CN113904826B - Data transmission method, device, equipment and storage medium - Google Patents


Info

Publication number
CN113904826B
Authority
CN
China
Prior art keywords
terminal
port
data
knocking
verification
Prior art date
Legal status
Active
Application number
CN202111151014.XA
Other languages
Chinese (zh)
Other versions
CN113904826A (en)
Inventor
秦义波
何春林
姜楠
黄家豪
齐向东
吴云坤
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN202111151014.XA
Publication of CN113904826A
Application granted
Publication of CN113904826B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application provides a data transmission method, a device, equipment and a storage medium. The method comprises the following steps: receiving a knock request from a terminal to a target port; performing a first port knock verification on the terminal according to the knock request; when the terminal passes the first port knock verification, opening the target port and receiving a data transmission request from the terminal to the target port; and performing a second port knock verification on the terminal according to the data transmission request, and forwarding the data transmission request to a server through the target port when the terminal passes the second port knock verification. With this method and device, the firewall rules are changed dynamically only after a knock packet from an authorized terminal has been received, and only then is the terminal allowed to establish a connection to the server, so that only authorized terminals can access the server's service normally and the security of data access is improved.

Description

Data transmission method, device, equipment and storage medium
Technical Field
The present invention relates to the field of information processing technologies, and in particular, to a data transmission method, apparatus, device, and storage medium.
Background
In a computer network, a server provides services to the outside through a port. However, once a port is exposed to the outside, an attacker can scan the server and launch a series of attacks, such as DoS (Denial of Service) attacks, so that the server can no longer provide its services normally. For example, once an attacker has scanned the type of service provided, attacks on known vulnerabilities of that service type can be launched; since a server can hardly be kept at the latest version at all times, and there are also problems such as 0-day vulnerabilities, a server that directly exposes its port faces a serious security risk.
A common way to deal with the above problems is to use firewall rules, such as iptables (the IP packet filtering system), to restrict the permitted sources and destinations. Managing these rules statically, however, is a task that is almost impossible to accomplish in today's age of remote work and networks available everywhere, and it entails a huge management effort.
Disclosure of Invention
The embodiments of the application aim to provide a data transmission method, a device, equipment and a storage medium in which the firewall rules are changed dynamically only after a knock packet from an authorized terminal has been received, and only then is the terminal allowed to establish a connection to the server, so that only authorized terminals can access the server's service normally and the security of data access is improved.
A first aspect of the embodiments of the present application provides a data transmission method, including: receiving a knock request from a terminal to a target port; performing a first port knock verification on the terminal according to the knock request; when the terminal passes the first port knock verification, opening the target port and receiving a data transmission request from the terminal to the target port; and performing a second port knock verification on the terminal according to the data transmission request, and forwarding the data transmission request to a server through the target port when the terminal passes the second port knock verification.
In an embodiment, performing the first port knock verification on the terminal according to the knock request includes: extracting from the knock request the knock data sent by the terminal to the target port, where the knock data carries an authorization key identifier of the terminal; decrypting the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data; and performing the first port knock verification on the terminal according to the knock plaintext data.
In an embodiment, performing the second port knock verification on the terminal according to the data transmission request includes: extracting from the data transmission request the knock data sent by the terminal to the target port, where the knock data carries an authorization key identifier of the terminal; decrypting the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data; and performing the second port knock verification on the terminal according to the knock plaintext data.
In an embodiment, the knock plaintext data includes unique identification information of the terminal, and performing the port knock verification on the terminal according to the knock plaintext data includes: comparing the unique identification information with the authorization information of the terminal in a database, in which the authorization information of authorized terminals is stored in advance, and determining that the terminal passes the port knock verification when the unique identification information is identical to the authorization information of the terminal in the database.
In an embodiment, the knock plaintext data further includes a current random code generated by the terminal, and after comparing the unique identification information with the authorization information of the terminal in the database, the method further includes: when the unique identification information is the same as the authorization information of the terminal in the database, judging whether the current random code is the same as any random code previously received from the terminal; and when the current random code differs from every random code previously received from the terminal, determining that the terminal passes the port knock verification.
In an embodiment, after comparing the unique identification information with the authorization information of the terminal in the database, the method further includes: when the current random code is the same as any random code previously received from the terminal, determining that the terminal fails the port knock verification.
A second aspect of the embodiments of the present application provides a data transmission apparatus, including: a first receiving module for receiving a knock request from a terminal to a target port; a first knock module for performing a first port knock verification on the terminal according to the knock request; a second receiving module for opening the target port when the terminal passes the first port knock verification and receiving a data transmission request from the terminal to the target port; and a second knock module for performing a second port knock verification on the terminal according to the data transmission request and forwarding the data transmission request to a server through the target port when the terminal passes the second port knock verification.
In an embodiment, the first knock module is configured to: extract from the knock request the knock data sent by the terminal to the target port, where the knock data carries an authorization key identifier of the terminal; decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data; and perform the first port knock verification on the terminal according to the knock plaintext data.
In an embodiment, the second knock module is configured to: extract from the data transmission request the knock data sent by the terminal to the target port, where the knock data carries an authorization key identifier of the terminal; decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain knock plaintext data; and perform the second port knock verification on the terminal according to the knock plaintext data.
In an embodiment, the knock plaintext data includes unique identification information of the terminal, and performing the port knock verification on the terminal according to the knock plaintext data includes: comparing the unique identification information with the authorization information of the terminal in a database, in which the authorization information of authorized terminals is stored in advance, and determining that the terminal passes the port knock verification when the unique identification information is identical to the authorization information of the terminal in the database.
In an embodiment, the knock plaintext data further includes a current random code generated by the terminal, and after comparing the unique identification information with the authorization information of the terminal in the database, the apparatus further: judges, when the unique identification information is the same as the authorization information of the terminal in the database, whether the current random code is the same as any random code previously received from the terminal; and determines that the terminal passes the port knock verification when the current random code differs from every random code previously received from the terminal.
In an embodiment, after comparing the unique identification information with the authorization information of the terminal in the database, the apparatus further determines that the terminal fails the port knock verification when the current random code is the same as any random code previously received from the terminal.
A third aspect of the embodiments of the present application provides an electronic device, including: a memory for storing a computer program; a processor for executing the computer program to implement the method of the first aspect of the embodiments of the present application and any one of the embodiments thereof.
A fourth aspect of the present application provides a non-transitory electronic device readable storage medium, comprising: a program which, when run by an electronic device, causes the electronic device to perform the method of the first aspect of the embodiments of the present application and any of the embodiments thereof.
According to the data transmission method, device, equipment and storage medium, the validity of the terminal's knock request is verified by the first port knock verification; when the knock request is legitimate, the requested target port is opened; a second port knock verification is performed on the terminal again when the data transmission request is sent; and the client is allowed to request data from the server through the target port only when both port knock verifications pass. Thus the firewall rules are changed dynamically only after a knock packet from an authorized terminal has been received, and only then is the terminal allowed to establish a connection to the server, so that only authorized terminals can access the server's service normally and the security of data access is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a scenario of a data transmission system according to an embodiment of the present application;
Fig. 3 is a flow chart of a data transmission method according to an embodiment of the present application;
Fig. 4 is a flow chart of a data transmission method according to an embodiment of the present application;
Fig. 5A is a schematic diagram of the knock data structure according to an embodiment of the present application;
Fig. 5B is a block diagram of the plaintext SPA data according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a data transmission device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
As shown in Fig. 1, the present embodiment provides an electronic device 1 including at least one processor 11 and a memory 12; one processor is shown as an example in Fig. 1. The processor 11 and the memory 12 are connected by a bus 10. The memory 12 stores instructions executable by the processor 11, and when the processor 11 executes them the electronic device 1 can carry out all or part of the flow of the method in the following embodiments, so that only an authorized terminal can access the server's service normally, thereby improving the security of data access.
In an embodiment, the electronic device 1 may be a gateway, a proxy device, a VPN (Virtual Private Network) server, a router, a mobile phone, a tablet computer, a notebook computer, a desktop computer, a gateway server composed of a plurality of computers, etc. Referring to Fig. 2, a schematic view of a scenario of a data transmission system according to an embodiment of the present application mainly includes a terminal 2, a gateway device 3 and a server 4, wherein:
the terminal 2 may be a mobile phone or a computer of a user, and the terminal 2 may be loaded with a client Application (APP) authorized by the gateway device 3, for example, may be a VPN client, through which the terminal 2 may access the gateway device 3.
The server 4 may be a cloud server 4 or a local server 4, and the server 4 may provide data services for the terminal 2 through a port of the gateway device 3. There may be a plurality of servers 4, each server 4 may use a different port, and the user terminal 2 needs to specify a destination port to be accessed when accessing the server 4 through the gateway device 3.
The gateway device 3 may be implemented by the electronic device 1, where the gateway device 3 may be connected to the terminal 2 and the server 4 in a wired or wireless manner, respectively, so as to monitor an access request of the terminal 2 to the server 4, perform validity check on the request of the terminal 2, and allow the access request to access the server 4 through the target port only if the access request passes the verification, thereby improving data security of the server 4.
In order to guarantee the security of the server 4, in a practical scenario the port of the gateway device 3 is not always open to the outside but is hidden, i.e. a firewall is configured that discards all requests by default. To hide the ports, the firewall of the gateway device 3 (iptables is taken as the example below) is configured to discard all requests by default and to return no data to probes, as if the gateway device 3 had closed all of its ports.
Before a specific knock message arrives at the gateway device 3, the port of the gateway device 3 discards connections from any address, so an attacker cannot perform port scanning; it is as if the gateway device 3 provided no service at all, i.e. the effect of port hiding is achieved. Therefore, if the terminal 2 needs to access the data service of the server 4, it must first send a knock request to the gateway device 3, and the gateway device 3 monitors knock requests from the terminal 2 to a given target port in real time. Port knocking is the sending of a specific sequence of connection attempts; if the gateway device 3 considers the sequence legitimate, it allows the (authorized) client to initiate connections. Thus the gateway device 3 exists as a gateway, proxy device or VPN server that needs to expose only one port to the outside (hidden by default), and it forwards access to multiple service servers 4 through the interaction between the terminal 2 and the gateway device 3. Whether the terminal 2 can access the server 4 is decided by the authorization decision of the gateway device 3. Please refer to Fig. 3, which shows a data transmission method according to an embodiment of the present application; the method may be executed by the electronic device 1 shown in Fig. 1 acting as the gateway device 3, and may be applied to the data transmission scenario in Fig. 2, so that only the authorized terminal 2 can access the service of the server 4 normally, thereby improving the security of data access. The method comprises the following steps:
Step 301: a knock request from the terminal 2 to the target port is received.
In this step, port knocking based on Single Packet Authorization (SPA) can be adopted. With single-packet-authorization port knocking, the terminal 2 only needs to send one knock packet to achieve the effect of knocking, which avoids problems such as the reordering of multiple knock packets. The data of the single packet is encrypted, and only the terminal 2 of a legitimate user can initiate it. In addition, the connection data that is subsequently allowed also contains the single-packet authorization authentication data of the terminal 2, which further ensures the legitimacy of the terminal 2. Implementing single-packet authorization requires a knock client (loaded on the terminal 2) and a knock server (i.e. the gateway device 3). The client may use the DTLS (Datagram Transport Layer Security) protocol and add an extension to the ClientHello to generate a knock request containing the encrypted knock data, which it sends to the gateway device 3 to knock on the port. Assuming that the terminal 2 initiates a knock request to target port 443 (configurable), the gateway device 3 may receive the DTLS-based knock request on target port 443 using libpcap (the network packet capture library).
Step 302: a first port knock verification is performed on the terminal 2 according to the knock request.
In this step, the first port knock verification may be performed based on the knock data in the DTLS knock request received on target port 443 in step 301. If the verification passes, the terminal 2 is a legitimate terminal authorized by the gateway device 3 and step 303 is entered; otherwise the terminal 2 is not authorized and may be an attacker, so to protect data security the packet of the current knock request is discarded directly without any response, which keeps the target port hidden and prevents an attacker from detecting target port 443.
Step 303: when the terminal 2 passes the first port knock verification, the target port is opened and a data transmission request from the terminal 2 to the target port is received.
In this step, after the first port knock data has been verified successfully, the gateway device 3 does not respond to it but instead initiates a dynamic modification of its firewall rules so as to briefly allow the terminal 2 to initiate a connection request to port 443; for example, a TCP (Transmission Control Protocol) connection from the terminal 2 to port 443 may be established, and the gateway device 3 receives the data transmission request from the terminal 2 to the target port in real time. "Briefly" means that a certain port opening time can be set, which avoids leaving the port open for a long time and exposing it to the risk of attack. At this point, although the knock has succeeded, the gateway device 3 returns no data in response to the knock request, and the TCP port is not opened to the outside before the port knock packet has been successfully received, so that port hiding is achieved.
Step 304: a second port knock verification is performed on the terminal 2 according to the data transmission request, and the data transmission request is forwarded to the server 4 through the target port when the terminal 2 passes the second port knock verification.
In this step, when a data transmission request from the terminal 2 to the target port is received, the terminal 2 has started to access service data on the server 4. In a practical scenario, if the authorized terminal 2 is in a LAN in which all devices reach the external network through one static IP, it is likely that after one terminal 2 in the LAN has knocked on the gateway device 3 successfully, other terminal devices in the LAN also use the same IP to access data on the gateway device 3, which also threatens the data security of the server 4. For example, terminal 2A and terminal 2B are located in the same LAN, where terminal 2A is a legitimate terminal authorized by the gateway device 3 and terminal 2B is not authorized; when terminal 2A knocks on target port 443 successfully, the opened port is likely to be used by terminal 2B, which initiates a data transmission request to the gateway device 3 through target port 443.
Therefore, in order to prevent other unauthorized terminal devices in the same LAN from accessing the server 4 illegitimately by using the IP of the authorized terminal 2, the gateway device 3 may perform a second port knock verification on the terminal 2 based on the data transmission request. That is, after the knock on target port 443 has succeeded, the terminal 2 may send a service request to the server 4 system through the client agent; the gateway device 3 listens for and processes the data transmission request on target port 443, and at this time the port knock data verification is also performed on the data transmission request. After the second port knock verification passes, the gateway device 3 forwards the data transmission request for the service to the server 4 through the target port, completing one data access of the terminal 2 to the server 4.
If the second port knock verification fails, the current data transmission request may not have been initiated by the authorized terminal device, for example because it was initiated by terminal 2B in the above example, and the gateway device 3 may directly discard the packet of the current data transmission request in order to protect the data security of the server 4. Thus only legitimate data connections are let through, the range of parties able to initiate a data connection is narrowed, and the terminal 2 initiating the data connection is guaranteed to have been authorized and authenticated by the gateway device 3.
In an embodiment, the data transmission request carries the knock data of the terminal 2. For example, a TLS (Transport Layer Security) layer may be wrapped around the content the terminal 2 requests through the proxied service, and an extension may be added to the ClientHello from the terminal 2 to send the encrypted knock data to the gateway device 3.
In an embodiment, the method may further include process auditing, reporting and analysis of the port knock process and data transmission: faithfully recording the running log of the whole system, such as when and from which IP a single-packet authorization request was initiated, when the gateway device 3 opened and closed a specific port, service forwarding information and the like; reporting the audit data; and performing data analysis and the like on the single-packet authorization requests and service forwarding.
According to the above data transmission method, port hiding is achieved based on single-packet-authorization port knocking: before a specific knock message reaches the gateway device 3, the port of the gateway device 3 discards connections from any address, an attacker cannot perform port scanning, and the effect of port hiding is achieved just as if the gateway device 3 provided no service. The gateway device 3 changes its iptables rules dynamically only after receiving a knock packet from a legitimate terminal 2, and briefly allows the terminal 2 to establish a data connection to the gateway device 3, so that the legitimate terminal 2 accesses the service normally. Because the gateway device 3 does not respond to any connection attempt before receiving a legitimate knock packet, port scanning and the DoS and vulnerability attacks that follow from it are effectively prevented, and the security and usability of the system are improved.
The validity of the knock request of the terminal 2 is verified by the first port knock verification; when the knock request is legitimate, the requested target port is opened; the second port knock verification is performed on the terminal 2 again when the data transmission request is sent; and the client is allowed to request data from the server 4 through the target port only if both port knock verifications pass. Thus the firewall rules are changed dynamically only after a knock packet from an authorized terminal 2 has been received, the terminal 2 is then allowed to establish a connection to the gateway device 3, only the authorized terminal 2 can access the service of the server 4 normally, and the security of data access is improved.
Please refer to Fig. 4, which shows a data transmission method according to an embodiment of the present application. The method may be executed by the electronic device 1 shown in Fig. 1 acting as the gateway device 3, and may be applied to the data transmission scenario in Fig. 2, so that only the authorized terminal 2 can access the service of the server 4 normally, thereby improving the security of data access. The method comprises the following steps:
Step 401: a knock request from the terminal 2 to the target port is received. See the description of step 301 in the above embodiment for details.
Step 402: the knock data sent by the terminal 2 to the target port is extracted from the knock request, where the knock data carries the authorization key identifier of the terminal 2.
In this step, taking single-packet-authorization port knocking as an example, the knock request may be a request packet containing encrypted knock data, generated by adding an extension to the ClientHello of the terminal 2. For example, the knock request includes pre-configured specific SPA data (the knock data), and the gateway device 3 extracts this SPA data from the knock request. The SPA data carries at least the authorization key identifier of the terminal 2, which may be information such as the name or number of the authorization key and is unique, so that it distinguishes the key from other keys. The authorization key is a key agreed in advance between the gateway device 3 and the terminal 2 and shared by both: it is stored on the gateway device 3 and can be issued to an authorized user in advance by the administrator of the gateway device 3, and the user imports it into the terminal 2. The SPA data does not carry the authorization key itself, so that the key cannot be intercepted by an illegitimate terminal in transit. The SPA data can be custom-extended according to actual requirements; for example, the extension number may be 77, and it can be changed according to the actually registered extension number.
In one embodiment, the SPA data structure used as knock data may be as shown in fig. 5A, wherein:
Version: 1 byte. For example, while only one version exists its value may be 1; the version number is then incremented as new versions are released.
Key name: 36 bytes, i.e. the length of a UUID (Universally Unique Identifier), naming the authorization key of the terminal 2 that is to be used for port knock verification.
Encrypted SPA data: ciphertext obtained by encrypting the plaintext SPA data, for example by symmetric encryption with AES (Advanced Encryption Standard); its length depends on the length of the plaintext SPA data.
Step 403: decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain the knock plaintext data, and perform first port knock verification on the terminal 2 according to the knock plaintext data.
In this step, again taking single packet authorization as an example, the knock data is encrypted SPA data carrying the authorization key identifier of the terminal 2. The gateway device 3 looks up the corresponding authorization key by that identifier, decrypts the encrypted SPA data with it to obtain the plaintext SPA data (i.e. the knock plaintext data), and then performs the first port knock verification on the terminal 2 based on the plaintext SPA data. If the verification passes, step 404 is entered; otherwise the terminal 2 is not authorized and may be an illegal attacker, so to protect data security the packet of the current knock request is discarded directly without any response, which keeps the target port hidden.
In an embodiment, the knock plaintext data may include unique identification information of the terminal 2. In step 403, performing port knock verification on the terminal 2 according to the knock plaintext data includes: comparing the unique identification information with the authorization information of the terminal 2 in a database, and determining that the terminal 2 passes the port knock verification when the unique identification information matches the authorization information of the terminal 2 in the database, where the database is pre-populated with the authorization information of the authorized terminals 2.
In this step, the unique identification information may be the device ID of the terminal 2. The database stores the authorization information of the terminals 2 that have been authorized, which includes at least the device ID of each authorized terminal 2. The gateway device 3 compares the device ID in the knock plaintext data obtained in step 403 with the authorization information in the database to determine whether the terminal 2 is recorded there. If so, the terminal 2 is authorized and legal, and the port knock verification is determined to have passed; otherwise the database holds no authorization information for the terminal 2, the terminal 2 is illegal, and the port knock packet is discarded directly.
In an embodiment, consider the following scenario: after a legal terminal 2A successfully knocks the port with a legal knock packet Q, the packet Q is likely to be intercepted by an illegal terminal 2B, and if the terminal 2B uses the packet Q to attack the server 4, serious loss is caused to the server 4. To avoid this, the knock plaintext data may also include a current random code generated by the terminal 2. After comparing the unique identification information with the authorization information of the terminal 2 in the database, step 403 may further include: when the unique identification information matches the authorization information of the terminal 2 in the database, judging whether the current random code is the same as any of the historical random codes of the terminal 2, and when the current random code differs from every historical random code of the terminal 2, determining that the terminal 2 passes the port knock verification.
In one embodiment, after comparing the unique identification information with the authorization information of the terminal 2 in the database, step 403 further includes: when the current random code is the same as any of the historical random codes of the terminal 2, determining that the terminal 2 does not pass the port knock verification.
The random code prevents the port knock operation from being repeated with the same packet within a period of time, so the historical random codes are the random codes in the knock data received from the terminal 2 within that period; the period can be set based on actual requirements, for example one month. That is, among the knock data from a legal terminal 2, only knock data whose random code has not been repeated within one month passes the port knock verification, while knock data carrying a random code already seen within the month does not. The random-code verification prevents the illegal terminal 2B from knocking the port with the intercepted legal packet Q, further improving the data security of the server 4.
In one embodiment, the plaintext SPA data may be as shown in fig. 5B, where the string fields are separated by semicolons, so the value of a field itself cannot contain a semicolon. The fields are defined as follows:
Client version: the version number of the client APP installed in the terminal 2, in a format such as x.y.z; during verification the gateway device 3 matches the client version against the version carried in the knock data.
Message type: a message type number reserved for later extension, for example 1; it can also be filled in based on actual requirements.
16-byte random string: the random code, used to prevent repeated port knocks with the same packet within a period of time.
Device ID: used to check whether the client device that originated the request is in the database.
HMAC-SHA256: a key-dependent hash message authentication code computed with HMAC-SHA256 over the client version, message type, 16-byte random string and device ID fields of fig. 5B, used by the gateway device 3 to verify message integrity; the key used by the algorithm can be determined from the authorization key name of the terminal 2 shown in fig. 5A.
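As an added example (not code from the patent or from the applicant), the following Go program implements the fig. 5A packet layout and the fig. 5B plaintext layout, together with the gateway-side check of steps 402 and 403: key lookup by key name, decryption, HMAC-SHA256 verification, the client version match, the device ID lookup in the database, and the random-code rejection that defeats the intercepted packet Q of the terminal 2B scenario. Field sizes come from the text; the AES mode (AES-GCM with the nonce in front of the ciphertext), keying the HMAC directly with the authorization key, hex encoding of the HMAC, and all names (Gateway, BuildKnock, Verify, the sample key, key name and device IDs) are assumptions. BuildKnock is the assumed terminal-side counterpart, included so the check can be exercised offline; the one-month expiry of seen random codes is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Fig. 5A layout from the text: 1-byte version, 36-byte key name (UUID string), then the
// encrypted SPA data. AES-GCM and the HMAC keyed with the authorization key are assumptions.
const (
	spaVersion = 1
	keyNameLen = 36
	nonceLen   = 12 // standard AES-GCM nonce size
	randomLen  = 16
)

// Gateway holds the gateway-side state the text describes (the one-month expiry of
// seen random codes is not modelled).
type Gateway struct {
	ClientVersion string            // client APP version the gateway expects
	Keys          map[string][]byte // key name -> shared authorization key
	AuthorizedIDs map[string]bool   // device ID -> present in the database
	Seen          map[string]bool   // "deviceID|randomCode" already accepted
}

// mac is HMAC-SHA256 over the first four fig. 5B fields, hex encoded.
func mac(key []byte, fields []string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(strings.Join(fields, ";")))
	return hex.EncodeToString(h.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BuildKnock is the assumed terminal-side counterpart: it wraps an encrypted fig. 5B
// plaintext in the fig. 5A packet.
func BuildKnock(keyName string, key []byte, clientVersion, msgType, randomCode, deviceID string) ([]byte, error) {
	fields := []string{clientVersion, msgType, randomCode, deviceID}
	body := strings.Join(fields, ";")
	if strings.Count(body, ";") != 3 || len(keyName) != keyNameLen || len(randomCode) != randomLen {
		return nil, errors.New("field contains ';' or bad key name / random code length")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	pkt := append([]byte{spaVersion}, keyName...)
	return append(pkt, gcm.Seal(nonce, nonce, []byte(body+";"+mac(key, fields)), nil)...), nil
}

// Verify is the port-knock check of step 403 (repeated as the second check in step 406).
// Every error means the packet is dropped without any response; the text is for the log.
func (g *Gateway) Verify(pkt []byte) error {
	if len(pkt) < 1+keyNameLen+nonceLen || pkt[0] != spaVersion {
		return errors.New("drop: bad length or version")
	}
	key, ok := g.Keys[string(pkt[1:1+keyNameLen])] // authorization key found by its name
	if !ok {
		return errors.New("drop: unknown authorization key name")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	ct := pkt[1+keyNameLen:]
	plain, err := gcm.Open(nil, ct[:nonceLen], ct[nonceLen:], nil)
	if err != nil {
		return errors.New("drop: decryption failed")
	}
	f := strings.Split(string(plain), ";")
	if len(f) != 5 || !hmac.Equal([]byte(f[4]), []byte(mac(key, f[:4]))) {
		return errors.New("drop: malformed plaintext or HMAC mismatch")
	}
	if f[0] != g.ClientVersion || len(f[2]) != randomLen || !g.AuthorizedIDs[f[3]] {
		return errors.New("drop: client version, random code or device ID check failed")
	}
	if g.Seen[f[3]+"|"+f[2]] { // intercepted packet Q replayed (the terminal 2B case)
		return errors.New("drop: random code already used by this device")
	}
	g.Seen[f[3]+"|"+f[2]] = true
	return nil
}
```

The replay set is keyed by device ID and random code together, which matches the text's "any of the historical random codes of the terminal 2": a code is only compared against codes previously used by the same device. Because AES-GCM already authenticates the ciphertext, the separate HMAC over the fig. 5B fields is redundant in this construction; it is kept because the text specifies it as a field of the plaintext.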
Step 404: when the terminal 2 passes the first port knock verification, open the target port and receive a data transmission request from the terminal 2 to the target port. See the description of step 303 in the above embodiments for details.
Step 405: extract the knock data of the terminal 2 for the target port from the data transmission request, where the knock data carries the authorization key identifier of the terminal 2.
In this step, after the first port knock verification passes, the target port is opened and the terminal 2 may establish a data connection with the gateway device 3 through the target port within a configured period of time, for example a TCP connection. The gateway device 3 monitors in real time the data transmission requests sent by the terminal 2 on the target port; such a request carries knock data, which may be the same as the knock data in step 402 (see the description of the knock data in step 402 for details). The gateway device 3 first extracts the knock data from the data transmission request.
Step 406: decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain the knock plaintext data, and perform second port knock verification on the terminal 2 according to the knock plaintext data.
In this step, again taking single packet authorization as an example, the knock data is encrypted SPA data carrying the authorization key identifier of the terminal 2. The gateway device 3 looks up the corresponding authorization key by that identifier, decrypts the encrypted SPA data with it to obtain the plaintext SPA data (i.e. the knock plaintext data), and then performs the second port knock verification on the terminal 2 based on the plaintext SPA data. If the verification passes, step 407 is entered; otherwise the data transmission request may not have been initiated by the authorized terminal 2. For example, if it was initiated by the illegal terminal 2B of the example above, the packet of the current data transmission request may be discarded directly to protect the data security of the server 4. In this way only legal data connections are let through, the range of parties able to initiate a data connection is narrowed, and the terminal 2 initiating the data connection is guaranteed to have been authorized and authenticated by the gateway device 3.
The procedure of the second port knock verification may be the same as that of the first port knock verification; the detailed description of the port knock verification in step 403 and its optional embodiments is not repeated here.
Step 407: when the terminal 2 passes the second port knock verification, forward the data transmission request to the server 4 through the target port; the port knock process and the data transmission process can also be recorded. See the description of step 304 and its alternative embodiments in the above embodiments for details.
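As an added example (not code from the patent), the following Go program models the two-stage gateway of steps 401 to 407 independently of the packet format: the per-packet check of steps 403 and 406 is supplied as a Verifier function, the target port is closed by default, a passed first knock opens it for the knocking source for a configured window, and a data transmission request is forwarded only if it arrives inside that window and its own knock data passes the check again. The type and function names, keying the open window by source address, the injected clock, and the in-memory log standing in for the recording of step 407 are all assumptions. One caveat follows from the text itself: the random-code check of step 403 rejects a code the terminal has already used, so if the data transmission request literally repeated the step 402 packet the second check would drop it; the test below therefore gives the second stage fresh knock data.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Verifier is the per-packet knock check of steps 403 and 406, supplied by the caller.
// It returns the device ID carried in the knock data, or an error when the packet is to
// be dropped.
type Verifier func(knock []byte) (deviceID string, err error)

// KnockGateway models the two-stage flow of steps 401 to 407: the target port is closed
// until a first knock passes, stays open for the knocking source for Window, and a data
// transmission request is forwarded only after its own knock data passes a second check.
type KnockGateway struct {
	Verify  Verifier
	Window  time.Duration        // configured time the port stays open after a knock
	Now     func() time.Time     // injected clock so the expiry can be exercised offline
	openFor map[string]time.Time // source address -> port open until
	Log     []string             // record of knock and transmission events (step 407)
}

func NewKnockGateway(v Verifier, window time.Duration) *KnockGateway {
	return &KnockGateway{Verify: v, Window: window, Now: time.Now, openFor: map[string]time.Time{}}
}

func (g *KnockGateway) record(format string, a ...interface{}) {
	g.Log = append(g.Log, fmt.Sprintf(format, a...))
}

// HandleKnock is steps 401 to 404: check the knock request and, on success, open the
// target port for src. On failure nothing is sent back, so the port stays hidden.
func (g *KnockGateway) HandleKnock(src string, knock []byte) bool {
	dev, err := g.Verify(knock)
	if err != nil {
		g.record("knock from %s dropped: %v", src, err)
		return false
	}
	g.openFor[src] = g.Now().Add(g.Window)
	g.record("knock from %s (%s) passed, port open for %s", src, dev, g.Window)
	return true
}

// PortOpen reports whether the target port currently accepts a connection from src.
func (g *KnockGateway) PortOpen(src string) bool {
	until, ok := g.openFor[src]
	return ok && g.Now().Before(until)
}

// HandleData is steps 405 to 407: the request must arrive while the port is open for
// src and the knock data it carries must pass the check again; only then is the payload
// forwarded (returned here in place of the server 4).
func (g *KnockGateway) HandleData(src string, knock, payload []byte) ([]byte, error) {
	if !g.PortOpen(src) {
		delete(g.openFor, src) // expired or never opened: the connection is not accepted
		return nil, errors.New("port closed for source, request dropped")
	}
	dev, err := g.Verify(knock)
	if err != nil {
		g.record("data request from %s dropped: %v", src, err)
		return nil, err
	}
	g.record("forwarded %d bytes from %s (%s) to server", len(payload), src, dev)
	return payload, nil
}
```

A request that arrives while the port is closed is dropped before the Verifier runs, so it consumes no random code and produces no log entry, mirroring the text's "discarded without any response"; only requests that reach the second check leave a record.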
Please refer to fig. 6, which shows a data transmission apparatus 600 according to an embodiment of the present application. It can be applied to the electronic device 1 shown in fig. 1 and to the data transmission scenario in fig. 2, so that only the authorized terminal 2 can normally access the service of the server 4, thereby improving the security of data access. The apparatus comprises a first receiving module 601, a first knock module 602, a second receiving module 603 and a second knock module 604, which relate to one another as follows:
The first receiving module 601 is configured to receive a knock request from the terminal 2 to the target port.
The first knock module 602 is configured to perform a first port knock check on the terminal 2 according to the knock request.
The second receiving module 603 is configured to open the target port when the terminal 2 passes the first port knock check, and receive a data transmission request from the terminal 2 to the target port.
The second knock module 604 is configured to perform a second port knock check on the terminal 2 according to the data transmission request, and forward the data transmission request to the server 4 through the target port when the terminal 2 passes the second port knock check.
In one embodiment, the first knock module 602 is configured to: extract the knock data of the terminal 2 for the target port from the knock request, where the knock data carries the authorization key identifier of the terminal 2; and decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain the knock plaintext data, and perform first port knock verification on the terminal 2 according to the knock plaintext data.
In one embodiment, the second knock module 604 is configured to: extract the knock data of the terminal 2 for the target port from the data transmission request, where the knock data carries the authorization key identifier of the terminal 2; and decrypt the knock data with the authorization key corresponding to the authorization key identifier to obtain the knock plaintext data, and perform second port knock verification on the terminal 2 according to the knock plaintext data.
In one embodiment, the knock plaintext data includes unique identification information of the terminal 2. Performing port knock verification on the terminal 2 according to the knock plaintext data includes: comparing the unique identification information with the authorization information of the terminal 2 in a database, and determining that the terminal 2 passes the port knock verification when the unique identification information matches the authorization information of the terminal 2 in the database, where the database is pre-populated with the authorization information of the authorized terminals 2.
In an embodiment, the knock plaintext data further includes a current random code generated by the terminal 2. After comparing the unique identification information with the authorization information of the terminal 2 in the database, the method further includes: when the unique identification information matches the authorization information of the terminal 2 in the database, judging whether the current random code is the same as any of the historical random codes of the terminal 2, and when the current random code differs from every historical random code of the terminal 2, determining that the terminal 2 passes the port knock verification.
In one embodiment, after comparing the unique identification information with the authorization information of the terminal 2 in the database, the method further includes: when the current random code is the same as any of the historical random codes of the terminal 2, determining that the terminal 2 does not pass the port knock verification.
For a detailed description of the data transmission device 600, please refer to the description of the related method steps in the above embodiment.
The embodiment of the invention also provides a non-transitory electronic-device-readable storage medium comprising a program which, when run on an electronic device, causes the electronic device to perform all or part of the flow of the method in the above embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD) or a solid state drive (SSD), etc., or a combination of such memories.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.

Claims (7)

1. A data transmission method, wherein the method is applied to a gateway device, a port of the gateway device being hidden, the method comprising:
receiving a knocking request of a terminal to a target port;
performing first port knocking verification on the terminal according to the knocking request;
when the terminal passes the first port knocking verification, the target port is opened, and a data transmission request of the terminal to the target port is received;
performing second port knocking verification on the terminal according to the data transmission request, and forwarding the data transmission request to a server through the target port when the terminal passes the second port knocking verification;
the second port knock verification for the terminal according to the data transmission request includes:
extracting knock data of the terminal for the target port from the data transmission request, wherein the knock data carries an authorization key identifier of the terminal;
decrypting the knock data with an authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and performing second port knock verification on the terminal according to the knock plaintext data; the knock plaintext data comprises unique identification information of the terminal and a current random code generated by the terminal;
the second port knock verification for the terminal according to the knock plaintext data includes:
comparing the unique identification information with the authorization information of the terminal in a database, and judging whether the current random code is the same as any one of the historical random codes of the terminal when the unique identification information is the same as the authorization information of the terminal in the database;
and when the current random code is different from any one of the historical random codes of the terminal, determining that the terminal passes the second port knock verification.
2. The method of claim 1, wherein the performing a first port knock check on the terminal according to the knock request comprises:
extracting knock data of the terminal for the target port from the knock request, wherein the knock data carries an authorization key identifier of the terminal;
and decrypting the knock data with an authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and performing the first port knock verification on the terminal according to the knock plaintext data.
3. The method according to claim 1, further comprising, after said comparing said unique identification information with authorization information of said terminal in a database:
and when the current random code is the same as any one of the historical random codes of the terminal, determining that the terminal fails the second port knock check.
4. A data transmission apparatus, the apparatus being applied to a gateway device, a port of the gateway device being hidden, the apparatus comprising:
a first receiving module, configured to receive a knock request of a terminal to a target port;
a first knock module, configured to perform first port knock verification on the terminal according to the knock request;
a second receiving module, configured to open the target port when the terminal passes the first port knock verification, and to receive a data transmission request of the terminal to the target port;
a second knock module, configured to perform second port knock verification on the terminal according to the data transmission request, and to forward the data transmission request to a server through the target port when the terminal passes the second port knock verification;
the second port knock verification for the terminal according to the data transmission request includes:
extracting knock data of the terminal for the target port from the data transmission request, wherein the knock data carries an authorization key identifier of the terminal;
decrypting the knock data with an authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and performing second port knock verification on the terminal according to the knock plaintext data; the knock plaintext data comprises unique identification information of the terminal and a current random code generated by the terminal;
the second port knock verification for the terminal according to the knock plaintext data includes:
comparing the unique identification information with the authorization information of the terminal in a database, and judging whether the current random code is the same as any one of the historical random codes of the terminal when the unique identification information is the same as the authorization information of the terminal in the database;
and when the current random code is different from any one of the historical random codes of the terminal, determining that the terminal passes the second port knock verification.
5. The apparatus of claim 4, wherein the first knock module is configured to:
extracting knock data of the terminal for the target port from the knock request, wherein the knock data carries an authorization key identifier of the terminal;
and decrypting the knock data with an authorization key corresponding to the authorization key identifier to obtain knock plaintext data, and performing the first port knock verification on the terminal according to the knock plaintext data.
6. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the method of any one of claims 1 to 3.
7. A non-transitory electronic device-readable storage medium, comprising: a program which, when run by an electronic device, causes the electronic device to perform the method of any one of claims 1 to 3.
CN202111151014.XA 2021-09-29 2021-09-29 Data transmission method, device, equipment and storage medium Active CN113904826B (en)

Publications (2)

Publication Number Publication Date
CN113904826A CN113904826A (en) 2022-01-07
CN113904826B true CN113904826B (en) 2024-03-01

Family

ID=79189135

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: Qianxin Technology Group Co.,Ltd.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant