CN115118442B - Port protection method and device under software defined boundary framework - Google Patents


Info

Publication number: CN115118442B
Authority: CN (China)
Prior art keywords: key, SPA, client, port, authentication code
Legal status: Active
Application number: CN202211043829.0A
Other languages: Chinese (zh)
Other versions: CN115118442A
Inventor: 陆舟
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd

Events:
Application filed by Feitian Technologies Co Ltd
Priority to CN202211043829.0A
Publication of CN115118442A
Application granted
Publication of CN115118442B

Classifications

    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application discloses a port protection method and device under a software-defined boundary framework, comprising the following steps: the client generates a first SPA key acquisition request from the IP address of the service server to be accessed, the target port and the client's own IP address; if the control server holds a first access policy allowing access to the target port, it generates and issues a first SPA key. The client generates a port access request based on a random number, the first SPA key, the target port and the client IP address and sends it to the service server. The service server generates a second SPA key acquisition request from the parameters in its parsing result; if the control server holds a second access policy allowing access to the target port, it issues the second SPA key. The service server generates a second hash message authentication code from the random number and the second SPA key, and opens the target port if the second hash message authentication code equals the first. The method can effectively prevent malicious attacks.

Description

Port protection method and device under software defined boundary framework
Technical Field
The present application relates to the field of information security technologies, and in particular to a method and an apparatus for protecting a port under a software-defined boundary (software-defined perimeter, SDP) framework.
Background
An application service typically has to bind an externally facing port on which it receives service requests. Such a port can usually be scanned, and services or data can then be disrupted or stolen through DDoS, code attacks, SQL injection and other attack methods. Such attacks usually leave the service down, unresponsive or responding abnormally, and carry a great security risk. How to provide a protection method that effectively shields services from malicious attacks is an urgent technical problem to be solved.
Disclosure of Invention
The embodiment of the application provides a port protection method and device under a software-defined boundary framework. The technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a method for protecting a port under a software-defined boundary framework, the method including:
Step S1: the client generates an identity authentication request and sends it to the control server;
Step S2: the control server verifies the identity authentication request; if verification passes, it returns a verification-passed result to the client and step S3 is executed, otherwise it returns a verification-failed result to the client and the procedure ends;
Step S3: the client generates a first SPA key acquisition request from the IP address of the service server to be accessed, the target port to be accessed and the client's own IP address, and sends the first SPA key acquisition request to the control server;
Step S4: the control server checks, according to the received first SPA key acquisition request, whether its database holds a first access policy allowing the client IP address to access the service server IP address and the target port; if so, it generates a first SPA key, associates the first SPA key with the first access policy, issues the first SPA key to the client and step S5 is executed; if not, it returns a key acquisition failure response to the client;
Step S5: the client acquires target data, generates a first hash message authentication code from the target data and the first SPA key, generates a port access request based on the target port, the client IP address and the first hash message authentication code, and sends the port access request to the service server;
Step S6: the service server parses the port access request, generates a second SPA key acquisition request from the target port, the client IP address and the service server IP address in the parsing result, and sends the second SPA key acquisition request to the control server;
Step S7: the control server checks, according to the received second SPA key acquisition request, whether its database holds a second access policy allowing the client IP address in that request to access the service server IP address and the target port; if so, it issues the second SPA key associated with the second access policy to the service server and step S8 is executed; if not, it returns a key acquisition failure response to the service server;
Step S8: the service server generates a second hash message authentication code based on the second SPA key and checks whether it equals the first hash message authentication code in the parsing result; if they are equal, step S9 is executed, otherwise a port access failure response is returned to the client;
Step S9: the service server opens the target port and returns the result of opening the target port to the client.
In a second aspect, an embodiment of the present application provides a port protection device under a software-defined boundary framework, the device including:
an authentication request generation module, configured to generate an identity authentication request and send it to the control server;
an authentication request verification module, configured to verify the identity authentication request; if verification passes, it returns a verification-passed result to the client and triggers the key request generation module, otherwise it returns a verification-failed result to the client and the procedure ends;
the key request generation module, configured to generate a first SPA key acquisition request from the IP address of the service server to be accessed, the target port to be accessed and the client IP address, and send the first SPA key acquisition request to the control server;
a key issuing module, configured to check, according to the received first SPA key acquisition request, whether a first access policy exists in a database allowing the client IP address to access the service server IP address and the target port; if so, to generate a first SPA key, associate it with the first access policy, issue it to the client and trigger an access request generation module; if not, to return a key acquisition failure response to the client;
the access request generation module, configured to acquire target data, generate a first hash message authentication code from the target data and the first SPA key, generate a port access request based on the target port, the client IP address and the first hash message authentication code, and send the port access request to the service server;
the key request generation module, further configured to parse the port access request, generate a second SPA key acquisition request from the target port, the client IP address and the service server IP address in the parsing result, and send the second SPA key acquisition request to the control server;
the key issuing module, further configured to check, according to the received second SPA key acquisition request, whether a second access policy exists in the database allowing the client IP address in that request to access the service server IP address and the target port; if so, to issue the second SPA key associated with the second access policy to the service server and trigger an authentication code judging module; if not, to return a key acquisition failure response to the service server;
the authentication code judging module, configured to generate a second hash message authentication code based on the second SPA key and check whether it equals the first hash message authentication code in the parsing result; if so, to trigger a port opening module, and if not, to return a port access failure response to the client;
the port opening module, configured to open the target port and return the result of opening the target port to the client.
In a third aspect, the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the steps of any one of the above methods.
In a fourth aspect, an embodiment of the present application provides a chip system comprising a processor and an interface, the processor being configured to implement the steps of any one of the above methods through the interface.
The beneficial effects brought by the technical scheme provided by some embodiments of the application include at least the following:
according to the port protection method under the software-defined boundary framework, the service server opens the target port to the client only when an access policy allowing the client to access the service server IP address and target port exists on the control server and the service server has successfully verified the hash message authentication code sent by the client.
Drawings
In order to illustrate more clearly the embodiments of the present application or the technical solutions in the prior art, the drawings used in describing the embodiments or the prior art are briefly introduced below. It is obvious that the drawings in the following description are only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 to fig. 2 are schematic flowcharts of a port protection method under a software-defined boundary framework according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the claims that follow.
In the description of the present application, it is to be understood that the terms "first", "second" and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Those of ordinary skill in the art will understand the specific meaning of the above terms in this application according to the specific case. Further, in the description of the present application, "a plurality" means two or more unless otherwise specified. "And/or" describes the association relationship of the associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The port protection method under the software-defined boundary framework provided by the embodiment of the present application will be described in detail below with reference to fig. 1 and fig. 2.
Please refer to fig. 1 to fig. 2, which are schematic flow charts of a port protection method under a software-defined boundary framework according to an embodiment of the present application.
As shown in fig. 1, the method of the embodiment of the present application may include the steps of:
Step S1': the control server determines which service server IP address and target port a client IP address may access, and builds and stores an access policy linking the client IP address, the service server IP address and the target port.
A client may be allowed to access only one service server or several service servers.
When a client accesses a service server, it may be allowed to access only one port or several ports of that server; when the client may access only one port of the service server, the control server builds one access policy, and when the client may access several ports of the service server, the control server builds a corresponding number of different access policies.
When the client accesses several service servers, the control server likewise builds several different access policies.
Building an access policy among the client IP address, the service server IP address and the target port means establishing the access right of the client IP address to the service server IP address and the target port.
Step S1: the client generates an identity authentication request and sends the identity authentication request to the control server.
The identity authentication request generated by the client is, for example: [example value not available on the page].
Step S2: the control server verifies the identity authentication request; if it passes verification, a verification-passed result is returned to the client and step S3 is executed, otherwise a verification-failed result is returned to the client and the procedure ends.
In detail, step S2 includes:
Step S21: the control server parses the identity authentication request to obtain identity authentication data, which comprises at least a user name and a user password.
The user name is, for example: Test.
The user password is, for example: ftsafe.
Any data that can be used to verify the identity of the client may serve as authentication data; in other embodiments, the authentication data obtained by the control server's parsing may also be a one-time password, a shared key, and so on.
The one-time password is, for example: 739245.
The shared key is, for example: FJSHFKAJSBFUEWKAB123945JHGF2344D.
Step S22: the control server authenticates the client based on the user name and the user password; if authentication passes, it returns an authentication-passed result to the client and step S3 is executed, otherwise it returns an authentication-failed result to the client and the procedure ends.
And step S3: the client generates a first SPA key acquisition request according to the IP address of the service server to be accessed, the target port to be accessed and the IP address of the client, and sends the first SPA key acquisition request to the control server.
The IP address of the service server to be accessed is, for example:
www.ftsafesdp.com。
the target ports to be accessed are for example:
443。
the client IP address is for example:
192.168.22.19。
the first SPA key acquisition request generated according to the service server IP address, the target port, and the client IP address is, for example:
ew0KICAibG9jYWxpcCI6ICIxOTIuMTY4LjIyLjE5IiwNCiAgImRpc3RpcCI6ICJ3d3cuZnRzYWZlc2RwLmNvbSIsDQogICJkaXN0cG9ydCI6ICI0NDMiLA0KICAic2RrSW5mbyI6IHsNCiAgICAiYXBwSWQiOiAiOTg3NjU0MzIxIiwNCiAgICAiYXBwVmVyc2lvbiI6ICIxLjAiLA0KICAgICJicmFuY2giOiAiMS4wIiwNCiAgICAicmV2aXNpb24iOiAiMS4wIiwNCiAgICAidHlwZSI6ICJjbGllbnQiLA0KICAgICJ2ZXJzaW9uIjogIjEuMCINCiAgfQ0KfQ。
The IP address of the service server to be accessed and the target port to be accessed are preset data; alternatively, in an optional embodiment, before step S3 the method further includes:
Step S3'-1: the client generates a to-be-accessed data acquisition request from the user name and the service type, and sends it to the control server.
The user name is, for example: Test.
The service type is, for example: oaworker.
The to-be-accessed data acquisition request is, for example:
ew0KICAiYnVzaW5lc3N0eXBlIjogIm9hd29ya2VyIiwNCiAgInVzZXJuYW1lIjogIlRlc3QiLA0KICAic2RrSW5mbyI6IHsNCiAgICAiYXBwSWQiOiAiOTg3NjU0MzIxIiwNCiAgICAiYXBwVmVyc2lvbiI6ICIxLjAiLA0KICAgICJicmFuY2giOiAiMS4wIiwNCiAgICAicmV2aXNpb24iOiAiMS4wIiwNCiAgICAidHlwZSI6ICJjbGllbnQiLA0KICAgICJ2ZXJzaW9uIjogIjEuMCINCiAgfQ0KfQ
Step S3'-2: the control server parses the to-be-accessed data acquisition request, determines the IP address of the service server to be accessed and the target port to be accessed from the user name and the service type in the parsing result, and returns the determination result to the client.
And step S4: the control server judges whether a first access strategy exists in the database according to the received first SPA key acquisition request so that the IP address of the client can access the IP address of the service server and the target port, if so, the control server generates a first SPA key, associates the first SPA key with the first access strategy, issues the first SPA key to the client, executes the step S5, and if not, returns a key acquisition failure response to the client.
The generation mode of the first SPA key is specifically as follows:
the control server acquires system time and counting factors;
and the control server calculates the system time and the counting factor according to a preset calculation mode to generate a first SPA key.
And carrying out exclusive OR operation on the system time and the counting factor, and taking a value obtained by shifting the operation result by 8 bits to the left as an SPA key.
For example, the system time factor is: 1658201545;
the counting factors are: 2534;
the SPA key calculated based on the above example is: 4F76E76BE0F1C60a002370E5C3C880C1.
The first SPA key in this application is, for example:
OSPENDJDBGJK21350ADSD84N992N93NS。
in an optional embodiment, in addition to generating the first SPA key according to a preset operation manner, the control server may also generate the first SPA key in a random manner.
In an optional embodiment, after the controlling server generates the first SPA key, the method further includes:
the control server records and saves the generation time of the first SPA key.
Step S5: the client acquires target data, generates a first hash message authentication code from the target data and the first SPA key, generates a port access request based on the target port, the client IP address and the first hash message authentication code, and sends the port access request to the service server.
A specific implementation of step S5 is:
the client generates a random number, generates a first hash message authentication code from the random number and the first SPA key, generates a port access request based on the target port, the client IP address, the random number and the first hash message authentication code, and sends the port access request to the service server.
The random number generated by the client is, for example: 1322794328.
The first hash message authentication code is, for example: 127164.
The port access request is, for example:
ew0KICAibG9jYWxpcCI6ICIxOTIuMTY4LjIyLjE5IiwNCiAgImRpc3RpcCI6ICJ3d3cuZnRzYWZlc2RwLmNvbSIsDQogICJkaXN0cG9ydCI6ICI0NDMiLA0KICAiY2hhbGxhZ2UiOiAiMTMyMjc5NDMyOCINCiAgImhtYWMiOiAiMTI3MTY0Ig0KICAic2RrSW5mbyI6IHsNCiAgICAiYXBwSWQiOiAiOTg3NjU0MzIxIiwNCiAgICAiYXBwVmVyc2lvbiI6ICIxLjAiLA0KICAgICJicmFuY2giOiAiMS4wIiwNCiAgICAicmV2aXNpb24iOiAiMS4wIiwNCiAgICAidHlwZSI6ICJjbGllbnQiLA0KICAgICJ2ZXJzaW9uIjogIjEuMCINCiAgfQ0KfQ
Step S6: the service server parses the port access request, generates a second SPA key acquisition request from the target port, the client IP address and the service server IP address in the parsing result, and sends the second SPA key acquisition request to the control server.
Step S7: the control server checks, according to the received second SPA key acquisition request, whether its database holds a second access policy allowing the client IP address in that request to access the service server IP address and the target port; if so, it issues the second SPA key associated with the second access policy to the service server and step S8 is executed; if not, it returns a key acquisition failure response to the service server.
In an optional embodiment, when it is determined that the second access policy exists in the database, so that the client IP address in the second SPA key acquisition request may access the service server IP address and the target port, the control server may further perform the following operations:
Step S71: the control server acquires the current system time and the generation time of the second SPA key, and acquires the key validity duration from the second access policy;
It should be noted that, in the port protection method provided in this embodiment, if the control server checks the timeliness of the key, the control server needs to configure the key validity duration in advance and record it in the access policy; if the service server checks the key timeliness (i.e. step S8 described below), the access policy contains nothing related to key timeliness.
The key validity duration preconfigured by the control server is, for example, 120 s.
Step S72: the control server checks whether the current system time is greater than or equal to the sum of the generation time of the second SPA key and the key validity duration; if not, the second SPA key associated with the second access policy is still valid, it is issued to the service server and step S8 is executed; if so, the second SPA key associated with the second access policy is invalidated and a key acquisition failure response is returned to the service server.
In a possible embodiment, when the service server receives a key acquisition failure response from the control server, it forwards the response to the client; the client then asks the control server to generate a new SPA key and accesses the port of the service server based on the new SPA key.
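The control server's side of the procedure, covering the access policy store of step S1', the key issue of step S4 and the expiry check of steps S71 and S72, as an added Python example; it is not code from the patent or from Feitian. The class, method and field names are my own. The XOR-and-shift derivation follows the text above and is kept as an option, but the default is the random key that the optional embodiment permits, because a key derived from the clock and a small counter is guessable by anyone who can estimate both. The 120 s validity and the sample addresses are those given on the page; the clock is injectable so the expiry rule can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Policy key of step S1': (client IP, service server address, target port)
PolicyKey = Tuple[str, str, int]


@dataclass(frozen=True)
class AccessPolicy:
    client_ip: str
    server_ip: str
    port: int
    key_valid_seconds: int = 120  # validity duration recorded in the policy (page example: 120 s)


def derive_spa_key(system_time: int, count_factor: int) -> bytes:
    """Preset derivation stated on the page: XOR the system time with the count
    factor and shift the result 8 bits to the left.  Both inputs are low-entropy,
    so ControlServer only uses this when random_keys=False."""
    value = (system_time ^ count_factor) << 8
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


class ControlServer:
    def __init__(self, policies: Iterable[AccessPolicy],
                 clock: Callable[[], float] = time.time, random_keys: bool = True):
        self._policies: Dict[PolicyKey, AccessPolicy] = {
            (p.client_ip, p.server_ip, p.port): p for p in policies
        }
        # SPA key issued per policy together with its generation time (optional step after S4)
        self._keys: Dict[PolicyKey, Tuple[bytes, float]] = {}
        self._clock = clock
        self._random_keys = random_keys
        self._count_factor = 0

    def find_policy(self, client_ip: str, server_ip: str, port: int) -> Optional[AccessPolicy]:
        return self._policies.get((client_ip, server_ip, port))

    def issue_key_to_client(self, client_ip: str, server_ip: str, port: int) -> Optional[bytes]:
        """Step S4.  None stands for the key acquisition failure response."""
        policy = self.find_policy(client_ip, server_ip, port)
        if policy is None:
            return None
        now = self._clock()
        if self._random_keys:
            key = secrets.token_bytes(16)
        else:
            self._count_factor += 1
            key = derive_spa_key(int(now), self._count_factor)
        self._keys[(client_ip, server_ip, port)] = (key, now)  # record the generation time
        return key

    def issue_key_to_service_server(self, client_ip: str, server_ip: str, port: int) -> Optional[bytes]:
        """Steps S7, S71 and S72: same policy check, then the expiry check."""
        policy = self.find_policy(client_ip, server_ip, port)
        entry = self._keys.get((client_ip, server_ip, port))
        if policy is None or entry is None:
            return None
        key, generated_at = entry
        # S72: expired when now >= generation time + validity duration
        if self._clock() >= generated_at + policy.key_valid_seconds:
            del self._keys[(client_ip, server_ip, port)]  # invalidate the expired key
            return None
        return key


if __name__ == "__main__":
    # Constructed sample policy using the page's example addresses and port.
    cs = ControlServer([AccessPolicy("192.168.22.19", "www.ftsafesdp.com", 443)])
    print(cs.issue_key_to_client("192.168.22.19", "www.ftsafesdp.com", 443).hex())
    print(cs.issue_key_to_client("10.0.0.1", "www.ftsafesdp.com", 443))  # None: no policy
```

One point worth noticing in the expiry rule: the service server's request for the second key is the moment at which the control server decides validity, so a key is only ever judged against the clock of the party that generated it, which sidesteps the clock-drift problem that the time-based variant later on the page has to handle with a window.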
In the prior art there is no key transmission process between server and client: the two devices share the same static, fixed key, which is easy to break, and when the key of one device is leaked the user's account is hijacked. Compared with the static fixed key of the prior art, the dynamic, non-fixed key generated by the control server greatly reduces the chance of being broken and improves key security; the client asks the control server to generate an SPA key only when needed, which greatly reduces the risk of user account hijacking and gives a high safety factor.
Step S8: the service server generates a second hash message authentication code based on the second SPA key and checks whether it equals the first hash message authentication code in the parsing result; if they are equal, step S9 is executed, otherwise a port access failure response is returned to the client.
A specific implementation of the service server generating the second hash message authentication code based on the second SPA key is:
the service server generates the second hash message authentication code from the random number in the parsing result and the second SPA key.
Step S9: the service server records the client IP address and the target port from the parsing result in a local database, completes the opening of the target port and returns the result of opening the target port to the client.
In this application, the port opened by the service server is a TCP port.
Besides the port opening performed when data enters the service server (after the service server has recorded the client IP address and the target port), the service server also performs a port opening when data is sent out of the service server, specifically:
the service server acquires data to be sent to any client IP address or any client port;
the service server keeps the target port open in order to send that data.
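The client's request construction of step S5 and the service server's parse, verify and open path of steps S6, S8 and S9, as an added Python example; it is not code from the patent or from Feitian. The field names localip, distip, distport, challage and hmac are those of the decoded sample port access request on the page (including its spelling of "challage"); the sdkInfo block is left out. Everything else is an assumption: the 6-digit code is produced with HMAC-SHA1 and RFC 4226 dynamic truncation over the random number packed as an 8-byte big-endian integer, the base64 carries standard padding, and the control-server round trip of step S7 is replaced by a `fetch_key` callback that returns the second SPA key or None.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from typing import Callable, Optional, Set, Tuple


def truncated_mac(key: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 reduced to a decimal code with RFC 4226 dynamic truncation.
    Assumption: the page shows a 6-digit code (127164) but names neither the
    hash nor the truncation, so the HOTP construction is used here."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def encode_request(body: dict) -> str:
    """JSON, then base64 with padding (the page's samples omit the padding)."""
    return base64.b64encode(json.dumps(body).encode()).decode()


def decode_request(encoded: str) -> dict:
    return json.loads(base64.b64decode(encoded))


def build_port_access_request(client_ip: str, server_ip: str, port: int,
                              spa_key: bytes, challenge: Optional[int] = None) -> str:
    """Step S5, random-number variant: the HMAC covers only the fresh challenge."""
    if challenge is None:
        challenge = secrets.randbelow(2 ** 32)
    body = {
        "localip": client_ip,
        "distip": server_ip,
        "distport": str(port),
        "challage": str(challenge),
        "hmac": truncated_mac(spa_key, struct.pack(">Q", challenge)),
    }
    return encode_request(body)


class ServiceServer:
    """fetch_key(client_ip, server_ip, port) stands in for the second SPA key
    acquisition request of steps S6/S7 and returns the key, or None for the
    key acquisition failure response."""

    def __init__(self, server_ip: str,
                 fetch_key: Callable[[str, str, int], Optional[bytes]]):
        self.server_ip = server_ip
        self._fetch_key = fetch_key
        self.open_ports: Set[Tuple[str, int]] = set()  # local database of step S9

    def handle_port_access_request(self, encoded: str) -> str:
        req = decode_request(encoded)  # step S6: parse the request
        client_ip, port = str(req.get("localip", "")), int(req.get("distport", 0))
        if req.get("distip") != self.server_ip:
            return "port access failure"
        key = self._fetch_key(client_ip, self.server_ip, port)
        if key is None:
            return "key acquisition failure"  # forwarded to the client per the page
        expected = truncated_mac(key, struct.pack(">Q", int(req.get("challage", 0))))
        # Step S8: constant-time comparison of the second code against the first
        if not hmac.compare_digest(expected, str(req.get("hmac", ""))):
            return "port access failure"
        self.open_ports.add((client_ip, port))  # step S9: record (client IP, target port)
        return "port opened"


if __name__ == "__main__":
    # Constructed sample: one client, one key, page's example addresses and port.
    key = secrets.token_bytes(16)
    srv = ServiceServer("www.ftsafesdp.com",
                        lambda c, s, p: key if (c, p) == ("192.168.22.19", 443) else None)
    print(srv.handle_port_access_request(
        build_port_access_request("192.168.22.19", "www.ftsafesdp.com", 443, key)))
```

Two things to check when reviewing an implementation of this step: the comparison in S8 should be constant-time (hmac.compare_digest here), and the challenge must be fresh per request, since the HMAC covers nothing else and a replayed request with an old challenge would otherwise verify just as well. A production SPA listener would also usually drop a failed request silently instead of answering it; the example keeps the page's explicit failure responses so the three outcomes can be told apart.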
In an optional embodiment, another specific implementation manner of the step S5 is:
the client acquires a first time, generates a first Hash message authentication code according to the first time and a first SPA key, generates a port access request based on a target port, a client IP address and the first Hash message authentication code, and sends the port access request to a service server, wherein the first time is the current time of the client.
And calculating the first time and the first SPA key based on an RFC6238 specification algorithm to generate a first hash message authentication code.
The step S8 specifically includes:
the service server acquires second time, and generates a second Hash message authentication code according to the second time and a second SPA key, wherein the second time is the current time of the service server;
and the service server judges whether the second hash message authentication code is the same as the first hash message authentication code in the analysis result, if so, the step S9 is executed, and if not, a port access failure response is returned to the client.
And if the second hash message authentication code is the same as the first hash message authentication code in the analysis result, determining that the second SPA key is in the validity period and the key is correct and has not been tampered, and executing the step S9.
Further, if it is determined that the second hash message authentication code is not the same as the first hash message authentication code in the analysis result, returning a port access failure response to the client, including:
if the second hash message authentication code is judged to be different from the first hash message authentication code in the analysis result, acquiring a preset time window, calculating and acquiring a third time and a fourth time based on the second time and the time window, respectively generating a third hash message authentication code according to the third time and a second SPA key, and generating a fourth hash message authentication code according to the fourth time and a second SPA key;
and judging whether the first Hash message authentication code in the analysis result is the same as the third Hash message authentication code or the fourth Hash message authentication code, if not, determining that the second SPA key is tampered, retransmitting a second SPA key acquisition request to the control server, if so, determining that the second SPA key is overtime and invalid, invalidating the second SPA key, and returning a key acquisition failure response to the service server.
The time window preset by the service server is the validity period of the key, and is, for example, 120s.
The time window preset by the service server needs to be consistent with the effective time length of the key configured by the control server.
The third time is obtained by moving the current time of the service server (the second time) one time window earlier, and the fourth time by moving it one time window later. If the first hash message authentication code in the parsing result is the same as the third or fourth hash message authentication code generated from the third or fourth time, the second SPA key is determined to have expired and a port access failure response is returned to the client. Otherwise, when the first hash message authentication code differs from the second, third and fourth hash message authentication codes, the second SPA key is determined to have been tampered with in transmission, and the second SPA key acquisition request is sent to the control server again.
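The S8 check with the time-window fallback, as an added example that is not part of the patent text. Two points the page leaves open are filled in as labelled assumptions: HMAC-SHA256 is used as the hash message authentication code, and both sides quantise time to the 120 s window (TOTP-style time steps), since HMAC(first time) can only equal HMAC(second time) if the client and the service server MAC the same value. The function names, the request dictionary layout and the sample key are hypothetical.

```python
import hmac
import hashlib

# Constructed parameters for this added example. The page gives 120 s as the
# example time window but does not name the MAC algorithm or say how the
# client's and server's times are made to agree; both are assumptions here.
TIME_WINDOW_S = 120
MAC_HASH = hashlib.sha256


def time_step(t: float, window: int = TIME_WINDOW_S) -> int:
    """Quantise wall-clock time to a step index (TOTP-style).

    Assumption: HMAC(first time) on the client can only equal HMAC(second
    time) on the service server if both sides MAC the same quantised value.
    """
    return int(t) // window


def make_hmac(spa_key: bytes, step: int) -> bytes:
    """HMAC over the quantised time under the SPA key (first..fourth HMACs)."""
    return hmac.new(spa_key, step.to_bytes(8, "big"), MAC_HASH).digest()


def client_port_access_request(first_spa_key: bytes, client_ip: str,
                               target_port: int, now: float) -> dict:
    """Step S5 in the claim 9 variant: MAC the client's current time."""
    return {
        "client_ip": client_ip,
        "target_port": target_port,
        "hmac": make_hmac(first_spa_key, time_step(now)),
    }


def service_server_check(request: dict, second_spa_key: bytes, now: float) -> str:
    """Step S8 with the claim 10 time-window fallback.

    Returns "valid"    -> execute S9 (open the target port),
            "expired"  -> key timed out, port access failure to the client,
            "tampered" -> request the second SPA key from the control server again.
    """
    received = request["hmac"]
    step = time_step(now)                       # second time
    # Second HMAC: current time of the service server. compare_digest is
    # constant-time, so the comparison does not leak how many bytes matched.
    if hmac.compare_digest(received, make_hmac(second_spa_key, step)):
        return "valid"
    # Third and fourth HMACs: one time window earlier and one later.
    for neighbour in (step - 1, step + 1):
        if hmac.compare_digest(received, make_hmac(second_spa_key, neighbour)):
            return "expired"
    return "tampered"
```

A request built in one step verifies as "valid" in the same step, as "expired" in the adjacent steps, and as "tampered" two or more steps away or under a different key. Note that anyone who captures the port access request can resend it within the same step; SPA implementations such as fwknop keep a cache of already-seen digests to reject replays, a check the page does not describe.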
In an optional embodiment, after step S9, the method further includes:
step S10: and the service server receives the service request sent by the client and analyzes the service request to obtain the IP address of the client, the port to be accessed and the service data.
Step S11: and the service server matches the client IP address and the port to be accessed obtained by analysis with the client IP address and the target port recorded in the local database, if the matching is successful, the service server allows the service data to pass through the route and access the target port, and step S12 is executed, otherwise, a port access failure response is returned to the client.
Step S12: and the service server generates a service response result aiming at the service request and returns the service response result to the client.
Specifically, the service request sent by the client may be, for example, a binding request. The client encrypts the data to be bound with a manufacturer public key built into the device at the factory to obtain the service data, generates a service request from the client IP address, the port to be accessed (the port the client obtained from the open result) and the service data, and sends the service request to the service server. When the client IP address and the port to be accessed in the service request are recorded in the local database of the service server, the service data is received through that port, decrypted with the internally stored manufacturer private key to recover the binding data, and the binding result is returned to the client.
The service request sent by the client may also be, for example, an authentication request, etc., similar to the processing procedure of the binding request, and the specific procedure of processing other service requests through the open port is not described in detail here.
In an optional embodiment, after the service server opens the target port, the method further includes:
the service server acquires the opening duration of a target port;
and the service server judges whether the opening time reaches the preset time, closes the target port if the opening time reaches the preset time, and keeps the target port in an opening state if the opening time does not reach the preset time.
The preset duration is, for example, 5 min.
The preset duration of the target port can be set by the service server, and can also be configured by the control server.
When the preset duration is set by the service server, it is a fixed value; when it is configured by the control server (the service server sends a request to the control server to obtain the open duration), it is a variable value that can be configured flexibly according to actual conditions.
Further, when it is determined that the open duration reaches the preset duration, closing the target port may include:
and judging whether the target port is accessed currently, if so, keeping the target port in an open state until the access is finished, otherwise, deleting the recorded client IP address and the target port from the local database, and closing the target port.
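The service server's local database of opened (client IP, target port) pairs, the S10 to S12 matching, and the open-duration close with its "still being accessed" exception, as an added example that is not the patent's code. The class and method names are hypothetical; the in-use bookkeeping (an access counter incremented while a handler runs) is an assumption, since the page only says the port is kept open until the access finishes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PRESET_OPEN_DURATION_S = 300   # the page's example value, 5 min


@dataclass
class OpenedPort:
    client_ip: str
    target_port: int
    opened_at: float
    active_accesses: int = 0   # assumed bookkeeping for "currently being accessed"


class ServiceServerPortTable:
    """Local database of (client IP, target port) pairs that the service server
    has opened in step S9, used to admit service requests (S10-S12) and to
    close ports whose open duration has elapsed. Added example, not the patent's code."""

    def __init__(self, open_duration_s: int = PRESET_OPEN_DURATION_S):
        self.open_duration_s = open_duration_s
        self._table: Dict[Tuple[str, int], OpenedPort] = {}

    def open_port(self, client_ip: str, target_port: int, now: float) -> dict:
        """Step S9: record the pair and report the open result to the client."""
        self._table[(client_ip, target_port)] = OpenedPort(client_ip, target_port, now)
        return {"status": "opened", "target_port": target_port}

    def is_open_for(self, client_ip: str, port: int) -> bool:
        return (client_ip, port) in self._table

    def handle_service_request(self, request: dict,
                               handler: Callable[[bytes], bytes]) -> dict:
        """Steps S10-S12: match client IP and port against the table, then pass
        the service data through to the handler. Only a recorded pair is admitted."""
        entry = self._table.get((request["client_ip"], request["port"]))
        if entry is None:
            return {"status": "port access failure"}
        entry.active_accesses += 1          # the port is now being accessed
        try:
            result = handler(request["data"])
        finally:
            entry.active_accesses -= 1
        return {"status": "ok", "result": result}

    def sweep(self, now: float) -> List[Tuple[str, int]]:
        """Close every port whose open duration reached the preset duration,
        except ports currently being accessed, which stay open until the
        access finishes. Returns the pairs that were closed."""
        closed = []
        for key, entry in list(self._table.items()):
            if now - entry.opened_at < self.open_duration_s:
                continue                    # still within the preset duration
            if entry.active_accesses > 0:
                continue                    # in use: keep open for now
            del self._table[key]            # delete the record, close the port
            closed.append(key)
        return closed
```

`sweep` is meant to be called periodically; a port that reached its preset duration while a request is in flight is skipped on that pass and closed on the next one. In a real deployment the client IP used for the match should be the source address of the packet that carried the service request, not only a field the client wrote into the request body.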
According to the port protection method under the software defined boundary framework, the service server opens the target port to the client only when an access policy allowing the client IP address to access the service server IP address and the target port exists on the control server and the service server successfully verifies the hash message authentication code sent by the client.
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
An exemplary embodiment of the present application provides a port protection device under a software-defined boundary framework, including:
the authentication request generation module is used for generating an identity authentication request and sending the identity authentication request to the control server;
the authentication request verification module is used for verifying the identity authentication request, if the identity authentication request passes the verification, the verification passing result is returned to the client side, the key request generation module is triggered, and if the identity authentication request does not pass the verification, the verification failing result is returned to the client side and the verification is finished;
the key request generation module is used for generating a first SPA key acquisition request according to the IP address of the service server to be accessed, the target port to be accessed and the IP address of the client, and sending the first SPA key acquisition request to the control server;
a key issuing module, configured to determine, according to the received first SPA key acquisition request, whether a first access policy exists in a database, so that the client IP address can access the service server IP address and the target port, if so, generate a first SPA key, associate the first SPA key with the first access policy, issue the first SPA key to the client, trigger an access request generation module, and if not, return a key acquisition failure response to the client;
the access request generation module is used for acquiring target data, generating a first Hash message authentication code according to the target data and the first SPA key, generating a port access request based on the target port, the client IP address and the first Hash message authentication code, and sending the port access request to a service server;
the key request generating module is further configured to parse the port access request, generate a second SPA key acquisition request according to a target port, a client IP address, and a service server IP address in a parsing result, and send the second SPA key acquisition request to the control server;
the key issuing module is further configured to determine, according to the received second SPA key acquisition request, whether a second access policy exists in the database, so that the client IP address in the second SPA key acquisition request can access the service server IP address and the target port, if so, issue the second SPA key associated with the second access policy to the service server, and trigger the authentication code determination module, and if not, return a key acquisition failure response to the service server;
the authentication code judging module is used for generating a second Hash message authentication code based on the second SPA secret key, judging whether the second Hash message authentication code is the same as the first Hash message authentication code in the analysis result or not, if so, triggering the port opening module, and if not, returning a port access failure response to the client;
and the port opening module is used for opening the target port and returning the opening result of the target port to the client.
In an optional embodiment, the port opening module is specifically configured to:
recording the IP address of the client and the target port in the analysis result into a local database, and completing the opening operation of the target port;
and returning the opening result of the target port to the client.
In an optional embodiment, the apparatus further comprises:
the request analysis module is used for receiving the service request sent by the client and analyzing the service request to obtain the IP address of the client, the port to be accessed and the service data;
the information matching module is used for matching the client IP address and the port to be accessed which are obtained by analysis with the client IP address and the target port recorded in the local database, if the matching is successful, the service data is allowed to pass through the route and access the target port, and the service response module is triggered, otherwise, a port access failure response is returned to the client;
and the service response module is used for generating a service response result aiming at the service request and returning the service response result to the client.
In an optional embodiment, the apparatus further includes a port open duration module, which specifically includes:
an open duration acquiring unit, configured to acquire an open duration of the target port;
and the port operation unit is used for judging whether the opening time length reaches a preset time length, closing the target port if the opening time length reaches the preset time length, and keeping the target port in an opening state if the opening time length does not reach the preset time length.
In an optional embodiment, the port operating unit is specifically configured to:
judging whether the open duration reaches the preset duration; if it does, further judging whether the target port is currently being accessed, keeping the target port open until the access finishes if it is, and closing the target port if it is not; if the open duration does not reach the preset duration, keeping the target port open.
In an optional embodiment, the key issuing module is specifically configured to:
judging whether a first access strategy exists in a database according to the received first SPA key acquisition request so that the client IP address can access the service server IP address and the target port, if so, acquiring system time and a counting factor, and operating the system time and the counting factor according to a preset operation mode to generate a first SPA key;
and associating the first SPA key with the first access policy, issuing the first SPA key to the client, triggering an access request generation module, and if the first SPA key does not exist, returning a key acquisition failure response to the client.
In an optional embodiment, the key issuing module is specifically configured to:
judging whether a first access strategy exists in a database according to the received first SPA key acquisition request so that the client IP address can access the service server IP address and the target port, and if so, generating a first SPA key in a random mode;
and associating the first SPA key with the first access policy, issuing the first SPA key to the client, triggering an access request generation module, and if the first SPA key does not exist, returning a key acquisition failure response to the client.
In an optional embodiment, the key issuing module is specifically configured to:
judging, according to the received second SPA key acquisition request, whether a second access policy exists in the database such that the client IP address in the second SPA key acquisition request can access the service server IP address and the target port; if so, acquiring the current system time and the generation time of the second SPA key associated with the second access policy, and acquiring the key validity duration from the second access policy;
judging whether the current system time is greater than or equal to the sum of the generation time of the second SPA key and the key validity duration; if not, the second SPA key associated with the second access policy is valid, it is issued to the service server and the authentication code judging module is triggered; if so, the second SPA key associated with the second access policy is invalidated and a key acquisition failure response is returned to the service server;
and if no second access policy exists, returning a key acquisition failure response to the service server.
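The control-server side of the key issuing module (policy lookup, first SPA key generation by either the time-plus-counter operation of claim 5 or the random generation of claim 6, and the claim 7 validity check before the second SPA key is issued), as an added example that is not the patent's code. The page does not say which operation combines the system time and the counting factor; this example keys that derivation with a controller secret (an assumption, `controller_secret`), because an unkeyed function of the time and a counter would let anyone who knows those inputs reproduce the key. Class and method names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AccessPolicy:
    """An access policy of step S1': which client IP may reach which server IP and port."""
    client_ip: str
    server_ip: str
    target_port: int
    key_validity_s: int                     # key validity duration held in the policy
    spa_key: Optional[bytes] = None         # SPA key associated with the policy
    key_generated_at: Optional[float] = None


class ControlServer:
    """Control-server side: policies (S1'), first SPA key issuance (S4) and
    second SPA key issuance with the validity check (S7). Added example."""

    def __init__(self, controller_secret: bytes, key_mode: str = "time_counter"):
        # Assumption: the time-and-counter derivation is keyed with a secret held
        # only by the control server; the page names no particular operation.
        self._secret = controller_secret
        self._counter = 0                   # counting factor, claim 5
        self.key_mode = key_mode            # "time_counter" (claim 5) or "random" (claim 6)
        self._policies: Dict[Tuple[str, str, int], AccessPolicy] = {}

    def add_policy(self, client_ip: str, server_ip: str, target_port: int,
                   key_validity_s: int) -> None:
        self._policies[(client_ip, server_ip, target_port)] = AccessPolicy(
            client_ip, server_ip, target_port, key_validity_s)

    def _generate_spa_key(self, now: float) -> bytes:
        if self.key_mode == "random":
            return os.urandom(32)
        self._counter += 1
        msg = int(now).to_bytes(8, "big") + self._counter.to_bytes(8, "big")
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue_first_key(self, client_ip: str, server_ip: str, target_port: int,
                        now: float) -> Optional[bytes]:
        """Step S4: on a policy hit generate a key, associate it with the policy
        and hand it to the client; None means key acquisition failure."""
        policy = self._policies.get((client_ip, server_ip, target_port))
        if policy is None:
            return None
        policy.spa_key = self._generate_spa_key(now)
        policy.key_generated_at = now
        return policy.spa_key

    def issue_second_key(self, client_ip: str, server_ip: str, target_port: int,
                         now: float) -> Optional[bytes]:
        """Step S7 with the claim 7 check: the key is valid only while
        now < generation time + validity duration; otherwise invalidate it."""
        policy = self._policies.get((client_ip, server_ip, target_port))
        if policy is None or policy.spa_key is None:
            return None
        if now >= policy.key_generated_at + policy.key_validity_s:
            policy.spa_key = None           # invalidate the expired key
            policy.key_generated_at = None
            return None
        return policy.spa_key
```

Once a key has been invalidated, a later request with an earlier timestamp still fails: the key is gone, not merely hidden behind the comparison, so a service server cannot obtain it again until the client goes through step S4 once more.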
In an optional embodiment, the access request generating module is specifically configured to:
acquiring first time, generating a first Hash message authentication code according to the first time and the first SPA key, generating a port access request based on the target port, the client IP address and the first Hash message authentication code, and sending the port access request to a service server, wherein the first time is the current time of the client;
in an optional embodiment, the authentication code determining module is specifically configured to:
acquiring second time, and generating a second hash message authentication code according to the second time and the second SPA key, wherein the second time is the current time of the service server;
and judging whether the second hash message authentication code is the same as the first hash message authentication code in the parsing result; if so, triggering the port opening module, and if not, returning a port access failure response to the client.
In an optional embodiment, if it is determined that the second hash message authentication code is different from the first hash message authentication code in the parsing result, returning a port access failure response to the client specifically includes:
if the second hash message authentication code is judged to be different from the first hash message authentication code in the parsing result, acquiring a preset time window, calculating a third time and a fourth time from the second time and the time window, generating a third hash message authentication code from the third time and the second SPA key, and generating a fourth hash message authentication code from the fourth time and the second SPA key;
and judging whether the first hash message authentication code in the parsing result is the same as the third hash message authentication code or the fourth hash message authentication code; if it matches neither, determining that the second SPA key has been tampered with and sending a second SPA key acquisition request to the control server again; if it matches one of them, determining that the second SPA key has expired, invalidating the second SPA key, and returning a port access failure response to the client.
In an optional embodiment, the apparatus further comprises:
the data request generating module is used for generating a data acquisition request to be accessed according to a user name and a service type and sending the data acquisition request to be accessed to the control server;
and the data issuing module is used for analyzing the data acquisition request to be accessed, determining the IP address of the service server to be accessed and the target port to be accessed according to the user name and the service type in the analysis result, and returning the determination result to the client.
In an optional embodiment, the apparatus further comprises:
and the strategy construction module is used for determining the service server IP and the target port which can be accessed by the client IP address, and constructing and storing an access strategy among the client IP address, the service server IP address and the target port.
It should be noted that, when the port protection device under the software-defined boundary frame provided in the foregoing embodiment executes the port protection method under the software-defined boundary frame, only the division of the functional modules is taken as an example, and in practical applications, the functions may be allocated to different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the port protection device under the software-defined boundary frame and the port protection method under the software-defined boundary frame provided in the above embodiments belong to the same concept, and details of implementation processes thereof are referred to in the method embodiments and are not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
According to the port protection device under the software defined boundary framework, the service server opens the target port to the client only when an access policy allowing the client IP address to access the service server IP address and the target port exists on the control server and the service server successfully verifies the hash message authentication code sent by the client. The device protects the server by protecting its ports, so that malicious attacks can be effectively prevented.
The embodiments of the present application also provide a computer-readable storage medium, on which a computer program is stored, and the computer program is executed by a processor to implement the steps of the method of any one of the foregoing embodiments. The computer-readable storage medium may include, but is not limited to, any type of disk including floppy disks, optical disks, DVDs, CD-ROMs, microdrive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
An embodiment of the present application further provides a chip system, which includes a processor and an interface, where the processor is configured to implement the steps of any one of the above methods through the interface.
In this application, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or order; the term "plurality" means two or more unless expressly limited otherwise. The terms "mounted," "connected," "fixed," and the like are to be construed broadly, and for example, "connected" may be a fixed connection, a removable connection, or an integral connection; "coupled" may be direct or indirect through an intermediary. The specific meaning of the above terms in the present application can be understood by those of ordinary skill in the art as appropriate.
In the description of the present application, it is to be understood that the terms "upper", "lower", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience in describing the present application and simplifying the description, but do not indicate or imply that the referred device or unit must have a specific direction, be configured and operated in a specific orientation, and thus, should not be construed as limiting the present application.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Accordingly, all equivalent changes made by the claims of this application are intended to be covered by this application.

Claims (15)

1. A method for port protection under a software defined boundary frame, the method comprising:
step S1: the client generates an identity authentication request and sends the identity authentication request to the control server;
step S2: the control server verifies the identity authentication request, if the identity authentication request passes the verification, the verification passing result is returned to the client, and the step S3 is executed, otherwise, the verification failing result is returned to the client;
and step S3: the client generates a first SPA key acquisition request according to the IP address of the service server to be accessed, the target port to be accessed and the IP address of the client, and sends the first SPA key acquisition request to the control server;
and step S4: the control server judges whether a first access strategy exists in a database according to the received first SPA key acquisition request so that the IP address of the client can access the IP address of the service server and the target port, if so, a first SPA key is generated, the first SPA key is associated with the first access strategy, the first SPA key is issued to the client, the step S5 is executed, and if not, a key acquisition failure response is returned to the client;
step S5: the client acquires target data, generates a first Hash message authentication code according to the target data and the first SPA key, generates a port access request based on the target port, the client IP address and the first Hash message authentication code, and sends the port access request to a service server;
step S6: the service server analyzes the port access request, generates a second SPA key acquisition request according to a target port, a client IP address and a service server IP address in an analysis result, and sends the second SPA key acquisition request to the control server;
step S7: the control server judges whether a second access strategy exists in a database according to the received second SPA key acquisition request so that a client IP address in the second SPA key acquisition request can access a service server IP address and a target port, if so, the control server issues a second SPA key related to the second access strategy to the service server, and executes the step S8, and if not, a key acquisition failure response is returned to the service server;
step S8: the service server generates a second Hash message authentication code based on the second SPA key, judges whether the second Hash message authentication code is the same as the first Hash message authentication code in the analysis result or not, executes the step S9 if the second Hash message authentication code is the same as the first Hash message authentication code in the analysis result, and returns a port access failure response to the client if the second Hash message authentication code is not the same as the first Hash message authentication code in the analysis result;
step S9: and the service server opens the target port and returns the opening result of the target port to the client.
2. The method of claim 1, wherein the service server opening the target port comprises:
the service server records the IP address of the client and the target port in the analysis result into a local database to complete the opening operation of the target port;
after the step S9, the method further includes:
step S10: the service server receives a service request sent by the client, and analyzes the service request to obtain a client IP address, a port to be accessed and service data;
step S11: the service server matches the client IP address and the port to be accessed obtained by analysis with the client IP address and the target port recorded in a local database, if the matching is successful, the service data is allowed to pass through a route and access the target port, and step S12 is executed, otherwise, a port access failure response is returned to the client;
step S12: and the service server generates a service response result aiming at the service request and returns the service response result to the client.
3. The method of claim 1, wherein after said opening the target port, further comprising:
the service server acquires the opening duration of the target port;
and the service server judges whether the open time reaches a preset time, if so, the target port is closed, and if not, the target port is kept in an open state.
4. The method of claim 3, wherein said shutting down the target port comprises:
and judging whether the target port is accessed currently, if so, keeping the target port in an open state until the access is finished, and if not, closing the target port.
5. The method of claim 1, wherein generating the first SPA key comprises:
the control server acquires system time and counting factors;
and the control server calculates the system time and the counting factor according to a preset operation mode to generate a first SPA key.
6. The method of claim 1, wherein generating the first SPA key comprises:
the control server generates a first SPA key in a random manner.
7. The method of claim 1, wherein issuing the second SPA key associated with the second access policy to the service server comprises:
the control server acquires the current system time and the generation time of a second SPA key associated with the second access strategy, and acquires the effective time length of the key from the second access strategy;
and the control server judges whether the current system time is more than or equal to the sum of the generation time of the second SPA key and the key validity duration, if not, the second SPA key associated with the second access policy is valid, the second SPA key is issued to the service server, and step S8 is executed, if so, the second SPA key associated with the second access policy is invalidated, and a key acquisition failure response is returned to the service server.
8. The method according to claim 1, wherein the target data is specifically a random number, and the step S5 includes:
the client acquires a random number, generates a first Hash message authentication code according to the random number and the first SPA key, generates a port access request based on the target port, the client IP address, the random number and the first Hash message authentication code, and sends the port access request to a service server;
the step S8 includes:
and the service server generates a second Hash message authentication code according to the random number in the analysis result and the second SPA key, judges whether the second Hash message authentication code is the same as the first Hash message authentication code in the analysis result, executes the step S9 if the second Hash message authentication code is the same as the first Hash message authentication code in the analysis result, and returns a port access failure response to the client if the second Hash message authentication code is not the same as the first Hash message authentication code in the analysis result.
9. The method according to claim 1, wherein the target data is specifically a first time, and the step S5 includes:
the client acquires first time, generates a first Hash message authentication code according to the first time and the first SPA key, generates a port access request based on the target port, the client IP address and the first Hash message authentication code, and sends the port access request to a service server, wherein the first time is the current time of the client;
the step S8 includes:
the service server acquires second time, and generates a second Hash message authentication code according to the second time and the second SPA key, wherein the second time is the current time of the service server;
and the service server judges whether the second hash message authentication code is the same as the first hash message authentication code in the analysis result, if so, the step S9 is executed, and if not, a port access failure response is returned to the client.
10. The method of claim 9, wherein if it is determined that the second hashed message authentication code is not the same as the first hashed message authentication code in the parsing result, returning a port access failure response to the client, comprising:
if the second hash message authentication code is judged to be different from the first hash message authentication code in the analysis result, acquiring a preset time window, calculating and acquiring a third time and a fourth time based on the second time and the time window, respectively generating a third hash message authentication code according to the third time and the second SPA key, and generating a fourth hash message authentication code according to the fourth time and the second SPA key;
and judging whether the first Hash message authentication code in the analysis result is the same as any one of the third Hash message authentication code and the fourth Hash message authentication code, if not, determining that the second SPA key is tampered, retransmitting a second SPA key acquisition request to the control server, if so, determining that the second SPA key is overtime and invalid, and returning a port access failure response to the client.
11. The method according to claim 1, wherein the step S3 is preceded by:
step S3' -1: the client generates a data acquisition request to be accessed according to the user name and the service type, and sends the data acquisition request to be accessed to the control server;
step S3' -2: the control server analyzes the data acquisition request to be accessed, determines the IP address of the service server to be accessed and the target port to be accessed according to the user name and the service type in the analysis result, and returns the determination result to the client.
12. The method according to claim 1, wherein the step S1 is preceded by:
step S1': the control server determines a service server IP and a target port which can be accessed by a client IP address, and an access strategy is constructed and stored among the client IP address, the service server IP address and the target port.
13. A port protection device under a software defined boundary framework, the device comprising:
the authentication request generation module is used for generating an identity authentication request and sending the identity authentication request to the control server;
the authentication request verification module is used for verifying the identity authentication request; if the identity authentication request passes verification, a verification-passed result is returned to the client and the key request generation module is triggered, and if it does not pass verification, a verification-failed result is returned to the client and the process ends;
the key request generation module is used for generating a first SPA key acquisition request according to the IP address of the service server to be accessed, the target port to be accessed and the IP address of the client, and sending the first SPA key acquisition request to the control server;
a key issuing module, configured to determine, according to the received first SPA key acquisition request, whether the database holds a first access policy allowing the client IP address to access the service server IP address and the target port; if so, generate a first SPA key, associate the first SPA key with the first access policy, issue the first SPA key to the client and trigger the access request generation module, and if not, return a key acquisition failure response to the client;
the access request generation module is used for acquiring target data, generating a first hash message authentication code from the target data and the first SPA key, generating a port access request based on the target port, the client IP address and the first hash message authentication code, and sending the port access request to the service server;
the key request generation module is further configured to parse the port access request, generate a second SPA key acquisition request according to the target port, the client IP address and the service server IP address in the parsing result, and send the second SPA key acquisition request to the control server;
the key issuing module is further configured to determine, according to the received second SPA key acquisition request, whether the database holds a second access policy allowing the client IP address in the second SPA key acquisition request to access the service server IP address and the target port; if so, issue the second SPA key associated with the second access policy to the service server and trigger the authentication code judging module, and if not, return a key acquisition failure response to the service server;
the authentication code judging module is used for generating a second hash message authentication code based on the second SPA key and judging whether the second hash message authentication code is the same as the first hash message authentication code in the parsing result; if so, the port opening module is triggered, and if not, a port access failure response is returned to the client;
the port opening module is used for opening the target port and returning the opening result of the target port to the client.
14. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 12.
15. A chip system comprising a processor and an interface, wherein the processor is configured to implement the steps of the method according to any one of claims 1 to 12 via the interface.
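The two-key SPA exchange of claim 13, as an added example that is not part of the patent or the applicant's code: a control server holds access policies and the SPA key tied to each, the client builds a port access request carrying an HMAC over the target data, and the service server fetches the second key for the same (client IP, server IP, port) triple and recomputes the MAC before opening the port. All names are assumptions, as is the choice of HMAC-SHA256, the assumption that the target data travels inside the request, and the omission of the identity-authentication step that precedes the first key request.

```python
import hashlib
import hmac
import secrets

# Constructed model of the SPA flow in the claims (assumed names, not the
# patent's own code). Policies are (client IP, service server IP, port).
class ControlServer:
    def __init__(self):
        self.policies = set()   # access policies built in step S1'
        self.keys = {}          # policy -> SPA key associated with it

    def add_policy(self, client_ip, server_ip, port):
        self.policies.add((client_ip, server_ip, port))

    def issue_key(self, client_ip, server_ip, port):
        """First SPA key request (from the client): create, associate, issue."""
        policy = (client_ip, server_ip, port)
        if policy not in self.policies:
            return None                       # key acquisition failure
        return self.keys.setdefault(policy, secrets.token_bytes(32))

    def lookup_key(self, client_ip, server_ip, port):
        """Second SPA key request (from the service server)."""
        return self.keys.get((client_ip, server_ip, port))

def build_port_access_request(spa_key, client_ip, port, target_data):
    """Client side: HMAC over the target data with the first SPA key.
    Assumption: the target data is carried in the request so the service
    server can recompute the MAC over the same bytes."""
    mac1 = hmac.new(spa_key, target_data, hashlib.sha256).digest()
    return {"port": port, "client_ip": client_ip,
            "data": target_data, "hmac": mac1}

def handle_port_access_request(control, server_ip, request):
    """Service server side: fetch the second key, recompute, compare."""
    key2 = control.lookup_key(request["client_ip"], server_ip, request["port"])
    if key2 is None:
        return "key acquisition failure"      # no policy for this triple
    mac2 = hmac.new(key2, request["data"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac2, request["hmac"]):
        return "port access failure"          # MAC mismatch: port stays closed
    return "port opened"

def run_flow(control, client_ip, server_ip, port, target_data):
    """End-to-end run; the identity authentication step is omitted."""
    key1 = control.issue_key(client_ip, server_ip, port)
    if key1 is None:
        return "key acquisition failure"
    req = build_port_access_request(key1, client_ip, port, target_data)
    return handle_port_access_request(control, server_ip, req)
```

Because the service server never receives the key from the client, a request for a triple without a policy fails at key lookup, and a request whose data or MAC was altered fails at the constant-time comparison.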
CN202211043829.0A 2022-08-30 2022-08-30 Port protection method and device under software defined boundary framework Active CN115118442B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211043829.0A CN115118442B (en) 2022-08-30 2022-08-30 Port protection method and device under software defined boundary framework

Publications (2)

Publication Number Publication Date
CN115118442A CN115118442A (en) 2022-09-27
CN115118442B true CN115118442B (en) 2022-11-22

Family

ID=83336246

Country Status (1)

Country Link
CN (1) CN115118442B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116707807B (en) * 2023-08-09 2023-10-31 中电信量子科技有限公司 Distributed zero-trust micro-isolation access control method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007058455A (en) * 2005-08-23 2007-03-08 Dainippon Printing Co Ltd Access management system and access management method
CN107911381A (en) * 2017-12-01 2018-04-13 济南浪潮高新科技投资发展有限公司 Access method, system, server-side and the client of application programming interface
CN114553568A (en) * 2022-02-25 2022-05-27 重庆邮电大学 Resource access control method based on zero-trust single packet authentication and authorization

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8413248B2 (en) * 2006-03-22 2013-04-02 Michael B. Rash Method for secure single-packet remote authorization
JP4993122B2 (en) * 2008-01-23 2012-08-08 大日本印刷株式会社 Platform integrity verification system and method
CN111262830B (en) * 2020-01-07 2022-08-19 广州虎牙科技有限公司 Security authentication method, device, system, electronic equipment and storage medium
CN112261067A (en) * 2020-12-21 2021-01-22 江苏易安联网络技术有限公司 Method and system for multi-stage single-packet authorization
CN112866297B (en) * 2021-04-02 2023-02-24 中国工商银行股份有限公司 Method, device and system for processing access data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant