein the step of the client sending a UDP message to the proxy gateway according to the proxy gateway address comprises:
the client encrypts the KEY value and the device feature code respectively to obtain a first encrypted value and a second encrypted value;
and the client sends a UDP message to the proxy gateway, wherein the UDP message comprises the first encrypted value, the second encrypted value and the source address of the client.
5. The method of claim 4, wherein the step of the proxy gateway verifying the KEY value and the device feature code comprises:
the proxy gateway decrypts the first encrypted value and the second encrypted value respectively to obtain a first decrypted value and a second decrypted value;
and the proxy gateway sends the first decrypted value to the security authentication gateway for verification, and verifies the second decrypted value against a database.
6. The method of claim 1, wherein the KEY value is valid for a preset time period, and after the step in which the proxy gateway verifies the KEY value and the device feature code, writes the source address into a trust list after the verification is passed, and filters all received messages according to the trust list so that the client can access data, the method further comprises:
judging whether the KEY value has expired according to the preset time period;
and if the KEY value has expired, deleting the source address from the trust list.
7. The method of claim 1, wherein after the step of the proxy gateway verifying the KEY value and the device feature code, the method further comprises:
after the verification is passed, establishing a connection between the client and the proxy gateway;
the proxy gateway acquires a port of the client and adds the port to the trust list, wherein the port in the trust list is matched with the source address;
and judging whether the source address and the port of a received message match an entry in the trust list, and if so, passing the message.
8. The method of claim 7, wherein after the step of establishing a connection between the client and the proxy gateway, the method comprises:
the proxy gateway acquires an access policy control list corresponding to the client from a database, wherein the access policy control list comprises all internal network addresses that the client is allowed to access;
the proxy gateway sends the access policy control list to the client;
the client starts a kernel module of the client to filter IP messages whose destination address is an internal network address in the access policy control list;
and the client copies the IP messages to user space and sends the filtered IP messages to the proxy gateway through a link established between the client and the proxy gateway.
9. The method of claim 1, wherein after the step of the proxy gateway verifying the KEY value and the device feature code, the method further comprises:
after the verification is passed, the proxy gateway allocates a virtual IP address to the client so as to establish a connection between the client and the proxy gateway, wherein different virtual IP addresses communicate with different internal networks.
10. The method of claim 9, wherein after the step of the proxy gateway allocating a virtual IP address to the client, the method further comprises:
the proxy gateway verifies the integrity of the data message sent by the client and acquires an initial message in the data message;
the proxy gateway converts the source address in the initial message into the virtual network address allocated to the client;
the proxy gateway writes the converted message into a corresponding virtual network card and reads the converted message from the virtual network card;
and acquiring the destination address of the converted message, and converting the destination address into the client address of the initial message so as to send data to the client.
11. An electronic device, comprising:
a memory for storing one or more programs;
a processor;
the one or more programs, when executed by the processor, implement the method of any of claims 1-10.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-10.
CN202011081418.1A 2020-10-12 2020-10-12 Data access method and device Active CN111935187B (en)

Publications (2)

Publication Number Publication Date
CN111935187A CN111935187A (en) 2020-11-13
CN111935187B true CN111935187B (en) 2020-12-29

Family

ID=73333734

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant