CN112887265A - Access method for preventing unregistered terminal from being forged to legal communication under NAT - Google Patents

Access method for preventing unregistered terminal from being forged to legal communication under NAT

Info

Publication number
CN112887265A
Authority
CN
China
Prior art keywords
nat
key
terminal
check code
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011622370.0A
Other languages
Chinese (zh)
Other versions
CN112887265B (en)
Inventor
邵森龙
孟飞飞
傅昱皓
杨玲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Yuanwang Information Co ltd
Original Assignee
Zhejiang Yuanwang Information Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Yuanwang Information Co ltd (2020-12-31)
Priority to CN202011622370.0A
Publication of CN112887265A (2021-06-01)
Application granted
Publication of CN112887265B (2024-03-26)
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides an admission method for preventing an unregistered terminal under NAT from forging legitimate communication. The method comprises the following steps: when a client terminal under NAT starts up, and periodically thereafter, it requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and the key ID to the terminal. When the terminal of a registered client accesses a service server, the client program uses the key to compute a check code over the IP address and service port of the service server, and carries the key ID and the check code in the data stream of that access. If the admission system judges an intercepted connection to be a NAT data stream, it checks whether the stream carries a key ID and a check code; if it does, the admission system retrieves the key content by key ID, uses the key to compute the check code over the destination IP and port, and compares it with the check code in the stream. If the two check codes are consistent the data stream is released; if the key ID and check code are absent, or the two check codes are inconsistent, the data stream is blocked. This solves the problem that a device which accesses the network through NAT and forges itself as a legitimate device cannot otherwise be effectively discovered and detected.

Description

Access method for preventing unregistered terminal from being forged to legal communication under NAT
[ technical field ]
The invention relates to the technical field of network security admission control, and in particular to an admission method for preventing an unregistered terminal under NAT from forging legitimate communication.
[ background of the invention ]
NAT (Network Address Translation) is widely deployed as a stopgap for the ongoing exhaustion of IPv4 addresses, and is found at every scale from carrier networks down to home networks. NAT greatly lowers the barrier to network access, but it also makes the network topology more complex and significantly increases the difficulty of network operation and maintenance. In particular, in networks with special requirements that need access control, the private-network devices behind a NAT must be managed effectively, and an unregistered device behind the NAT must be prevented from forging the identity of another, legitimate device behind the same NAT in order to reach the network. To solve this problem, an admission control method for NAT-attached devices is needed that detects whether a connection from a NAT-attached device is legitimate.
[ summary of the invention ]
The invention aims to overcome the shortcomings of the prior art by providing an admission method for preventing the terminal of an unregistered client under NAT from forging legitimate communication, so as to solve the problem that the prior art cannot effectively detect a device which accesses the network through NAT and forges itself as a legitimate device.
To achieve the above object, the present invention provides an admission method for preventing an unregistered terminal under NAT from forging legitimate communication, which specifically comprises the following steps:
S1, when the terminal of a client under NAT starts up, and periodically thereafter, it requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and the key ID to the terminal; proceed to step S2;
S2, when the terminal of the registered client initiates access to the service server, the client program uses the key to compute a check code over the IP address and service port of the service server; proceed to step S3;
S3, the terminal of the registered client carries the key ID and the generated check code in the data stream of the current access to the service server; proceed to step S4;
S4, for the connection, the admission system judges whether it is a NAT data stream; if so, proceed to step S5;
S5, the admission system parses the intercepted NAT data stream and judges whether a key ID and a check code are present; if so, proceed to step S6, otherwise proceed to step S8;
S6, using the key ID, the admission system retrieves the key content and uses the key to compute the check code over the destination IP and port; proceed to step S7;
S7, the admission system judges whether the check code in the data stream is consistent with the computed check code; if so, the data stream is released, otherwise proceed to step S8;
S8, the admission system blocks the current data stream.
Preferably, in step S1, before requesting a key from the admission system, the client first determines whether it is in a NAT environment, as follows: after the terminal of a registered client under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system judges whether the terminal is in a NAT environment according to whether the received local IP is consistent with the peer IP it observes for the connection, and sends the result back to the client; if the result indicates a NAT environment, the client requests a key from the admission system.
Preferably, a NAT list is also established when the judgment result is sent back to the client.
Preferably, in step S1, the admission system generates a new key according to the client's request and at the same time maintains a key list, returns the key content and the key ID to the terminal, and repeats this process periodically so that the key is updated periodically; proceed to step S2 on completion.
Preferably, in step S4, whether the connection is a NAT data stream is determined by judging whether its source IP is in the NAT list.
Preferably, in step S4, if the connection is not a NAT data stream, it is judged whether the source IP is in the release list; if so, the stream is released, otherwise proceed to step S8.
The beneficial effect of the invention is that a key shared only between the client and the admission system is used to generate and verify the check code carried in the data stream, which effectively solves the problem of an illegitimate terminal behind a NAT access device forging legitimate communication in order to evade admission control.
The features and advantages of the present invention will be described in detail by embodiments in conjunction with the accompanying drawings.
[ description of the drawings ]
Fig. 1 is a flowchart of the admission method of the present invention for preventing an unregistered terminal under NAT from forging legitimate communication.
[ detailed description ] embodiments
When a terminal in a NAT environment communicates with a service server, the data stream of that communication must not only allow the terminal of a registered client to be distinguished from that of an unregistered client, but must also prevent the terminal of an unregistered client from deceiving the system and entering the network by posing as legitimate communication. Referring to Fig. 1, the present invention provides an admission method for preventing the terminal of an unregistered client under NAT from forging legitimate communication, which specifically comprises the following steps:
S1, after the terminal of a client under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system judges whether the terminal is in a NAT environment according to whether the received local IP is consistent with the peer IP it observes for the connection, sends the result back to the client, and establishes a NAT list. If the client learns that it is in a NAT environment, it requests a key from the admission system; the admission system generates a new key for the request, records it in a key list, and returns the key content and the key ID to the terminal. This process is also repeated periodically so that the key is updated periodically; proceed to step S2 on completion.
S2, when the terminal of the registered client initiates access to the service server, the client program uses the key to compute a check code over the IP address and service port of the service server; proceed to step S3.
S3, the terminal of the registered client carries the key ID and the generated check code in the data stream of the current access to the service server; proceed to step S4.
S4, for the connection, the admission system judges whether the source IP is in its NAT list, and thereby whether the connection is a NAT data stream; if so, proceed to step S5. If not, it judges whether the source IP belongs to a device in the release list; if so, the connection is allowed onto the network, otherwise proceed to step S8.
S5, the admission system parses the intercepted NAT data stream and judges whether a key ID and a check code are present; if so, proceed to step S6, otherwise proceed to step S8.
S6, using the key ID, the admission system retrieves the key content and uses the key to compute the check code over the destination IP and port; proceed to step S7.
S7, the admission system judges whether the check code in the data stream is consistent with the computed check code; if so, the data stream is released, otherwise proceed to step S8.
S8, the admission system blocks the current data stream.
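The following Python model of steps S1 to S8, including the NAT-list, key-list and release-list variants of the preferred embodiments above, is an added example and is not code from the patent or its assignee. The patent does not say how the check code is derived from the key, the destination IP and the port, nor how the key ID and check code are carried in the data stream; the HMAC-SHA256 construction, the truncation to 16 hex characters, the text header "ADM <key_id> <check_code>" in front of the application data, and all IP addresses are assumptions made here. The admission system side and the client side are both modelled so that the release/block decisions for legitimate, unregistered, replayed and stale-key flows can be seen together.

```python
"""Model of admission steps S1-S8 (an added example, not the patent's code).

Assumed here, since the patent fixes neither: check code = HMAC-SHA256 over
"dst_ip:dst_port" truncated to 16 hex chars; key ID = 8 random hex chars;
both carried in a text header "ADM <key_id> <check_code>\\n" in front of the
application data. All addresses are constructed documentation ranges."""
import hashlib
import hmac
import secrets
from collections import namedtuple

TAG_PREFIX = b"ADM "
# src_ip is the source as the admission system sees it, i.e. after NAT rewriting
Flow = namedtuple("Flow", "src_ip dst_ip dst_port payload")


def check_code(key: bytes, dst_ip: str, dst_port: int) -> str:
    """S2 / S6: keyed check code over the service server's IP and port."""
    msg = f"{dst_ip}:{dst_port}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def parse_tag(payload: bytes):
    """S5: return (key_id, check_code) if the stream carries a tag, else None."""
    if not payload.startswith(TAG_PREFIX):
        return None
    head = payload[len(TAG_PREFIX):].split(b"\n", 1)[0].decode("ascii", "replace")
    parts = head.split(" ")
    return tuple(parts) if len(parts) == 2 else None


class AdmissionSystem:
    def __init__(self):
        self.nat_list = set()       # public IPs judged to be NAT egress (claim 3)
        self.release_list = set()   # non-NAT IPs of registered devices (claim 6)
        self.key_list = {}          # key_id -> key content (claim 4)

    def register(self, peer_ip: str, reported_local_ip: str) -> bool:
        """S1 (claim 2): local IP differing from the observed peer IP means NAT."""
        behind_nat = reported_local_ip != peer_ip
        (self.nat_list if behind_nat else self.release_list).add(peer_ip)
        return behind_nat

    def issue_key(self, old_key_id=None):
        """S1 (claim 4): new key and key ID; on periodic update the old ID is dropped."""
        self.key_list.pop(old_key_id, None)
        key_id, key = secrets.token_hex(4), secrets.token_bytes(32)
        self.key_list[key_id] = key
        return key_id, key

    def decide(self, flow: Flow) -> str:
        """S4-S8: 'release' or 'block' for one intercepted connection."""
        if flow.src_ip not in self.nat_list:                      # S4
            return "release" if flow.src_ip in self.release_list else "block"
        tag = parse_tag(flow.payload)                             # S5
        if tag is None:
            return "block"                                        # S8
        key_id, code = tag
        key = self.key_list.get(key_id)                           # S6
        if key is None:
            return "block"                                        # unknown or rotated ID
        expected = check_code(key, flow.dst_ip, flow.dst_port)
        ok = hmac.compare_digest(expected.encode(), code.encode())
        return "release" if ok else "block"                       # S7 / S8


class RegisteredClient:
    def __init__(self, adm: AdmissionSystem, local_ip: str, public_ip: str):
        self.adm, self.public_ip = adm, public_ip
        self.key_id, self.key = adm.issue_key() if adm.register(public_ip, local_ip) else (None, None)

    def rekey(self):
        self.key_id, self.key = self.adm.issue_key(self.key_id)

    def send(self, dst_ip: str, dst_port: int, data: bytes) -> Flow:
        """S2 / S3: NAT clients prepend key ID and check code to the stream."""
        if self.key is not None:
            code = check_code(self.key, dst_ip, dst_port)
            data = TAG_PREFIX + f"{self.key_id} {code}\n".encode() + data
        return Flow(self.public_ip, dst_ip, dst_port, data)


def run_scenario() -> dict:
    """Constructed traffic: one NAT shared by a registered and an unregistered host."""
    adm = AdmissionSystem()
    nat_ip, server = "203.0.113.10", ("198.51.100.5", 443)
    good = RegisteredClient(adm, "192.168.1.20", nat_ip)               # behind NAT
    direct = RegisteredClient(adm, "198.51.100.77", "198.51.100.77")   # no NAT
    legit = good.send(*server, b"GET / HTTP/1.1\r\n")
    out = {
        "registered_nat_client": adm.decide(legit),
        "unregistered_same_nat": adm.decide(Flow(nat_ip, *server, b"GET / HTTP/1.1\r\n")),
        "replayed_tag_other_port": adm.decide(Flow(nat_ip, server[0], 8080, legit.payload)),
        "registered_non_nat": adm.decide(direct.send(*server, b"x")),
        "unknown_non_nat": adm.decide(Flow("198.51.100.99", *server, b"x")),
    }
    good.rekey()                                   # periodic key update (S1)
    out["old_tag_after_rekey"] = adm.decide(legit)
    out["new_tag_after_rekey"] = adm.decide(good.send(*server, b"x"))
    return out
```

Calling run_scenario() gives the decision for each constructed flow: the tagged flow from the registered NAT client is released; the untagged flow from an unregistered host behind the same NAT is blocked at S5; a copied tag aimed at a different destination port is blocked at S7; and after the periodic re-key the old key ID no longer resolves at S6. One property follows directly from the method as described and is worth keeping in mind when setting the update interval of step S1: the check code covers only the destination IP and port, so a host behind the same NAT that can observe a tagged flow could reuse that tag toward the same destination until the key is rotated. The periodic key update is what bounds that window, which makes the rotation interval a security parameter rather than a housekeeping detail.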
The above embodiments are illustrative of the present invention and are not intended to limit it; any simple modification of the present invention falls within its scope.

Claims (6)

1. An admission method for preventing an unregistered terminal under NAT from forging legitimate communication, characterized in that the method specifically comprises the following steps:
S1, when the terminal of a client under NAT starts up, and periodically thereafter, it requests a key from the admission system over a secure encrypted channel; the admission system generates a new key for the request and returns the key content and the key ID to the terminal; proceed to step S2;
S2, when the terminal of the registered client initiates access to the service server, the client program uses the key to compute a check code over the IP address and service port of the service server; proceed to step S3;
S3, the terminal of the registered client carries the key ID and the generated check code in the data stream of the current access to the service server; proceed to step S4;
S4, for the connection, the admission system judges whether it is a NAT data stream; if so, proceed to step S5;
S5, the admission system parses the intercepted NAT data stream and judges whether a key ID and a check code are present; if so, proceed to step S6, otherwise proceed to step S8;
S6, using the key ID, the admission system retrieves the key content and uses the key to compute the check code over the destination IP and port; proceed to step S7;
S7, the admission system judges whether the check code in the data stream is consistent with the computed check code; if so, the data stream is released, otherwise proceed to step S8;
S8, the admission system blocks the current data stream.
2. The admission method for preventing an unregistered terminal under NAT from forging legitimate communication according to claim 1, characterized in that: in step S1, before requesting a key from the admission system, the client first determines whether it is in a NAT environment, as follows: after the terminal of a registered client under NAT starts up, it sends its local IP to the admission system over a secure encrypted channel; the admission system judges whether the terminal is in a NAT environment according to whether the received local IP is consistent with the peer IP it observes for the connection, and sends the result back to the client; if the result indicates a NAT environment, the client requests a key from the admission system.
3. The admission method for preventing an unregistered terminal under NAT from forging legitimate communication according to claim 2, characterized in that: a NAT list is also established when the judgment result is sent back to the client.
4. The admission method for preventing an unregistered terminal under NAT from forging legitimate communication according to claim 3, characterized in that: in step S1, the admission system generates a new key according to the client's request and at the same time maintains a key list, returns the key content and the key ID to the terminal, and repeats this process periodically so that the key is updated periodically; proceed to step S2 on completion.
5. The admission method for preventing an unregistered terminal under NAT from forging legitimate communication according to claim 3, characterized in that: in step S4, whether the connection is a NAT data stream is determined by judging whether its source IP is in the NAT list.
6. The admission method for preventing an unregistered terminal under NAT from forging legitimate communication according to claim 1, characterized in that: in step S4, if the connection is not a NAT data stream, it is judged whether the source IP is in the release list; if so, the stream is released, otherwise proceed to step S8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011622370.0A CN112887265B (en) 2020-12-31 2020-12-31 Access method for preventing unregistered terminal from being falsified into legal communication under NAT

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011622370.0A CN112887265B (en) 2020-12-31 2020-12-31 Access method for preventing unregistered terminal from being falsified into legal communication under NAT

Publications (2)

Publication Number Publication Date
CN112887265A true CN112887265A (en) 2021-06-01
CN112887265B CN112887265B (en) 2024-03-26

Family

ID=76046482

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011622370.0A Active CN112887265B (en) 2020-12-31 2020-12-31 Access method for preventing unregistered terminal from being falsified into legal communication under NAT

Country Status (1)

Country Link
CN (1) CN112887265B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20010046990A (en) * 1999-11-17 2001-06-15 김진찬 A security method of Frame Relay Routers for Advanced Information Communication Processing System
CN101127454A (en) * 2006-08-18 2008-02-20 北京国智恒电力管理科技有限公司 Power monitoring information security access device
KR20080060010A (en) * 2006-12-26 2008-07-01 주식회사 케이티 System for controlling total access based on user terminal and method thereof
WO2008082441A1 (en) * 2006-12-29 2008-07-10 Prodea Systems, Inc. Display inserts, overlays, and graphical user interfaces for multimedia systems
WO2014075485A1 (en) * 2012-11-14 2014-05-22 中兴通讯股份有限公司 Processing method for network address translation technology, nat device and bng device
CN104580553A (en) * 2015-02-03 2015-04-29 网神信息技术(北京)股份有限公司 Identification method and device for network address translation device
CN104717316A (en) * 2015-04-03 2015-06-17 山东华软金盾软件有限公司 Client access method and system in trans-NAT environment
CN104796261A (en) * 2015-04-16 2015-07-22 长安大学 Secure access control system and method for network terminal nodes
CN106788983A (en) * 2017-03-01 2017-05-31 深圳市中博睿存信息技术有限公司 A kind of communication data encryption method and device based on customer end/server mode
CN107018134A (en) * 2017-04-06 2017-08-04 北京中电普华信息技术有限公司 A kind of distribution terminal secure accessing platform and its implementation
CN107483461A (en) * 2017-08-30 2017-12-15 北京奇安信科技有限公司 Terminal admittance control method and device under a kind of NAT environment
CN111917706A (en) * 2020-05-21 2020-11-10 西安交大捷普网络科技有限公司 Method for identifying NAT equipment and determining number of terminals behind NAT
CN111970234A (en) * 2020-06-30 2020-11-20 浙江远望信息股份有限公司 Cookie-based evidence obtaining method for NAT private network access illegal external connection equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A. AL-BAIZ et al.: "Internet access denial by higher-tier ISPS: A NAT-based solution", 2011 24th Canadian Conference on Electrical and Computer Engineering (CCECE), 29 September 2011 (2011-09-29) *
王琼; 胡建钧: "Illegal external connection monitoring scheme based on intranet scanning and intranet detection" (基于内网扫描和内网检测的非法外联监控方案), 信息通信技术 (Information and Communications Technologies), no. 06, 15 December 2008 (2008-12-15) *

Also Published As

Publication number Publication date
CN112887265B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
CN109039436B (en) Method and system for satellite security access authentication
US10356092B2 (en) Uncloneable registration of an internet of things (IoT) device in a network
EP2779574A1 (en) Attack detection and prevention using global device fingerprinting
US20090288158A1 (en) Intelligent firewall
KR20160002058A (en) Modbus Communication Pattern Learning Based Abnormal Traffic Detection Apparatus and Method
CN102231748B (en) Method and device for verifying client
CN102984031B (en) Method and device for allowing encoding equipment to be safely accessed to monitoring and control network
CN114513786A (en) 5G feeder automation access control method, device and medium based on zero trust
CN115396200A (en) Cross-platform data security management application method, device and system
CN104301437A (en) Private cloud platform based on multipoint transmission
CN115499235A (en) DNS-based zero-trust network authorization method and system
CN102025769B (en) Access method of distributed internet
CN110086806B (en) Scanning system for plant station equipment system bugs
CN109150290B (en) Satellite lightweight data transmission protection method and ground safety service system
CN114697092A (en) Data encryption control system fusing quantum encryption and zero trust
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN109040225A (en) A kind of dynamic port desktop access management method and system
US20070113087A1 (en) Computer system establishing a safe communication path
CN112887265A (en) Access method for preventing unregistered terminal from being forged to legal communication under NAT
WO2015081560A1 (en) Instant messaging client recognition method and recognition system
CN106961435B (en) access protection method and system
CN112751929B (en) Method and system for communicating with remote PLC (programmable logic controller) equipment
CN116208334A (en) Identity authentication method, system and related equipment
CN114465744A (en) Safety access method and network firewall system
CN113645196A (en) Internet of things equipment authentication method and system based on block chain and edge assistance

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
  Inventor after: Shao Senlong; Pang Zhuo; Zhao Yunong; Yang Ling; Shen Li
  Inventor before: Shao Senlong; Meng Feifei; Fu Yuhao; Yang Ling
GR01 Patent grant