CN114024712B - Authentication method, authentication device, computer equipment and storage medium - Google Patents
Publication number: CN114024712B
Application number: CN202111151422.5A
- Authority
- CN
- China
- Prior art keywords
- operating system
- digital certificate
- target server
- target
- type
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Abstract
The invention provides an authentication method and device. The method is used on a client and comprises the following steps: establishing a connection with a target server and sending a first data packet to it; receiving a second data packet that the target server returns in response to the first data packet; parsing operating system identification information out of the second data packet; determining the target operating system type of the target server from that identification information; generating a digital certificate according to the target operating system type; and sending the digital certificate to the target server. In this scheme, the operating system type of the target server is first estimated through the exchange of data packets and then confirmed through the operating system identification information fed back by the server. In this way cross-platform security authentication can be realized, the inability of the prior art to perform cross-platform security authentication is overcome, and smooth interaction among multiple platforms is achieved.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an authentication method, an authentication device, a computer device, and a storage medium.
Background
With informatization and digitalization, information security is receiving increasing attention. Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications. TLS is a security protocol with a client-server architecture used to establish secure connections between two applications across a network, preventing eavesdropping and tampering during data exchange. There are mainly two ways to achieve this: one is to use a dedicated TLS communication port; the other is for the client to request that the server switch to TLS through a protocol-specific mechanism. Once both client and server agree to use TLS, they negotiate a stateful connection through a handshake process and then use it to transfer data. Through the handshake, the client and server negotiate the various parameters of the secure connection.
However, during the handshake between client and server, the operating system of the destination platform cannot be determined. The destination platform may then be unable to use the digital certificate it is given, the two parties fail to authenticate each other, and the connection cannot be established.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide an authentication method, an apparatus, a computer device, and a storage medium, so as to solve the problem in the prior art that an operating system of a target platform cannot be identified when a client and a server perform handshake, and thus authentication cannot be successfully performed.
According to a first aspect, an embodiment of the present invention provides an authentication method, for a client, including:
establishing connection with a target server, and sending a first data packet to the target server;
receiving a second data packet returned by the target server according to the first data packet;
analyzing the operating system identification information from the second data packet;
judging the type of a target operating system of the target server according to the operating system identification information;
generating a digital certificate according to the type of the target operating system;
and sending the digital certificate to the target server.
In the method, the type of the operating system of the target server is primarily judged through interaction of data information, the type of the operating system of the target server is determined through feedback of operating system identification information, then a digital certificate is generated for the target server of the specific type, the digital certificate is sent to the server for verification, and the type of the operating system in the target platform is analyzed through a packet.
With reference to the first aspect, in a first implementation manner of the first aspect, the method further includes:
receiving information of whether the digital certificate fed back by the target server is correct or not;
and if the digital certificate is incorrect, determining a plurality of alternative operating system types according to the operating system identification information and the target operating system type.
In this manner, since the operating system type is identified from operating system identification information fed back in a packet, one hundred percent accuracy cannot be achieved, so there remains a small probability of error. Because the operating system type inferred from the identification information is not completely accurate, a digital certificate generated for that type may not meet the requirements of the target server. In that case, the feedback from the target server on whether the digital certificate is correct reveals whether the previously determined operating system type was correct; if not, several alternative operating system types are selected and tried in turn. This is an effective supplement to the scheme and provides the conditions for determining the correct operating system type when the preliminary judgement was wrong.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, the method includes:
selecting one operating system type from a plurality of the alternative operating system types to generate a corresponding digital certificate;
transmitting the digital certificate to the target server;
receiving information of whether the digital certificate fed back by the target server is correct or not;
if the digital certificate is incorrect, selecting another operating system type from the alternative operating system types, generating a corresponding digital certificate, and repeating the steps until the target server feeds back that the digital certificate is correct.
In the method, multiple alternative operating system types are judged one by one, and attempts are sequentially made in a polling mode, so that the correct operating system type is finally obtained, and cross-platform TLS interconnection is smoothly realized.
With reference to the second implementation manner of the first aspect, in a third implementation manner of the first aspect, selecting one operating system type from a plurality of the alternative operating system types to generate a corresponding digital certificate includes:
sorting the probabilities of a plurality of alternative operating system types according to the operating system identification information;
and selecting alternative operating system types according to the sequence from the big probability to the small probability, and generating corresponding digital certificates.
In the method, while sequentially trying a plurality of alternative operating system types, the probability of each alternative can be determined from the operating system identification information and the most probable type tried first, in order to obtain the correct operating system type as soon as possible. An accurate result is thus obtained in the shortest time and the efficiency of the trials is improved.
With reference to the first aspect and the first implementation manner, the second implementation manner, and the third implementation manner of the first aspect, in a fourth implementation manner of the first aspect, the first data packet is an ICMP packet.
With reference to the fourth implementation manner of the first aspect, in a fifth implementation manner of the first aspect, the operating system identification information includes TTL information.
In this manner, the ICMP protocol is a connectionless protocol for transmitting error reports and control information. It is a network layer protocol mainly used to pass control information between hosts and routers, including error reporting and the exchange of limited control and state information. After the client sends the ICMP packet, the target server returns corresponding information to the client upon receiving it; the returned information includes TTL information, and the operating system type can be preliminarily judged from the returned TTL value.
With reference to the fifth implementation manner of the first aspect, in a sixth embodiment of the first aspect, determining a plurality of candidate operating system types according to the operating system identification information and the target operating system type includes:
excluding the types of the operating systems which do not belong to the corresponding range according to the TTL information;
excluding the target operating system type;
an alternate operating system type is selected from the remaining operating system types.
In this scheme, if the preliminarily judged target operating system type is incorrect, the candidate operating system types are obtained by first eliminating the operating system types that clearly do not correspond to the TTL information returned by the target server, and then eliminating the incorrect target operating system type itself. The remaining operating system types serve as the candidates for sequential trial. This reduces the amount of data processing, improves efficiency, and allows the operating system type of the target platform to be obtained more quickly during cross-platform interaction.
According to a second aspect, an embodiment of the present invention further provides an authentication apparatus, for a client, including:
the first sending unit is used for establishing connection with a target server and sending a first data packet to the target server;
the receiving unit is used for receiving a second data packet returned by the target server according to the first data packet;
the analyzing unit is used for analyzing the operating system identification information from the second data packet;
the identification unit is used for judging the type of the target operating system of the target server according to the operating system identification information;
a generation unit for generating a digital certificate according to the target operating system type;
and the second sending unit is used for sending the digital certificate to the target server.
With reference to the second aspect, in a first implementation manner of the second aspect, the apparatus further includes:
the feedback unit is used for receiving the information of whether the digital certificate fed back by the target server is correct or not;
and the alternative unit is used for determining a plurality of alternative operating system types according to the operating system identification information and the target operating system type if the digital certificate is incorrect.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the apparatus further includes:
the selection unit is used for selecting one operating system type from a plurality of alternative operating system types to generate a corresponding digital certificate;
a third transmitting unit configured to transmit the digital certificate to the target server;
the feedback judging unit is used for receiving the information of whether the digital certificate fed back by the target server is correct or not;
and the circulation unit is used for selecting another operating system type from the alternative operating system types to generate a corresponding digital certificate if the digital certificate is incorrect, and repeating the steps until the target server feeds back that the digital certificate is correct.
With reference to the second embodiment of the second aspect, in a third embodiment of the second aspect, the selecting unit includes:
the probability sorting subunit is used for sorting the probabilities of a plurality of alternative operating system types according to the operating system identification information;
and the selection subunit is used for selecting the alternative operating system types according to the order of the probability from high to low and generating corresponding digital certificates.
With reference to the second aspect and the first implementation manner, the second implementation manner, and the third implementation manner of the second aspect, in a fourth implementation manner of the second aspect, the first data packet is an ICMP packet.
With reference to the fourth implementation manner of the second aspect, in a fifth implementation manner of the second aspect, the operating system identification information includes TTL information.
With reference to the fifth implementation manner of the second aspect, in a sixth embodiment of the second aspect, the alternative unit includes:
a first exclusion subunit, configured to exclude, according to the TTL information, an operating system type that does not belong to a corresponding range thereof;
a second exclusion subunit, configured to exclude the target operating system type;
and the screening subunit is used for selecting an alternative operating system type from the rest operating system types.
According to a third aspect, embodiments of the present invention further provide a computer device comprising a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the authentication method of any of the first aspect and its alternative embodiments.
According to a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing computer instructions for causing the computer to perform the authentication method of any one of the first aspect and its alternative embodiments.
According to a fifth aspect, embodiments of the present invention provide a computer program product comprising a computer program stored on a computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the authentication method of any of the first aspect and alternative embodiments thereof.
Drawings
The features and advantages of the present invention will be more clearly understood by reference to the accompanying drawings, which are illustrative and should not be construed as limiting the invention in any way, in which:
FIG. 1 shows a flow diagram of the steps of an authentication method in one embodiment;
FIG. 2 shows a flow chart of steps of an authentication method in another embodiment;
FIG. 3 shows a flow chart of steps of an authentication method in another embodiment;
FIG. 4 shows a block diagram of an authentication device in one embodiment;
FIG. 5 shows a block diagram of an authentication apparatus in another embodiment;
FIG. 6 shows a block diagram of an authentication apparatus in another embodiment;
FIG. 7 illustrates a block diagram of a computer device, according to one embodiment.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
Conventional syslog (System Logging Protocol) is a clear-text protocol, and in some circumstances it is necessary to build an encrypted system log channel by using the appropriate drivers on the client and server. The client sends a syslog message to the server.
The client uses a driver that forwards the syslog message over TCP to the central server on port 6514; the server side accepts the incoming message over ordinary TCP on port 6514 using a syslog driver.
The TLS exchange takes place after the TCP three-way handshake and requires a certificate on the server. The certificate supports the SSL/TLS operation because it provides the encryption keys needed to protect the connection. The client authenticates the server by requesting its certificate and public key. The server may likewise request credentials from the client, so mutual authentication is possible. When mutual authentication is used to verify the identity of a client, a usable client certificate must be received on the server. When the client and the server run the same operating system, the digital certificate sent by the client can be used by the server; but when their operating systems differ, the client cannot tell during the TLS handshake of a cross-platform interaction whether the destination platform is a Linux, Unix or Windows system, the two parties cannot authenticate successfully, and the connection cannot be established.
In order to solve the above problem of cross-platform interaction between a TLS client and server, an embodiment of the present invention provides an authentication method for the client. It should be noted that the execution body of the authentication method may be an authentication device, which may be implemented in software, hardware or a combination of the two to form part or all of a computer device. The computer device may be a terminal or a client. The target server in the embodiment may be a single server or a server cluster formed by multiple servers, and the terminal may be a smart phone, a personal computer, a tablet computer, a wearable device, an intelligent robot or other intelligent hardware device. In the following method embodiments, the execution subject is a computer device.
The authentication method in this embodiment, as shown in fig. 1, includes the following steps:
S1, establishing a connection with a target server, and sending a first data packet to the target server.
According to the TLS security protocol, the client requests the server to connect over TLS. After the client has established a connection with the server, it first sends a data packet to the target server in order to realize smooth cross-platform interaction; an ICMP packet can be chosen for this purpose. ICMP (Internet Control Message Protocol) is a connectionless protocol for transmitting error reports and control information. It is a network layer protocol mainly used to pass control information between hosts and routers, including error reporting and the exchange of limited control and state information. After the client sends the ICMP packet, the target server returns corresponding information to the client upon receiving it.
From a technical point of view, ICMP is an "error detection and reporting mechanism" whose purpose is to let us detect the state of a network connection and ensure its correctness. Its functions are: detecting whether a remote host exists, establishing and maintaining routing data, redirecting the data transmission path (ICMP redirect), and controlling data flow. In communication, ICMP lets a machine identify different connection conditions through different types and codes.
In this step, choosing an ICMP packet allows the connection state between the client and the target server to be judged, and the operating system of the target server can additionally be inferred from the feedback, so one exchange serves two purposes.
S2, receiving a second data packet returned by the target server according to the first data packet.
After receiving the ICMP packet sent by the client, the destination server returns an ACK (acknowledge character) message; here the second data packet refers to that ACK packet. In data communication, the receiving station sends this transmission control character to the sending station to indicate that the data sent has been received correctly and without error.
In the TCP/IP protocol suite, if the receiver successfully receives data it replies with an ACK. Typically, the ACK has its own fixed format and length and is returned to the sender by the receiver.
S3, parsing the operating system identification information from the second data packet. The returned ACK packet includes TTL information, and the type of the operating system can be preliminarily determined from the returned TTL value.
TTL is an abbreviation of Time To Live. It specifies the maximum number of network segments an IP packet is allowed to pass through before a router discards it, and it is a field in the IP packet header. When the Ping command is used to test network connectivity or speed, the local computer sends packets to the destination host, but for various reasons some packets cannot be delivered normally. Without a TTL value such a packet would circulate on the network forever and waste network resources. A packet passes through one or more routers in transit, and each router decrements the TTL by 1; if the TTL reaches 0 before the packet arrives at the destination host, the packet is discarded and the router sends an ICMP message back to the original sender.
S4, judging the type of the target operating system of the target server according to the operating system identification information.
Different operating systems use different initial TTL values, so the operating system of a host can be inferred from the TTL value. In general, the TTL field value of the ICMP echo response of UNIX and UNIX-like operating systems is 255, that of Microsoft Windows NT/2K is 128, and that of Microsoft Windows 95 is 32. The Ping command can therefore be used to make a preliminary, simple judgement of which operating system a server is running.
S5, generating a digital certificate according to the type of the target operating system.
In the above step, after the operating system type of the corresponding target server has been determined, a certificate corresponding to the operating system type is generated.
S6, sending the digital certificate to the target server.
Because the digital certificate is generated according to the operating system type, the target server first confirms whether the digital certificate is correct after receiving it. If it is correct, the server then checks whether the certificate is installed: if it is already installed, the TLS handshake is completed, and if not, the TLS handshake is completed after the certificate has been installed.
In the method, the type of the operating system of the target server is primarily judged through interaction of data information, the type of the operating system of the target server is determined through feedback of operating system identification information, then a digital certificate is generated for the target server of the specific type, the digital certificate is sent to the server for verification, and the type of the operating system in the target platform is analyzed through a packet.
As a further embodiment: although the operating system of the host may be determined from the TTL value, this value is not completely accurate, and for various reasons the target operating system type determined from the correspondence may be wrong and produce a misjudgement. In that case the operating system type must be identified further, and in this embodiment the method additionally includes the following steps on top of the method above, as shown in fig. 2:
S7, receiving information on whether the digital certificate fed back by the target server is correct. After the target server receives the digital certificate sent by the client, it first confirms whether the certificate is correct and returns information indicating whether it is.
If the certificate is correct, the handshake between the client and the target server is completed; if not, step S8 is executed.
S8, if the digital certificate is incorrect, determining a plurality of alternative operating system types according to the operating system identification information and the target operating system type.
In this way, since the operating system type is identified from operating system identification information fed back in a packet, one hundred percent accuracy cannot be achieved, and there is a small probability that the inferred operating system type is inaccurate, so that the digital certificate generated for it does not meet the requirements of the target server. In that case, the feedback from the target server on whether the digital certificate is correct reveals whether the previously determined operating system type was correct; if not, several alternative operating system types are selected and tried in turn. This is an effective supplement to the above scheme and provides the conditions for determining the correct operating system type when the preliminary judgement was wrong.
The alternative operating system types are the other possible operating system types among existing operating systems: when the operating system type judged from the TTL value is inaccurate, the remaining one or more operating system types are taken as alternatives and tried in turn.
S9, selecting one operating system type from a plurality of alternative operating system types to generate a corresponding digital certificate;
S10, sending the digital certificate to the target server;
S11, receiving information on whether the digital certificate fed back by the target server is correct;
S12, judging whether the digital certificate is correct; if so, stopping further attempts with alternative operating system types and completing the handshake between the client and the target server;
and if the digital certificate is incorrect, executing S9-S11, selecting another operating system type from the alternative operating system types, generating a corresponding digital certificate, and repeating the steps until the target server feeds back that the digital certificate is correct.
In this way, the alternative operating system types are tried one by one, in a polling manner, until the correct operating system type is obtained and cross-platform TLS interconnection is achieved.
As a further embodiment, in the step S9, selecting one of the plurality of alternative operating system types to generate the corresponding digital certificate includes:
sorting a plurality of alternative operating system types by probability according to the operating system identification information;
and selecting the alternative operating system types in descending order of probability, and generating the corresponding digital certificates.
In this way, when a plurality of alternative operating system types are tried in sequence, the probability of each alternative can be determined from the operating system identification information and the operating system type with the highest probability is tried first, so that the correct operating system type is obtained as early as possible and the efficiency of the trials is improved.
As another optional implementation manner, in step S8, determining a plurality of candidate operating system types according to the operating system identification information and the target operating system type, further includes:
First, the operating system types that do not belong to the corresponding range are excluded according to the TTL information. Although the correspondence between the TTL value and the operating system type is not completely accurate, some cases can be explicitly excluded from the TTL value; for example, a TTL value in the range 240-255 generally does not correspond to a Windows operating system, so Windows can be excluded and the selection made among the other operating systems.
Then, the target operating system type is excluded. Since the target operating system type has already received feedback that its certificate is incorrect, it also needs to be excluded.
Finally, an alternative operating system type is selected from the remaining operating system types. After the excluded operating system types have been removed, the other operating system types are used as the alternatives to choose from.
In this scheme, if the preliminarily judged target operating system type is incorrect, the obviously non-corresponding operating system types are first eliminated according to the TTL information returned by the target server when the alternative operating system types are determined, and the incorrect target operating system type is eliminated at the same time. The remaining operating system types are used as the alternative operating system types and as the basis of the sequential trials. This reduces the amount of data processing, improves efficiency, and obtains the operating system type of the target platform more quickly during cross-platform interaction.
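The following Python is an added example (not code from the patent) of steps S4 to S12 together with the two refinements above: TTL-band exclusion, exclusion of the rejected type, probability ordering, and the bounded trial loop. The TTL band table, the prior weights, the sample echo reply, the `Certificate` placeholder and the simulated server feedback are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed table of default initial TTL values per operating system
# family (the patent publishes no table of its own). An observed TTL is the
# initial value minus the hop count, so each family owns a band (low, high].
OS_TTL_BAND = {
    "Windows":   (64, 128),   # default initial TTL 128
    "Linux":     (0, 64),     # default initial TTL 64
    "macOS":     (0, 64),     # default initial TTL 64, same band as Linux
    "Solaris":   (128, 255),  # default initial TTL 255
    "Cisco IOS": (128, 255),  # default initial TTL 255
}

# Constructed prior weights used to order candidates (step S9); a real
# deployment would derive them from its own population of servers.
OS_PRIOR = {"Windows": 0.35, "Linux": 0.40, "macOS": 0.10,
            "Solaris": 0.05, "Cisco IOS": 0.10}


def ttl_from_ipv4_packet(raw: bytes) -> int:
    """Step S3: read the TTL from the IPv4 header of the returned ICMP packet.
    Only the fields needed here are checked; the checksums are not validated."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                 # header length in bytes
    if ihl < 20 or len(raw) < ihl + 8:
        raise ValueError("truncated packet")
    if raw[9] != 1:                           # protocol 1 = ICMP
        raise ValueError("returned packet is not ICMP")
    if raw[ihl] != 0:                         # ICMP type 0 = echo reply
        raise ValueError("not an ICMP echo reply")
    return raw[8]                             # TTL is the ninth header byte


def rank_candidates(ttl: int, exclude: tuple = ()) -> list:
    """Steps S8/S9: drop OS types whose TTL band does not cover the observed
    TTL, drop types the server already rejected, and order the rest by
    normalised probability, highest first."""
    remaining = [os for os, (low, high) in OS_TTL_BAND.items()
                 if low < ttl <= high and os not in exclude]
    total = sum(OS_PRIOR[os] for os in remaining)
    ranked = [(os, OS_PRIOR[os] / total) for os in remaining]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def infer_target_os(ttl: int) -> str:
    """Step S4: the preliminary (most probable) target operating system type."""
    ranked = rank_candidates(ttl)
    if not ranked:
        raise ValueError(f"no operating system type matches TTL {ttl}")
    return ranked[0][0]


@dataclass(frozen=True)
class Certificate:
    """Placeholder for the platform-specific certificate of step S5; the
    patent does not specify its format, so only the OS tag is modelled."""
    os_type: str
    client_id: str


def negotiate(ttl: int, server_accepts: Callable[[Certificate], bool],
              client_id: str = "client-01") -> tuple:
    """Steps S4-S12 as one bounded loop. `server_accepts` stands in for
    sending the certificate (S6/S10) and receiving the correct/incorrect
    feedback (S7/S11). Returns (accepted OS type or None, attempts made).
    The loop stops when the finite candidate list is exhausted, so an
    unexpected platform fails cleanly instead of retrying forever."""
    primary = infer_target_os(ttl)
    attempts = [primary]
    if server_accepts(Certificate(primary, client_id)):
        return primary, attempts
    for candidate, _prob in rank_candidates(ttl, exclude=(primary,)):
        attempts.append(candidate)
        if server_accepts(Certificate(candidate, client_id)):
            return candidate, attempts
    return None, attempts


# Constructed ICMP echo reply (IPv4 header + 8-byte ICMP header) from a host
# 6 hops away whose initial TTL was 128, so the observed TTL is 0x7a = 122.
SAMPLE_REPLY = bytes.fromhex(
    "4500001c1c4640007a010000c0a80001c0a800c7"   # IPv4, TTL=0x7a, proto=ICMP
    "0000fdff00010001"                            # ICMP type 0, echo reply
)

if __name__ == "__main__":
    ttl = ttl_from_ipv4_packet(SAMPLE_REPLY)
    print("observed TTL", ttl, "->", infer_target_os(ttl))
    # A server that is really macOS: TTL 58 ranks Linux first, macOS second.
    print(negotiate(58, lambda cert: cert.os_type == "macOS"))
```

A TTL of 58 yields two candidates in the same band, which is exactly the ambiguity the fallback loop exists to resolve; a TTL of 250 never includes Windows, matching the 240-255 example in the text.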
In order to better illustrate the authentication method provided in the embodiments of the present application, the embodiments of the present application further provide a specific authentication method, which is used for a client, as shown in fig. 3, including:
S301, establishing a connection with a target server, and sending a first data packet to the target server; the first data packet is an ICMP packet.
S302, receiving a second data packet returned by the target server according to the first data packet.
S303, analyzing the operating system identification information from the second data packet; the operating system identification information includes TTL information.
S304, judging the type of the target operating system of the target server according to the operating system identification information.
S305, generating a digital certificate according to the type of the target operating system.
S306, sending the digital certificate to the target server.
S307, receiving information of whether the digital certificate fed back by the target server is correct.
S308, if the digital certificate is incorrect, determining a plurality of alternative operating system types according to the operating system identification information and the target operating system type, which comprises:
excluding the operating system types that do not belong to the corresponding range according to the TTL information;
excluding the target operating system type;
selecting an alternative operating system type from the remaining operating system types.
S309, selecting one operating system type from the plurality of alternative operating system types to generate a corresponding digital certificate, which comprises the following steps:
sorting the plurality of alternative operating system types by probability according to the operating system identification information;
selecting the alternative operating system types in descending order of probability, and generating the corresponding digital certificates.
S310, the digital certificate is sent to the target server.
S311, receiving information of whether the digital certificate fed back by the target server is correct.
S312, if the digital certificate is incorrect, selecting another operating system type from the alternative operating system types, generating a corresponding digital certificate, and repeating the steps until the target server feeds back that the digital certificate is correct.
The specific implementation of the above steps is the same as that of the steps described earlier and is not repeated here.
In this scheme, the operating system type of the target server is preliminarily judged through the exchange of data packets and confirmed through the feedback on the operating system identification information. If the preliminarily judged target operating system type is incorrect, the obviously non-corresponding operating system types are first eliminated according to the TTL information returned by the target server when the alternative operating system types are determined, the incorrect target operating system type is eliminated at the same time, and the remaining operating system types serve as the alternative operating system types and as the basis of the sequential trials. In this way cross-platform security authentication is achieved, which solves the problem in the prior art that cross-platform security authentication cannot be performed, and that when TLS faces different platforms the handshake fails, the authentication cannot succeed and the connection cannot be established; smooth TLS interaction among a plurality of platforms is thus realized.
It should be understood that, although the steps in the flowcharts of fig. 1-3 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be executed in other orders. Moreover, at least some of the steps in fig. 1-3 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential: they may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps.
An embodiment of the present invention further provides an authentication device, configured to be used by a client, as shown in fig. 4, including:
a first sending unit 401, configured to establish a connection with a target server, and send a first data packet to the target server; the first data packet is an ICMP packet.
A receiving unit 402, configured to receive a second data packet returned by the target server according to the first data packet;
a parsing unit 403, configured to parse the operating system identification information from the second data packet; the operating system identification information includes TTL information.
An identifying unit 404, configured to determine a target operating system type of the target server according to the operating system identification information;
a generating unit 405, configured to generate a digital certificate according to the target operating system type;
a second sending unit 406, configured to send the digital certificate to the target server.
In a further embodiment, as shown in fig. 5, the authentication device further includes:
a feedback unit 407, configured to receive information about whether the digital certificate fed back by the target server is correct;
an alternative unit 408, configured to determine a plurality of alternative operating system types according to the operating system identification information and the target operating system type if the digital certificate is incorrect.
To achieve TLS interaction in this case, the authentication apparatus, as shown in fig. 6, further includes:
a selecting unit 409, configured to select one operating system type from a plurality of the candidate operating system types, and generate a corresponding digital certificate;
a third transmitting unit 410, configured to transmit the digital certificate to the target server;
a feedback judging unit 411, configured to receive information about whether the digital certificate fed back by the target server is correct;
and a loop unit 412, configured to, if the digital certificate is incorrect, select another operating system type from the alternative operating system types, generate a corresponding digital certificate, and repeat the above steps until the target server feeds back that the digital certificate is correct.
As a specific implementation, the selecting unit 409 includes:
the probability sorting subunit is used for sorting the probabilities of a plurality of alternative operating system types according to the operating system identification information;
and the selection subunit is used for selecting the alternative operating system types according to the order of the probability from high to low and generating corresponding digital certificates.
As a specific embodiment, the alternative unit 408 includes:
a first exclusion subunit, configured to exclude, according to the TTL information, an operating system type that does not belong to a corresponding range thereof;
a second exclusion subunit, configured to exclude the target operating system type;
and the screening subunit is used for selecting an alternative operating system type from the rest operating system types.
For the specific definition of the authentication device and its beneficial effects, reference may be made to the definition of the authentication method above, which is not repeated here. The various modules described above may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware, may be independent of the processor in the computer device, or may be stored as software in the memory of the computer device, so that the processor can call and execute the operations corresponding to the above modules.
Fig. 7 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention, where the device includes one or more processors 710 and a memory 720, and the memory 720 includes a persistent memory, a volatile memory and a hard disk, and one processor 710 is illustrated in fig. 7. The apparatus may further include: an input device 730 and an output device 740.
The processor 710, memory 720, input device 730, and output device 740 may be connected by a bus or by other means; a bus connection is taken as an example in fig. 7.
The processor 710 may be a central processing unit (Central Processing Unit, CPU). The processor 710 may also be a chip such as other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or a combination thereof. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 720, which is a non-transitory computer readable storage medium, includes persistent memory, volatile memory, and hard disk, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the service management method in the embodiments of the present application. The processor 710 performs various functional applications of the server and data processing, i.e., implements the authentication method described above, by running non-transitory software programs, instructions, and modules stored in the memory 720.
The memory 720 may include a program storage area, which may store an operating system and at least one application program required for the functions, and a data storage area, which may store the data needed during use. In addition, the memory 720 may include high-speed random access memory, and may also include non-transitory memory such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 720 may optionally include memory located remotely from the processor 710, which may be connected to the data processing apparatus via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 730 may receive input numeric or character information and generate key signal inputs related to user settings and function control. The output device 740 may include a display device such as a display screen.
The one or more modules are stored in the memory 720 that, when executed by the one or more processors 710, perform the methods illustrated in fig. 1-3.
The product can execute the method provided by the embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method. Technical details which are not described in detail in the present embodiment can be found in the embodiments shown in fig. 1 to 3.
The embodiments of the present invention also provide a non-transitory computer storage medium storing computer executable instructions that can perform the authentication method in any of the above-described method embodiments. Wherein the storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a Flash Memory (Flash Memory), a Hard Disk (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.
It will be appreciated by those skilled in the art that all or part of the method of the above embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer readable storage medium and, when executed, may carry out the method of the above embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random-access memory (RAM), or the like.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.
Claims (8)
1. An authentication method for a client, comprising:
establishing a connection with a target server, and sending a first data packet to the target server;
receiving a second data packet returned by the target server according to the first data packet;
analyzing the operating system identification information from the second data packet;
judging the type of a target operating system of the target server according to the operating system identification information;
generating a digital certificate according to the type of the target operating system;
transmitting the digital certificate to the target server;
receiving information of whether the digital certificate fed back by the target server is correct or not;
if the digital certificate is incorrect, determining a plurality of alternative operating system types according to the operating system identification information and the target operating system type;
selecting one operating system type from a plurality of the alternative operating system types to generate a corresponding digital certificate;
transmitting the digital certificate to the target server;
receiving information of whether the digital certificate fed back by the target server is correct or not;
if the digital certificate is incorrect, selecting another operating system type from the alternative operating system types, generating a corresponding digital certificate, and repeating the steps until the target server feeds back that the digital certificate is correct.
2. The method of claim 1, wherein selecting one of the plurality of alternative operating system types to generate the corresponding digital certificate comprises:
sorting a plurality of alternative operating system types by probability according to the operating system identification information;
and selecting the alternative operating system types in descending order of probability, and generating the corresponding digital certificates.
3. The method according to claim 1 or 2, wherein the first data packet is an ICMP packet.
4. The method of claim 3 wherein said operating system identification information comprises TTL information.
5. The method of claim 4, wherein determining a plurality of alternative operating system types from the operating system identification information and the target operating system type comprises:
excluding the operating system types that do not belong to the corresponding range according to the TTL information;
excluding the target operating system type;
and selecting an alternative operating system type from the remaining operating system types.
6. An authentication apparatus for a client, comprising:
the sending unit is used for establishing connection with a target server and sending a first data packet to the target server;
the receiving unit is used for receiving a second data packet returned by the target server according to the first data packet;
the analyzing unit is used for analyzing the operating system identification information from the second data packet;
the identification unit is used for judging the type of the target operating system of the target server according to the operating system identification information;
a generation unit for generating a digital certificate according to the target operating system type;
a transmitting unit configured to transmit the digital certificate to the target server;
the feedback unit is used for receiving the information of whether the digital certificate fed back by the target server is correct or not;
an alternative unit, configured to determine a plurality of alternative operating system types according to the operating system identification information and the target operating system type if the digital certificate is incorrect;
the selection unit is used for selecting one operating system type from a plurality of alternative operating system types to generate a corresponding digital certificate;
a third transmitting unit configured to transmit the digital certificate to the target server;
the feedback judging unit is used for receiving the information of whether the digital certificate fed back by the target server is correct or not;
and the circulation unit is used for selecting another operating system type from the alternative operating system types to generate a corresponding digital certificate if the digital certificate is incorrect, and repeating the steps until the target server feeds back that the digital certificate is correct.
7. A computer device comprising a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the authentication method of any of claims 1-5.
8. A computer-readable storage medium storing computer instructions for causing the computer to perform the authentication method of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111151422.5A CN114024712B (en) | 2021-09-29 | 2021-09-29 | Authentication method, authentication device, computer equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114024712A CN114024712A (en) | 2022-02-08 |
CN114024712B true CN114024712B (en) | 2023-08-04 |
Family
ID=80055279
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111151422.5A Active CN114024712B (en) | 2021-09-29 | 2021-09-29 | Authentication method, authentication device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114024712B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111526161A (en) * | 2020-05-27 | 2020-08-11 | 联想(北京)有限公司 | Communication method, communication equipment and proxy system |
CN112395579A (en) * | 2020-11-13 | 2021-02-23 | 中国工商银行股份有限公司 | Electronic signature generation method and device based on face recognition and cloud certificate |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |