CN113364729B - User authentication method based on UDP proxy protocol - Google Patents
- Publication number: CN113364729B (application CN202110376494.3A)
- Authority: CN (China)
- Prior art keywords: auth, authentication, data, thread, state
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
          - H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
      - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        - H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
          - H04L69/164—Adaptation or special uses of UDP protocol
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
A user authentication method based on a UDP proxy protocol comprises the following steps: (1) client authentication and (2) server authentication. The authentication method provided by the invention does not delay the first UDP packet and needs no additional UDP ports, so that UDP overhead and the processing load on the server are reduced.
Description
Technical Field
The invention relates to the field of user authentication, in particular to a user authentication method based on a UDP proxy protocol.
Background
In UDP-based network applications such as online games and real-time audio and video, a UDP authentication protocol can be designed for the specific service, and user authentication is usually performed when the connection is established. In a network proxy based on UDP, however, the protocol used by the proxied application is unpredictable, and the proxy cannot adapt to that protocol without giving up protocol transparency. Existing authentication methods therefore suffer from larger transmission delay, hinder the scaling of the service, or place higher demands on the processing capacity of the server.
The information disclosed in this background section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
Disclosure of Invention
To solve the above technical problems, the invention provides a user authentication method based on a UDP proxy protocol, with the aim of reducing UDP overhead and the processing load on the server.
To this end, the technical scheme of the invention is as follows:
A user authentication method based on a UDP proxy protocol comprises the following steps:
(1) Client authentication:
(1-1) open a new connection whose state is PENDING_AUTH;
(1-2) start an authentication thread;
(1-3) if the connection state is AUTH_FAIL, close the connection and end the process;
(1-4) receive data;
(1-5) send the message to the server and return to step (1-3);
(2) Server authentication:
(2-1) start UDP listening and maintain a mapping table Z from <source IP : source port> to <authentication state S, creation time T>;
(2-2) receive data;
(2-3) look up Z by <source IP : source port>; if there is no entry, create a new mapping <source IP : source port> -> <AUTH_PENDING, current time T> and start an authentication thread;
(2-4) if the authentication state S is AUTH_PENDING and the current time exceeds T by more than 10 seconds, set S to AUTH_FAILED and close the authentication thread;
(2-5) if the authentication state S is AUTH_FAILED, return to step (2-2);
(2-6) take out the data;
(2-7) if (address type & 0x8f) == 0x80, hand the data to the authentication thread; otherwise process it in the proxy flow.
Preferably, step (1-2) is specifically as follows:
(1-2-1) construct the data structure of Table 1, in which the address type is 0x80, CMD is AUTH_REQ, ID is a randomly generated 16-bit integer, and Token is data obtained from the server in advance;
(1-2-2) send it to the server;
(1-2-3) receive data;
(1-2-4) if no data is received within 1 s, return to step (1-2-1), keeping the ID unchanged;
(1-2-5) compare whether the ID of the received data equals the ID generated in step (1-2-1); if not, return to step (1-2-3);
(1-2-6) if the CMD of the received data is AUTH_OK, set the connection state to AUTH_OK; if it is AUTH_FAIL, set the connection state to AUTH_FAIL;
(1-2-7) construct a data structure;
(1-2-8) send it and close the authentication thread.
Preferably, step (2-3) is specifically as follows:
(2-3-1) receive and parse the data passed from the main thread;
(2-3-2) if the CMD is AUTH_REQ, record the ID and, using RSA in PSS mode, verify the 20 bytes consisting of the UUID and the expiration time against the Signature in the Token; if verification passes, set the authentication state S to AUTH_OK, otherwise to AUTH_FAILED;
(2-3-3) construct a data structure and send it to the client;
(2-3-4) receive data passed from the main thread;
(2-3-5) if no data is received within 1 s, return to step (2-3-3);
(2-3-6) if the received data has CMD AUTH_ACK and its ID is the ID recorded in step (2-3-2), close the authentication thread; otherwise return to step (2-3-4).
The invention has the following advantages:
the authentication method provided by the invention does not delay the first UDP packet and needs no additional UDP ports, so that UDP overhead and the processing load on the server are reduced.
Detailed Description
The technical solution in the embodiments of the present invention is described below clearly and completely.
The present invention is described in further detail with reference to the following examples and embodiments.
A user authentication method based on a UDP proxy protocol comprises the following steps:
(1) Client authentication:
(1-1) open a new connection whose state is PENDING_AUTH;
(1-2) start an authentication thread, which proceeds as follows:
(1-2-1) construct the data structure of Table 1, in which the address type is 0x80, CMD is AUTH_REQ, ID is a randomly generated 16-bit integer, and Token is data obtained from the server in advance;
Table 1 is as follows:
address type (1 byte) | CMD (1 byte) | ID (2 bytes) | Token (52 bytes)
and the Token structure is as follows:
UUID (16 bytes) | Expiration time (4 bytes) | Signature (32 bytes)
CMD is the control command; its possible values are:
1: AUTH_REQ, request authentication;
20: AUTH_OK, authentication passed;
40: AUTH_FAIL, authentication failed;
100: AUTH_ACK, confirm receipt of the authentication reply;
UUID is the user ID;
(1-2-2) send it to the server;
(1-2-3) receive data;
(1-2-4) if no data is received within 1 s, return to step (1-2-1), keeping the ID unchanged;
(1-2-5) compare whether the ID of the received data equals the ID generated in step (1-2-1); if not, return to step (1-2-3);
(1-2-6) if the CMD of the received data is AUTH_OK, set the connection state to AUTH_OK; if it is AUTH_FAIL, set the connection state to AUTH_FAIL;
(1-2-7) construct a data structure as in Table 1, in which the address type is 0x80, CMD is AUTH_ACK, ID is the ID generated in step (1-2-1), and Token is empty;
(1-2-8) send it and close the authentication thread.
(1-3) if the connection state is AUTH_FAIL, close the connection and end the process;
(1-4) receive data;
(1-5) construct the data structure of Table 2, send it to the server, and return to step (1-3);
Table 2 is as follows:
address type (1 byte) | Target address (variable length) | Target port (2 bytes) | Payload
The address type has 3 possible values:
1: the target address is an IPv4 address
3: the target address is a domain name
4: the target address is an IPv6 address
In this process the authentication packet must be distinguished from the data packet. The address type occupies one byte, and the three values 1, 3 and 4 use only the lower 4 bits of that byte. So as not to enlarge the packet, the high 4 bits of the address type are used as the authentication-packet identifier, giving the authentication packet the following layout:
address type (1 byte) | CMD (1 byte) | ID (2 bytes) | Token (52 bytes)
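The two packet layouts above and the address-type test of step (2-7), as an added Go example that is not code from the patent: it encodes and decodes the Table 1 authentication packet and the Table 2 data packet and classifies a datagram the way the server's main thread does. The page does not say how the length of a domain-name target is carried, so a one-byte length prefix (the SOCKS5 convention) is assumed; the constant and function names are the example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Address-type values of Table 2, the value that marks a Table 1 authentication packet, and the
// CMD codes of Table 1.
const (
	AddrIPv4, AddrDomain, AddrIPv6 byte = 1, 3, 4
	AuthMarker                     byte = 0x80
	CmdAuthReq, CmdAuthOK, CmdAuthFail, CmdAuthAck byte = 1, 20, 40, 100
)

// IsAuthPacket is the step (2-7) test. The mask 0x8f looks only at bit 7 and the low nibble,
// so 1, 3 and 4 never match, 0x80 always does, and bits 4 to 6 are ignored (0xF0 also matches).
func IsAuthPacket(pkt []byte) bool {
	return len(pkt) > 0 && pkt[0]&0x8f == AuthMarker
}

// EncodeAuth builds Table 1: address type 0x80 | CMD (1 byte) | ID (2 bytes) | Token.
func EncodeAuth(cmd byte, id uint16, token []byte) []byte {
	return append([]byte{AuthMarker, cmd, byte(id >> 8), byte(id)}, token...)
}

// DecodeAuth splits a Table 1 packet; the Token is empty in AUTH_OK, AUTH_FAIL and AUTH_ACK.
func DecodeAuth(pkt []byte) (cmd byte, id uint16, token []byte, err error) {
	if !IsAuthPacket(pkt) || len(pkt) < 4 {
		return 0, 0, nil, errors.New("not a complete authentication packet")
	}
	return pkt[1], binary.BigEndian.Uint16(pkt[2:4]), pkt[4:], nil
}

// EncodeProxy builds Table 2: address type | target address | target port (2 bytes) | payload.
// The page does not say how the length of a domain name is carried; this example assumes a
// one-byte length prefix, the SOCKS5 convention.
func EncodeProxy(host string, port uint16, payload []byte) ([]byte, error) {
	var p []byte
	if ip := net.ParseIP(host); ip == nil {
		if len(host) > 255 {
			return nil, errors.New("domain name longer than 255 bytes")
		}
		p = append([]byte{AddrDomain, byte(len(host))}, host...)
	} else if ip4 := ip.To4(); ip4 != nil {
		p = append([]byte{AddrIPv4}, ip4...)
	} else {
		p = append([]byte{AddrIPv6}, ip.To16()...)
	}
	p = append(p, byte(port>>8), byte(port))
	return append(p, payload...), nil
}

// DecodeProxy parses Table 2. Truncated packets and unknown address types are errors, so a
// datagram that is neither a valid data packet nor an authentication packet is dropped.
func DecodeProxy(pkt []byte) (host string, port uint16, payload []byte, err error) {
	if len(pkt) == 0 {
		return "", 0, nil, errors.New("empty packet")
	}
	var addrLen int
	switch pkt[0] {
	case AddrIPv4:
		addrLen = 4
	case AddrIPv6:
		addrLen = 16
	case AddrDomain:
		if len(pkt) < 2 {
			return "", 0, nil, errors.New("truncated domain-name length")
		}
		addrLen = 1 + int(pkt[1])
	default:
		return "", 0, nil, fmt.Errorf("unknown address type 0x%02x", pkt[0])
	}
	if len(pkt) < 1+addrLen+2 {
		return "", 0, nil, errors.New("truncated target address or port")
	}
	addr := pkt[1 : 1+addrLen]
	if pkt[0] == AddrDomain {
		host = string(addr[1:])
	} else {
		host = net.IP(addr).String()
	}
	port = binary.BigEndian.Uint16(pkt[1+addrLen:])
	return host, port, pkt[1+addrLen+2:], nil
}

func main() {
	data, _ := EncodeProxy("203.0.113.9", 53, []byte("payload")) // constructed sample
	host, port, payload, err := DecodeProxy(data)
	fmt.Printf("data packet: auth=%v %s:%d %q err=%v\n", IsAuthPacket(data), host, port, payload, err)
	cmd, id, tok, err := DecodeAuth(EncodeAuth(CmdAuthReq, 0x1234, make([]byte, 52)))
	fmt.Printf("auth packet: CMD=%d ID=0x%04x Token=%d bytes err=%v\n", cmd, id, len(tok), err)
}
```

Because the mask is 0x8f rather than 0xf0, a first byte of 0x90 or 0xF0 still counts as an authentication packet (bits 4 to 6 are ignored), while 0x81 matches neither the authentication test nor a valid Table 2 address type; DecodeProxy rejects it, which is what the server should do rather than forward it.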
(2) Server authentication:
(2-1) start UDP listening and maintain a mapping table Z from <source IP : source port> to <authentication state S, creation time T>;
(2-2) receive data;
(2-3) look up Z by <source IP : source port>; if there is no entry, create a new mapping <source IP : source port> -> <AUTH_PENDING (waiting for authentication), current time T> and start an authentication thread, which proceeds as follows:
(2-3-1) receive and parse the data passed from the main thread;
(2-3-2) if the CMD is AUTH_REQ, record the ID and, using RSA in PSS mode, verify the 20 bytes consisting of the UUID and the expiration time against the Signature in the Token; if verification passes, set the authentication state S to AUTH_OK, otherwise to AUTH_FAILED;
(2-3-3) construct a data structure as in Table 1, in which CMD is the current value of the authentication state S and ID is the ID recorded in step (2-3-2), and send it to the client;
(2-3-4) receive data passed from the main thread;
(2-3-5) if no data is received within 1 s, return to step (2-3-3);
(2-3-6) if the received data has CMD AUTH_ACK and its ID is the ID recorded in step (2-3-2), close the authentication thread; otherwise return to step (2-3-4).
(2-4) if the authentication state S is AUTH_PENDING and the current time exceeds T by more than 10 seconds, set S to AUTH_FAILED and close the authentication thread;
(2-5) if the authentication state S is AUTH_FAILED, return to step (2-2);
(2-6) take out the data;
(2-7) if (address type & 0x8f) == 0x80, hand the data to the authentication thread; otherwise process it in the proxy flow.
In this way, the user authentication method based on a UDP proxy protocol provided by the invention does not delay the first UDP packet and needs no additional UDP ports, so that UDP overhead and the processing load on the server are reduced.
The foregoing is merely a preferred embodiment of the user authentication method based on a UDP proxy protocol disclosed in the present invention. Those skilled in the art can make variations and modifications without departing from the inventive concept of the present invention, and these fall within the scope of protection of the present invention.
Claims (1)
1. A user authentication method based on a UDP proxy protocol, characterized by comprising the following steps:
1. client authentication:
1-1, open a new connection whose state is PENDING_AUTH;
1-2, start an authentication thread, which proceeds as follows:
1-2-1, construct the data structure of Table 1, in which the address type is 0x80, CMD is AUTH_REQ, ID is a randomly generated 16-bit integer, and Token is data obtained from the server in advance;
1-2-2, send it to the server;
1-2-3, receive data;
1-2-4, if no data is received within 1 s, return to step 1-2-1, keeping the ID unchanged;
1-2-5, compare whether the ID of the received data equals the ID generated in step 1-2-1; if not, return to step 1-2-3;
1-2-6, if the CMD of the received data is AUTH_OK, set the connection state to AUTH_OK; if it is AUTH_FAIL, set the connection state to AUTH_FAIL;
1-2-7, construct a data structure;
1-2-8, send the data and close the authentication thread;
1-3, if the connection state is AUTH_FAIL, close the connection and end the process;
1-4, receive data;
1-5, send the message to the server and return to step 1-3;
2. server authentication:
2-1, start UDP listening and maintain a mapping table Z from <source IP : source port> to <authentication state S, creation time T>;
2-2, receive data;
2-3, look up Z by <source IP : source port>; if there is no entry, create a new mapping <source IP : source port> -> <AUTH_PENDING (waiting for authentication), current time T> and start an authentication thread, which proceeds as follows:
2-3-1, receive and parse the data passed from the main thread;
2-3-2, if the CMD is AUTH_REQ, record the ID and, using RSA in PSS mode, verify the 20 bytes formed by the UUID and the expiration time against the Signature in the Token; if verification passes, set the authentication state S to AUTH_OK, otherwise to AUTH_FAILED;
2-3-3, construct a data structure and send it to the client;
2-3-4, receive data passed from the main thread;
2-3-5, if no data is received within 1 s, return to step 2-3-3;
2-3-6, if the received data has CMD AUTH_ACK and its ID is the ID recorded in step 2-3-2, close the authentication thread; otherwise return to step 2-3-4;
2-4, if the authentication state S is AUTH_PENDING and the current time exceeds T by more than 10 seconds, set S to AUTH_FAILED and close the authentication thread;
2-5, if the authentication state S is AUTH_FAILED, return to step 2-2;
2-6, take out the data;
2-7, if (address type & 0x8f) == 0x80, pass the data to the authentication thread for processing; otherwise process it in the proxy flow.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110376494.3A CN113364729B (en) | 2021-04-07 | 2021-04-07 | User authentication method based on UDP proxy protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110376494.3A CN113364729B (en) | 2021-04-07 | 2021-04-07 | User authentication method based on UDP proxy protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113364729A CN113364729A (en) | 2021-09-07 |
CN113364729B true CN113364729B (en) | 2023-11-21 |
Family
ID=77525187
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110376494.3A Active CN113364729B (en) | 2021-04-07 | 2021-04-07 | User authentication method based on UDP proxy protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113364729B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102882865A (en) * | 2012-09-19 | 2013-01-16 | 上海美琦浦悦通讯科技有限公司 | Method for realizing multimedia agency service control on basis of socks5 agency agreement |
CN104852919A (en) * | 2015-05-14 | 2015-08-19 | 杭州华三通信技术有限公司 | Method and apparatus for realizing portal authentication |
CN106209897A (en) * | 2016-07-28 | 2016-12-07 | 重庆邮电大学 | A kind of software defined network distributed many Task-size Controlling device safety communicating method based on agency |
CN110719248A (en) * | 2018-07-12 | 2020-01-21 | 中移(杭州)信息技术有限公司 | Method and device for forwarding user datagram protocol message |
CN111355695A (en) * | 2018-12-24 | 2020-06-30 | 中移(杭州)信息技术有限公司 | Security agent method and device |
CN111835758A (en) * | 2020-07-10 | 2020-10-27 | 四川长虹电器股份有限公司 | Honeypot attacker tracing method based on TCP/UDP transparent proxy |
CN111935187A (en) * | 2020-10-12 | 2020-11-13 | 南京云信达科技有限公司 | Data access method and device |
CN111984958A (en) * | 2020-08-06 | 2020-11-24 | 成都安恒信息技术有限公司 | Authentication method supporting VNC double factors |
Events
- 2021-04-07: CN application CN202110376494.3A filed (patent CN113364729B, status Active)
Also Published As
Publication number | Publication date |
---|---|
CN113364729A (en) | 2021-09-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210084537A1 (en) | Load balance method and apparatus thereof | |
JP6858749B2 (en) | Devices and methods for establishing connections in load balancing systems | |
EP2974202B1 (en) | Identification of originating ip address and client port connection | |
US9350829B2 (en) | Transparent bridging of transmission control protocol (TCP) connections | |
US7212527B2 (en) | Method and apparatus for communicating using labeled data packets in a network | |
US7436833B2 (en) | Communication system, router, method of communication, method of routing, and computer program product | |
US9571286B2 (en) | Authenticating the identity of initiators of TCP connections | |
US20070064737A1 (en) | Receive coalescing and automatic acknowledge in network interface controller | |
CN112468518B (en) | Access data processing method and device, storage medium and computer equipment | |
US8706889B2 (en) | Mitigating connection identifier collisions in a communication network | |
CN113364729B (en) | User authentication method based on UDP proxy protocol | |
CN106101297B (en) | A kind of message answer method and device | |
US20220046118A1 (en) | Transparent Proxy Conversion of Transmission Control Protocol (TCP) Fast Open Connection | |
TWM541160U (en) | Apparatus for blocking network and computer-readable medium | |
US20110216770A1 (en) | Method and apparatus for routing network packets and related packet processing circuit | |
CN113992410B (en) | Private encrypted data identification method and system | |
CN111092911B (en) | Network agent realizing method for enhancing safety | |
JP7158826B2 (en) | COMMUNICATION CONTROL DEVICE, COMMUNICATION CONTROL SYSTEM AND COMMUNICATION CONTROL METHOD | |
CN113273140A (en) | System and method for managing network communication sessions | |
US6671264B1 (en) | Method for detecting invalid packets by assigning super-transaction identifiers | |
CN114553938B (en) | Communication message processing method and device, electronic equipment and storage medium | |
US9363226B2 (en) | Method for double IP address recovery | |
EP3541042A1 (en) | Method and apparatus for generating log on basis of packet collection for each session in big data system | |
KR20230050795A (en) | Method and Apparatus for countering DDoS attacks in NDN Network | |
US20200204630A1 (en) | Systems and methods for managing networked communication sessions |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||