CN114301639A - Connection establishing method and device - Google Patents

Publication number: CN114301639A
Application number: CN202111521828.8A
Authority: CN (China)
Prior art keywords: user, sdp, connection, service, authentication
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114301639B
Inventors: 何辉海, 赵旭东, 秦德楼
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Abstract

The specification provides a connection establishment method, a connection establishment device and an access authentication system. The user client sends the user information to the SDP controller, and the SDP controller performs SDP authentication on the target user based on that information; after the authentication passes, the connection information of the service agent device is sent to the user client, which establishes a connection with the service agent device based on that connection information. When the user client accesses the isolated user service through the service agent device, the connection information of the service agent device can be obtained only after SDP authentication by the SDP controller, so the connection information of the service agent device is no longer directly exposed to the user client, and the risk of the service agent device being attacked is reduced.

Description

Connection establishing method and device
Technical Field
The embodiments of the application relate to the field of communication, and in particular to a connection establishment method.
Background
A conventional network is usually protected by an IPS, a firewall and similar devices; if an isolated access service deployed inside the network is to be reached from outside, this is usually done by deploying a VPN device. A deployed VPN device, however, is itself at risk of being attacked.
Disclosure of Invention
In a first aspect of embodiments of the present application, a connection establishment method is provided, which is applied to a user client in an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller, and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the method comprises the following steps:
responding to a connection establishing operation initiated by a target user, and acquiring user information of the target user;
sending the user information to the SDP controller so that the SDP controller performs SDP authentication on the target user based on the user information;
and acquiring the connection information of the service agent device, which is sent by the SDP controller after the SDP authentication of the target user passes, and establishing a connection with the service agent device based on the connection information, so as to further access the user service over the established connection.
In a second aspect of the embodiments of the present application, a connection establishment method is provided, which is applied to an SDP controller of an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller, and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the method comprises the following steps:
receiving user information sent by a user client, and carrying out SDP authentication on the target user based on the user information;
after the target user passes the SDP authentication, sending the connection information of the service agent device to the user client, so that the user client establishes a connection with the service agent device.
In a third aspect of embodiments of the present application, there is provided a connection establishing apparatus, applied to a user client in an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller, and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the device comprises:
the acquisition module is used for responding to the connection establishment operation initiated by a target user and acquiring the user information of the target user;
a first sending module, configured to send the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information;
and a connection module, configured to acquire the connection information of the service agent device, which is sent by the SDP controller after the SDP authentication of the target user passes, and to establish a connection with the service agent device based on the connection information, so as to further access the user service over the established connection.
In a fourth aspect of the embodiments of the present application, there is provided a connection establishing apparatus, applied to an SDP controller of an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller, and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the device comprises:
an authentication module, configured to receive user information sent by a user client and perform SDP authentication on the target user based on the user information;
a second sending module, configured to send the connection information of the service agent device to the user client after the SDP authentication of the target user passes, so that the user client establishes a connection with the service agent device.
In a fifth aspect of embodiments of the present application, there is provided an SDP access authentication system comprising at least one user client, at least one SDP controller, and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the system comprises:
the user client side responds to the connection establishing operation initiated by a target user to acquire the user information of the target user;
the user client sends the user information to the SDP controller;
the SDP controller receives user information sent by a user client and carries out SDP authentication on the target user based on the user information;
after the target user passes the SDP authentication performed by the SDP controller, the SDP controller sends the connection information of the service agent device to the user client;
and the user client acquires the connection information of the service agent device, which is sent by the SDP controller after the SDP authentication of the target user passes, and establishes a connection with the service agent device based on the connection information, so as to further access the user service over the established connection.
The above embodiments of the present application have at least the following advantageous effects:
when the user client accesses the isolated user service through the service agent device, the connection information of the service agent device can be obtained only after SDP authentication by the SDP controller, so the connection information of the service agent device is no longer directly exposed to the user client, and the risk of the service agent device being attacked is reduced.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present application will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present application are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
Fig. 1 schematically shows an access authentication system of a service agent device according to an embodiment of the present application.
Fig. 2 schematically shows a login page provided by a service agent device according to an embodiment of the present application.
Fig. 3 schematically shows another access authentication system of a service agent device according to an embodiment of the present application.
Fig. 4 schematically shows a login page provided by an SDP controller according to an embodiment of the present application.
Fig. 5 schematically shows a flow chart of a method of establishing a connection according to an embodiment of the present application.
Fig. 6 schematically shows a flow chart of another method of establishing a connection according to an embodiment of the present application.
Fig. 7 schematically shows a block diagram of a device for establishing a connection according to an embodiment of the present application.
Fig. 8 schematically shows a block diagram of another device for establishing a connection according to an embodiment of the present application.
Detailed Description
The principles of the present application will be described below with reference to several exemplary embodiments. It should be understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the present application, and are not intended to limit the scope of the present application in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present application may be embodied as a system, apparatus, device, method, or computer program product. Thus, the present application may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
Application scenario overview
Referring to Fig. 1, Fig. 1 is a schematic diagram of the access authentication system of a service agent device described in this specification. As shown in Fig. 1, the access authentication system may include a user client and a service agent device. The user client reaches the isolated user service inside the network by establishing a connection with the service agent device and accessing the service over that connection.
For example, the service agent device may be a VPN device, through which the user client accesses the isolated user service inside the network.
When a user establishes a connection with the service agent device through a client, the user logs in on the login page provided by the service agent device; see Fig. 2, which shows such a login page. The page prompts for the server address of the service agent device and the user's account and password. After the user enters the server address of the service agent device, the account and the password in the user client and logs in, the service agent device authenticates the account and password, and after successful authentication it establishes a connection with the user client. In this process the service agent device cannot hide its server address and must expose a TCP listening port to the network, so the service agent device is vulnerable to attack.
Summary of The Invention
Referring to Fig. 3, Fig. 3 is a schematic diagram of another access authentication system of a service agent device described in this specification. As shown in Fig. 3, this access authentication system may include an SDP controller in addition to the user client and the service agent device.
In this access authentication system, the connection information of the service agent device need not be directly exposed to the user client. When a user establishes a connection with the service agent device through a client, the user logs in on the login page provided by the SDP controller; see Fig. 4, which shows such a login page. The page prompts for the server address of the SDP controller and the user's account and password. After the user enters the server address of the SDP controller, the account and the password in the user client and logs in, the SDP controller authenticates the account and password. After successful authentication, the SDP controller sends the connection information of the service agent device to the user client, and the user client establishes a connection with the service agent device.
Therefore, the present specification provides a technical solution in which the user client first sends the user information to the SDP controller, and only after the SDP controller's authentication passes does the user client establish a connection with the service agent device.
When the method is implemented, the user client first sends user information to the SDP controller, and the SDP controller performs SDP authentication on the target user based on the user information; after the authentication passes, the connection information of the service agent device is sent to the user client, which establishes a connection with the service agent device based on that information. When the user client accesses the isolated user service through the service agent device, the connection information of the service agent device can be obtained only after SDP authentication by the SDP controller, so the connection information of the service agent device is no longer directly exposed to the user client, and the risk of the service agent device being attacked is reduced.
Exemplary method
The following is a detailed description through specific embodiments and with reference to specific application scenarios.
Referring to Fig. 5, Fig. 5 is a flowchart illustrating a method for establishing a connection according to an exemplary embodiment. The method can be applied to the user client in the access authentication system shown in Fig. 3. The method comprises the following steps:
Step 501, responding to a connection establishing operation initiated by a target user, and acquiring user information of the target user;
When a target user initiates a connection establishing operation, the user client can acquire the user information of the target user, which may comprise information such as the account and password of the user to be authenticated by the SDP controller. The user client may obtain the user information through the login page provided by the SDP controller shown in Fig. 4, or through a configuration page at the client, a command line, or similar, which is not limited in the present application.
In one embodiment, the user client may generate, based on the user information, a first SPA (single packet authentication) request message for SDP authentication by the SDP controller. The first SPA request message may include the user information acquired by the user client, i.e. the user account and password; it may also include information such as the hardware serial number, local IP address and network card MAC address; all of this information is encrypted to produce the first SPA request message. The encryption may use the AES algorithm or another algorithm, which is not limited in the present application.
For example, in practical applications, the content format of the first SPA request packet is: 6-digit random number + client version number + authentication interaction type + client authentication request ID + second timestamp + user account + password + user intranet IPv4 + verification code/dynamic password issuing mode + mobile phone/computer serial number + operating system information + hard disk information + computer name. The data format of the first SPA request message is: 6-digit random number + attribute 1 + attribute 2 + ... + attribute N, where the user account, the password, the user intranet IPv4 and so on are each carried as an attribute. The data format of an attribute is: 3-digit attribute ID + 3-digit attribute length + attribute value.
Referring to Table 1, Table 1 is an exemplary table of some of the attributes of the first SPA packet.

Attribute ID | Meaning | Encoding | Length | Classification | Attribute value
001 | User account | UTF-8 | <001-255> | Basic attribute |
002 | Password | UTF-8 | <001-255> | Basic attribute |
003 | Client version number | UTF-8 | <001-020> | Basic attribute |
004 | User intranet IPv4 | UTF-8 | <001-010> | Basic attribute |

TABLE 1
As shown in Table 1, the attribute table of the first SPA request packet may specifically include fields such as attribute ID, meaning, encoding, length, classification and description.
The attribute ID uniquely identifies the attribute. The meaning gives each attribute a name; in practice a user can choose a readily understood name for each attribute based on its source. The encoding is the encoding of the attribute value, commonly UTF-8. The length is the allowed length range set for each attribute. The classification marks whether the attribute is mandatory: basic attributes such as the user account and the password must be present in the message.
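As an added worked example (not code from the patent or from DPTech), the following Python encodes and parses the body of the first SPA request packet in the format just described. It assumes the translated "6 bits" and "3 bits" mean 6 and 3 decimal ASCII digits, and leaves out the AES layer so that the framing checks a receiver should perform (declared lengths, Table 1 bounds, mandatory basic attributes) are visible.

```python
"""Encoder and parser for the first SPA request packet body of Table 1.

Added example, not code from the patent or from DPTech.  Assumptions: the
translated "6 bits"/"3 bits" are 6 and 3 decimal ASCII digits, and the AES
layer that the patent wraps around this body is left out so the framing
itself can be examined."""
import secrets

# Table 1 registry: attribute id -> (name, min length, max length, required)
# The basic attributes (account and password) must be present; the client
# version and intranet IPv4 are treated as optional here.
ATTRIBUTES = {
    1: ("user_account", 1, 255, True),
    2: ("password", 1, 255, True),
    3: ("client_version", 1, 20, False),
    4: ("intranet_ipv4", 1, 10, False),
}
NAME_TO_ID = {v[0]: k for k, v in ATTRIBUTES.items()}
REQUIRED = [v[0] for v in ATTRIBUTES.values() if v[3]]


class SpaFormatError(ValueError):
    """Any framing defect; a receiver should silently drop such a packet."""


def encode_spa_body(fields, nonce=None):
    """Build: 6-digit random number + (3-digit id + 3-digit length + value)*."""
    if nonce is None:
        nonce = f"{secrets.randbelow(10 ** 6):06d}"
    if len(nonce) != 6 or not nonce.isdigit():
        raise SpaFormatError("random number must be 6 decimal digits")
    missing = [n for n in REQUIRED if n not in fields]
    if missing:
        raise SpaFormatError(f"missing basic attributes: {missing}")
    body = nonce.encode("ascii")
    for name, value in fields.items():
        attr_id = NAME_TO_ID.get(name)
        if attr_id is None:
            raise SpaFormatError(f"unknown attribute {name!r}")
        _, lo, hi, _ = ATTRIBUTES[attr_id]
        raw = value.encode("utf-8")  # Table 1: values are UTF-8 encoded
        if not lo <= len(raw) <= hi:
            raise SpaFormatError(f"{name}: length {len(raw)} outside <{lo:03d}-{hi:03d}>")
        body += f"{attr_id:03d}{len(raw):03d}".encode("ascii") + raw
    return body


def parse_spa_body(body):
    """Parse a decrypted body into {name: value}, rejecting malformed input.

    The length check matters on the receiving side: a declared length that
    runs past the end of the datagram must not be read as a valid attribute."""
    if len(body) < 6 or not body[:6].isdigit():
        raise SpaFormatError("missing 6-digit random number")
    pos, fields = 6, {}
    while pos < len(body):
        header = body[pos:pos + 6]
        if len(header) < 6 or not header.isdigit():
            raise SpaFormatError(f"bad attribute header at offset {pos}")
        attr_id, length = int(header[:3]), int(header[3:])
        pos += 6
        value = body[pos:pos + length]
        if len(value) != length:
            raise SpaFormatError(f"truncated value for attribute {attr_id:03d}")
        pos += length
        if attr_id not in ATTRIBUTES:
            continue  # Table 1 is only a partial table; ids it does not list are skipped
        name, lo, hi, _ = ATTRIBUTES[attr_id]
        if not lo <= length <= hi:
            raise SpaFormatError(f"{name}: length {length} outside <{lo:03d}-{hi:03d}>")
        if name in fields:
            raise SpaFormatError(f"duplicate attribute {name}")
        try:
            fields[name] = value.decode("utf-8")
        except UnicodeDecodeError:
            raise SpaFormatError(f"{name}: value is not valid UTF-8") from None
    missing = [n for n in REQUIRED if n not in fields]
    if missing:
        raise SpaFormatError(f"missing basic attributes: {missing}")
    return fields


def spa_body_is_valid(body):
    """Convenience predicate for the accept/drop decision."""
    try:
        parse_spa_body(body)
        return True
    except SpaFormatError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    sample = {"user_account": "alice", "password": "s3cret", "intranet_ipv4": "10.0.0.5"}
    wire = encode_spa_body(sample, nonce="123456")
    print(wire)
    print(parse_spa_body(wire))
```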
Step 502, sending the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information;
After the user client generates the first SPA request message based on the user information, it may send the message to a first UDP port that the SDP controller opens to the user client for the SDP authentication service. After receiving the first SPA request message, the SDP controller may decrypt its content to obtain the user information, such as the user account and password, carried in the message. The SDP controller then authenticates the decrypted user information, i.e. performs SDP authentication on the target user based on the user information. After successful authentication, the SDP controller may grant the user client access to a first TCP port for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be configured on the SDP controller by a user; this is not limited in the present application. If the authentication fails, the SDP controller does not open any TCP port.
Step 503, acquiring connection information of the service agent device, which is sent by the SDP controller after the SDP authentication of the target user is passed, and establishing a connection with the service agent device based on the connection information, so as to further access the service based on the established connection;
After the user information in the SPA request message passes authentication, the SDP controller grants the user client access to the first TCP port for establishing a TCP connection. The user client may then initiate a connection request to the first TCP port to establish a first TCP connection with the SDP controller. Over this first TCP connection, the user client obtains the authentication result issued by the SDP controller after the target user has passed SDP authentication. The authentication result includes the connection information of the service agent device.
In one embodiment, the authentication result further includes a token credential generated by the SDP controller to indicate that the target user has passed SDP authentication, and the connection information of the service agent device includes a second UDP port number, which the service agent device opens to the user client for the SDP authentication service.
After receiving the authentication result, the user client may generate a second SPA request message for SDP authentication. The second SPA request message may include the token credential generated by the SDP controller; it may also include information such as the hardware serial number, local IP address and network card MAC address; all of this information is encrypted to produce the second SPA request message. The encryption may use the AES algorithm or another algorithm, which is not limited in the present application. For example, in practical applications, the content format of the second SPA request packet is: 6-digit random number + session ID + client version number + second timestamp + intranet IPv4 + token.
After the user client generates the second SPA request packet from the authentication result, it may send the packet to the second UDP port that the service agent device opens to the user client for the SDP authentication service. After receiving the second SPA request message, the service agent device may decrypt its content to obtain the token credential carried in the message. When the SDP controller generates a token credential indicating that the target user has passed SDP authentication, it also sends that token credential to the service agent device. The service agent device may therefore check whether the token credential obtained by decryption is consistent with the token credential it received from the SDP controller; if so, the authentication succeeds. The service agent device then grants the user client access to a second TCP port for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be configured on the service agent device by the user; this is not limited in the present application. The service agent device returns the second TCP port number to the user client.
On receiving the second TCP port number, the user client may send a TCP connection establishment request to that port, establish a second TCP connection with the service agent device, and access the user service provided by the service agent device over the second TCP connection.
In another embodiment, the connection information of the service agent device in the authentication result issued by the SDP controller after the target user passes SDP authentication includes a third UDP port number, which the service agent device opens to the user client for the SDP authentication service.
After receiving the authentication result, the user client may generate a third SPA request message for SDP authentication. The third SPA request message may include the user information, that is, the account and password; it may also include information such as the hardware serial number, local IP address and network card MAC address; all of this information is encrypted to produce the third SPA request message. For example, in practical applications, the content format of the third SPA request message is: 6-digit random number + session ID + client version number + user account + password + second timestamp + intranet IPv4.
After receiving the third SPA request message, the service agent device may decrypt its content to obtain the user information, such as the user account and password, carried in the message. The service agent device authenticates the decrypted user information, i.e. performs SDP authentication on the target user based on the user information. After successful authentication, the service agent device may grant the user client access to the second TCP port for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be configured on the service agent device by the user; this is not limited in the present application. If the authentication fails, the service agent device does not open any TCP port. The service agent device returns the second TCP port number to the user client.
On receiving the second TCP port number, the user client may directly send a TCP connection establishment request to that port, establish a second TCP connection with the service agent device, and access the user service provided by the service agent device over the second TCP connection.
In another embodiment, the connection information of the service agent device in the authentication result issued by the SDP controller after the target user passes SDP authentication may include a second TCP port number, which the service agent device opens to the user client for establishing a TCP connection with the service agent device.
That is, after the SDP controller's authentication passes, the service agent device may directly grant the user client access to the second TCP port for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be configured on the service agent device by the user; this is not limited in the present application.
After receiving the authentication result, the user client may send a TCP connection establishment request to the second TCP port number, establish a second TCP connection with the service agent device, and access the user service provided by the service agent device over the second TCP connection.
Referring to Fig. 6, Fig. 6 is a flowchart illustrating a method for establishing a connection according to an exemplary embodiment. The method may be applied to the SDP controller in the SDP access authentication system shown in Fig. 3. The method comprises the following steps:
Step 601, receiving user information sent by a user client, and performing SDP authentication on the target user based on the user information;
The SDP controller receives the user information sent by the user client and performs SDP authentication on the account and password in the user information.
In one embodiment, the user client may generate, based on the user information, a first SPA (single packet authentication) request message for SDP authentication by the SDP controller. The first SPA request message may include the user information acquired by the user client, i.e. the user account and password; it may also include information such as the hardware serial number, local IP address and network card MAC address; all of this information is encrypted to produce the first SPA request message. The encryption may use the AES algorithm or another algorithm, which is not limited in the present application.
The SDP controller opens a UDP port corresponding to an SDP authentication service, and the user client may send the first SPA request packet to the SDP controller through the UDP port. After receiving the first SPA request message, the SDP controller may decrypt the content of the message to obtain user information, such as a user account number and a password, in the message. The SDP controller authenticates the user information obtained by decrypting the message, namely, the SDP authentication is performed on the target user based on the user information.
Step 602, after the target user passes the SDP authentication, sending the connection information of the service agent device to the user client, so that the user client establishes a connection with the service agent device.
In one embodiment, after the target user passes the SDP authentication, the SDP controller may grant the user client access to a first TCP port for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be configured on the SDP controller by a user; this is not limited in the present application. If the authentication fails, the SDP controller does not open any TCP port.
After the SDP controller has established the TCP connection with the user client, it sends the user client the authentication result stating that the target user has passed SDP authentication. The authentication result may include the connection information of the service agent device, which includes a second UDP port number that the service agent device opens to the user client for the SDP authentication service, and also a token credential generated by the SDP controller to indicate that the target user has passed SDP authentication. The user client may generate a second SPA request packet containing the token credential and send it to the second UDP port that the service agent device opens to the user client for the SDP authentication service.
In another embodiment, after the SDP controller successfully establishes a TCP connection with the user client, the connection information of the service agent device in the authentication result generated by the SDP controller may include a third UDP port number corresponding to an SDP authentication service that the service agent device opens to the user client. The user client may generate a third SPA request packet containing the user information, and send the third SPA request packet to a third UDP port, which is opened by the service agent device for the user client and corresponds to the SDP authentication service.
In another embodiment, after the SDP controller successfully establishes a TCP connection with the user client, the connection information of the service agent device in the authentication result generated by the SDP controller may include a second TCP port number that the service agent device opens to the user client for establishing a TCP connection with the service agent device. The user client can directly send a TCP connection establishment request to the second TCP port, establish a second TCP connection with the service agent device, and further access the user service provided by the service agent device over the second TCP connection.
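A runnable sketch of the three-party exchange in the token-credential variant described above (first SPA packet to the controller, first TCP port open only for the preset time, signed token in the authentication result, second SPA packet to the service agent device). This is an added example, not code from the patent or its assignee; it assumes SPA packets are HMAC-SHA256 authenticated with a per-user key, that the token is an HMAC over its fields under a secret shared by the controller and the agent device, and uses constructed port numbers (62201, 8443), user names and keys.

```python
import hashlib
import hmac
import json
from typing import Optional

PRESET_WINDOW = 30  # seconds a granted TCP port stays reachable (the "preset time")

def _mac(key: bytes, obj: dict) -> str:
    """HMAC-SHA256 over canonical JSON (assumed MAC scheme for SPA packets and tokens)."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_first_spa(user: str, spa_key: bytes, ts: float) -> dict:
    """Client side: the first SPA request packet carrying the user information."""
    body = {"user": user, "ts": int(ts)}
    return {**body, "mac": _mac(spa_key, body)}

class SDPController:
    """Authenticates the first SPA packet, then exposes the first TCP port for
    PRESET_WINDOW seconds and answers the TCP connection with the auth result."""

    def __init__(self, users: dict, agent_secret: bytes, clock, agent_udp_port: int = 62201):
        self.users = users                  # user -> per-user SPA key (constructed)
        self.agent_secret = agent_secret    # shared with the service agent device
        self.clock = clock                  # callable returning the current time
        self.agent_udp_port = agent_udp_port
        self.port_open_until: dict = {}     # user -> expiry of the first TCP port grant

    def handle_first_spa(self, pkt: dict) -> bool:
        key = self.users.get(pkt.get("user"))
        if key is None:
            return False                    # unknown user: no port is opened
        body = {"user": pkt["user"], "ts": pkt.get("ts", 0)}
        if not hmac.compare_digest(_mac(key, body), str(pkt.get("mac", ""))):
            return False                    # forged or modified SPA packet
        if not isinstance(body["ts"], (int, float)) or abs(self.clock() - body["ts"]) > PRESET_WINDOW:
            return False                    # stale packet (replay guard)
        self.port_open_until[pkt["user"]] = self.clock() + PRESET_WINDOW
        return True

    def accept_first_tcp(self, user: str) -> Optional[dict]:
        """The TCP connection succeeds only inside the window; the reply carries the
        agent's UDP port and a token signed for the service agent device."""
        until = self.port_open_until.get(user)
        if until is None or self.clock() > until:
            return None                     # port not open, or window already closed
        token = {"user": user, "exp": int(self.clock()) + PRESET_WINDOW}
        token["sig"] = _mac(self.agent_secret, {"user": user, "exp": token["exp"]})
        return {"agent_udp_port": self.agent_udp_port, "token": token}

class ServiceAgentDevice:
    """Checks the token in the second SPA packet and returns the second TCP port."""

    def __init__(self, agent_secret: bytes, clock, second_tcp_port: int = 8443):
        self.agent_secret = agent_secret
        self.clock = clock
        self.second_tcp_port = second_tcp_port

    def handle_second_spa(self, pkt: dict) -> Optional[int]:
        token = pkt.get("token")
        if not isinstance(token, dict) or token.get("user") != pkt.get("user"):
            return None                     # malformed packet or user mismatch
        expected = _mac(self.agent_secret, {"user": token.get("user"), "exp": token.get("exp")})
        if not hmac.compare_digest(expected, str(token.get("sig", ""))):
            return None                     # token not issued by the controller
        if self.clock() > token["exp"]:
            return None                     # token expired
        return self.second_tcp_port

def run_flow(start: float, delay_before_tcp: float = 0.0) -> Optional[int]:
    """Drive client -> controller -> agent with a fake clock; return the second TCP
    port the client may connect to, or None where the flow is refused."""
    now = [start]                                       # mutable fake clock
    users = {"alice": b"alice-spa-key"}                 # constructed sample user
    secret = b"controller-agent-shared-secret"          # constructed shared secret
    ctrl = SDPController(users, secret, clock=lambda: now[0])
    agent = ServiceAgentDevice(secret, clock=lambda: now[0])
    if not ctrl.handle_first_spa(make_first_spa("alice", users["alice"], now[0])):
        return None
    now[0] += delay_before_tcp                          # client connects later
    result = ctrl.accept_first_tcp("alice")
    if result is None:
        return None                                     # window closed: port not open
    return agent.handle_second_spa({"user": "alice", "token": result["token"]})
```

`run_flow(t)` returns 8443 when the client connects inside the 30 second window and None when it waits 31 seconds, which is the "no port is open" behaviour the embodiment describes.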
In an exemplary embodiment of the present specification, a connection establishing apparatus is also provided. Referring to fig. 7, fig. 7 is a block diagram of a connection establishment apparatus according to an embodiment of the present disclosure. The device is applied to a user client in an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the device comprises:
an obtaining module 710, configured to obtain user information of a target user in response to a connection establishment operation initiated by the target user;
a first sending module 720, configured to send the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information;
a connection module 730, configured to acquire connection information of the service agent device, which is sent by the SDP controller after the SDP authentication is performed on the target user, and establish a connection with the service agent device based on the connection information, so as to further access the user service based on the established connection.
In an exemplary embodiment of the present specification, another connection establishment apparatus is also provided. Referring to fig. 8, fig. 8 is a block diagram of another access information synchronization apparatus according to an embodiment of the present disclosure. The device is applied to an SDP controller of an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the device comprises:
an authentication module 810, configured to receive user information sent by the user client and perform SDP authentication on the target user based on the user information;
a second sending module 820, configured to send the connection information of the service agent device to the user client after the target user passes the SDP authentication, so that the user client establishes a connection with the service agent device. The implementation of the functions and actions of each module in the above apparatus is described in the implementation of the corresponding step of the above method, and is not repeated here.
For the apparatus embodiments, since they substantially correspond to the method embodiments, reference may be made to the relevant description of the method embodiments. The apparatus embodiments described above are merely illustrative: the modules described as separate parts may or may not be physically separate, and the parts shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement this without inventive effort.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It should be noted that although in the above detailed description several units/modules or sub-units/modules of the apparatus are mentioned, such a division is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the units/modules described above may be embodied in one unit/module, according to embodiments of the present description. Conversely, the features and functions of one unit/module described above may be further divided into embodiments by a plurality of units/modules.
Moreover, while the operations of the methods of the specification are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
While the spirit and principles of the specification have been described with reference to several particular embodiments, it is to be understood that the specification is not limited to the disclosed embodiments, nor is the division of aspects, which is for convenience only as the features in such aspects may not be combined to benefit from the description. The specification is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (22)

1. A connection establishment method is applied to a user client in an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the method comprises the following steps:
responding to a connection establishing operation initiated by a target user, and acquiring user information of the target user;
sending the user information to the SDP controller so that the SDP controller performs SDP authentication on the target user based on the user information;
and acquiring the connection information of the service agent equipment, which is sent by the SDP controller after the SDP authentication of the target user passes, and establishing connection with the service agent equipment based on the connection information so as to further access the user service based on the established connection.
2. The method of claim 1, the SDP controller opening a first UDP port corresponding to an SDP authentication service to the user client;
the sending the user information to the SDP controller for SDP authentication of the target user by the SDP controller based on the user information includes:
generating a first SPA request message for SDP authentication; wherein, the first SPA request message comprises the user information;
and sending the first SPA request message to the first UDP port, so that the SDP controller, in response to the received first SPA request message, performs SDP authentication on the target user based on the user information in the first SPA request message, and after the target user passes its local SDP authentication, grants the user client access to a first TCP port for establishing a TCP connection with the SDP controller.
3. The method of claim 1, wherein obtaining the connection information of the service agent device, which is sent by the SDP controller after SDP authentication of the target user is passed, comprises:
sending a TCP connection request to the first TCP port, and establishing a first TCP connection with the SDP controller;
acquiring an authentication result sent by the SDP controller after the SDP authentication of the target user is passed through the first TCP connection; wherein the authentication result includes connection information of the service agent device.
4. The method of claim 3, the authentication result further comprising a token credential, generated by the SDP controller, indicating that the target user has passed SDP authentication; the connection information of the service agent device comprising a second UDP port number, corresponding to the SDP authentication service, that the service agent device opens to the user client;
establishing a connection with the service agent device based on the connection information, so as to further access the user service based on the established connection, comprising:
generating a second SPA request message for SDP authentication; wherein the second SPA request message comprises the token credential;
sending the second SPA request message to the second UDP port, so that the service agent device, in response to the received second SPA request message, performs SDP authentication on the target user based on the token credential in the second SPA request message, and after the target user passes its local SDP authentication, grants the user client access to a second TCP port for establishing a TCP connection with the service agent device and returns the second TCP port to the user client;
sending a TCP connection establishment request to the second TCP port to establish a second TCP connection with the service agent device, so as to further access the user service based on the established TCP connection.
5. The method of claim 3, the connection information of the service agent device comprising a third UDP port number, corresponding to the SDP authentication service, that the service agent device opens to the user client;
establishing a connection with the service agent device based on the connection information, so as to further access the user service based on the established connection, comprising:
generating a third SPA request message for SDP authentication; wherein the third SPA request message comprises the user information;
sending the third SPA request message to the third UDP port, so that the service agent device, in response to the received third SPA request message, performs SDP authentication on the target user based on the user information in the third SPA request message, and after the target user passes its local SDP authentication, grants the user client access to a second TCP port for establishing a TCP connection with the service agent device and returns the second TCP port to the user client;
sending a TCP connection establishment request to the second TCP port to establish a second TCP connection with the service agent device, so as to further access the user service based on the established second TCP connection.
6. The method of claim 3, the connection information of the service agent device comprising a second TCP port number that the service agent device opens to the user client for establishing a TCP connection with it;
establishing a connection with the service agent device based on the connection information, so as to further access the user service based on the established connection, comprising:
sending a TCP connection establishment request to the second TCP port to establish a second TCP connection with the service agent device, so as to further access the user service based on the established second TCP connection.
7. The method according to any of claims 3-6, the TCP connection comprising a TLS connection.
8. The method of claim 1, the service proxy device comprising a VPN device.
9. The method of any of claims 2-6, wherein granting access rights of the TCP port to the user client comprises:
and authorizing the access authority of the TCP port in a preset time period to the user client.
10. A connection establishment method is applied to an SDP controller of an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the method comprises the following steps:
receiving user information sent by a user client, and carrying out SDP authentication on the target user based on the user information;
after the target user passes the SDP authentication, the connection information of the service agent equipment is sent to a user client; so that the user client establishes a connection with the service agent device.
11. The method of claim 10, the user client generating a first SPA request message for SDP authentication; wherein, the first SPA request message comprises the user information;
the user client sends the first SPA request message to a first UDP port, corresponding to the SDP authentication service, which the SDP controller opens to the user client;
the performing SDP authentication on the target user based on the user information includes:
and responding to the received first SPA request message, and carrying out SDP authentication on the target user based on the user information in the first SPA request message.
12. The method of claim 11, further comprising:
and after the target user passes the SDP authentication, granting the user client access to a first TCP port for establishing a TCP connection with the SDP controller.
13. The method of claim 12, the user client sending a TCP connection request to the first TCP port, establishing a first TCP connection with the SDP controller;
the sending of the connection information of the service agent device to the user client after the target user passes the SDP authentication comprises:
and sending an authentication result after the target user passes the SDP authentication to a user client through the first TCP connection, wherein the authentication result comprises the connection information of the service agent equipment.
14. The method of claim 13, the authentication result further comprising a token credential generated by the SDP controller indicating that the target user is authenticated by SDP; the connection information of the service agent device includes a second UDP port number corresponding to the SDP authentication service, which is opened by the service agent device toward the user client.
15. The method of claim 13, the connection information of the service agent device comprising a third UDP port number, corresponding to the SDP authentication service, that the service agent device opens to the user client.
16. The method of claim 13, the connection information of the service agent device comprising a second TCP port number that the service agent device opens to the user client for establishing a TCP connection with it.
17. The method according to any of claims 12-13, the TCP connection comprising a TLS connection.
18. The method of claim 10, the service proxy device comprising a VPN device.
19. The method of claim 13, wherein granting access rights to a TCP port to a user client comprises:
and authorizing the access authority of the TCP port in a preset time period to the user client.
20. A connection establishing device is applied to a user client in an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the device comprises:
the acquisition module is used for responding to the connection establishment operation initiated by a target user and acquiring the user information of the target user;
a first sending module, configured to send the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information;
and the connection module is used for acquiring the connection information of the service agent equipment, which is sent by the SDP controller after the SDP authentication of the target user passes, and establishing connection with the service agent equipment based on the connection information so as to further access the user service based on the established connection.
21. A connection establishing device is applied to an SDP controller of an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the device comprises:
the authentication module receives user information sent by a user client and carries out SDP authentication on the target user based on the user information;
the second sending module is used for sending the connection information of the service agent equipment to the user client after the SDP authentication of the target user is passed; so that the user client establishes a connection with the service agent device.
22. An SDP access authentication system, the SDP access authentication system comprising at least one user client, at least one SDP controller and at least one service agent device; the service agent device provides agent service corresponding to the isolated accessed user service to the user client, and the SDP controller is used for controlling the connection between the client and the service agent device; the system comprises:
the user client side responds to the connection establishing operation initiated by a target user to acquire the user information of the target user;
the user client sends the user information to the SDP controller;
the SDP controller receives user information sent by a user client and carries out SDP authentication on the target user based on the user information;
after the target user passes the SDP authentication, the SDP controller sends the connection information of the service agent device to the user client;
and the user client acquires the connection information of the service agent equipment, which is sent by the SDP controller after the SDP authentication of the target user passes, and establishes connection with the service agent equipment based on the connection information so as to further access the user service based on the established connection.
CN202111521828.8A 2021-12-13 2021-12-13 Connection establishment method and device Active CN114301639B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111521828.8A CN114301639B (en) 2021-12-13 2021-12-13 Connection establishment method and device

Publications (2)

Publication Number Publication Date
CN114301639A true CN114301639A (en) 2022-04-08
CN114301639B CN114301639B (en) 2024-02-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant