CN115333781A - Access control security system, method and firewall based on environmental data certificate - Google Patents
- Publication number: CN115333781A (application CN202210843206.5A)
- Authority: CN (China)
- Prior art keywords: access control, control security, accessed, application service, terminal device
- Prior art date
- Legal status: Granted
Classifications
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)
- H04L63/105: Multiple levels of security
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to an access control security system based on an environment data certificate. A first access control security component collects the environment multi-factor information of a terminal device, intercepts its access request, generates a request message from the two and sends it to a second access control security component; the second access control security module obtains the environment multi-factor information and the application service to be accessed from that message and, according to the access control result returned by a third access control security module, determines whether the terminal device is allowed to access the application service; the third access control security module verifies the environment factor information to obtain the access control result. The invention performs environment data authentication based on the hardware environment, software environment and network environment of the terminal device: once a change occurs on the terminal device that could endanger the application service being accessed, the terminal device is blocked from accessing that service, building a more secure and reliable network access environment. The invention also relates to an access control security method and a firewall based on the environment data certificate.
Description
Technical field
The invention relates to the technical field of information security, and in particular to an access control security system, method and firewall based on environment data certificates.
Background
To protect users' information security, the many kinds of business conducted over the Internet usually require every party involved (persons, terminal devices, servers, etc.) to hold digital certificates of various kinds. However, the hardware environment, software environment and network environment of a terminal device may change at any time. Once a change occurs on the terminal device that could endanger the application service being accessed, how to build a more secure and reliable network access environment that meets the differing security requirements of the many kinds of business, such as e-commerce and online finance, is a technical problem that urgently needs to be solved.
Summary of the invention
The technical problem addressed by the present invention is to remedy the deficiencies of the prior art by providing an access control security system, method and firewall based on environment data certificates.
The technical solution by which the present invention solves the above technical problem is as follows:
An access control security system based on environment data certificates, the access control security system comprising a first access control security component, a second access control security component and a third access control security component:
the first access control security component is configured to collect the environment multi-factor information of a terminal device, intercept the access request that the terminal device sends to the application service to be accessed, generate a request message from the environment multi-factor information and the access request, and send the request message to the second access control security component;
the second access control security module is configured to obtain the environment multi-factor information and the application service to be accessed from the request message, send the environment multi-factor information to the third access control security module if the application service to be accessed belongs to a preset protected service class, and determine, according to the access control result returned by the third access control security module, whether the terminal device is allowed to access the application service to be accessed;
the third access control security module is configured to verify the environment factor information according to the preset identity verification policy of the application service to be accessed, and obtain the access control result.
The beneficial effects of the method of the invention are as follows: an access control security system based on environment data certificates is proposed, the access control security system comprising a first access control security component, a second access control security component and a third access control security component: the first access control security component is configured to collect the environment multi-factor information of a terminal device, intercept the access request that the terminal device sends to the application service to be accessed, generate a request message from the environment multi-factor information and the access request, and send the request message to the second access control security component; the second access control security module is configured to obtain the environment multi-factor information and the application service to be accessed from the request message, send the environment multi-factor information to the third access control security module if the application service to be accessed belongs to a preset protected service class, and determine, according to the access control result returned by the third access control security module, whether the terminal device is allowed to access the application service to be accessed; the third access control security module is configured to verify the environment factor information according to the preset identity verification policy of the application service to be accessed, and obtain the access control result. The present invention performs environment data authentication based on the hardware environment, software environment and network environment of the terminal device; once a change occurs on the terminal device that could endanger the application service being accessed, the terminal device is prevented from accessing that service, building a more secure and reliable network access environment.
On the basis of the above technical solution, the present invention can be further improved as follows.
Further, the first access control security component is specifically configured to collect the environment multi-factor information of the terminal device through a client agent service, browser plug-in or browser control installed on the terminal device; the environment multi-factor information includes the terminal number and the hardware environment parameter, system environment parameter, user usage-habit, terminal network address, user identity and user secondary-verification parameter classes.
Further, the second access control security module is specifically configured to parse the access request to obtain the environment multi-factor information of the terminal device and the information of the application service to be accessed;
perform single packet authorization (SPA) authentication on the access request and, if the access request passes the single packet authorization authentication, determine whether the application service to be accessed is of the preset protected service class;
if so, send the environment multi-factor information of the terminal device and the information of the application service to be accessed to the third access control security module.
Further, the third access control security module is specifically configured to determine, from the information of the application service to be accessed, the identity verification policy corresponding to that application service;
verify the environment factor information separately against each sub-verification policy in the identity verification policy, obtaining a verification result for each sub-verification policy;
obtain the access control result from a preset verification policy rule and the verification result of each sub-verification policy.
Further, the second access control security module is specifically configured to parse the access request to obtain the environment multi-factor information of the terminal device and the information of the application service to be accessed;
determine whether the access request uses a standard protocol;
if so, determine whether the application service to be accessed belongs to the preset protected service class;
if so, send the environment multi-factor information of the terminal device and the information of the application service to be accessed to the third access control security module for verification;
when the access control result returned by the third access control security module is "access allowed", establish a single packet authorization channel between the terminal device and the application service to be accessed;
if the application service to be accessed does not belong to the preset protected service class, allow the terminal device to access the application service to be accessed.
Another technical solution by which the present invention solves the above technical problem is as follows:
the first access control security component collects the environment multi-factor information of a terminal device, intercepts the access request that the terminal device sends to the application service to be accessed, generates a request message from the environment multi-factor information and the access request, and sends the request message to a second access control security component;
the second access control security module obtains the environment multi-factor information and the application service to be accessed from the request message, sends the environment multi-factor information to a third access control security module if the application service to be accessed belongs to a preset protected service class, and determines, according to the access control result returned by the third access control security module, whether the terminal device is allowed to access the application service to be accessed;
the third access control security module verifies the environment factor information according to the preset identity verification policy of the application service to be accessed, and obtains the access control result.
Further, the method also includes:
the first access control security component collects the environment multi-factor information of the terminal device through a client agent service, browser plug-in or browser control installed on the terminal device; the environment multi-factor information includes the terminal number and the hardware environment parameter, system environment parameter, user usage-habit, terminal network address, user identity and user secondary-verification parameter classes.
The present application provides a firewall comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the computer program, carries out the steps of the access control security method based on environment data certificates described in any of the above technical solutions.
In addition, the present application also provides an application gateway device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the computer program, carries out the steps of the access control security method based on environment data certificates described in any of the above technical solutions.
Advantages of additional aspects of the invention will be given in part in the description that follows, and in part will become apparent from the description or be learned through practice of the invention.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a block diagram of an access control security system based on environment data certificates according to an embodiment of the present invention;
FIG. 2 is a flow diagram of an access control security method based on environment data certificates according to another embodiment of the present invention;
FIG. 3 is a flow diagram of the second access control security component in an access control security system based on environment data certificates according to another embodiment of the present invention;
FIG. 4 is a flow diagram of the second access control security component in an access control security system based on environment data certificates according to another embodiment of the present invention;
FIG. 5 is a block diagram of an application gateway device according to another embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in FIG. 1, an access control security system based on environment data certificates according to an embodiment of the present invention comprises a first access control security component, a second access control security component and a third access control security component.
The first access control security component is configured to collect the environment multi-factor information of a terminal device, intercept the access request that the terminal device sends to the application service to be accessed, generate a request message from the environment multi-factor information and the access request, and send the request message to the second access control security component;
the second access control security module is configured to obtain the environment multi-factor information and the application service to be accessed from the request message, send the environment multi-factor information to the third access control security module if the application service to be accessed belongs to a preset protected service class, and determine, according to the access control result returned by the third access control security module, whether the terminal device is allowed to access the application service to be accessed;
the third access control security module is configured to verify the environment factor information according to the preset identity verification policy of the application service to be accessed, and obtain the access control result.
On the basis of the above embodiment, further, the first access control security component is specifically configured to collect the environment multi-factor information of the terminal device through a client agent service, browser plug-in or browser control installed on the terminal device; the environment multi-factor information includes the terminal number and the hardware environment parameter, system environment parameter, user usage-habit, terminal network address, user identity and user secondary-verification parameter classes.
Specifically, the environment multi-factor information in this application may include the following:
Table 1 Environment multi-factor information list
On the basis of the above embodiment, further, the second access control security module is specifically configured to parse the access request to obtain the environment multi-factor information of the terminal device and the information of the application service to be accessed;
perform single packet authorization authentication on the access request and, if the access request passes the single packet authorization authentication, determine whether the application service to be accessed is of the preset protected service class;
if so, send the environment multi-factor information of the terminal device and the information of the application service to be accessed to the third access control security module.
On the basis of the above embodiment, further, the third access control security module is specifically configured to determine, from the application service to be accessed, the identity verification policy corresponding to that application service;
verify the environment factor information separately against each sub-verification policy in the identity verification policy, obtaining a verification result for each sub-verification policy;
obtain the access control result from the verification result of each sub-verification policy according to the preset verification policy rule.
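The third module's evaluation described above, as an added example in Python; it is not the patent's own code. A per-service identity verification policy is a list of sub-verification policies, each a predicate over the environment multi-factor information, and the preset verification policy rule combines the sub-results (here: every sub-policy marked required must pass, and at least `min_pass` of all sub-policies must pass). The factor key names, the enrolment record, the address prefixes and the `payment-api` policy are all assumptions constructed for this example; the patent only names the seven factor categories.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Mapping

# Environment multi-factor information as collected by the first component.
# The key names are this example's assumption; the patent lists only the categories.
EnvFactors = Mapping[str, object]


@dataclass
class SubPolicy:
    name: str
    check: Callable[[EnvFactors], bool]
    required: bool = True  # a failed required sub-policy denies regardless of the count rule


@dataclass
class ServicePolicy:
    sub_policies: List[SubPolicy]
    min_pass: int  # preset verification policy rule: how many sub-policies must pass


@dataclass
class AccessControlResult:
    allowed: bool
    sub_results: Dict[str, bool] = field(default_factory=dict)
    reason: str = ""


# Enrolment record the environment data is compared against (constructed sample).
ENROLLED = {
    "T-0001": {"user": "alice", "hw_fingerprint": "hw-aa11",
               "os_build": "22621", "usual_hours": range(7, 20)},
}
TRUSTED_PREFIXES = ("10.10.", "192.168.50.")  # constructed corporate address ranges


def _record(env: EnvFactors):
    return ENROLLED.get(env.get("terminal_id"))


def terminal_enrolled(env):          # terminal number class
    return _record(env) is not None


def hardware_unchanged(env):         # hardware environment parameter class
    rec = _record(env)
    return rec is not None and env.get("hardware", {}).get("fingerprint") == rec["hw_fingerprint"]


def system_unchanged(env):           # system environment parameter class
    rec = _record(env)
    return rec is not None and env.get("system", {}).get("os_build") == rec["os_build"]


def identity_matches(env):           # user identity class
    rec = _record(env)
    return rec is not None and env.get("identity", {}).get("user") == rec["user"]


def second_factor_ok(env):           # user secondary verification parameter class
    return env.get("second_factor", {}).get("verified") is True


def on_trusted_network(env):         # terminal network address class
    return str(env.get("network_address", "")).startswith(TRUSTED_PREFIXES)


def usual_hours(env):                # user usage habit class
    rec = _record(env)
    return rec is not None and env.get("habits", {}).get("hour") in rec["usual_hours"]


POLICIES = {
    "payment-api": ServicePolicy(
        sub_policies=[
            SubPolicy("terminal_enrolled", terminal_enrolled),
            SubPolicy("hardware_unchanged", hardware_unchanged),
            SubPolicy("system_unchanged", system_unchanged),
            SubPolicy("identity_matches", identity_matches),
            SubPolicy("second_factor_ok", second_factor_ok),
            SubPolicy("on_trusted_network", on_trusted_network, required=False),
            SubPolicy("usual_hours", usual_hours, required=False),
        ],
        min_pass=6,  # rule: all five required checks plus at least one of the two soft checks
    ),
}


def evaluate(service: str, env: EnvFactors) -> AccessControlResult:
    """Third module: apply the service's identity verification policy to the
    environment factor information and combine the sub-results by the preset rule."""
    policy = POLICIES.get(service)
    if policy is None:
        # fail closed: a protected service without a policy is a configuration error
        return AccessControlResult(False, reason="no verification policy for service")
    results = {sp.name: bool(sp.check(env)) for sp in policy.sub_policies}
    failed_required = [sp.name for sp in policy.sub_policies
                       if sp.required and not results[sp.name]]
    if failed_required:
        return AccessControlResult(False, results,
                                   "required sub-policy failed: " + ", ".join(failed_required))
    passed = sum(results.values())
    if passed < policy.min_pass:
        return AccessControlResult(False, results,
                                   f"only {passed} of {policy.min_pass} sub-policies passed")
    return AccessControlResult(True, results, "all checks satisfied")


# Constructed environment multi-factor information for terminal T-0001.
SAMPLE_ENV = {
    "terminal_id": "T-0001",
    "hardware": {"fingerprint": "hw-aa11"},
    "system": {"os_build": "22621"},
    "habits": {"hour": 9},
    "network_address": "10.10.3.7",
    "identity": {"user": "alice"},
    "second_factor": {"verified": True},
}

if __name__ == "__main__":
    for label, env in [
        ("unchanged terminal", SAMPLE_ENV),
        ("hardware changed", dict(SAMPLE_ENV, hardware={"fingerprint": "hw-zz99"})),
        ("off-site at 02:00", dict(SAMPLE_ENV, network_address="203.0.113.5", habits={"hour": 2})),
    ]:
        r = evaluate("payment-api", env)
        print(f"{label:20s} allowed={r.allowed} ({r.reason})")
```

The split between required and soft sub-policies is what lets the rule express the patent's point: a change in the hardware or system environment of an enrolled terminal denies access outright, while a single unusual network or usage-habit signal is tolerated and two together are not. Unknown services are denied rather than allowed, so a protected service that was never given a policy cannot be reached by accident.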
On the basis of the above embodiment, further, the second access control security module is specifically configured to parse the access request to obtain the environment multi-factor information of the terminal device and the information of the application service to be accessed;
determine whether the access request uses a standard protocol;
if so, determine whether the application service to be accessed belongs to the preset protected service class;
if so, send the environment multi-factor information of the terminal device and the information of the application service to be accessed to the third access control security module for verification;
when the access control result returned by the third access control security module is "access allowed", establish a single packet authorization channel between the terminal device and the application service to be accessed;
if the application service to be accessed does not belong to the preset protected service class, allow the terminal device to access the application service to be accessed.
Specifically, as shown in FIG. 3 and FIG. 4, the second access control security module resolves the target address of the access request that terminal device P1 initiates toward target application service P2, obtaining the address of target application service P2.
It determines whether the access request uses a standard protocol; if so, it determines whether the request is for target application service P2 and whether target application service P2 is an application service that needs protection.
If so, it sends the environment multi-factor information of terminal device P1 and the information of target application service P2 to the security control center, which performs identity verification of terminal device P1; if verification succeeds, a single packet authorization channel is allowed to be established between terminal device P1 and target application service P2.
If terminal device P1 accesses target application service P1, and target application service P1 is not an application service that needs protection, terminal device P1 is allowed to access target application service P1.
If the access request does not use a standard protocol, a single packet authorization channel is established between terminal device P1 and target application service P2.
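The second module's decision flow of FIG. 3 and FIG. 4, together with the first component's step of bundling the environment multi-factor information into the request message, as an added example in Python; it is not the patent's own code. The JSON message layout, the set of "standard" protocols, the protected service names, the P1 environment values and the stub verifier standing in for the security control center are all assumptions constructed for this example.

```python
import json
from enum import Enum
from typing import Callable, Mapping, Tuple

# Assumptions for this example: which protocols count as "standard", and which
# services form the preset protected service class.
STANDARD_PROTOCOLS = {"http", "https"}
PROTECTED_SERVICES = {"payment-api", "hr-portal"}


class Decision(Enum):
    ALLOW_DIRECT = "allow: service is outside the protected class"
    SPA_CHANNEL = "allow: single packet authorization channel established"
    DENY = "deny: environment verification failed"
    REJECT_MALFORMED = "deny: request message could not be parsed"


def build_request_message(env: Mapping[str, object], intercepted: Mapping[str, str]) -> str:
    """First component: attach the collected environment multi-factor information
    to the intercepted access request (the JSON layout is this example's assumption)."""
    return json.dumps({"env": dict(env), "request": dict(intercepted)})


def parse_request_message(raw: str) -> Tuple[dict, str, str]:
    """Second module, first step: recover the environment information, the target
    application service and the protocol from the request message."""
    msg = json.loads(raw)
    env = msg["env"]
    req = msg["request"]
    if not isinstance(env, dict) or not isinstance(req, dict):
        raise ValueError("malformed request message")
    return env, str(req["target_service"]), str(req["protocol"]).lower()


Verifier = Callable[[str, Mapping[str, object]], bool]


def decide(raw: str, verify: Verifier) -> Decision:
    """Second module decision flow of FIG. 3 and FIG. 4. Non-standard protocols go
    straight to the SPA channel, as the description states."""
    try:
        env, service, protocol = parse_request_message(raw)
    except (ValueError, KeyError, TypeError):
        return Decision.REJECT_MALFORMED
    if protocol not in STANDARD_PROTOCOLS:
        return Decision.SPA_CHANNEL
    if service not in PROTECTED_SERVICES:
        return Decision.ALLOW_DIRECT
    # protected service: hand the environment data and the service to the
    # third module (the security control center) and act on its result
    return Decision.SPA_CHANNEL if verify(service, env) else Decision.DENY


def stub_verify(service: str, env: Mapping[str, object]) -> bool:
    """Stand-in for the third module: accepts only the enrolled hardware fingerprint."""
    hw = env.get("hardware")
    return isinstance(hw, dict) and hw.get("fingerprint") == "hw-aa11"


# Constructed sample: environment data of terminal P1 and its intercepted request to P2.
ENV_P1 = {"terminal_id": "P1", "hardware": {"fingerprint": "hw-aa11"},
          "network_address": "10.10.3.7", "second_factor": {"verified": True}}
REQ_TO_P2 = {"target_service": "payment-api", "protocol": "https", "path": "/api/transfer"}

if __name__ == "__main__":
    cases = {
        "enrolled P1 -> P2": build_request_message(ENV_P1, REQ_TO_P2),
        "changed hardware -> P2": build_request_message(
            dict(ENV_P1, hardware={"fingerprint": "hw-zz99"}), REQ_TO_P2),
        "P1 -> unprotected service": build_request_message(
            ENV_P1, dict(REQ_TO_P2, target_service="public-site")),
        "garbage": "not a request message",
    }
    for label, raw in cases.items():
        print(f"{label:28s} {decide(raw, stub_verify).value}")
```

Two points worth checking in a deployment of this flow: a request message that fails to parse is rejected rather than passed through, and the non-standard-protocol branch skips the environment verification entirely, so on that path the single packet authorization channel's own authentication is the only gate (the other embodiment described above, which performs SPA authentication before the protected-class check, closes that gap).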
如图2所示,一种基于环境数据证书的访问控制安全方法,包括以下步骤:As shown in Figure 2, an access control security method based on environmental data certificates includes the following steps:
所述第一访问控制安全组件采集终端设备的环境多因子信息,截取终端设备向待访问应用服务发送的访问请求,根据所述环境多因子信息和所述访问请求生成请求消息,将所述请求消息发送到所述第二访问控制安全组件。The first access control security component collects environmental multi-factor information of the terminal device, intercepts an access request sent by the terminal device to the application service to be accessed, generates a request message according to the environmental multi-factor information and the access request, and sends the request A message is sent to the second access control security component.
所述第二访问控制安全模块从所述请求消息中获取所述环境多因子信息和待访问应用服务,若所述待访问应用服务属于预设保护服务类时,则将所述环境多因子信息发送至所述第三访问控制安全模块,并根据所述第三访问控制安全模块返回的访问控制结果,确定所述终端设备是否被允许访问所述待访问应用服务。The second access control security module obtains the environment multi-factor information and the application service to be accessed from the request message, and if the application service to be accessed belongs to the preset protection service class, the environment multi-factor information Send to the third access control security module, and determine whether the terminal device is allowed to access the application service to be accessed according to the access control result returned by the third access control security module.
所述第三访问控制安全模块根据预设的所述待访问应用服务的身份验证策略,对所述环境因子信息进行验证,得到所述访问控制结果。The third access control security module verifies the environmental factor information according to the preset identity verification policy of the application service to be accessed, and obtains the access control result.
进一步地,所述方法还包括:Further, the method also includes:
所述第一访问控制安全组件通过设置于所述终端设备的客户端代理服务、浏览器插件或浏览器控件,采集所述终端设备的环境多因子信息,所述环境多因子信息包括终端编号、硬件环境参数类、系统环境参数类、用户使用习惯类、终端网络地址类、用户身份类和用户二次验证参数类。The first access control security component collects the environmental multi-factor information of the terminal device through the client proxy service, browser plug-in or browser control set on the terminal device, and the environmental multi-factor information includes terminal number, Hardware environment parameters, system environment parameters, user usage habits, terminal network addresses, user identity and user secondary verification parameters.
进一步地,所述方法还包括:Further, the method also includes:
所述第二访问控制安全模块对所述访问请求进行解析,得到所述终端设备的环境多因子信息和所述待访问应用服务的信息;The second access control security module parses the access request to obtain environmental multi-factor information of the terminal device and information of the application service to be accessed;
对所述访问请求进行单包授权认证,若所述访问请求通过所述单包授权认证时,判断所述待访问应用服务是否是所述预设保护服务类;Perform single-package authorization authentication on the access request, and if the access request passes the single-package authorization authentication, determine whether the application service to be accessed is the preset protection service class;
若是,则将所述终端设备的环境多因子信息和所述待访问应用服务的信息发送到所述第三访问控制安全模块。If yes, send the environment multi-factor information of the terminal device and the information of the application service to be accessed to the third access control security module.
The present application provides a firewall, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, it implements the steps of the access control security method based on an environmental data certificate described in any one of the above technical solutions.
In addition, as shown in FIG. 5, the present application also provides an application gateway device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, it implements the steps of the access control security method based on an environmental data certificate described in any one of the above technical solutions.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not detailed or recorded in a certain embodiment, refer to the relevant descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as going beyond the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the apparatus/terminal device embodiments described above are merely illustrative; for instance, the division into modules or units is only a division by logical function, and in actual implementation there may be other divisions: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated module/unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
Based on this understanding, the present invention implements all or part of the processes in the methods of the above embodiments, which may also be completed by instructing related hardware through a computer program. The computer program may be stored in a computer-readable storage medium, and when executed by a processor, implements the steps of the above method embodiments. The computer program includes computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and the like. It should be noted that the content contained in the computer-readable medium may be appropriately added to or reduced according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
The above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be included within the protection scope of the present invention.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or replacements within the technical scope disclosed by the present invention, and these modifications or replacements shall all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210843206.5A CN115333781B (en) | 2022-07-18 | 2022-07-18 | Access control security system, method and firewall based on environmental data certificate |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210843206.5A CN115333781B (en) | 2022-07-18 | 2022-07-18 | Access control security system, method and firewall based on environmental data certificate |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115333781A true CN115333781A (en) | 2022-11-11 |
CN115333781B CN115333781B (en) | 2024-11-01 |
Family
ID=83918117
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210843206.5A Active CN115333781B (en) | 2022-07-18 | 2022-07-18 | Access control security system, method and firewall based on environmental data certificate |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115333781B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115801413A (en) * | 2022-11-18 | 2023-03-14 | 中国电信股份有限公司 | Communication method, communication device, electronic device, and non-volatile storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11082430B1 (en) * | 2018-05-31 | 2021-08-03 | Amazon Technologies, Inc. | Device authorizations using certificates and service access policy templates |
CN113312674A (en) * | 2021-06-18 | 2021-08-27 | 北京泰立鑫科技有限公司 | Access security method and system based on multi-factor environment perception digital certificate |
WO2022062918A1 (en) * | 2020-09-25 | 2022-03-31 | 统信软件技术有限公司 | Control method for strategy implementation, strategy implementation system, and computing device |
CN114553568A (en) * | 2022-02-25 | 2022-05-27 | 重庆邮电大学 | Resource access control method based on zero-trust single packet authentication and authorization |
2022
- 2022-07-18 CN CN202210843206.5A patent/CN115333781B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11082430B1 (en) * | 2018-05-31 | 2021-08-03 | Amazon Technologies, Inc. | Device authorizations using certificates and service access policy templates |
WO2022062918A1 (en) * | 2020-09-25 | 2022-03-31 | 统信软件技术有限公司 | Control method for strategy implementation, strategy implementation system, and computing device |
CN113312674A (en) * | 2021-06-18 | 2021-08-27 | 北京泰立鑫科技有限公司 | Access security method and system based on multi-factor environment perception digital certificate |
CN114553568A (en) * | 2022-02-25 | 2022-05-27 | 重庆邮电大学 | Resource access control method based on zero-trust single packet authentication and authorization |
Non-Patent Citations (1)
Title |
---|
陈建华;伍照华;: "基于PMI访问控制系统的设计", 电脑知识与技术(学术交流), no. 02, 27 January 2006 (2006-01-27) * |
Also Published As
Publication number | Publication date |
---|---|
CN115333781B (en) | 2024-11-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12192173B2 (en) | | Network traffic inspection |
US10958662B1 (en) | | Access proxy platform |
US11457040B1 (en) | | Reverse TCP/IP stack |
CN112422532B (en) | | Service communication method, system and device and electronic equipment |
US20220394026A1 (en) | | Network identity protection method and device, and electronic equipment and storage medium |
CN108432180B (en) | | Method and system for PKI-based authentication |
US8166534B2 (en) | | Incorporating network connection security levels into firewall rules |
US20170289134A1 (en) | | Methods and apparatus for assessing authentication risk and implementing single sign on (sso) using a distributed consensus database |
US9881304B2 (en) | | Risk-based control of application interface transactions |
US11252190B1 (en) | | Limited access policy bypass |
CN111355726A (en) | | Identity authorization login method and device, electronic equipment and storage medium |
US8793773B2 (en) | | System and method for providing reputation reciprocity with anonymous identities |
CN112968910B (en) | | Replay attack prevention method and device |
WO2023116791A1 (en) | | Access control method, access control system, terminal and storage medium |
CN115333781B (en) | | Access control security system, method and firewall based on environmental data certificate |
CN111147447A (en) | | Data protection method and system |
CN106534179A (en) | | Safety communication method and device and safety communication system |
CN118802159A (en) | | Authentication and authorization method, device, electronic device, storage medium and product |
CN116633562A (en) | | Network zero trust security interaction method and system based on WireGuard |
US20210314172A1 (en) | | Validating integrity of private keys for on a data communications network using blockchain key registry |
CN113297629B (en) | | Authentication method, device, system, electronic equipment and storage medium |
TWI795148B (en) | | Device, method and system of handling access control |
CN115580417B (en) | | Data processing method, device, electronic device and computer readable storage medium |
KR102760760B1 (en) | | Approved contents providing method based on user network profile |
US20230237171A1 (en) | | Securing web browsing on a managed user device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||