CN112491836B - Communication system, method, device and electronic equipment - Google Patents

Communication system, method, device and electronic equipment Download PDF

Info

Publication number: CN112491836B
Authority: CN (China)
Prior art keywords: client, message, trusted, identity, credibility
Legal status: Active
Application number: CN202011280758.7A
Other languages: Chinese (zh)
Other versions: CN112491836A
Inventor: 岳炳词
Current Assignee: New H3C Technologies Co Ltd Hefei Branch
Original Assignee: New H3C Technologies Co Ltd Hefei Branch

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H04L63/0281 Network security for separating internal from external traffic, e.g. firewalls: proxies
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/20 Managing network security; network security policies in general
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The embodiments of the application provide a communication system, method, device and electronic equipment in which an identity identifier is transmitted along with a trusted message, so that trusted access control of non-web services is realized, web-based multi-factor authentication is extended to non-web services, and security is improved. Because the message also carries the user credibility, credibility management of clients across a large number of branch organizations is realized. The trusted-tunnel communication method, in which the client's message carries the identity and credibility, transfers the trust information and suits the scenario of a service system concentrated at headquarters with users distributed across a large number of branch offices nationwide; it is practical to deploy and promotes the practical implementation of a zero-trust scheme.

Description

Communication system, method, device and electronic equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication system, a method, an apparatus, and an electronic device.
Background
With the development of the internet of things and the spread of cloud computing applications driven by the rapid growth of network services, the network boundary is no longer clear, and a security protection architecture based on zero trust is increasingly advocated and valued. A zero-trust security protection architecture performs real-time, least-privilege access control based on the identity of the user; a zero-trust deployment mainly identifies the user, assigns the user a unique identity ID, and performs dynamic authority control on the user based on that identity ID.
In existing network transmission, the user-identifying information in a message is mainly the source IP and source port. However, since NAT (Network Address Translation) is generally applied and mobile users obtain IP addresses dynamically, a user's identity cannot be uniquely identified by the IP address or by "IP address + port", and the IP address is easily forged.
In the existing zero-trust protection system, trusted access control is mainly provided for users accessing web services, and the identity ID of the user is mainly carried in the cookie of a message. Carrying the identity ID in a cookie is limited to web services, so zero-trust protection is difficult to realize for the large number of non-web services.
Disclosure of Invention
An object of the embodiments of the present application is to provide a communication system, a method, a device, and an electronic device, so as to increase an application range of zero trust protection. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a communication system comprising a client trusted agent, an authority policy center and a server trusted agent;
the client trusted agent is used for acquiring the identity of the client and determining the credibility of the client according to the source IP address of the client message after receiving the client message of the client; generating a credible message header according to the identity and the credibility of the client, and packaging the client message by using the credible message header to obtain a credible message; sending the trusted message to the server trusted agent;
the server-side trusted agent is used for receiving the trusted message of the client side; extracting a credible message header of the credible message to obtain an identity and credibility of the client; sending an authentication request aiming at the client to the authority policy center, wherein the authentication request comprises an identity identifier and a credibility of the client;
the authority policy center is used for authenticating the client according to the authentication request of the client and sending the authentication result to the server trusted agent;
the server-side trusted agent is also used for analyzing a client-side message from the trusted message and forwarding the client-side message if the authentication result shows that the client-side passes the authentication.
In a possible implementation manner, the client-side trusted agent is further configured to establish a trusted tunnel with the server-side trusted agent based on a preset tunnel protocol, where the client-side trusted agent and the server-side trusted agent communicate with each other through the trusted tunnel.
In a possible implementation manner, the trusted message header further includes a region ID, where, for any trusted message header, the region ID in the trusted message header is used to uniquely identify a client trusted agent that generates the trusted message header;
the server-side trusted agent is further configured to generate an authentication log of the client-side packet, where the authentication log of the client-side packet includes a source IP address of the client-side packet and a corresponding area ID.
In one possible implementation, the server-side trusted agent is further configured to: after receiving a response message aiming at the client, packaging the response message by using a response credible message head to obtain a response message; sending the response message to the server trusted agent;
the client trusted agent is further configured to: decapsulate the response message to obtain the response message; and send the response message to the client.
In one possible embodiment, the system further comprises:
the client trusted agent is specifically used for receiving the attribute information and behavior information of the client acquired by the client trusted plug-in, and analyzing the attribute information of the client to obtain the attribute credibility of the client; analyzing the behavior information of the client to obtain the behavior credibility of the client; and combining the attribute credibility and the behavior credibility of the client to obtain the credibility of the client.
In one possible embodiment, the system further comprises: an identity center;
the client trusted agent is also used for judging whether the identity identification is distributed to the client according to the source IP address of the client message; if the identity identification is distributed to the client, the identity identification of the client is obtained; if the identity identification is not distributed to the client, identity verification indicating information is sent to the client; receiving an authentication message sent by the client according to the identity verification indication information, and forwarding the authentication message of the client to the identity center; acquiring the identity of the client sent by the identity center, and recording the corresponding relation between the source address and the identity;
and the identity center is used for distributing identity identification for the client according to the authentication message of the client and synchronizing the identity identification of the client to the authority policy center.
In a second aspect, an embodiment of the present application provides a communication method, which is applied to a client trusted agent, where the method includes:
after receiving a client message of a client, acquiring an identity of the client and determining the reliability of the client according to a source IP address of the client message;
generating a credible message header according to the identity and the credibility of the client, and packaging the client message by using the credible message header to obtain a credible message;
and sending the credible message to a server credible agent.
In a possible implementation manner, the obtaining the identity of the client according to the source IP address of the client packet includes:
judging whether an identity mark is distributed to the client according to the source IP address of the client message;
if the identity identification is not distributed to the client, identity verification indication information is sent to the client; receiving an authentication message sent by the client according to the identity verification indication information, forwarding the authentication message of the client to an identity center, acquiring an identity of the client returned by the identity center according to the authentication message, and recording a corresponding relation between the source IP address and the identity;
and if the identity identification is distributed to the client, acquiring the identity identification of the client.
In one possible embodiment, the determining the trustworthiness of the client includes:
acquiring attribute information and behavior information of the client;
analyzing the attribute information of the client to obtain the attribute reliability of the client; analyzing the behavior information of the client to obtain the behavior credibility of the client;
and combining the attribute credibility and the behavior credibility of the client to obtain the credibility of the client.
In a possible implementation manner, the client trusted agent and the server trusted agent communicate with each other through a trusted tunnel pre-established based on a preset tunnel protocol.
In a third aspect, an embodiment of the present application provides a communication method, which is applied to a server-side trusted agent, and the method includes:
acquiring a trusted message of a client, wherein a trusted message header of the trusted message comprises an identity and a credibility of the client, and a load of the trusted message comprises a client message;
extracting a credible message header of the credible message to obtain an identity and credibility of the client;
sending an authentication request aiming at the client to an authority policy center so that the authority policy center authenticates the client according to the authentication request of the client to obtain an authentication result, wherein the authentication request comprises an identity identification and a credibility of the client;
and receiving the authentication result sent by the authority policy center, and if the authentication result indicates that the client passes the authentication, analyzing the client message from the trusted message and forwarding the client message.
In a possible implementation manner, the trusted message header further includes a zone ID, where, for any trusted message header, the zone ID in the trusted message header is used to uniquely identify a client trusted agent that generates the trusted message header; the method further comprises the following steps:
and generating an authentication log of the client message, wherein the authentication log of the client message comprises a source IP address of the client message and a corresponding area ID.
In a fourth aspect, an embodiment of the present application provides a communication apparatus, which is applied to a client trusted agent, where the apparatus includes:
the identity identification acquisition module is used for acquiring the identity identification of the client and determining the credibility of the client according to the source IP address of the client message after receiving the client message of the client;
the trusted message generating module is used for generating a trusted message header according to the identity and the credibility of the client, and packaging the client message by using the trusted message header to obtain a trusted message;
and the trusted message sending module is used for sending the trusted message to the server trusted agent.
In a fifth aspect, an embodiment of the present application provides a communication apparatus, which is applied to a server-side trusted agent, where the apparatus includes:
the trusted message receiving module is used for acquiring a trusted message of a client, wherein a trusted message header of the trusted message comprises an identity and a credibility of the client, and a load of the trusted message comprises a client message;
the first message analysis module is used for extracting a credible message header of the credible message to obtain the identity and the credibility of the client;
the client authentication module is used for sending an authentication request aiming at the client to an authority policy center so that the authority policy center authenticates the client according to the authentication request of the client to obtain an authentication result, wherein the authentication request comprises an identity identifier and a credibility of the client;
and the second message analysis module is used for receiving the authentication result sent by the authority policy center, and if the authentication result shows that the client passes the authentication, analyzing the client message from the trusted message and forwarding the client message.
In a sixth aspect, an embodiment of the present application provides an electronic device, including a processor and a memory;
the memory is used for storing a computer program;
the processor is configured to implement the communication method according to any one of the present applications when executing the program stored in the memory.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the communication method described in any of the present application.
The embodiment of the application has the following beneficial effects:
according to the communication system, the method, the device and the electronic equipment, the identity identification is transmitted along with the trusted message, so that trusted access control of non-web services can be well realized, multi-factor authentication based on the web under the non-web services is realized, and the safety is improved. Meanwhile, the message carries the user credibility, so that the credibility management of the client under a large number of branch organizations can be well realized. The communication method based on the trusted tunnel is provided, the message of the client carries the identity and the credibility, the transfer of the trusted information is realized, the method is suitable for the situation that a service system is gathered in a headquarter, users are distributed in a large number of branch office scenes around the whole country, the landing performance is strong, and the landing implementation of a zero-trust scheme can be well promoted. Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a first schematic diagram of a communication system according to an embodiment of the present application;
fig. 2 is a second schematic diagram of a communication system according to an embodiment of the present application;
fig. 3a is a third schematic diagram of a communication system according to an embodiment of the present application;
fig. 3b is a fourth schematic diagram of a communication system according to an embodiment of the present application;
fig. 4 is a schematic diagram of a communication method applied to a client according to an embodiment of the present application;
fig. 5 is a schematic diagram of a communication method applied to a server according to an embodiment of the present application;
fig. 6 is a schematic diagram of a communication device applied to a client according to an embodiment of the present application;
fig. 7 is a schematic diagram of a communication device applied to a server according to an embodiment of the present application;
fig. 8 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, terms in the present application are explained:
Trusted access control: through a trusted access control gateway (the access control execution system in a zero-trust security protection system), each access request of a user must be authenticated with the policy center of the zero-trust security protection architecture, and the policy center confirms whether the user has the authority to access the requested service according to the trust level of the user and the security sensitivity level of the accessed service. The policy center sends the authentication result to the trusted access control gateway, and the gateway decides whether to pass the request message according to the authentication result.
The client trusted agent: for the access service of the user, the user needs to be identified, so that the message sent by the user terminal has the unique identity information and the credible information of the user. Identity information and credible information of the user can be added to the user request message through the client credible agent, so that the zero trust protection system realizes credible access control on the service request of the user.
The server trusted agent: and the server-side trusted agent extracts identity and credibility information from the message from the client-side trusted agent, performs zero-trust dynamic authentication on the access request and realizes dynamic control.
User credibility: when accessing network resources, a user accesses through a terminal, and if the terminal is a malicious terminal or a puppet device (a device remotely controlled by an attacker), the terminal may pose a large security threat to the accessed network. Security detection is performed on the terminal: security elements such as configuration security, operating system or application vulnerabilities, viruses, whether an application version is too old, whether application software is secure, and whether the application software has become an attack puppet are analyzed, the security of the terminal is evaluated, and a grade is assigned according to a certain rule, where a higher grade means higher credibility and higher security. At the same time, the user's messages are analyzed to assess the security of the user's behavior. The security of the terminal and the security of the user's behavior are analyzed together to evaluate the credibility of the user.
In the existing zero trust protection system, trusted access control is mainly provided for a user to access web services, and the identity ID of the user is taken as the identity ID of the user through the cookie in a message. However, the adoption of the cookie to bear the identity ID of the user is limited by web services, and zero trust protection is difficult to realize for a large amount of non-web services.
In view of this, an embodiment of the present application provides a communication system, and referring to fig. 1, the system includes:
the system comprises a client trusted agent 11, an authority policy center 12 and a server trusted agent 13;
the client trusted agent 11 is configured to, after receiving a client message of a client, obtain an identity of the client according to a source IP address of the client message and determine the confidence level of the client; generating a credible message header according to the identity and the credibility of the client, and packaging the client message by using the credible message header to obtain a credible message; sending a trusted message to a server trusted agent;
the server-side trusted agent 13 is used for receiving a trusted message of the client; extracting a credible message header of the credible message to obtain an identity and credibility of the client; sending an authentication request aiming at the client to an authority policy center, wherein the authentication request comprises an identity identifier and a credibility of the client;
the authority policy center 12 is used for authenticating the client according to the authentication request of the client and sending the authentication result to the server trusted agent;
the server trusted agent 13 is further configured to, if the authentication result indicates that the client passes the authentication, parse the client packet from the trusted packet, and forward the client packet.
The client trusted agent 11 may be deployed on the user side; a message of the client is first passed to the client trusted agent 11 and processed by it. The client trusted agent 11 may analyze the behavior of the client, for example by analyzing user traffic, and thereby perform a credibility evaluation of the client's behavior. The client trusted agent can also analyze the attribute information of the client, so as to evaluate the credibility of the client's attributes. Each client corresponds to a unique identity, and in one embodiment the identity of the client can be bound to the source IP address of the client, so that the identity of the client can be obtained from the source IP address of the client. In one embodiment, the identity identifier is specifically an ID whose length may be set by negotiation, provided that the IDs of different clients are never the same.
The client trusted agent 11 generates a trusted message header according to the identity and the credibility of the client. In one embodiment, the trusted message header further includes a region ID, where, for any trusted message header, the region ID in the trusted message header is used to uniquely identify a client trusted agent that generates the trusted message header; the server-side trusted agent is also used for generating an authentication log of the client-side message, wherein the authentication log of the client-side message comprises a source IP address of the client-side message and a corresponding area ID. Therefore, security audit and backtracking can be conveniently carried out subsequently according to the authentication log.
In one embodiment, the SecHeader (trusted header) may include: type (header Type), area ID of the client, IP address of the client, identity ID of the client, reliability, checksum (total sum check code), and length of a trusted message header. The area ID of the client may specifically be an ID of the trusted agent of the client, and is used to uniquely identify the trusted agent of the client.
For example, the client message generally includes two types, i.e., a request message and a response message, and for Type, 0 may be used to identify the request Type and 1 may be used to identify the response Type.
Area ID: each client trusted agent represents a zone for which a zone ID is set. The zone ID + user IP can uniquely identify the host location of the client. The method is suitable for the condition that the private IP addresses in the branch are the same.
In one embodiment, the client trusted agent encapsulates the client message as follows.
Original client message:
    Original IP header | Original TCP/UDP header | Load
Encapsulated trusted message:
    Tunnel IP header | Tunnel TCP header | SecHeader | Load
The source address in the tunnel IP header is the IP address of the client trusted agent, and the destination address is the IP address of the server side; for example, the destination address can be the IP address of the server trusted agent. The destination port in the tunnel TCP header is a private fixed port, such as 8999. SecHeader is the trusted message header, and the load of the trusted message is the original client message.
The server-side trusted agent 13 may be deployed at a server side, and the server-side trusted agent 13 analyzes a packet from a client side, extracts an identity ID, reliability, and other information, and requests authentication from the authority policy center 12. The server trusted agent 13 may record information such as a domain ID and an IP address of the packet in the authentication log, so as to be used for security audit and backtracking. And removing the credible message header from the message passing the authentication to obtain the original client message, and sending the original client message to the corresponding service.
The authority policy center 12 may be deployed at a server, and is configured to perform unified authority management on a client and a service, and perform authorization and authentication on access of the client. And dynamically adjusting the authority of the client according to the identity and the credibility of the client, supporting the receiving of the authentication request of the credible agent 13 of the server, performing authentication in real time, and feeding back the authentication result.
The application, the function of the application, the data and other services that the client wants to access are called an authorized object, and in one embodiment, a corresponding security level is set for the authorized object, for example: high, medium, low, etc. And setting an authorization relationship, for example, the client can access all services with high reliability, and only the services with medium and low security levels can be accessed with medium reliability. The low confidence level can only access the low security level traffic or none of them. The specific authorization relationship can be set by the operator in a self-defined way.
In the embodiment of the application, the identity identification is transmitted along with the trusted message, so that the trusted access control of the non-web service can be well realized, the multi-factor authentication based on the web under the non-web service is realized, and the safety is improved. Meanwhile, the message carries the user credibility, so that the credibility management of the client under a large number of branch organizations can be well realized. The communication method based on the trusted tunnel is provided, the message of the client carries the identity and the credibility, the transfer of the trusted information is realized, the method is suitable for the situation that a service system is gathered in a headquarter, users are distributed in a large number of branch office scenes around the whole country, the landing performance is strong, and the landing implementation of a zero-trust scheme can be well promoted.
In one possible implementation, the server-side trusted agent is further configured to: after receiving a response packet directed to the client, encapsulate the response packet with a response trusted message header to obtain a response message, and send the response message to the client trusted agent;
and the client trusted agent is further configured to: decapsulate the response message to obtain the response packet, and send the response packet to the client.
For a packet coming from the service, the server-side trusted agent matches it to the session and prepends a RepSecHeader (response trusted message header), which may include: Type, and the authentication result (0: success, 1: failure). The response packet from the service is encapsulated after the RepSecHeader to obtain the response message, which is sent to the client trusted agent.
Here Type has the value 1 to mark a response message; the source port may be the trusted tunnel protocol port, for example 8999; in the IP header of the response message, the source address is the server-side trusted agent address and the destination address is the client-side trusted agent address. After receiving the response message, the client trusted agent extracts the packet that follows the response trusted message header and forwards it to the client.
In the embodiment of the application, the server-side trusted agent and the client-side trusted agent are used to carry data from the server side back to the client, so that response packets are delivered normally.
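The framing of the request and response paths described above, as an added example that is not code from the patent or from the assignee's product. The page names the header fields (Type, region ID, an identity ID of negotiated length, credibility; for the RepSecHeader, Type = 1 and an authentication result of 0 or 1, with 8999 as an example tunnel port) but gives no byte layout, so the layout, the value Type = 0 for a request, and the 0..100 credibility score are assumptions of this example. Both directions are shown: the client trusted agent encapsulates the client packet (S402), the server trusted agent parses it (S502) and encapsulates the service's response packet, and the client trusted agent parses that. The parsers reject truncated or mistyped headers instead of forwarding whatever follows them.

```python
"""Trusted message framing for the SecTunnel request and response paths (added example)."""
import struct

# Values the page names: Type 1 marks a response message; authentication result
# 0 = success, 1 = failure; 8999 is an example trusted tunnel protocol port.
# Type 0 for a request and the byte layouts below are assumptions of this example.
SEC_TYPE_REQUEST = 0
SEC_TYPE_RESPONSE = 1
AUTH_SUCCESS = 0
AUTH_FAILURE = 1
TUNNEL_PORT = 8999

# SecHeader (assumed layout): type u8 | region_id u32 | credibility u8 | id_len u8 | identity_id[id_len]
_SEC_FIXED = struct.Struct("!BIBB")
# RepSecHeader (assumed layout): type u8 | auth_result u8
_REP_FIXED = struct.Struct("!BB")


class SecHeaderError(ValueError):
    """A trusted message header is malformed, truncated or of the wrong type."""


def build_trusted_message(region_id, identity_id, credibility, client_packet):
    """Client trusted agent (S402): encapsulate the client packet behind a SecHeader."""
    if not 0 <= credibility <= 100:
        raise SecHeaderError("credibility must be a score in 0..100")
    if not 1 <= len(identity_id) <= 255:
        raise SecHeaderError("identity ID must be 1..255 bytes")
    header = _SEC_FIXED.pack(SEC_TYPE_REQUEST, region_id, credibility, len(identity_id))
    return header + identity_id + client_packet


def parse_trusted_message(data):
    """Server trusted agent (S502): return (header fields, client packet).

    Anything that is not a complete request header is rejected, so a truncated
    or mistyped message can never be forwarded as if it had been authenticated.
    """
    if len(data) < _SEC_FIXED.size:
        raise SecHeaderError("truncated SecHeader")
    msg_type, region_id, credibility, id_len = _SEC_FIXED.unpack_from(data)
    if msg_type != SEC_TYPE_REQUEST:
        raise SecHeaderError("expected request type 0, got %d" % msg_type)
    if id_len == 0:
        raise SecHeaderError("empty identity ID")
    end = _SEC_FIXED.size + id_len
    if len(data) < end:
        raise SecHeaderError("truncated identity ID")
    fields = {
        "region_id": region_id,
        "identity_id": data[_SEC_FIXED.size:end],
        "credibility": credibility,
    }
    return fields, data[end:]


def build_response_message(auth_result, response_packet):
    """Server trusted agent: encapsulate the service's response packet behind a RepSecHeader."""
    if auth_result not in (AUTH_SUCCESS, AUTH_FAILURE):
        raise SecHeaderError("authentication result must be 0 or 1")
    return _REP_FIXED.pack(SEC_TYPE_RESPONSE, auth_result) + response_packet


def parse_response_message(data):
    """Client trusted agent: return (header fields, response packet) or raise."""
    if len(data) < _REP_FIXED.size:
        raise SecHeaderError("truncated RepSecHeader")
    msg_type, auth_result = _REP_FIXED.unpack_from(data)
    if msg_type != SEC_TYPE_RESPONSE:
        raise SecHeaderError("expected response type 1, got %d" % msg_type)
    if auth_result not in (AUTH_SUCCESS, AUTH_FAILURE):
        raise SecHeaderError("unknown authentication result %d" % auth_result)
    return {"auth_result": auth_result}, data[_REP_FIXED.size:]


if __name__ == "__main__":
    # Constructed round trip: region 7, a negotiated 7-byte ID, credibility 85.
    wire = build_trusted_message(7, b"ID-0001", 85, b"GET /erp HTTP/1.1\r\n")
    print(parse_trusted_message(wire))
    print(parse_response_message(build_response_message(AUTH_SUCCESS, b"HTTP/1.1 200 OK\r\n")))
```

The header carries no authenticator of its own; the page relies on the SecTunnel between the two agents for integrity and confidentiality, so these parsers should only ever be fed data that arrived through that tunnel, and a header that fails to parse should be dropped outright rather than treated as a failed authentication whose payload is still handled.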
In a possible implementation, the client trusted agent 11 is specifically configured to receive the attribute information and behavior information of the client collected by the client trusted plugin, analyze the attribute information to obtain the attribute credibility of the client, analyze the behavior information to obtain the behavior credibility of the client, and combine the attribute credibility and behavior credibility to obtain the credibility of the client.
In one embodiment, referring to fig. 2, the system further comprises a client trusted plugin 14, installed in the client, which collects the attribute information and behavior information of the client and sends them to the client trusted agent. The client trusted agent performs terminal security monitoring on the attribute information to evaluate the attribute credibility of the client, analyzes the client's traffic and user behavior to obtain the behavior credibility, and comprehensively evaluates the credibility of the client from the terminal (attribute) credibility and the behavior credibility.
The client trusted agent analyzes the attribute information of the client to obtain the attribute credibility. For example, the attribute information may include the client version number, the client login account, the IP address, the MAC address, or the unique identifier of the device on which the client runs. Other attributes being equal: the closer the client version is to the latest version, the higher the attribute credibility; the less suspicious traffic has been received from the IP address, from the MAC address, or from the device identified by the unique device identifier, the higher the attribute credibility; and the higher the security level of the login account and the less suspicious traffic associated with it, the higher the attribute credibility.
The client trusted agent analyzes the behavior information of the client to obtain the behavior credibility. For example, the behavior information may include the operation type and traffic volume of client processes, and the behavior credibility is obtained with a traffic attack detection technique known in the related art.
The client trusted agent combines the behavior credibility and the attribute credibility to obtain the credibility of the client. For example, the credibility of the client may be a weighted average of the behavior credibility and the attribute credibility.
In the embodiment of the application, the client trusted plugin collects the attribute information and behavior information of the client effectively, and the credibility of the client is obtained by combining the attribute credibility and the behavior credibility, so the factors contributing to client credibility are more comprehensive and the resulting credibility value is more reliable.
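The credibility computation described above, as an added example that is not code from the patent. The page says only that attribute credibility and behavior credibility are each derived from the collected information and then combined by a weighted average, and that credibility is graded high, medium or low; the weights, the per-factor penalties, the grade thresholds, the latest client version and the list of risky operation types are assumptions of this example, and the behavior scorer is a simple stand-in for the unspecified traffic attack detection technique. Three constructed clients are scored in the usage note: an up-to-date quiet client, a stale and noisy one, and one that port-scans from a weak account.

```python
"""Client credibility from attribute and behavior evidence (added example)."""
from dataclasses import dataclass

# Assumptions: the page says only that the two partial credibilities are combined by a
# weighted average and graded high/medium/low. Weights, penalties, thresholds, the
# latest client version and the risky operation types are constructed for this example.
ATTRIBUTE_WEIGHT = 0.4
BEHAVIOR_WEIGHT = 0.6
LATEST_VERSION = (3, 2, 0)
RISKY_OPERATIONS = {"exec", "raw_socket", "port_scan"}


@dataclass
class ClientAttributes:
    version: tuple          # client version number (major, minor, patch)
    account_level: int      # login account security level, 0 (low) .. 3 (high)
    suspicious_ip: int      # suspicious flows observed from the client IP address
    suspicious_mac: int     # suspicious flows observed from the MAC address
    suspicious_device: int  # suspicious flows observed from the device unique identifier


@dataclass
class ClientBehavior:
    operations: list        # operation types of client processes
    bytes_per_minute: int   # traffic volume of the client


def attribute_credibility(attrs):
    """Score 0..100: higher for an up-to-date client, a strong account and little suspicious traffic."""
    score = 100.0
    # Version distance from the latest release: 15 points per major version, 5 per minor.
    major_gap = max(0, LATEST_VERSION[0] - attrs.version[0])
    minor_gap = max(0, LATEST_VERSION[1] - attrs.version[1]) if major_gap == 0 else 0
    score -= 15 * major_gap + 5 * minor_gap
    # Suspicious traffic tied to IP, MAC or device identifier: 5 points per flow, capped at 30.
    score -= min(30, 5 * (attrs.suspicious_ip + attrs.suspicious_mac + attrs.suspicious_device))
    # Weaker login accounts cost 10 points per level below the strongest.
    score -= 10 * (3 - max(0, min(3, attrs.account_level)))
    return max(0.0, score)


def behavior_credibility(behavior):
    """Score 0..100; stand-in for the page's unspecified traffic attack detection technique."""
    score = 100.0
    score -= 25 * len(RISKY_OPERATIONS.intersection(behavior.operations))
    if behavior.bytes_per_minute > 50_000_000:
        score -= 30
    elif behavior.bytes_per_minute > 10_000_000:
        score -= 10
    return max(0.0, score)


def client_credibility(attrs, behavior):
    """Weighted average of the two partial credibilities, as the page describes."""
    combined = ATTRIBUTE_WEIGHT * attribute_credibility(attrs) + BEHAVIOR_WEIGHT * behavior_credibility(behavior)
    return round(combined, 1)


def credibility_level(score):
    """Map a score to the high/medium/low grades used by the authority policy center (thresholds assumed)."""
    if score >= 80:
        return "high"
    if score >= 50:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed clients: current and quiet; one major version behind with some suspicious
    # flows and a privileged operation; and a port-scanning client on a weak account.
    print(client_credibility(ClientAttributes((3, 2, 0), 3, 0, 0, 0), ClientBehavior(["read", "write"], 1_000_000)))
    print(client_credibility(ClientAttributes((2, 0, 0), 1, 2, 1, 0), ClientBehavior(["exec", "read"], 20_000_000)))
    print(client_credibility(ClientAttributes((3, 1, 0), 0, 10, 0, 0), ClientBehavior(["port_scan", "raw_socket"], 80_000_000)))
```

Because the server side only ever sees the final score in the trusted message header, the client trusted agent that computes it is a trust boundary: the plugin's inputs come from the endpoint being judged, so the agent should weight behavior it observes itself (traffic) above attributes the endpoint merely reports (version, account).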
In a possible embodiment, with reference to fig. 3a, the system further comprises an identity center 15;
the client trusted agent 11 is further configured to determine, according to the source IP address of the client packet, whether an identity has already been allocated to the client; if an identity has been allocated, obtain the identity of the client; if no identity has been allocated, send identity verification indication information to the client, receive the authentication message that the client sends in response to the identity verification indication information, forward the client's authentication message to the identity center, obtain the identity of the client sent back by the identity center, and record the correspondence between the source IP address and the identity;
and the identity center 15 is configured to allocate an identity to the client according to the client's authentication message and to synchronize the client's identity to the authority policy center.
The client trusted agent sends the identity verification indication information to the client when it detects that no identity has been allocated to the client; specifically, the identity verification indication information may be sent to the client trusted plugin in the client, and the address of the identity center may be sent along with it. On receiving the identity verification indication information, the client trusted plugin generates an authentication message, which may include attribute information of the client such as its IP address, MAC address or client version number. The client trusted agent receives the authentication message that the client sends in response to the identity verification indication information and forwards it to the identity center.
The communication system of the embodiment of the present application may also be as shown in fig. 3b, where the service system is the system that provides services to users; its structure and functions may be those of service systems in the related art and are not described again here. The identity center is deployed on the server side and provides identity management and identity authentication for the whole system. Its main functions include: managing client information, setting the multi-factor authentication mode for clients, and synchronizing specified client information to the authority policy center; authenticating clients, generating identity IDs, and feeding each client's identity ID back to the client trusted agent and the authority policy center; and performing lifecycle management of client identity IDs, such as ID refresh and ID deletion, and synchronizing these changes to the client trusted agent and the authority policy center.
The client trusted agent may trigger multi-factor authentication to obtain the user's identity, for example an identity ID, through the identity center. Because authentication goes through the client trusted agent, the agent converts the client's IP address to the agent's own address for the authentication exchange, so the real client IP address and client information must be entered on the authentication page for multi-factor authentication; after the identity center generates the identity ID, it notifies the client trusted agent of the client's real IP address and identity ID. The ID length may be negotiated, but it must be guaranteed that no two clients have the same ID.
In the embodiment of the application, the identity center provides centralized and unified management of client identities, which facilitates querying and managing them.
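The identity allocation and lifecycle exchange described above, as an added example that is not code from the patent. It models the client trusted agent's source-IP-to-identity table (steps one to three), the trigger of identity verification when a packet arrives from an IP without an ID, the identity center's issuance of an ID that is guaranteed unique, the feedback of real IP and ID to the agent, the sync to the authority policy center, and ID deletion propagating back to the agent. The multi-factor check (a fixed one-time code), the 8-byte negotiated ID length, and the in-process callbacks standing in for network synchronization are assumptions of this example.

```python
"""Identity allocation and lifecycle between the client trusted agent and the identity center (added example)."""
import secrets


class IdentityCenter:
    """Issues identity IDs after authentication and keeps them in sync with the agents and the policy center."""

    def __init__(self, id_len=8):
        self.id_len = id_len            # negotiated ID length (page: negotiable, unique per client)
        self.issued = {}                # identity_id -> client real IP address
        self.policy_center_ids = set()  # stand-in for the sync to the authority policy center
        self.agents = []                # client trusted agents to be notified of ID changes

    def register_agent(self, agent):
        self.agents.append(agent)

    def authenticate(self, auth_message):
        """Multi-factor authentication stand-in (assumed): the attribute information must be
        present and the one-time code must match. Returns the new identity ID, or None."""
        required = ("real_ip", "mac", "version", "otp")
        if any(key not in auth_message for key in required):
            return None
        if auth_message["otp"] != "123456":       # constructed second factor for this example
            return None
        identity_id = secrets.token_bytes(self.id_len)
        while identity_id in self.issued:         # guarantee that no two clients share an ID
            identity_id = secrets.token_bytes(self.id_len)
        self.issued[identity_id] = auth_message["real_ip"]
        self.policy_center_ids.add(identity_id)   # sync the ID to the authority policy center
        for agent in self.agents:                 # feed real IP and ID back to the agents
            agent.learn_identity(auth_message["real_ip"], identity_id)
        return identity_id

    def delete_identity(self, identity_id):
        """Lifecycle management: retire an ID everywhere so no stale IP mapping keeps it alive."""
        real_ip = self.issued.pop(identity_id)
        self.policy_center_ids.discard(identity_id)
        for agent in self.agents:
            agent.forget_identity(real_ip, identity_id)


class ClientTrustedAgent:
    """Keeps the source IP -> identity ID table and triggers verification when a packet has no ID."""

    def __init__(self, identity_center):
        self.identity_center = identity_center
        self.ip_to_id = {}
        self.pending = set()   # source IPs that were sent identity verification indication information
        identity_center.register_agent(self)

    def on_client_packet(self, src_ip):
        """Steps one and three: look the ID up by source IP; None means verification was triggered."""
        identity_id = self.ip_to_id.get(src_ip)
        if identity_id is None:
            self.pending.add(src_ip)   # identity verification indication information goes to the plugin
        return identity_id

    def on_authentication_message(self, src_ip, auth_message):
        """Step two: forward the plugin's authentication message; the mapping is recorded via learn_identity."""
        identity_id = self.identity_center.authenticate(auth_message)
        if identity_id is not None:
            self.pending.discard(src_ip)
        return identity_id

    def learn_identity(self, real_ip, identity_id):
        self.ip_to_id[real_ip] = identity_id

    def forget_identity(self, real_ip, identity_id):
        if self.ip_to_id.get(real_ip) == identity_id:
            del self.ip_to_id[real_ip]
```

The table is keyed by source IP, so the binding is only as strong as the agent's ability to see real client addresses on its own segment; an address that is reused (DHCP, NAT) or spoofed would inherit an existing ID until the identity center's refresh or deletion reaches the agent, which is why the lifecycle sync shown here matters as much as the initial allocation.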
The client trusted agent may establish a SecTunnel (trusted tunnel) with the server trusted agent in advance so that communication between the two agents is secured. In one embodiment, the client trusted agent is further configured to establish a trusted tunnel to the server trusted agent based on a preset tunnel protocol, and the client trusted agent and the server trusted agent communicate through that trusted tunnel. Both agents must support the preset tunnel protocol, which may be chosen freely according to the actual situation; the client trusted agent establishes the trusted tunnel based on the preset tunnel protocol and keeps it alive according to that protocol, thereby securing the communication between the two agents.
In one embodiment, before communication takes place, each module in the communication system needs to be initialized so that the scheme of the present application can be carried out smoothly, including:
1) The identity center adds user information. The user information may include user attribute information, the authentication mode, the client address (provided by the client at authentication time), and the client-side trusted agent address.
2) The identity center synchronizes the user attribute information to the authority policy center.
3) The authority policy center sets the authorized objects such as applications, functions and data, sets their security levels, and sets the authorization relationship from clients to authorized objects.
An authorized object is an application that provides a business service to the user, a function of such an application, or a business asset such as data. A security level such as high, medium or low is set for each authorized object, and an authorization relationship is set; for example, a client with high credibility may access services of high, medium and low security level, a client with medium credibility may access only services of medium and low security level, and a client with low credibility may access only services of low security level or none at all. The specific authorization relationship can be customized by the operator.
4) The client trusted agent and the server trusted agent set up a SecTunnel (trusted tunnel). Both sides share the tunnel parameters: the data to be protected, the tunnel source address and destination address, and each side's role, i.e. client trusted agent or server trusted agent.
5) The server-side trusted agent and the authority policy center are reachable from each other by routing, so that authentication can be performed at the authority policy center; the client-side trusted agent is configured with the identity center address and with the Web address used for identity center authentication.
6) The client accesses the service, and it is ensured that service requests are forwarded through the client trusted agent.
7) A client trusted plugin is installed on the client to perform security monitoring of the client and to trigger authentication.
An embodiment of the present application further provides a communication method applied to a client trusted agent; referring to fig. 4, the method includes:
S401: after receiving a client packet from the client, obtain the identity of the client according to the source IP address of the client packet, and determine the credibility of the client.
S402: generate a trusted message header from the identity and credibility of the client, and encapsulate the client packet with the trusted message header to obtain a trusted message.
S403: send the trusted message to the server trusted agent.
The communication method of the embodiment of the application is applied to the client trusted agent and may be implemented by a device on the client side, for example a network switch on the client side.
In a possible implementation, obtaining the identity of the client according to the source IP address of the client packet includes:
Step one: determine, according to the source IP address of the client packet, whether an identity has been allocated to the client.
Step two: if no identity has been allocated to the client, send identity verification indication information to the client; receive the authentication message that the client sends in response, forward it to the identity center, obtain the identity that the identity center returns for the authentication message, and record the correspondence between the source IP address and the identity.
Step three: if an identity has been allocated to the client, obtain the identity of the client.
In a possible implementation, determining the credibility of the client includes:
Step A: obtain the attribute information and behavior information of the client.
The attribute information and behavior information of the client may be collected by a client trusted plugin installed in the client.
Step B: analyze the attribute information of the client to obtain the attribute credibility of the client, and analyze the behavior information of the client to obtain the behavior credibility of the client.
Step C: combine the attribute credibility and behavior credibility of the client to obtain the credibility of the client.
In one possible implementation, the client trusted agent and the server trusted agent communicate through a trusted tunnel established in advance based on a preset tunnel protocol; for example, the client trusted agent sends the trusted message to the server trusted agent through the trusted tunnel.
As with the system embodiment, transmitting the identity with the packet enables trusted access control and Web-based multi-factor authentication for non-Web services, and carrying the client credibility in the packet enables credibility management of clients across a large number of branch organizations; the trusted-tunnel-based method suits a service system concentrated at headquarters with users spread over many branch offices across the country and supports the practical deployment of a zero-trust scheme.
An embodiment of the present application further provides a communication method applied to a server-side trusted agent; referring to fig. 5, the method includes:
S501: obtain a trusted message of the client, where the trusted message header of the trusted message includes the identity and credibility of the client and the payload of the trusted message includes the client packet.
S502: extract the trusted message header of the trusted message to obtain the identity and credibility of the client.
S503: send an authentication request for the client to the authority policy center, the authentication request including the identity and credibility of the client, so that the authority policy center authenticates the client according to the authentication request and obtains an authentication result.
S504: receive the authentication result sent by the authority policy center; if the authentication result indicates that the client passed authentication, extract the client packet from the trusted message and forward it.
The communication method of the embodiment of the application is applied to the server-side trusted agent and may be implemented by a device on the server side, for example a proxy server on the server side.
The server-side trusted agent receives the trusted message of the client, whose trusted message header includes the identity and credibility of the client and whose payload includes the client packet. The server-side trusted agent extracts the trusted message header to obtain the identity and credibility of the client and sends them to the authority policy center, which authenticates the client according to that identity and credibility and returns the authentication result to the server-side trusted agent. If the client passes authentication, the server-side trusted agent takes the client packet out of the trusted message and forwards it; if the client fails authentication, the trusted message is discarded.
In one embodiment, the trusted message header further includes a region ID which, for any trusted message header, uniquely identifies the client trusted agent that generated that header. The method further includes generating an authentication log for the client packet, the log including the source IP address of the client packet and the corresponding region ID.
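The authority policy center's decision and the server-side trusted agent's handling of it (S503, S504 and the authentication log with region ID above), together with the security-level and authorization-relationship model from the description of the authority policy center and of initialization step 3), as an added example that is not code from the patent. The header argument is the dictionary of fields already extracted in S502; only known identities synchronized from the identity center are accepted; the mapping from a 0..100 credibility score to the high/medium/low grade, the example authorized objects and the in-process call standing in for the request to the policy center are assumptions of this example. Both authorization tables the page describes are included: the one where low credibility may still reach low-security services, and the operator variant where it may reach nothing.

```python
"""Authority policy center decision and server trusted agent forwarding (added example)."""

AUTH_SUCCESS = 0   # page: authentication result 0 = success, 1 = failure
AUTH_FAILURE = 1

SECURITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Authorization relationship: credibility grade -> highest security level the client may reach.
# DEFAULT_AUTHORIZATION is the page's example; STRICT_AUTHORIZATION is the operator
# variant in which a low-credibility client may access nothing at all.
DEFAULT_AUTHORIZATION = {"high": "high", "medium": "medium", "low": "low"}
STRICT_AUTHORIZATION = {"high": "high", "medium": "medium", "low": None}


def credibility_level(score):
    """Grade a 0..100 credibility score (thresholds assumed; the page names only the grades)."""
    if score >= 80:
        return "high"
    if score >= 50:
        return "medium"
    return "low"


class AuthorityPolicyCenter:
    def __init__(self, authorization=DEFAULT_AUTHORIZATION):
        self.authorization = dict(authorization)
        self.objects = {}              # authorized object -> security level
        self.known_identities = set()  # identity IDs synchronized from the identity center

    def set_authorized_object(self, name, security_level):
        if security_level not in SECURITY_RANK:
            raise ValueError("unknown security level %r" % security_level)
        self.objects[name] = security_level

    def sync_identity(self, identity_id):
        self.known_identities.add(identity_id)

    def revoke_identity(self, identity_id):
        self.known_identities.discard(identity_id)

    def authenticate(self, identity_id, credibility, target):
        """Real-time decision for one request; every unhandled case fails closed."""
        if identity_id not in self.known_identities:
            return AUTH_FAILURE                     # unknown or revoked identity
        if target not in self.objects:
            return AUTH_FAILURE                     # not a registered authorized object
        ceiling = self.authorization.get(credibility_level(credibility))
        if ceiling is None:
            return AUTH_FAILURE                     # this credibility grade may access nothing
        if SECURITY_RANK[self.objects[target]] <= SECURITY_RANK[ceiling]:
            return AUTH_SUCCESS
        return AUTH_FAILURE


class ServerTrustedAgent:
    """S503/S504: asks the policy center, logs the decision with the region ID, forwards or drops."""

    def __init__(self, policy_center):
        self.policy_center = policy_center
        self.auth_log = []
        self.forwarded = []

    def handle_trusted_message(self, header, src_ip, target, client_packet):
        """`header` holds the fields already extracted in S502: region_id, identity_id, credibility."""
        result = self.policy_center.authenticate(header["identity_id"], header["credibility"], target)
        self.auth_log.append({
            "src_ip": src_ip,
            "region_id": header["region_id"],
            "identity_id": header["identity_id"],
            "target": target,
            "result": result,
        })
        if result == AUTH_SUCCESS:
            self.forwarded.append((target, client_packet))
            return True
        return False   # trusted message discarded


if __name__ == "__main__":
    # Constructed deployment: three authorized objects, one synchronized identity.
    center = AuthorityPolicyCenter()
    for name, level in (("erp", "high"), ("crm", "medium"), ("wiki", "low")):
        center.set_authorized_object(name, level)
    center.sync_identity(b"ID-0001")
    agent = ServerTrustedAgent(center)
    header = {"region_id": 7, "identity_id": b"ID-0001", "credibility": 65}
    print(agent.handle_trusted_message(header, "10.1.2.3", "crm", b"GET /crm"))
    print(agent.handle_trusted_message(header, "10.1.2.3", "erp", b"GET /erp"))
    print(agent.auth_log)
```

The log entry pairs the source IP with the region ID of the client trusted agent that built the header, which is what lets an analyst at headquarters attribute a denied request to the branch it came from even though the tunnel rewrote the addresses on the wire.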
In one embodiment, the method further includes: after receiving a response packet directed to the client, generating a response trusted message header and encapsulating the response packet with it to obtain a response message; and sending the response message to the client trusted agent so that the client trusted agent decapsulates it to obtain the response packet.
As with the system embodiment, transmitting the identity with the packet enables trusted access control and Web-based multi-factor authentication for non-Web services, and carrying the client credibility in the packet enables credibility management of clients across a large number of branch organizations; the trusted-tunnel-based method suits a service system concentrated at headquarters with users spread over many branch offices across the country and supports the practical deployment of a zero-trust scheme.
The embodiment of the application also provides a communication method applied to the authority policy center, comprising: receiving an authentication request for the client sent by the server-side trusted agent, authenticating the client according to the identity and credibility carried in the request, and sending the authentication result to the server-side trusted agent.
The server side may further include an identity center, and the embodiment of the present application further provides a communication method applied to the identity center, comprising: receiving the authentication message of the client, allocating an identity to the client according to the attribute information of the client carried in it, sending the identity of the client to the client trusted agent, and synchronizing the identity of the client to the authority policy center.
An embodiment of the present application further provides a communication apparatus applied to a client trusted agent; referring to fig. 6, the apparatus includes:
an identity obtaining module 601, configured to, after a client packet is received from the client, obtain the identity of the client according to the source IP address of the client packet and determine the credibility of the client;
a trusted message generating module 602, configured to generate a trusted message header from the identity and credibility of the client and encapsulate the client packet with the trusted message header to obtain a trusted message; and
a trusted message sending module 603, configured to send the trusted message to the server-side trusted agent.
In a possible implementation, the identity obtaining module is specifically configured to: determine, according to the source IP address of the client packet, whether an identity has been allocated to the client; if not, send identity verification indication information to the client, receive the authentication message that the client sends in response, forward it to the identity center, obtain the identity that the identity center returns for the authentication message, and record the correspondence between the source IP address and the identity; and if an identity has been allocated, obtain the identity of the client.
In a possible implementation, the credibility obtaining module is specifically configured to: obtain the attribute information and behavior information of the client; analyze the attribute information to obtain the attribute credibility of the client; analyze the behavior information to obtain the behavior credibility of the client; and combine the attribute credibility and behavior credibility to obtain the credibility of the client.
In one possible implementation, the client trusted agent and the server trusted agent communicate through a trusted tunnel established in advance based on a preset tunnel protocol.
In a possible embodiment, the apparatus further includes a tunnel establishing module, configured to establish a trusted tunnel between the client trusted agent and the server trusted agent based on a preset tunnel protocol, the two agents communicating through the trusted tunnel.
An embodiment of the present application further provides a communication apparatus applied to a server-side trusted agent; referring to fig. 7, the apparatus includes:
a trusted message receiving module 701, configured to obtain a trusted message of the client, where the trusted message header includes the identity and credibility of the client and the payload includes the client packet;
a first message parsing module 702, configured to extract the trusted message header of the trusted message to obtain the identity and credibility of the client;
a client authentication module 703, configured to send an authentication request for the client, including the identity and credibility of the client, to the authority policy center so that the authority policy center authenticates the client according to the request and obtains an authentication result; and
a second message parsing module 704, configured to receive the authentication result sent by the authority policy center and, if the result indicates that the client passed authentication, extract the client packet from the trusted message and forward it.
In a possible implementation, the trusted message header further includes a region ID which, for any trusted message header, uniquely identifies the client trusted agent that generated that header; the apparatus further includes an authentication log generating module, configured to generate an authentication log for the client packet that includes the source IP address of the client packet and the corresponding region ID.
In one embodiment, the apparatus further includes a response message sending module, configured to, after a response packet directed to the client is received, generate a response trusted message header, encapsulate the response packet with it to obtain a response message, and send the response message to the client trusted agent so that the client trusted agent decapsulates it to obtain the response packet.
The embodiment of the present application further provides a communication apparatus applied to the authority policy center, including:
an authority policy center module, configured to receive the authentication request for the client sent by the server-side trusted agent, authenticate the client, and send the authentication result to the server-side trusted agent.
The server side may further include an identity center, and an embodiment of the present application further provides a communication apparatus applied to the identity center, including an identity center module configured to receive the client's authentication message, allocate an identity to the client according to it, send the client's identity to the client trusted agent, and synchronize the client's identity to the authority policy center.
An embodiment of the present application further provides an electronic device, including: a processor and a memory;
the memory is used for storing computer programs;
the processor is configured to implement any of the above-described communication methods applied to the client trusted agent when executing the computer program stored in the memory.
Optionally, referring to fig. 8, in addition to the processor 801 and the memory 803, the electronic device of the embodiment of the present application further includes a communication interface 802 and a communication bus 804, and the processor 801, the communication interface 802 and the memory 803 communicate with each other through the communication bus 804.
An embodiment of the present application further provides an electronic device, including: a processor and a memory;
the memory is used for storing computer programs;
the processor is configured to implement any one of the communication methods applied to the server-side trusted agent when executing the computer program stored in the memory.
The communication bus mentioned in the electronic device may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a RAM (Random Access Memory) or an NVM (Non-Volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements any one of the above communication methods applied to the client trusted agent.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements any one of the communication methods applied to the server-side trusted agent.
In a further embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described embodiments of the communication method applied to the client trusted agent.
In a further embodiment provided by the present application, there is also provided a computer program product containing instructions, which when run on a computer, cause the computer to perform any one of the above-mentioned embodiments of the communication method applied to the server-side trusted agent.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It should be noted that, in this document, the technical features in the various alternatives can be combined to form the scheme as long as the technical features are not contradictory, and the scheme is within the scope of the disclosure of the present application. Relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the method, the apparatus, the electronic device and the storage medium, since they are substantially similar to the system embodiments, the description is simple, and the relevant points can be referred to the partial description of the system embodiments.
The above description is only for the preferred embodiment of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (15)

1. A communication system, comprising: the system comprises a client trusted agent, an authority policy center and a server trusted agent;
the client trusted agent is used for acquiring the identity of the client and determining the credibility of the client according to the source IP address of the client message after receiving the client message of the client; generating a credible message header according to the identity and the credibility of the client, and packaging the client message by using the credible message header to obtain a credible message; sending the trusted message to the server trusted agent;
the server-side trusted agent is used for receiving the trusted message of the client side; extracting a credible message header of the credible message to obtain an identity and credibility of the client; sending an authentication request aiming at the client to the authority policy center, wherein the authentication request comprises an identity identifier and a credibility of the client;
the authority policy center is used for authenticating the client according to the authentication request of the client and sending the authentication result to the server trusted agent;
and the server-side trusted agent is also used for analyzing a client-side message from the trusted message and forwarding the client-side message if the authentication result shows that the client-side passes the authentication.
2. The system of claim 1,
the client-side trusted agent is further configured to establish a trusted tunnel with the server-side trusted agent based on a preset tunnel protocol, wherein the client-side trusted agent and the server-side trusted agent communicate with each other through the trusted tunnel.
3. The system according to claim 1, wherein the trusted headers further include a zone ID, wherein for any trusted header, the zone ID in the trusted header is used to uniquely identify the client trusted agent that generated the trusted header;
the server-side trusted agent is further configured to generate an authentication log of the client-side packet, where the authentication log of the client-side packet includes a source IP address of the client-side packet and a corresponding area ID.
4. The system of claim 1, wherein the server-side trusted agent is further configured to: after receiving a response message directed to the client, encapsulate the response message using a response trusted message header to obtain a response message; and send the response message to the server trusted agent;
the client trusted agent is further configured to: decapsulate the response message to obtain a response message; and send the response message to the client.
5. The system of claim 1, further comprising:
the client trusted agent is specifically used for receiving the attribute information and behavior information of the client acquired by the client trusted plug-in, and analyzing the attribute information of the client to obtain the attribute credibility of the client; analyzing the behavior information of the client to obtain the behavior credibility of the client; and combining the attribute credibility and the behavior credibility of the client to obtain the credibility of the client.
6. The system of claim 1, further comprising: an identity center;
the client trusted agent is also used for judging whether the identity identification is distributed to the client according to the source IP address of the client message; if the identity identification is distributed to the client, the identity identification of the client is obtained; if the identity identification is not distributed to the client, identity verification indicating information is sent to the client; receiving an authentication message sent by the client according to the identity verification indication information, and forwarding the authentication message of the client to the identity center; acquiring the identity of the client sent by the identity center, and recording the corresponding relation between the source IP address and the identity;
and the identity center is used for distributing identity identification for the client according to the authentication message of the client and synchronizing the identity identification of the client to the authority policy center.
7. A communication method applied to a client trusted agent, the method comprising:
after receiving a client message of a client, acquiring an identity of the client and determining the reliability of the client according to a source IP address of the client message;
generating a credible message header according to the identity and the credibility of the client, and packaging the client message by using the credible message header to obtain a credible message;
and sending the credible message to a server credible agent.
8. The method according to claim 7, wherein said obtaining the identity of the client according to the source IP address of the client packet comprises:
judging whether an identity mark is distributed to the client according to the source IP address of the client message;
if the identity identification is not distributed to the client, identity verification indication information is sent to the client; receiving an authentication message sent by the client according to the identity verification indication information, forwarding the authentication message of the client to an identity center, acquiring an identity of the client returned by the identity center according to the authentication message, and recording a corresponding relation between the source IP address and the identity;
and if the identity identification is distributed to the client, acquiring the identity identification of the client.
9. The method of claim 7, wherein the determining the trustworthiness of the client comprises:
acquiring attribute information and behavior information of the client;
analyzing the attribute information of the client to obtain the attribute reliability of the client; analyzing the behavior information of the client to obtain the behavior credibility of the client;
and combining the attribute credibility and the behavior credibility of the client to obtain the credibility of the client.
10. The method of claim 7, wherein the client trusted agent and the server trusted agent communicate with each other through a pre-established trusted tunnel based on a preset tunneling protocol.
11. A communication method applied to a server trusted agent, the method comprising:
acquiring a trusted message of a client, wherein a trusted message header of the trusted message comprises an identity and a credibility of the client, and a load of the trusted message comprises a client message;
extracting a credible message header of the credible message to obtain an identity and credibility of the client;
sending an authentication request aiming at the client to an authority policy center so that the authority policy center authenticates the client according to the authentication request of the client to obtain an authentication result, wherein the authentication request comprises an identity identification and a credibility of the client;
and receiving the authentication result sent by the authority policy center, and if the authentication result indicates that the client passes the authentication, analyzing the client message from the trusted message and forwarding the client message.
12. The method of claim 11, wherein the trusted headers further include a zone ID, and wherein for any trusted header, the zone ID in the trusted header is used to uniquely identify the client trusted agent that generated the trusted header; the method further comprises the following steps:
and generating an authentication log of the client message, wherein the authentication log of the client message comprises a source IP address of the client message and a corresponding area ID.
13. A communication apparatus, applied to a client trusted agent, the apparatus comprising:
the identity identification acquisition module is used for acquiring the identity identification of the client and determining the credibility of the client according to the source IP address of the client message after receiving the client message of the client;
the trusted message generating module is used for generating a trusted message header according to the identity and the credibility of the client, and packaging the client message by using the trusted message header to obtain a trusted message;
and the trusted message sending module is used for sending the trusted message to the server trusted agent.
14. A communication apparatus, applied to a server-side trusted agent, the apparatus comprising:
the trusted message receiving module is used for acquiring a trusted message of a client, wherein a trusted message header of the trusted message comprises an identity and a credibility of the client, and a load of the trusted message comprises a client message;
the first message analysis module is used for extracting a credible message header of the credible message to obtain the identity and the credibility of the client;
the client authentication module is used for sending an authentication request aiming at the client to an authority policy center so that the authority policy center authenticates the client according to the authentication request of the client to obtain an authentication result, wherein the authentication request comprises an identity identifier and a credibility of the client;
and the second message analysis module is used for receiving the authentication result sent by the authority policy center, and if the authentication result shows that the client passes the authentication, analyzing the client message from the trusted message and forwarding the client message.
15. An electronic device comprising a processor and a memory;
the memory is used for storing a computer program;
the processor is configured to implement the communication method according to any one of claims 7 to 12 when executing the program stored in the memory.
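As an added example that is not part of the patent and not the applicant's code, the following Python sketch models claims 7 to 12 end to end: the client trusted agent looks up an identity by source IP, combines attribute and behavior credibility, and encapsulates the client message under a trusted header carrying identity, credibility and zone ID; the server trusted agent parses the header, obtains an authentication result from the policy center, forwards the payload only on a pass, and logs the source IP together with the zone ID. The header layout, the minimum-based credibility rule, the threshold policy, and every IP address and identity are constructed assumptions; the identity center exchange and the trusted tunnel are left out.

```python
import struct

# Constructed header layout (assumption; the patent gives no wire format): 4-byte marker,
# 2-byte identity length, 1-byte credibility (0-100), 2-byte zone ID, identity bytes, payload.
MAGIC, HEADER_FMT = b"TRST", "!4sHBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)

def build_trusted_message(identity, credibility, zone_id, client_message):
    """Client trusted agent: wrap the client message in a trusted header."""
    ident = identity.encode()
    header = struct.pack(HEADER_FMT, MAGIC, len(ident), credibility, zone_id)
    return header + ident + client_message

def parse_trusted_message(msg):
    """Server trusted agent: recover (identity, credibility, zone_id, payload)."""
    magic, ilen, cred, zone = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("not a trusted message")
    return msg[HEADER_LEN:HEADER_LEN + ilen].decode(), cred, zone, msg[HEADER_LEN + ilen:]

def combine_credibility(attribute_cred, behavior_cred):
    """Claim 9 combines attribute and behavior credibility; taking the minimum is an assumption."""
    return min(attribute_cred, behavior_cred)

def authenticate(policy, identity, credibility):
    """Authority policy center (constructed rule): known identity at or above its required score."""
    return identity in policy and credibility >= policy[identity]

class ClientTrustedAgent:
    def __init__(self, zone_id, ip_to_identity, ip_to_credibility):
        self.zone_id = zone_id
        self.ip_to_identity = ip_to_identity        # source IP -> identity (claim 8)
        self.ip_to_credibility = ip_to_credibility  # source IP -> (attribute, behavior)

    def handle(self, src_ip, client_message):
        identity = self.ip_to_identity.get(src_ip)
        if identity is None:
            return None  # no identity yet: claim 8 sends identity verification instead
        cred = combine_credibility(*self.ip_to_credibility[src_ip])
        return build_trusted_message(identity, cred, self.zone_id, client_message)

class ServerTrustedAgent:
    def __init__(self, policy):
        self.policy = policy
        self.auth_log = []   # claim 12: source IP and zone ID of each authentication
        self.forwarded = []  # client messages released to the server

    def handle(self, src_ip, trusted_message):
        identity, cred, zone, payload = parse_trusted_message(trusted_message)
        passed = authenticate(self.policy, identity, cred)
        self.auth_log.append({"src_ip": src_ip, "zone_id": zone,
                              "identity": identity, "passed": passed})
        if passed:
            self.forwarded.append(payload)  # claim 11: forward only after a pass
        return passed

def run_demo():
    """Constructed scenario: user-a meets the policy, user-b's behavior score is too low."""
    client_agent = ClientTrustedAgent(
        zone_id=7,
        ip_to_identity={"10.0.0.5": "user-a", "10.0.0.9": "user-b"},
        ip_to_credibility={"10.0.0.5": (90, 85), "10.0.0.9": (95, 40)})
    server_agent = ServerTrustedAgent({"user-a": 80, "user-b": 80})
    a_ok = server_agent.handle("10.0.0.5", client_agent.handle("10.0.0.5", b"GET /api"))
    b_ok = server_agent.handle("10.0.0.9", client_agent.handle("10.0.0.9", b"GET /admin"))
    return a_ok, b_ok, server_agent.forwarded, server_agent.auth_log
```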
CN202011280758.7A 2020-11-16 2020-11-16 Communication system, method, device and electronic equipment Active CN112491836B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011280758.7A CN112491836B (en) 2020-11-16 2020-11-16 Communication system, method, device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011280758.7A CN112491836B (en) 2020-11-16 2020-11-16 Communication system, method, device and electronic equipment

Publications (2)

Publication Number Publication Date
CN112491836A CN112491836A (en) 2021-03-12
CN112491836B true CN112491836B (en) 2022-04-22

Family

ID=74930775

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011280758.7A Active CN112491836B (en) 2020-11-16 2020-11-16 Communication system, method, device and electronic equipment

Country Status (1)

Country Link
CN (1) CN112491836B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992402B (en) * 2021-10-27 2023-11-21 贝壳找房(北京)科技有限公司 Access control method, system and medium based on zero trust policy
CN115459966B (en) * 2022-08-25 2024-01-09 北京伽睿智能科技集团有限公司 Trusted remote operation and maintenance method and system for digital equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101291220A (en) * 2007-04-16 2008-10-22 华为技术有限公司 System, device and method for identity security authentication
WO2016015436A1 (en) * 2014-07-28 2016-02-04 百度在线网络技术(北京)有限公司 Platform authorization method, platform server, application client, system, and storage medium
CN105429991A (en) * 2015-12-02 2016-03-23 成都汇合乾元科技有限公司 Efficient data transmission method for mobile terminal
CN106952096A (en) * 2017-03-03 2017-07-14 中国工商银行股份有限公司 Security certification system, method and the credible identifying device of client of client device
CN108234386A (en) * 2016-12-12 2018-06-29 诺基亚技术有限公司 For the method and apparatus of certification
CN110417776A (en) * 2019-07-29 2019-11-05 大唐高鸿信安(浙江)信息科技有限公司 A kind of identity identifying method and device
CN111064574A (en) * 2018-10-16 2020-04-24 金联汇通信息技术有限公司 Digital certificate generation method, authentication method and electronic equipment
CN111314269A (en) * 2018-12-11 2020-06-19 中兴通讯股份有限公司 Address automatic allocation protocol security authentication method and equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106211152B (en) * 2015-04-30 2019-09-06 新华三技术有限公司 A kind of wireless access authentication method and device

Also Published As

Publication number Publication date
CN112491836A (en) 2021-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant