CN113364729B - User authentication method based on UDP proxy protocol - Google Patents


Info

Publication number
CN113364729B
Authority
CN
China
Prior art keywords
auth
authentication
data
thread
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110376494.3A
Other languages
Chinese (zh)
Other versions
CN113364729A (en)
Inventor
冯杰
李嘉伟
周谊成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Ruilisi Technology Co ltd
Original Assignee
Suzhou Ruilisi Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Ruilisi Technology Co ltd
Priority to CN202110376494.3A
Publication of CN113364729A
Application granted
Publication of CN113364729B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/164 Adaptation or special uses of UDP protocol
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

A user authentication method based on a UDP proxy protocol includes the following steps: (1) client authentication and (2) server authentication. The authentication method provided by the invention does not delay the first UDP packet and therefore does not require additional UDP ports, which reduces UDP overhead and the processing load on the server.

Description

User authentication method based on UDP proxy protocol
Technical Field
The invention relates to the field of user authentication, and in particular to a user authentication method based on a UDP proxy protocol.
Background
In UDP-based network applications such as online games and real-time audio and video, a UDP authentication protocol can be designed for the specific service, and user authentication is usually performed when the connection is first established. In a network proxy based on the UDP protocol, however, the UDP protocol used by the proxied application is not known in advance, so the proxy cannot adapt itself to that protocol and must remain transparent to it. Existing authentication methods therefore suffer from larger transmission delay, poor service scalability, or high demands on the processing capacity of the server.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
Disclosure of Invention
To solve these technical problems, the invention provides a user authentication method based on a UDP proxy protocol, with the aim of reducing UDP overhead and the processing load on the server.
To this end, the technical scheme of the invention is as follows:
A user authentication method based on a UDP proxy protocol includes the following steps:
(1) Client authentication:
(1-1) opening a new connection, the state of which is PENDING_AUTH;
(1-2) starting an authentication thread;
(1-3) if the connection state is AUTH_FAIL, closing the connection and ending the process;
(1-4) receiving data;
(1-5) sending the message to the server, and returning to step (1-3);
(2) Server authentication:
(2-1) starting UDP listening, maintaining a mapping table Z from <source IP:source port> to <authentication state S, creation time T>;
(2-2) receiving data;
(2-3) looking up Z by source IP:source port; if no entry exists, creating a new mapping source IP:source port -> (AUTH_PENDING, current time T) and starting an authentication thread;
(2-4) if the authentication state S is AUTH_PENDING and the current time is more than 10 seconds after T, setting S to AUTH_FAILED and closing the authentication thread;
(2-5) if the authentication state S is AUTH_FAILED, returning to step (2-2);
(2-6) taking out the data;
(2-7) if (address type & 0x8f) == 0x80, handing the data to the authentication thread; otherwise processing the proxy flow.
Preferably, step (1-2) is specifically as follows:
(1-2-1) constructing the data structure of Table 2, wherein the address type is 0x80, CMD is AUTH_REQ, ID is a randomly generated 16-bit integer, and Token is data obtained from the server in advance;
(1-2-2) sending it to the server;
(1-2-3) receiving data;
(1-2-4) if no data is received within 1 s, returning to step (1-2-1) with the ID kept unchanged;
(1-2-5) comparing whether the ID of the received data equals the ID of step (1-2-1); if not, returning to step (1-2-3);
(1-2-6) if the CMD of the received data is AUTH_OK, setting the connection state to AUTH_OK; if the CMD of the received data is AUTH_FAIL, setting the connection state to AUTH_FAIL;
(1-2-7) constructing a data structure;
(1-2-8) sending the data, and closing the authentication thread.
Preferably, step (2-3) is specifically as follows:
(2-3-1) receiving and parsing the data passed from the main thread;
(2-3-2) if CMD is AUTH_REQ, recording the ID, and verifying the 20 bytes consisting of the UUID and the expiration time against the signature in the Token using the PSS mode of RSA; if verification passes, setting the authentication state S to AUTH_OK, otherwise to AUTH_FAILED;
(2-3-3) constructing a data structure and sending it to the client;
(2-3-4) receiving data passed from the main thread;
(2-3-5) if no data is received within 1 s, returning to step (2-3-3);
(2-3-6) on receiving data, if CMD is AUTH_ACK and ID is the ID recorded in step (2-3-2), closing the authentication thread; otherwise returning to step (2-3-4).
The invention has the following advantages:
the authentication method provided by the invention does not delay the first UDP packet and therefore does not require additional UDP ports, which reduces UDP overhead and the processing load on the server.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below.
The present invention will be described in further detail with reference to specific embodiments.
A user authentication method based on a UDP proxy protocol includes the following steps:
(1) Client authentication:
(1-1) opening a new connection, the state of which is PENDING_AUTH;
(1-2) starting an authentication thread, specifically as follows:
(1-2-1) constructing the data structure of Table 1, wherein the address type is 0x80, CMD is AUTH_REQ, ID is a randomly generated 16-bit integer, and Token is data obtained from the server in advance;
Table 1 is as follows:
address type (1 byte) | CMD (1 byte) | ID (2 bytes) | Token (52 bytes)
where the Token structure is as follows:
UUID (16 bytes) | Expiration time (4 bytes) | Signature (32 bytes)
Here CMD represents the control command, with the following possible values:
1: AUTH_REQ, requesting authentication;
20: AUTH_OK, authentication passed;
40: AUTH_FAIL, authentication failed;
100: AUTH_ACK, confirming receipt of the authentication reply;
and UUID is the user ID;
(1-2-2) sending it to the server;
(1-2-3) receiving data;
(1-2-4) if no data is received within 1 s, returning to step (1-2-1) with the ID kept unchanged;
(1-2-5) comparing whether the ID of the received data equals the ID of step (1-2-1); if not, returning to step (1-2-3);
(1-2-6) if the CMD of the received data is AUTH_OK, setting the connection state to AUTH_OK; if the CMD of the received data is AUTH_FAIL, setting the connection state to AUTH_FAIL;
(1-2-7) constructing a data structure as in Table 1, wherein the address type is 0x80, CMD is AUTH_ACK, ID is the ID generated in step (1-2-1), and Token is empty;
(1-2-8) sending the data, and closing the authentication thread.
(1-3) if the connection state is AUTH_FAIL, closing the connection and ending the process;
(1-4) receiving data;
(1-5) constructing the data structure shown in Table 2, sending it to the server, and returning to step (1-3);
Table 2 is as follows:
address type (1 byte) | Target address (variable length) | Target port (2 bytes) | Payload
The address type has 3 possible values:
1: the target address is an IPv4 address
3: the target address is a domain name
4: the target address is an IPv6 address
In this process, authentication packets must be distinguished from data packets. The address type occupies one byte, and the three values 1, 3 and 4 use only its lower 4 bits; so as not to enlarge the packet, this patent therefore uses the upper 4 bits of the address type as the authentication packet identifier, giving the following layout:
address type (1 byte) | CMD (1 byte) | ID (2 bytes) | Token (52 bytes)
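The packet layouts of Tables 1 and 2, the address-type test that tells them apart, and the client side of step (1-2) (as given both in the Disclosure and in this Detailed Description), written out as an added Python example. This is not code from the patent or its assignee: the ID is generated once and reused on a resend, a reply carrying any other ID is ignored, and the AUTH_ACK carries an empty Token. The function names, the length-prefixed domain-name encoding and the big-endian field order are assumptions; the patent fixes none of them.

```python
import os
import struct
from typing import Optional, Tuple

# CMD values listed under Table 1 (decimal)
AUTH_REQ, AUTH_OK, AUTH_FAIL, AUTH_ACK = 1, 20, 40, 100
# Address-type values of proxy data packets (Table 2); only the low nibble is used
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
ATYP_AUTH = 0x80          # high nibble set: authentication packet
TOKEN_LEN = 52            # UUID(16) + expiration time(4) + signature(32)


def is_auth_packet(data: bytes) -> bool:
    """The first-byte test of step (2-7): (address type & 0x8f) == 0x80."""
    return len(data) >= 1 and (data[0] & 0x8F) == 0x80


def build_auth_packet(cmd: int, msg_id: int, token: bytes = b"") -> bytes:
    """Table 1: address type (1) | CMD (1) | ID (2) | Token (52 bytes, or empty for AUTH_ACK)."""
    if token and len(token) != TOKEN_LEN:
        raise ValueError("token must be exactly 52 bytes")
    return struct.pack("!BBH", ATYP_AUTH, cmd, msg_id) + token


def parse_auth_packet(data: bytes) -> Tuple[int, int, bytes]:
    """Return (CMD, ID, Token); raise ValueError for anything malformed."""
    if not is_auth_packet(data) or len(data) < 4:
        raise ValueError("not a well-formed authentication packet")
    _, cmd, msg_id = struct.unpack("!BBH", data[:4])
    token = data[4:]
    if token and len(token) != TOKEN_LEN:
        raise ValueError("bad token length")
    return cmd, msg_id, token


def parse_data_packet(data: bytes) -> Tuple[int, bytes, int, bytes]:
    """Table 2: address type (1) | target address (variable) | target port (2) | payload."""
    if not data or is_auth_packet(data):
        raise ValueError("not a data packet")
    atyp = data[0]
    if atyp == ATYP_IPV4:
        off, alen = 1, 4
    elif atyp == ATYP_IPV6:
        off, alen = 1, 16
    elif atyp == ATYP_DOMAIN:
        # Assumption: a length-prefixed domain name as in SOCKS5; the patent does not fix this.
        if len(data) < 2:
            raise ValueError("truncated domain length")
        off, alen = 2, data[1]
    else:
        raise ValueError("unknown address type %d" % atyp)
    addr, rest = data[off:off + alen], data[off + alen:]
    if len(addr) != alen or len(rest) < 2:
        raise ValueError("truncated address or port")
    return atyp, addr, struct.unpack("!H", rest[:2])[0], rest[2:]


class ClientAuth:
    """Client side of step (1-2): one ID per authentication attempt, reused on every resend."""

    def __init__(self, token: bytes, msg_id: Optional[int] = None):
        self.token = token
        # Step (1-2-1): a random 16-bit ID; a fixed one may be supplied for tests
        self.msg_id = msg_id if msg_id is not None else struct.unpack("!H", os.urandom(2))[0]
        self.state = "PENDING_AUTH"   # step (1-1)

    def request(self) -> bytes:
        # Steps (1-2-1)/(1-2-4): the resend after 1 s carries the same ID
        return build_auth_packet(AUTH_REQ, self.msg_id, self.token)

    def on_reply(self, data: bytes) -> Optional[bytes]:
        """Steps (1-2-5)..(1-2-8): return the AUTH_ACK to send, or None to keep waiting."""
        try:
            cmd, msg_id, _ = parse_auth_packet(data)
        except ValueError:
            return None
        if msg_id != self.msg_id:        # step (1-2-5): a stale or foreign reply is ignored
            return None
        if cmd == AUTH_OK:
            self.state = "AUTH_OK"
        elif cmd == AUTH_FAIL:
            self.state = "AUTH_FAIL"
        else:
            return None
        # Step (1-2-7): same layout, CMD AUTH_ACK, same ID, empty Token
        return build_auth_packet(AUTH_ACK, self.msg_id)
```

The 1 s resend timer of step (1-2-4) is left to the caller: it calls `request()` again with the same object, so the ID does not change. Because the address-type byte is the only discriminator, a malformed first byte is rejected by both parsers rather than being guessed at.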
(2) Server authentication:
(2-1) starting UDP listening, maintaining a mapping table Z from <source IP:source port> to <authentication state S, creation time T>;
(2-2) receiving data;
(2-3) looking up Z by source IP:source port; if no entry exists, creating a new mapping source IP:source port -> (AUTH_PENDING, i.e. waiting for authentication, current time T) and starting an authentication thread, specifically as follows:
(2-3-1) receiving and parsing the data passed from the main thread;
(2-3-2) if CMD is AUTH_REQ, recording the ID, and verifying the 20 bytes consisting of the UUID and the expiration time against the signature in the Token using the PSS mode of RSA; if verification passes, setting the authentication state S to AUTH_OK, otherwise to AUTH_FAILED;
(2-3-3) constructing a data structure as in Table 1, wherein CMD is the current value of the authentication state S and ID is the ID recorded in step (2-3-2), and sending it to the client;
(2-3-4) receiving data passed from the main thread;
(2-3-5) if no data is received within 1 s, returning to step (2-3-3);
(2-3-6) on receiving data, if CMD is AUTH_ACK and ID is the ID recorded in step (2-3-2), closing the authentication thread; otherwise returning to step (2-3-4).
(2-4) if the authentication state S is AUTH_PENDING and the current time is more than 10 seconds after T, setting S to AUTH_FAILED and closing the authentication thread;
(2-5) if the authentication state S is AUTH_FAILED, returning to step (2-2);
(2-6) taking out the data;
(2-7) if (address type & 0x8f) == 0x80, handing the data to the authentication thread; otherwise processing the proxy flow.
In this way, the user authentication method based on a UDP proxy protocol provided by the invention does not delay the first UDP packet and therefore does not require additional UDP ports, which reduces UDP overhead and the processing load on the server.
The foregoing is merely a preferred embodiment of the user authentication method based on a UDP proxy protocol disclosed in the present invention. It should be noted that those skilled in the art can make several variations and modifications without departing from the inventive concept of the present invention, and these fall within its protection scope.
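The server side of steps (2-3) to (2-7), as described here and in the Disclosure, as an added Python example that is not code from the patent. It keeps the table Z keyed by (source IP, source port), applies the 10-second AUTH_PENDING timeout, hands packets whose address type satisfies & 0x8f == 0x80 to the authentication logic, and proxies everything else. Two points a defender should take from the steps as written: data packets are forwarded while the state is still AUTH_PENDING, so up to 10 seconds of traffic from a source may be proxied before its token has been verified; and an RSA-PSS signature is as long as the RSA modulus (256 bytes for RSA-2048), so it cannot fit the 32-byte Signature field of the Token as specified. The signature check is therefore injected as a callback, and the HMAC-SHA256 stand-in, the demo key, the reading of the expiration time as a Unix timestamp and the rejection of expired tokens are all constructed assumptions of this example; a deployment would substitute its crypto library's RSA-PSS verification. The authentication thread is modelled as event-driven: the reply is resent when the client's retry arrives rather than on the 1 s timer of step (2-3-5).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# CMD values and authentication states S as named in the patent
AUTH_REQ, AUTH_OK, AUTH_FAIL, AUTH_ACK = 1, 20, 40, 100
PENDING, OK, FAILED = "AUTH_PENDING", "AUTH_OK", "AUTH_FAILED"
AUTH_TIMEOUT = 10.0       # step (2-4): seconds a source may remain AUTH_PENDING
ATYP_AUTH = 0x80          # high nibble set marks an authentication packet
TOKEN_LEN = 52            # UUID(16) + expiration time(4) + signature(32)

# verify(signed_20_bytes, signature_32_bytes) -> bool. The patent specifies RSA-PSS;
# the check is injected so the table logic does not depend on a crypto library.
Verifier = Callable[[bytes, bytes], bool]


@dataclass
class Session:
    state: str                    # S
    created: float                # T
    req_id: Optional[int] = None  # ID recorded in step (2-3-2)
    reply: bytes = b""            # reply built in step (2-3-3), resent until acknowledged
    acked: bool = False           # authentication thread closed by step (2-3-6)


class ServerAuth:
    def __init__(self, verify: Verifier):
        self.verify = verify
        self.table: Dict[Tuple[str, int], Session] = {}   # Z: (ip, port) -> (S, T, ...)

    def on_packet(self, src: Tuple[str, int], data: bytes, now: float):
        """Main-thread steps (2-3)..(2-7) for one datagram.
        Returns ("reply", bytes), ("proxy", bytes) or ("drop", reason)."""
        s = self.table.get(src)
        if s is None:                                        # step (2-3): unknown source
            s = self.table[src] = Session(PENDING, now)
        if s.state == PENDING and now - s.created > AUTH_TIMEOUT:
            s.state = FAILED                                 # step (2-4): authentication too slow
        if s.state == FAILED:
            return ("drop", "source marked AUTH_FAILED")     # step (2-5)
        if data and (data[0] & 0x8F) == 0x80:                # step (2-7): authentication packet
            return self._auth_thread(s, data, now)
        # As specified, data is proxied while still AUTH_PENDING: the first packet is
        # never held back, so traffic flows before the token has been verified.
        return ("proxy", data)

    def _auth_thread(self, s: Session, data: bytes, now: float):
        """Steps (2-3-1)..(2-3-6), driven by arriving packets instead of a 1 s timer."""
        if len(data) < 4:
            return ("drop", "truncated authentication packet")
        _, cmd, msg_id = struct.unpack("!BBH", data[:4])
        if cmd == AUTH_REQ and s.req_id is None:             # step (2-3-2): first request
            s.req_id = msg_id
            s.state = OK if self._token_ok(data[4:], now) else FAILED
            s.reply = struct.pack("!BBH", ATYP_AUTH, AUTH_OK if s.state == OK else AUTH_FAIL, msg_id)
            return ("reply", s.reply)                        # step (2-3-3)
        if cmd == AUTH_REQ and msg_id == s.req_id and not s.acked:
            return ("reply", s.reply)                        # client retry: resend, do not re-verify
        if cmd == AUTH_ACK and msg_id == s.req_id:
            s.acked = True                                   # step (2-3-6): close the auth thread
            return ("drop", "auth acknowledged")
        return ("drop", "unexpected authentication packet")  # steps (2-3-4)/(2-3-6): keep waiting

    def _token_ok(self, token: bytes, now: float) -> bool:
        if len(token) != TOKEN_LEN:
            return False
        signed, sig = token[:20], token[20:]                 # UUID(16)+expiry(4) | signature(32)
        expiry = struct.unpack("!I", token[16:20])[0]
        # Assumption: expiry is a Unix timestamp; the patent only states that it is signed.
        if expiry <= now:
            return False
        return self.verify(signed, sig)


# Constructed stand-in for the verifier: an HMAC-SHA256 tag is 32 bytes and so fits the
# Signature field of the Token; a real deployment would verify an RSA-PSS signature here.
DEMO_KEY = b"constructed-demo-key"


def demo_token(uuid: bytes, expiry: int) -> bytes:
    signed = uuid + struct.pack("!I", expiry)
    return signed + hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()


def demo_verify(signed: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(DEMO_KEY, signed, hashlib.sha256).digest(), sig)
```

Note that the patent never removes entries from Z; a practitioner would add eviction of AUTH_FAILED and idle AUTH_OK entries, since every new source address costs a table entry before any credential has been checked.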

Claims (1)

1. A user authentication method based on the UDP proxy protocol, characterized by comprising the following steps:
1. client authentication:
1-1, opening a new connection, the state of which is PENDING_AUTH;
1-2, starting an authentication thread, specifically as follows:
1-2-1, constructing the data structure of Table 2, wherein the address type is 0x80, CMD is AUTH_REQ, ID is a randomly generated 16-bit integer, and Token is data obtained from the server in advance;
1-2-2, sending it to the server;
1-2-3, receiving data;
1-2-4, if no data is received within 1 s, returning to step 1-2-1 with the ID kept unchanged;
1-2-5, comparing whether the ID of the received data equals the ID of step 1-2-1; if not, returning to step 1-2-3;
1-2-6, if the CMD of the received data is AUTH_OK, setting the connection state to AUTH_OK; if the CMD of the received data is AUTH_FAIL, setting the connection state to AUTH_FAIL;
1-2-7, constructing a data structure;
1-2-8, sending the data, and closing the authentication thread;
1-3, if the connection state is AUTH_FAIL, closing the connection and ending the process;
1-4, receiving data;
1-5, sending the message to the server, and returning to step 1-3;
2. server authentication:
2-1, starting UDP listening, maintaining a mapping table Z from <source IP:source port> to <authentication state S, creation time T>;
2-2, receiving data;
2-3, looking up Z by source IP:source port; if no entry exists, creating a new mapping source IP:source port -> (AUTH_PENDING, i.e. waiting for authentication, current time T) and starting an authentication thread, specifically as follows:
2-3-1, receiving and parsing the data passed from the main thread;
2-3-2, if CMD is AUTH_REQ, recording the ID, and verifying the 20 bytes formed from the UUID and the expiration time against the signature in the Token using the PSS mode of RSA; if verification passes, setting the authentication state S to AUTH_OK, otherwise to AUTH_FAILED;
2-3-3, constructing a data structure and sending it to the client;
2-3-4, receiving data passed from the main thread;
2-3-5, if no data is received within 1 s, returning to step 2-3-3;
2-3-6, on receiving data, if CMD is AUTH_ACK and ID is the ID recorded in step 2-3-2, closing the authentication thread; otherwise returning to step 2-3-4;
2-4, if the authentication state S is AUTH_PENDING and the current time is more than 10 seconds after T, setting S to AUTH_FAILED and closing the authentication thread;
2-5, if the authentication state S is AUTH_FAILED, returning to step 2-2;
2-6, taking out the data;
2-7, if (address type & 0x8f) == 0x80, passing the data to the authentication thread for processing; otherwise processing the proxy flow.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110376494.3A CN113364729B (en) 2021-04-07 2021-04-07 User authentication method based on UDP proxy protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110376494.3A CN113364729B (en) 2021-04-07 2021-04-07 User authentication method based on UDP proxy protocol

Publications (2)

Publication Number Publication Date
CN113364729A CN113364729A (en) 2021-09-07
CN113364729B true CN113364729B (en) 2023-11-21

Family

ID=77525187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110376494.3A Active CN113364729B (en) 2021-04-07 2021-04-07 User authentication method based on UDP proxy protocol

Country Status (1)

Country Link
CN (1) CN113364729B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882865A (en) * 2012-09-19 2013-01-16 上海美琦浦悦通讯科技有限公司 Method for realizing multimedia agency service control on basis of socks5 agency agreement
CN104852919A (en) * 2015-05-14 2015-08-19 杭州华三通信技术有限公司 Method and apparatus for realizing portal authentication
CN106209897A (en) * 2016-07-28 2016-12-07 重庆邮电大学 A kind of software defined network distributed many Task-size Controlling device safety communicating method based on agency
CN110719248A (en) * 2018-07-12 2020-01-21 中移(杭州)信息技术有限公司 Method and device for forwarding user datagram protocol message
CN111355695A (en) * 2018-12-24 2020-06-30 中移(杭州)信息技术有限公司 Security agent method and device
CN111835758A (en) * 2020-07-10 2020-10-27 四川长虹电器股份有限公司 Honeypot attacker tracing method based on TCP/UDP transparent proxy
CN111935187A (en) * 2020-10-12 2020-11-13 南京云信达科技有限公司 Data access method and device
CN111984958A (en) * 2020-08-06 2020-11-24 成都安恒信息技术有限公司 Authentication method supporting VNC double factors

Also Published As

Publication number Publication date
CN113364729A (en) 2021-09-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant