CN114257471B - Authentication method, network device and storage medium - Google Patents


Info

Publication number: CN114257471B
Authority: CN (China)
Application number: CN202111322491.8A
Other languages: Chinese (zh)
Other versions: CN114257471A
Inventor: 王力鹏
Assignee (original and current): Wangsu Science and Technology Co Ltd
Legal status: Active (application granted)
Prior art keywords: host, identifier, initiating, receiving, controller

Classifications

All under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/46 Interconnection of networks; H04L12/28 Data switching networks characterised by path configuration, e.g. LAN or WAN; H04L12/00 Data switching networks)
    • H04L63/0807 Network security: authentication of entities using tickets, e.g. Kerberos (under H04L63/08 Authentication of entities; H04L63/00 Network architectures or protocols for network security)
    • H04L63/10 Network security: controlling access to devices or network resources (under H04L63/00)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 Detecting malicious traffic by monitoring network traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14; H04L63/00)


Abstract

The embodiment of the application relates to the field of communication technology and discloses a verification method comprising: receiving a first SPA data packet sent when an initiating host requests authorization for the first time; judging whether the first SPA data packet includes an initial unique identifier and whether that identifier is valid; and if so, opening the service port to the initiating host and setting the state of the initial unique identifier to invalid. The embodiment also discloses a network device and a storage medium. The verification method, network device and storage medium provided by the embodiment improve the security of the SDP controller.

Description

Authentication method, network device and storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an authentication method, a network device, and a storage medium.
Background
With the development of cloud computing and remote access, enterprise security boundaries are gradually dissolving, and traditional perimeter-based network security architectures are poorly suited to modern enterprise network infrastructure. The industry has therefore proposed the concept of zero trust security, which moves the network security architecture from being network-centric to being identity-centric, so that dynamic access control is performed with identity at the center.
The Software Defined Perimeter (SDP) is a security framework proposed by the Cloud Security Alliance and a concrete implementation of the zero trust security concept. Its basic components are an initiating host (the connection-initiating host, i.e. the client), a receiving host (the connection-receiving host, i.e. the security gateway) and an SDP controller. In the SDP framework, before the initiating host establishes a connection with the receiving host and the SDP controller, it must perform single-packet authorization (SPA) authentication. Specifically, the receiving host and the SDP controller keep their service ports closed so that the server is hidden on the network and can be neither connected to nor scanned; when the service is needed, the initiating host sends authentication messages to the SDP controller and then to the receiving host for authentication, and after authentication passes, the SDP controller and the receiving host open the relevant service port to the initiating host.
In existing implementations, different initiating hosts and SDP controllers may use the same default SPA verification information for authentication, so if that information is leaked, an attacker can forge a large number of initiating hosts to attack the service ports of the SDP controller, reducing the security of the SDP controller.
Disclosure of Invention
An object of the embodiments of the present application is to provide an authentication method, a network device, and a storage medium, which can improve the security of an SDP controller.
To solve the above technical problems, the embodiments of the present application provide an authentication method that can be applied wherever security control based on SDP is required, for example when a client requests a connection to a VPN proxy server while a user accesses an intranet; there the client corresponds to the initiating host of the embodiments and the VPN proxy server corresponds to the receiving host. The verification method is described below from the perspective of the SDP controller and from the perspective of the initiating host.
The embodiment of the application provides a verification method applied to an SDP controller, comprising: receiving a first SPA data packet sent when an initiating host requests authorization for the first time; judging whether the first SPA data packet includes an initial unique identifier and whether that initial unique identifier is valid; and if so, opening the service port to the initiating host and setting the state of the initial unique identifier to invalid.
In the verification method provided by the embodiment, SPA verification consists of judging whether the SPA data packet sent by the initiating host contains the initial unique identifier and whether that identifier is valid; after SPA verification passes, the service port is opened and the initial unique identifier is set to invalid. Because SPA verification requires a valid initial unique identifier, the identifier is invalidated once verification completes, and the service port is opened only to the initiating host that passed, the initial unique identifier is usable exactly once: even if an attacker obtains it and forges a large number of initiating hosts to attack the SDP controller, the SDP controller opens the service port to only one initiating host, and the other initiating hosts still cannot attack the service port. This improves the security of the SDP controller.
In addition, after the service port is opened to the initiating host and the state of the initial unique identifier is set to invalid, the method further comprises: receiving identity authentication information sent by the initiating host through the service port; authenticating that information; if authentication passes, sending a receiving host verification identifier to the initiating host and the receiving host, where the receiving host verification identifier is the basis on which the receiving host verifies the initiating host; and closing the service port to the initiating host. Authenticating the initiating host's identity authentication information confirms that the user identity corresponding to the initiating host is legitimate; sending the receiving host verification identifier to the initiating host and the receiving host only once the user identity is confirmed further protects the receiving host.
In addition, sending the receiving host verification identifier to the initiating host and the receiving host includes: sending the receiving host verification identifier and the receiving host information to the initiating host, and sending the receiving host verification identifier and the initiating host information to all receiving hosts included in the receiving host information, so that each receiving host verifies the initiating host based on the receiving host verification identifier and the initiating host information. Because every receiving host listed in the receiving host information holds the receiving host verification identifier, the initiating host can pick any one of them for SPA verification and be verified normally; if that receiving host has poor network conditions or an abnormal service, the initiating host can pick another receiving host for SPA verification and connection, so the initiating host can obtain the services of all receiving hosts in the receiving host information and high availability is ensured.
In addition, before sending the receiving host verification identifier to the initiating host and the receiving host, the method further comprises generating a controller verification identifier, and sending the receiving host verification identifier to the initiating host also sends the controller verification identifier. By generating a controller verification identifier and sending it to the initiating host together with the receiving host verification identifier, the SDP controller can later perform SPA verification on the initiating host when it requests authorization other than for the first time.
In addition, after the controller verification identifier is sent, the method further comprises: receiving a second SPA data packet sent by the initiating host when it is not requesting authorization for the first time; judging whether the second SPA data packet includes a controller verification identifier and whether that identifier is valid; and if so, opening the service port to the initiating host. In general, once the SDP controller has finished sending information to the initiating host and the receiving host, it can close the service port opened to the initiating host directly; when the initiating host requests authorization again, the SDP controller determines whether the second SPA packet includes a valid controller verification identifier and reopens the service port only when it does, further improving the security of the SDP controller.
In addition, the first SPA data packet further includes a device identifier of the initiating host, and after the controller verification identifier is generated the method further includes establishing a correspondence between the device identifier and the controller verification identifier. Judging whether the second SPA data packet includes a valid controller verification identifier then comprises: acquiring the device identifier of the initiating host; when the second SPA data packet includes the controller verification identifier, judging whether the acquired device identifier is the same as the device identifier corresponding to that controller verification identifier, and if not, judging the controller verification identifier invalid. Checking that the device identifier of the initiating host matches the one recorded in the previously established correspondence means that a non-first SPA data packet is effective only when sent by the original initiating host, which further prevents an attacker from forging the initiating host and improves the security of the SDP controller.
Correspondingly, the embodiment of the application also provides a verification method applied to terminal software, where the terminal software is configured with an initial unique identifier and is installed on an initiating host, and the initiating host runs the terminal software to perform the method, which comprises: when requesting authorization for the first time, sending a first SPA data packet containing the initial unique identifier to the SDP controller, so that the SDP controller verifies the first SPA data packet based on the initial unique identifier.
In addition, the terminal software is downloaded through a download platform deployed in the intranet. Because the initial unique identifier is configured in the terminal software and the terminal software must be downloaded through the intranet download platform, an attacker who wants to mount an effective attack by forging a large number of initiating hosts would have to download and install a corresponding number of copies of the terminal software from the intranet, each with its own configured initial unique identifier, and the intranet generally has a security access control mechanism. This increases the attacker's technical difficulty, consumes download traffic and installation time, raises the cost of an attack, and improves the security of the SDP controller.
In addition, after sending the first SPA packet to the SDP controller, the method further includes: sending identity authentication information to the SDP controller; and if the receiving host verification identifier and receiving host information that the SDP controller sends after verifying the identity authentication information are received, sending a second SPA data packet containing the receiving host verification identifier to a receiving host included in the receiving host information, so that the receiving host can verify the second SPA data packet based on the receiving host verification identifier. Sending identity authentication information to the SDP controller for authentication makes it difficult for illegitimate users to pass the SDP controller's verification and protects the rights of legitimate users; sending a second SPA data packet carrying the receiving host verification identifier to a listed receiving host for SPA verification, after receiving the identifier and the receiving host information from the SDP controller, protects the receiving host while ensuring the user identity is legitimate.
In addition, after sending the second SPA packet to the receiving host included in the receiving host information, the method further includes: probing the service quality of each receiving host, where the probe covers at least one of delay, jitter, packet loss rate and the state of the service port; and selecting a suitable receiving host as the target receiving host according to the probe results. Probing the service quality of each receiving host lets the initiating host choose a suitable target receiving host and so ensures the service quality of the subsequent business traffic.
In addition, after selecting a suitable receiving host as the target receiving host according to the quality-of-service probe, the method further includes: sending service traffic to the service port of the target receiving host; and if the service of the target receiving host becomes abnormal, probing the service quality of the other receiving hosts in the receiving host information and selecting a suitable receiving host as the new target receiving host according to the probe results. By repeating SPA verification and service quality probing when the target receiving host is abnormal and selecting a new target from the probe results, the initiating host can switch to another healthy receiving host with suitable service quality, so it continues to obtain the receiving host's service and high availability is ensured.
In addition, probing the service quality of the other receiving hosts in the receiving host information and selecting a suitable receiving host as the new target receiving host according to the probe results comprises: if no response to the service quality probe is received, sending a third SPA data packet to the SDP controller, the third SPA data packet containing the controller verification identifier that the SDP controller sent to the initiating host after verifying the identity authentication information. By sending the third SPA packet to the SDP controller, the initiating host can reacquire a valid receiving host verification identifier and thereby legitimately access a receiving host again.
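As an added example that is not part of the patent or of Wangsu's software, the following Python sketch shows the initiating-host side of the three steps above: scoring each receiving host from the four probe dimensions named in the text (delay, jitter, packet loss rate, service-port state), failing over when the target's service becomes abnormal, and flagging the case where no probe is answered so that a third SPA packet must be sent to the SDP controller. The thresholds, weights, probe values and addresses are assumptions.

```python
"""Added example, not the patent's own code: receiving-host selection on the
initiating host. Thresholds, weights and probe data are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

# assumed acceptability thresholds for a receiving host
MAX_DELAY_MS, MAX_JITTER_MS, MAX_LOSS_RATE = 200.0, 50.0, 0.05


@dataclass(frozen=True)
class Probe:
    delay_ms: float
    jitter_ms: float
    loss_rate: float  # 0.0 .. 1.0
    port_open: bool   # service port reachable after the receiving host's own SPA check


def score(p: Probe) -> Optional[float]:
    """Lower is better; None means the host is not usable as a target."""
    if (not p.port_open or p.delay_ms > MAX_DELAY_MS
            or p.jitter_ms > MAX_JITTER_MS or p.loss_rate > MAX_LOSS_RATE):
        return None
    # assumed weighting: jitter counts double, 1% loss counts like 10 ms of delay
    return p.delay_ms + 2.0 * p.jitter_ms + 1000.0 * p.loss_rate


def select_target(probes: Dict[str, Probe]) -> Optional[str]:
    scored = {host: s for host, p in probes.items() if (s := score(p)) is not None}
    return min(scored, key=scored.get) if scored else None


class InitiatingHost:
    """Tracks the current target and decides whether re-authorization is needed."""

    def __init__(self, receiving_hosts: Sequence[str],
                 prober: Callable[[str], Optional[Probe]]):
        self.receiving_hosts = list(receiving_hosts)
        self.prober = prober          # returns None when a host does not answer the probe
        self.target: Optional[str] = None
        self.needs_third_spa = False  # True => send a third SPA packet to the controller

    def choose_target(self, exclude: Sequence[str] = ()) -> Optional[str]:
        probes: Dict[str, Probe] = {}
        for host in self.receiving_hosts:
            if host in exclude:
                continue
            result = self.prober(host)
            if result is not None:
                probes[host] = result
        if not probes:
            # No receiving host answered: the receiving host verification identifier
            # may no longer be accepted, so re-request authorization from the controller.
            self.needs_third_spa = True
            self.target = None
            return None
        self.target = select_target(probes)
        return self.target

    def on_service_abnormal(self) -> Optional[str]:
        """Service traffic to the target failed: probe the other hosts and switch."""
        failed = self.target
        return self.choose_target(exclude=() if failed is None else (failed,))


# constructed probe results for three receiving hosts (addresses are placeholders)
PROBES: Dict[str, Probe] = {
    "10.0.0.11": Probe(delay_ms=40.0, jitter_ms=5.0, loss_rate=0.0, port_open=True),
    "10.0.0.12": Probe(delay_ms=25.0, jitter_ms=3.0, loss_rate=0.01, port_open=True),
    "10.0.0.13": Probe(delay_ms=15.0, jitter_ms=2.0, loss_rate=0.0, port_open=False),
}


def demo() -> List[Optional[str]]:
    """First selection, then failover after the target's service becomes abnormal."""
    h = InitiatingHost(list(PROBES), lambda host: PROBES.get(host))
    first = h.choose_target()         # "10.0.0.12": score 41 beats 50; .13 port closed
    second = h.on_service_abnormal()  # "10.0.0.11"
    return [first, second]


def demo_no_response() -> bool:
    """Every probe unanswered: the host must send a third SPA packet to the controller."""
    h = InitiatingHost(["10.0.0.11"], lambda host: None)
    h.choose_target()
    return h.needs_third_spa
```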
Based on the same inventive concept, embodiments of the present application provide a network device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable it to perform the verification method applied to the SDP controller or the verification method applied to the terminal software.
In addition, embodiments of the present application also provide a computer-readable storage medium storing a computer program that, when executed by a processor, implements the verification method applied to the SDP controller or the verification method applied to the terminal software.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings.
FIG. 1 is a schematic flow chart of a verification method provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of a verification method provided in an embodiment of the present application;
FIG. 3 is another flow chart of the verification method provided in the embodiment of the present application;
FIG. 4 is another schematic diagram of the verification method provided in the embodiment of the present application;
FIG. 5 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, embodiments of the present application are described in detail below with reference to the accompanying drawings. As those of ordinary skill in the art will appreciate, numerous technical details are set forth in the various embodiments to provide a better understanding of the present application; however, the technical solutions claimed in the present application can be implemented without these technical details, and with various changes and modifications based on the following embodiments.
The first embodiment of the application relates to a verification method applied to an SDP controller: on receiving a first SPA data packet sent by an initiating host, the controller judges whether the packet includes an initial unique identifier and whether that identifier is valid, and if so opens a service port to the initiating host and sets the state of the initial unique identifier to invalid.
The specific flow of the verification method provided in the embodiment of the application is shown in fig. 1, and includes the following steps:
s101: and receiving a first SPA data packet sent when the initiating host requests authorization for the first time.
In an implementation, when determining whether the initiating host is first-time request authorization, the SDP controller may determine according to a request record of each initiating host, if there is no record of the initiating host, determine that the initiating host is first-time request authorization, and if not, determine that the initiating host is not first-time request authorization, so that verification of the SPA data packet may be synchronously controlled based on the access record, for example, if it is determined that the current initiating host already has an authorization request record, even if an initial unique identifier carried by the current initiating host is valid, it may also be directly determined that the SPA data packet is not authenticated.
In another implementation, the SDP controller may directly determine whether the received SPA packet is sent when the initiating host requests authorization for the first time according to whether the first SPA packet includes the initial unique identifier, and if so, may determine that the received SPA packet is sent when the initiating host requests authorization for the first time.
S102: and judging whether the first SPA data packet comprises an initial unique identifier and the initial unique identifier is valid.
The initial unique identifier refers to an identifier which is used for SPA verification when the initiating host initiates the authorization request for the first time, and the identifier is unique and is different from each initiating host. Preferably, the initial unique identifier may be generated by the terminal download platform and configured in the terminal software, and may be obtained only after the initiating host installs the terminal software. Of course, in other embodiments of the present application, other generation manners may be used, for example, the initial unique identifier may be sent to the initiating host in advance by the background management center, or may be obtained from the initiating host to the designated network location, and the manner in which the initiating host obtains the initial unique identifier may be set according to actual needs, which is not specifically limited in embodiments of the present application.
In an implementation, when the terminal download platform or the background management center synchronizes all the generated initial unique identifiers to the SDP controller, when the SDP controller receives the first SPA data packet, the initial unique identifiers may be obtained by parsing the first SPA data packet, for example, a value of a specific field in the data packet is obtained and determined to be the initial unique identifier, and if the initial unique identifiers cannot be obtained, for example, the specific field value is null or the format is not matched, it may be determined that the SPA data packet does not include the initial unique identifier. In this case, the SDP controller may determine that the first SPA packet is not sent when the first request for authorization is made, and if in step 101, it has been determined that the first SPA packet is sent when the first request for authorization is made according to the request record, then it may directly determine that the SPA packet is invalid at this time, and no subsequent verification is required, so as to improve processing efficiency.
After determining that the first SPA packet includes the initial unique identifier, the method may continue to determine whether the initial unique identifier is valid. Specifically, the SDP controller may set a state for the locally recorded initial unique identifier, where the initial state is valid, and may set the state to be invalid when the initial unique identifier is verified. When judging whether the initial unique identifier is valid, the judgment can be directly performed according to the state value of the initial unique identifier.
Further, whether the initial unique identifier is valid can be determined in combination with a timestamp carried in the first SPA data packet, which records the time at which the initiating host sent the packet. From the actual time of receipt and that timestamp, the SDP controller calculates how long the packet took to travel from the initiating host to the SDP controller and checks whether that duration is reasonable, which indicates whether the packet may have been intercepted in transit. If the duration is unreasonable, the transmission of the first SPA data packet is judged abnormal and a potential security risk exists, so the initial unique identifier in the packet is judged invalid.
S103: if yes, the service port is opened to the initiating host and the state of the initial unique identifier is set as invalid.
In practice, if the initial unique identifier is judged invalid on the basis of the timestamp, its state also needs to be set to invalid. Once the state of the initial unique identifier is invalid, neither this initiating host nor any other initiating host can pass the SDP controller's verification with it, which improves the security of the SDP controller.
Optionally, if the result of the determination is no, that is, the first SPA packet does not include the initial unique identifier or the initial unique identifier is invalid, no action is performed, that is, the SDP controller will not open the service port to the initiating host, and any packet sent by the initiating host to the service port of the SDP controller will be directly discarded.
In a specific example, after S103 the method further includes: receiving identity authentication information sent by the initiating host through the service port; authenticating it; and if authentication passes, sending a receiving host verification identifier to the initiating host and the receiving host and closing the service port to the initiating host, where the receiving host verification identifier is the basis on which the receiving host verifies the initiating host.
The identity authentication information sent by the initiating host may include information for determining the identity of the user, such as a user name, a password, and/or a short message check code, and specifically included content may be set according to an actual security requirement, which is not specifically limited in the embodiment of the present application.
Optionally, if the SDP controller does not pass the identity authentication information, it makes no response or responds to the initiating host with a user authentication failure message; if authentication remains unsuccessful beyond a preset period or number of attempts, the service port can be closed to the initiating host directly.
By authenticating the identity authentication information of the initiating host, the user identity corresponding to the initiating host can be confirmed to be legal; on the premise of confirming that the user identity is legal, the verification identifier of the receiving host is sent to the initiating host and the receiving host, so that the legitimacy of the identity of the initiating host can be ensured, and the safety of the receiving host is ensured.
In a specific example, the sending the receiver verification identifier to the initiator and the receiver may include: and sending the receiving host verification identifier and the receiving host information to the initiating host, and sending the receiving host verification identifier and the initiating host information to all receiving hosts included in the receiving host information, so that the receiving host verifies the initiating host based on the receiving host verification identifier and the initiating host information.
The receiving host information may be preconfigured in the SDP controller as the receiving hosts that serve the initiating host, or may be selected by the SDP controller based on the initiating host's location together with a proximity rule and a load-balancing policy. The receiving host information may include the IP addresses of the respective receiving hosts, so that the initiating host can access them by address; it may list one or more receiving hosts, which is not limited here.
By sending the checking identification of the receiving host to each receiving host included in the information of the receiving host, the initiating host can arbitrarily select one of the receiving hosts to perform SPA verification and connect, if the current selected receiving host has poor network condition or abnormal service, the initiating host can select other receiving hosts to perform SPA verification and connect, the initiating host can be ensured to obtain the service of the receiving host, and the service availability is improved.
In a specific example, before the SDP controller sends the receiver verification identifier and the receiver information to the initiator and the receiver, the SDP controller further includes: generating a controller check identifier, and correspondingly, when sending the receiver check identifier and receiver information to the initiating host and the receiver, further comprises: and sending the controller check identifier to the initiating host, namely the SDP controller simultaneously sends the receiving host check identifier, the receiving host information and the controller check identifier to the initiating host.
In a specific example, after the controller check identifier is sent, the method further includes: receiving a second SPA data packet sent by the initiating host when the initiating host does not first request authorization; judging whether the second SPA data packet comprises a controller check identifier or not and whether the controller check identifier is valid, if yes, opening a service port to the initiating host.
In a specific application process, when the initiating host needs to establish communication connection with the receiving host, or finds that normal communication with the checked receiving host is impossible, authorization can be re-requested from the SDP controller, and authentication through SPA is required to be performed each time authorization is requested. In general, when terminal software of an initiating host sends an SPA data packet to an SDP controller based on a user request, it will automatically determine whether the SPA data packet is sent by first request authorization, if yes, an initial unique identifier will be obtained locally and carried in the SPA data packet, and if not, a latest controller check identifier received from the SDP controller will be obtained locally and carried in the SPA data packet. It will be appreciated that for ease of subsequent verification, the distinction may be made by storing the initial unique identification and the controller verification identification in different fields, or by different data formats.
In one implementation, upon receiving a second SPA packet, the SDP controller may determine whether the second SPA packet was sent when an authorization was first requested or when an authorization was not first requested based on the history of the initiating host. In another implementation, the SDP controller may also determine whether the SPA packet was sent when the authorization was first requested or not when the authorization was first requested based on whether the content was available from the initial unique identifier or the field corresponding to the controller check identifier, or the format of the content data that was available.
When judging whether the controller check mark is valid, the method can refer to the judging mode of the initial unique mark, namely, whether the controller check mark is valid is judged by the state value of the controller check mark or further combining with a time stamp, and the description is omitted.
The safety of the SDP controller can be improved by judging whether the SPA data packet sent by the initiating host comprises the controller check identifier and the controller check identifier is effective, and opening the service port to the initiating host again when the judging result is yes.
In a specific example, the first SPA data packet further includes a device identifier of the initiating host, and after the controller check identifier is generated, the method may further include: establishing a corresponding relation between the first equipment identifier and the controller verification identifier, judging whether the second SPA data packet comprises the controller verification identifier and the controller verification identifier is valid or not, and comprising the following steps: and acquiring the equipment identifier of the initiating host, judging whether the equipment identifier is the same as the equipment identifier when the second SPA data packet comprises the controller check identifier, and judging that the controller check identifier is invalid if the equipment identifier is different from the equipment identifier.
The device identifier of the initiating host refers to data that can uniquely identify the initiating host, and may be, for example, a MAC (Media Access Control ) address, etc., which is not particularly limited herein.
By judging whether the equipment identifier of the initiating host is the same as the equipment identifier of the prior corresponding relation, the SPA data packet of the non-first authorization request can be enabled to be effective only when the original initiating host is initiated, so that the difficulty of an attacker forging the initiating host to attack is further improved, and the safety of the SDP controller is improved.
When the SDP controller reopens the service port to the initiating host, the user identity information is again authenticated, and after the authentication is passed, corresponding information is sent to the initiating host and the related receiving host, which is described above, and details are omitted. Notably, the SDP controller can regenerate the controller check identifier for subsequent verification, and delete or set the controller check identifier passing the current verification to an invalid state, so as to prevent potential safety hazards caused to the SDP controller after the controller check identifier is illegally acquired.
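As an added example (not code from the patent), the controller-side checks described above can be modelled as a small state machine in Python: the initial unique identifier is accepted once and then set invalid, the service port is closed again after identity authentication, and the controller check identifier is bound to the device identifier and consumed on its first use. The credential store, the validity window and the sample identifiers are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class CheckId:
    """A one-time identifier with a state value and an issue timestamp."""
    value: str
    issued_at: float
    valid: bool = True


class SDPController:
    """Controller-side SPA checks modelled on the procedure described above."""

    def __init__(self, initial_ids, users, max_age_s=300.0, now=None):
        now = time.time() if now is None else now
        # Initial unique identifiers shipped in the terminal software packages.
        self.initial_ids = {v: CheckId(v, now) for v in initial_ids}
        self.users = users                  # hypothetical user -> credential store
        self.max_age_s = max_age_s          # validity window (assumption)
        self.history = set()                # device ids that already requested authorization
        self.controller_ids = {}            # controller check id -> (CheckId, device id)
        self.open_ports = set()             # device ids the service port is open to
        self.receivers = ["10.0.0.11", "10.0.0.12"]   # constructed receiving host info

    def _is_valid(self, cid, now):
        """State value plus timestamp check, as the text describes."""
        return cid.valid and (now - cid.issued_at) <= self.max_age_s

    def handle_first_spa(self, pkt, now=None):
        """First SPA packet: must come from a host with no request record and
        carry a valid initial unique identifier, which is then set invalid."""
        now = time.time() if now is None else now
        dev = pkt.get("device_id")
        if dev in self.history:
            return False                    # not a first request: verification fails
        cid = self.initial_ids.get(pkt.get("initial_id"))
        if cid is None or not self._is_valid(cid, now):
            return False
        cid.valid = False                   # consumed: a replay of this packet fails
        self.history.add(dev)
        self.open_ports.add(dev)
        return True

    def authenticate(self, dev, user, credential, now=None):
        """Identity authentication over the open service port. On success the
        receiving host check identifier and a fresh controller check identifier
        are issued and the service port is closed again."""
        now = time.time() if now is None else now
        if dev not in self.open_ports:
            return None
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), credential.encode()):
            return None
        receiver_check = secrets.token_hex(16)
        controller_check = CheckId(secrets.token_hex(16), now)
        # Correspondence between the device identifier and the controller check identifier.
        self.controller_ids[controller_check.value] = (controller_check, dev)
        self.open_ports.discard(dev)
        return {
            "to_initiator": {"receiver_check_id": receiver_check,
                             "receivers": list(self.receivers),
                             "controller_check_id": controller_check.value},
            "to_receivers": {"receiver_check_id": receiver_check, "initiator": dev},
        }

    def handle_second_spa(self, pkt, now=None):
        """Non-first SPA packet: the controller check identifier must exist, be
        valid, and be bound to the same device identifier that sends it."""
        now = time.time() if now is None else now
        dev = pkt.get("device_id")
        if dev not in self.history:
            return False
        entry = self.controller_ids.get(pkt.get("controller_id"))
        if entry is None:
            return False
        cid, bound_dev = entry
        if bound_dev != dev or not self._is_valid(cid, now):
            return False
        cid.valid = False                   # one use only; re-authentication issues a new one
        del self.controller_ids[cid.value]
        self.open_ports.add(dev)
        return True
```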
In the above embodiments, the verification method provided in the present embodiment is described from the perspective of the SDP controller, and the verification method provided in the present embodiment will be described from the perspective of the initiating host.
In one embodiment, the invention relates to a verification method applied to terminal software, where the terminal software is configured with an initial unique identifier and is installed on an initiating host, and the verification method is carried out by the initiating host running the terminal software. The verification method includes: when requesting authorization for the first time, sending a first SPA data packet that includes the initial unique identifier to the SDP controller, so that the SDP controller can verify the first SPA data packet based on the initial unique identifier.
In a specific example, the terminal software is downloaded through a download platform deployed in an intranet.
Please refer to fig. 2, which is a schematic diagram of a verification method according to an embodiment of the present application. Specifically, the initiating host downloads an installation package of the terminal software from the terminal download platform; the installation package contains the initial unique identifier of the terminal software; the initiating host runs the installation package to complete the installation of the terminal software; and once installation is complete, a user can request related services by operating the terminal software. When it is determined from the received end user request that a connection with a receiving host is needed, and the connection is being established for the first time, a first SPA data packet including the initial unique identifier may be sent to the SDP controller for SPA verification.
The specific flow of the verification method provided in the embodiment of the application is shown in fig. 3, and includes the following steps:
S201: a first authorization request is generated.
S202: sending the first SPA data packet to the SDP controller according to the first authorization request, so that the SDP controller verifies the first SPA data packet based on the initial unique identifier, where the first SPA data packet includes the initial unique identifier.
According to the verification method provided by the embodiment of the application, when the terminal software needs to request authorization from the SDP controller, it can automatically determine from the history record whether this is the first authorization request; if so, it sends a first SPA data packet to the SDP controller, reading the initial unique identifier from local storage and carrying it in the first SPA data packet, and the SDP controller performs SPA verification based on the initial unique identifier. Specifically, the initial unique identifier may be placed in a specific field of the first SPA data packet according to a preset rule, or may be placed in the first SPA data packet according to a preset data format.
In a specific example, after S202, that is, after sending the first SPA data packet to the SDP controller, the method further includes: transmitting identity authentication information to the service port of the SDP controller; and, if the receiving host verification identifier and the receiving host information sent by the SDP controller after it has verified the identity authentication information are received, sending a second SPA data packet to the receiving host included in the receiving host information, so that the receiving host can verify the second SPA data packet based on the receiving host verification identifier, where the second SPA data packet includes the receiving host verification identifier.
By sending identity authentication information to the SDP controller for authentication, it becomes difficult for illegitimate users to pass the SDP controller's verification, and the rights and interests of legitimate users are protected; after receiving the receiving host verification identifier and the receiving host information sent by the SDP controller, a second SPA data packet including the receiving host verification identifier is sent to the receiving host included in the receiving host information for SPA verification, so that the security of the receiving host is ensured on the premise that the user identity is legitimate.
The receiving host can verify the second SPA data packet based on the initiating host information and the receiving host verification identifier received from the SDP controller; if the second SPA data packet passes verification, the service port is opened to the initiating host, otherwise no operation is performed.
In a specific example, when the received receiving host information includes a plurality of receiving hosts, the method further includes, after the initiating host sends the second SPA data packet to the receiving hosts included in the receiving host information: performing quality of service detection on each receiving host, where the quality of service detection includes at least one of time delay, jitter, packet loss rate and detection of the service port state; and selecting a suitable receiving host as the target receiving host according to the quality of service detection.
When a suitable receiving host is selected as the target receiving host according to the quality of service detection, any receiving host satisfying a preset condition may be selected as the target receiving host, where the preset condition may be set as needed and is not limited here.
Alternatively, when a suitable receiving host is selected as the target receiving host according to the quality of service detection, it may be: sorting all the receiving hosts according to the quality of service detection result, and selecting the receiving host with the best quality of service detection result as the target receiving host.
Alternatively, the terminal software of the initiating host may evaluate the quality of service probe results for each receiving host according to the following formula (1):

detection quality = α × loss rate × 100 + β/delay + γ × jitter   (1)

where α, β and γ are parameter weights; their default values may all be 1, or the values may be customized by the user. It should be understood that, for the quality of service result calculated by formula (1), the lower the value, the better the quality of service, and conversely the higher the value, the worse.
Please refer to fig. 4, which is another schematic diagram illustrating a verification method according to an embodiment of the present application. Specifically, after the identity authentication information of the initiating host is verified, the SDP controller sends the receiving host verification identifier to the receiving hosts listed in the receiving host information; the initiating host sends a second SPA data packet to each receiving host for verification, and each receiving host opens a service port to the initiating host after the initiating host passes verification; the initiating host then performs quality of service detection on the service ports of the receiving hosts, and finally selects the receiving host with the best quality of service detection result as the target receiving host to connect to.
By performing quality of service detection on each receiving host, the initiating host can select a suitable receiving host as the target receiving host according to the quality of service detection.
In a specific example, after selecting a suitable receiving host as the target receiving host according to the quality of service detection, the method further includes: establishing a connection with the target receiving host and sending service traffic to the service port of the target receiving host over that connection; and, if the service of the target receiving host becomes abnormal, performing quality of service detection on the other receiving hosts in the receiving host information and selecting a suitable receiving host as the new target receiving host according to the quality of service detection. The connection established between the initiating host and the target receiving host may be a TCP connection. It should be noted that, once the connection between the initiating host and the target receiving host is established successfully, the target receiving host may close its service port to the initiating host, so that the initiating host cannot establish a new connection with the target receiving host and data can only be exchanged over the established connection.
When the target receiving host becomes abnormal, quality of service detection is performed on the other receiving hosts and a new target receiving host is selected according to the result, so that the initiating host can switch to another healthy receiving host when the connected receiving host is abnormal. This ensures that the initiating host can obtain service from a receiving host and improves the availability of the receiving hosts.
In a specific example, performing quality of service detection on the other receiving hosts in the receiving host information and selecting a suitable receiving host as the new target receiving host according to the quality of service detection includes: if no response to the quality of service detection is received, sending a third SPA data packet to the SDP controller, where the third SPA data packet includes the controller check identifier, and the controller check identifier is the one sent to the initiating host by the SDP controller after it verified the identity authentication information of the initiating host.
In implementation, after verifying the second SPA data packet, each receiving host opens a service port to the initiating host and automatically closes the service port again after a preset period of time has elapsed. When no response to the quality of service detection is received, this indicates that the receiving hosts have closed their service ports and the current receiving host verification identifier is no longer valid, so the initiating host needs to perform SPA verification with the SDP controller again and then obtain a new receiving host verification identifier.
By sending the third SPA data packet to the SDP controller, a valid receiving host verification identifier can be obtained again, so that the receiving host can again be accessed legitimately.
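As an added example (not the patent's own code), the target selection and failover steps above for the initiating host, in Python: hosts that do not answer the probe are skipped, the remaining hosts are ranked by a weighted score with the weights α, β, γ, and when no host answers at all the session falls back to a third SPA packet carrying the controller check identifier. The score uses β × delay rather than the β/delay term printed in formula (1), an assumption made so that a lower score is the better host as the text states; the probe values and host addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ProbeResult:
    """Quality of service probe against one receiving host's service port.
    delay_ms is None when no response arrived (port closed / host unreachable)."""
    delay_ms: Optional[float]
    jitter_ms: float = 0.0
    loss_rate: float = 0.0      # fraction in [0, 1]


def qos_score(p: ProbeResult, alpha=1.0, beta=1.0, gamma=1.0) -> float:
    """Weighted score with the page's weights; lower is better.
    Assumption: the delay term is beta * delay (see lead-in)."""
    return alpha * p.loss_rate * 100 + beta * p.delay_ms + gamma * p.jitter_ms


def pick_target(probes: Dict[str, ProbeResult], **weights) -> Optional[str]:
    """Rank the responding hosts by score and return the best one,
    or None when no host answered the probe."""
    responding = {h: p for h, p in probes.items() if p.delay_ms is not None}
    if not responding:
        return None
    return min(responding, key=lambda h: qos_score(responding[h], **weights))


class InitiatorSession:
    """State the terminal software keeps after the SDP controller has sent the
    receiving host check identifier, the receiving host list and the
    controller check identifier."""

    def __init__(self, receiver_check_id, receivers, controller_check_id):
        self.receiver_check_id = receiver_check_id
        self.receivers = list(receivers)
        self.controller_check_id = controller_check_id
        self.target = None

    def second_spa_packets(self):
        """One second SPA packet per receiving host; each host opens its service
        port to us only after checking the receiving host check identifier."""
        return [{"to": h, "receiver_check_id": self.receiver_check_id}
                for h in self.receivers]

    def choose_target(self, probes):
        """Select the target receiving host, or produce the third SPA packet
        (carrying the controller check identifier) when no host responded,
        which means the ports have closed and the receiver identifier is stale."""
        best = pick_target(probes)
        if best is None:
            return {"action": "third_spa",
                    "packet": {"controller_check_id": self.controller_check_id}}
        self.target = best
        return {"action": "connect", "host": best}

    def on_service_abnormal(self, probes_of_others):
        """Fail over: probe the other receiving hosts and pick a new target."""
        others = {h: p for h, p in probes_of_others.items() if h != self.target}
        return self.choose_target(others)
```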
It should be noted that "first", "second" and "third" in "first SPA data packet", "second SPA data packet" and "third SPA data packet" merely distinguish different objects and do not impose other restrictions such as order or number.
It is to be noted that this embodiment is the initiating host side method corresponding to the foregoing embodiment, and may be implemented in cooperation with it. The related technical details mentioned in the foregoing embodiment remain valid in this embodiment and are not repeated here; correspondingly, the related technical details mentioned in this embodiment can also be applied to the foregoing embodiment.
The above steps of the methods are divided, for clarity of description, and may be combined into one step or split into multiple steps when implemented, so long as they contain the same logic relationship, and they are all within the protection scope of this patent; it is within the scope of this patent to add insignificant modifications to the algorithm or flow or introduce insignificant designs, but not to alter the core design of its algorithm and flow.
In one embodiment, a network device is contemplated, as shown in FIG. 5, comprising at least one processor 301; and a memory 302 communicatively coupled to the at least one processor 301; the memory 302 stores instructions executable by the at least one processor 301, the instructions being executable by the at least one processor 301 to enable the at least one processor 301 to perform the authentication method described above.
Where the memory 302 and the processor 301 are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting the various circuits of the one or more processors 301 and the memory 302 together. The bus may also connect various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or may be a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor 301 is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor 301.
The processor 301 is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And memory 302 may be used to store data used by processor 301 in performing operations.
In one embodiment, a computer-readable storage medium is provided, in which a computer program is stored. The computer program implements the above-described method embodiments when executed by a processor.
That is, it will be understood by those skilled in the art that implementing all or part of the steps in the methods of the embodiments described above may be accomplished by a program stored in a storage medium, the program including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods of the embodiments described herein. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or various other media capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific embodiments in which the present application is implemented and that various changes in form and details may be made therein without departing from the spirit and scope of the present application.

Claims (12)

1. An authentication method, applied to an SDP controller, the method comprising:
Receiving a first SPA data packet sent when an initiating host requests authorization for the first time;
judging whether the first SPA data packet comprises an initial unique identifier or not and whether the initial unique identifier is valid or not;
if yes, opening a service port to the initiating host and setting the state of the initial unique identifier as invalid;
wherein the method further comprises:
judging whether the initiating host is requesting authorization for the first time according to the request record of the initiating host;
if the initiating host is not requesting authorization for the first time, determining that the verification of the first SPA data packet fails;
the determining whether the first SPA data packet includes an initial unique identifier and the initial unique identifier is valid includes:
if the initiating host requests authorization for the first time, judging whether the first SPA data packet comprises the initial unique identifier and the initial unique identifier is valid;
the initial unique identifier is an identifier which is used for SPA verification when the initiating host initiates an authorization request for the first time and is unique, and the initial unique identifiers of different initiating hosts are different;
wherein after the state of opening the service port to the initiating host and setting the initial unique identifier as invalid, the method further comprises:
Receiving identity authentication information sent by the initiating host through the service port;
authenticating the identity authentication information, and if the authentication is passed, sending a verification identifier of an accepting host to the initiating host and the accepting host, wherein the verification identifier of the accepting host is the verification basis of the accepting host for the initiating host;
and closing the service port to the initiating host.
2. The authentication method of claim 1, wherein the sending a receiving host verification identifier to the initiating host and the receiving host comprises:
sending the receiving host verification identifier and the receiving host information to the initiating host, and sending the receiving host verification identifier and the initiating host information to all receiving hosts included in the receiving host information, so that the receiving host verifies the initiating host based on the receiving host verification identifier and the initiating host information.
3. The authentication method of claim 1, further comprising, prior to said sending a receiving host verification identifier to the initiating host and the receiving host:
generating a controller verification identifier;
the sending the receiving host verification identifier to the initiating host and the receiving host includes:
when the receiving host verification identifier is sent to the initiating host, the controller check identifier is also sent.
4. The authentication method according to claim 3, further comprising, after said sending the controller check identifier:
receiving a second SPA data packet sent by the initiating host when the initiating host does not first request authorization;
judging whether the second SPA data packet comprises the controller check identifier and whether the controller check identifier is valid;
if yes, the service port is opened to the initiating host.
5. The authentication method of claim 4, wherein the first SPA packet further includes a device identifier of the initiating host, and further comprising, after the generating the controller check identifier:
establishing a corresponding relation between the equipment identifier and the controller verification identifier;
the determining whether the second SPA data packet includes the controller check identifier and the controller check identifier is valid includes:
acquiring the equipment identifier of the initiating host;
when the second SPA data packet comprises the controller verification identifier, judging whether the equipment identifier of the initiating host is the same as the equipment identifier corresponding to the controller verification identifier, and if they differ, judging that the controller verification identifier is invalid.
6. A method of authentication, characterized in that it is applied to terminal software, said terminal software is configured with an initial unique identifier, and is installed on an initiating host, and said method is implemented by said initiating host running said terminal software, said method comprising:
determining whether the request is authorized for the first time according to the history record;
when a request is authorized for the first time, a first SPA data packet is sent to an SDP controller, wherein the first SPA data packet comprises the initial unique identifier so that the SDP controller can verify the first SPA data packet based on the initial unique identifier;
the initial unique identifier is an identifier which is used for SPA verification when the initiating host initiates an authorization request for the first time and is unique, and the initial unique identifiers of different initiating hosts are different;
wherein after the first SPA packet is sent to the SDP controller, the method further includes:
transmitting identity authentication information to a service port of the SDP controller;
and if receiving the receiving host verification identifier and the receiving host information which are sent by the SDP controller after the identity authentication information is verified, sending a second SPA data packet to the receiving host included in the receiving host information, wherein the second SPA data packet comprises the receiving host verification identifier so that the receiving host can verify the second SPA data packet based on the receiving host verification identifier.
7. The authentication method of claim 6, wherein the terminal software is downloaded via a download platform deployed in an intranet.
8. The authentication method of claim 6, further comprising, after said sending the second SPA packet to the recipient host included in the recipient host information:
performing quality of service detection on each receiving host, wherein the quality of service detection comprises at least one of time delay, jitter, packet loss rate and detection of service port state;
and selecting the proper receiving host as a target receiving host according to the service quality detection.
9. The authentication method according to claim 8, further comprising, after selecting an appropriate one of the accepting hosts as a target accepting host based on the quality of service probe:
sending service flow to a service port of the target receiving host;
and if the service of the target receiving host is abnormal, detecting the service quality of other receiving hosts in the receiving host information, and selecting the proper receiving host as a new target receiving host according to the service quality detection.
10. The authentication method according to claim 9, wherein said performing a quality of service probe on other of said receiver hosts in said receiver host information, selecting an appropriate receiver host as a new target receiver host based on said quality of service probe, comprises:
if no response to the quality of service detection is received, sending a third SPA data packet to the SDP controller, wherein the third SPA data packet comprises a controller verification identifier, and the controller verification identifier is sent to the initiating host after the SDP controller verifies the identity authentication information.
11. A network device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the authentication method of any one of claims 1 to 5 or the authentication method of any one of claims 6 to 10.
12. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the authentication method according to any one of claims 1 to 5 or the authentication method according to any one of claims 6 to 10.
CN202111322491.8A 2021-11-09 2021-11-09 Authentication method, network device and storage medium Active CN114257471B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111322491.8A CN114257471B (en) 2021-11-09 2021-11-09 Authentication method, network device and storage medium


Publications (2)

Publication Number Publication Date
CN114257471A CN114257471A (en) 2022-03-29
CN114257471B true CN114257471B (en) 2024-04-05

Family

ID=80790647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111322491.8A Active CN114257471B (en) 2021-11-09 2021-11-09 Authentication method, network device and storage medium

Country Status (1)

Country Link
CN (1) CN114257471B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110830447A (en) * 2019-10-14 2020-02-21 云深互联(北京)科技有限公司 SPA single packet authorization method and device
CN111131307A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Method and system for controlling access authority
CN111770090A (en) * 2020-06-29 2020-10-13 深圳市联软科技股份有限公司 Single package authorization method and system
CN112822158A (en) * 2020-12-25 2021-05-18 网神信息技术(北京)股份有限公司 Network access method and device, electronic equipment and storage medium
CN112968971A (en) * 2021-03-15 2021-06-15 北京数字认证股份有限公司 Method and device for establishing session connection, electronic equipment and readable storage medium
CN113094677A (en) * 2021-06-10 2021-07-09 天聚地合(苏州)数据股份有限公司 Identity authentication method, identity authentication device, storage medium and equipment
CN113572738A (en) * 2021-06-29 2021-10-29 中孚安全技术有限公司 Zero trust network architecture and construction method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8413248B2 (en) * 2006-03-22 2013-04-02 Michael B. Rash Method for secure single-packet remote authorization
JP2023514736A (en) * 2020-02-21 2023-04-07 エスディーエスイー ネットワークス インコーポレイテッド Method and system for secure communication


Also Published As

Publication number Publication date
CN114257471A (en) 2022-03-29

Similar Documents

Publication Publication Date Title
EP2705642B1 (en) System and method for providing access credentials
CN107579966B (en) Control method, device and system for remotely accessing intranet and terminal equipment
CN111131242A (en) Authority control method, device and system
CN111093197A (en) Authority authentication method, authority authentication system and computer readable storage medium
CN110266642A (en) Identity identifying method and server, electronic equipment
CN103152400A (en) Method and system for logging in through mobile terminal and cloud server
CN104917727A (en) Account authentication method, system and apparatus
CN101986598B (en) Authentication method, server and system
KR102519627B1 (en) Method for authenticating legacy service based on token and platform service server supporting the same
CN111641607A (en) Proxy system and access request forwarding method
CN117118841A (en) Network slice connection management method, terminal and computer readable storage medium
CN111600906A (en) Data processing method, device, system, medium, and program
KR20100101887A (en) Method and system for authenticating in communication system
CN105681258A (en) Session method and session device based on third-party server
CN113051539A (en) Method and device for calling digital certificate
CN110602130A (en) Terminal authentication system and method, equipment terminal and authentication server
CN111726328A (en) Method, system and related device for remotely accessing a first device
CN114257471B (en) Authentication method, network device and storage medium
KR102020488B1 (en) An apparatus for Internet access control of IoT devices and a method therefor
US20160294558A1 (en) Information collection system and a connection control method in the information collection system
CN116962149A (en) Network fault detection method and device, storage medium and electronic equipment
CN111835504A (en) Identification code generation method and server
CN111107078B (en) Application access method, robot control unit, server and storage medium
CN115941795A (en) Data transmission method and device, electronic equipment and storage medium
CN107045603A (en) Control method and device are called in a kind of application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant