CN116074128A - SFTP authorization method and system based on portable operation and maintenance gateway - Google Patents

Info

Publication number: CN116074128A
Application number: CN202310347102.XA
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 王小涛, 吴胜
Current assignee: Anhui Jiu'an Cloud Century Technology Co ltd; Beijing Jiuan Century Technology Co ltd
Original assignee: Anhui Jiu'an Cloud Century Technology Co ltd; Beijing Jiuan Century Technology Co ltd
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal


Abstract

The invention relates to an SFTP authorization method and system based on a portable operation and maintenance gateway. The method comprises the steps of obtaining verification information and request information, wherein the request information is an uploading request or a downloading request; analyzing the verification information according to a preset analysis rule to obtain identity information; when the request information is an upload request: acquiring uploading information, and storing the uploading information in a preset cache area; based on a preset first authorization rule, authorizing uploading according to the identity information; when the request information is a download request: acquiring downloading information and backing up the downloading information; based on a preset second authorization rule, authorizing downloading according to the identity information. The invention has the effect of being capable of supervising the behavior of the user.

Description

SFTP authorization method and system based on portable operation and maintenance gateway
Technical Field
The application relates to the technical field of SFTP data audit, in particular to an SFTP authorization method and system based on a portable operation and maintenance gateway.
Background
SFTP is an encrypted transfer method that provides secure file transmission over the network. In this sense SFTP is not a server program but a client program, and using SFTP is very secure because SFTP encrypts both the authentication information and the data in transit.
However, even if encryption is performed during data transmission, security events cannot be avoided. Statistics show that in security incidents more than 75% of threats come from inside, including unauthorized access by internal personnel, misuse and mishandling. Analysis of the causes shows that the most important factor is the lack of a process for supervising user behaviour, so the security of the data cannot be ensured at the source.
Disclosure of Invention
The invention aims to provide an SFTP authorization method and system based on a portable operation and maintenance gateway which are capable of supervising user behaviour.
The first object of the present application is achieved by the following technical solutions:
an SFTP authorization method based on a portable operation and maintenance gateway comprises the following steps:
acquiring verification information and request information, wherein the request information is an uploading request or a downloading request;
analyzing the verification information according to a preset analysis rule to obtain identity information;
when the request information is an upload request:
acquiring uploading information, and storing the uploading information in a preset cache area;
based on a preset first authorization rule, authorizing uploading according to the identity information;
when the request information is a download request:
acquiring downloading information and backing up the downloading information;
based on a preset second authorization rule, the downloading is authorized according to the identity information.
With this technical scheme, unique identity information is built into the USBkey device; the USBkey device is connected to the server, and the identity information is encrypted and transmitted to the server. After analysis, the user can choose an upload or download operation as needed. During an upload a buffer file is newly created, the data of the file to be uploaded is written into the buffer file, upload authorization is then applied for, and the buffer file is uploaded once approved. Likewise, during a download a backup file is newly created, the data of the file to be downloaded is written into the backup file, download authorization is applied for, and the backup file is transmitted directly once approved. Throughout this process, every operation can only proceed after approval, so the user's behaviour is monitored to a certain extent and data security is improved.
Optionally, the identity information is built into the USBkey device;
and the identity information is encrypted with a private key built into the USBkey device to obtain the verification information.
With this technical scheme, the USBkey contains a single-chip microcomputer or smart card chip and has a certain amount of storage space in which the user's private key and digital certificate can be stored; because the user's private key is kept behind the password lock, it theoretically cannot be read out by any means, so the security of user authentication is ensured.
Optionally, decrypting the verification information according to a preset public key to obtain the identity information of the user.
By adopting the technical scheme, the authentication of the user identity is realized by utilizing the built-in public key algorithm of the USBKey, so that the user identity is determined, and a data foundation is laid for later reading of the user authority and limiting of the user operation.
Optionally, obtaining the uploading information;
creating a cache file according to the uploading information;
and reading target data in the uploading information, and writing the target data into a cache file.
With this technical scheme, when an upload is performed the cache file is established on the server side and the data is stored there, so only the cache file needs to be uploaded. The data is also checked while the cache file is being established, and when dangerous data exists in the file to be uploaded it can be handled in time, which further improves the security of data transmission.
Optionally, according to the identity information, it is queried and judged whether the user has upload authority:
if yes, authorization is granted and the cache file is uploaded to the storage end.
With this technical scheme, the upload information comprises the file to be uploaded and the identity information; the identity information is extracted, the user's identity is authenticated, the user's authorities are looked up, and it is judged whether the user has upload authority. If yes, upload authority is granted; if not, it is refused and the cached file is cleared. Unauthorized operations by the user are thereby reduced to a certain extent, and the service program is safer and more orderly.
Optionally, obtaining download information;
creating a backup file according to the download information;
acquiring data corresponding to the storage end according to the download information to obtain download data;
and writing the downloaded data into the backup file.
With this technical scheme, after the download information is acquired the backup file is established on the server side and the data is stored in it, and the backup file is what is transmitted during the download. Since the user downloads the backup file, the probability of a connection being established between internal data and other devices is reduced to a certain extent, the internal data is protected to a certain extent, and the safety coefficient is improved.
Optionally, according to the identity information, it is queried and judged whether the user has download authority:
if yes, authorization is granted and the backup file is transmitted to the request end.
With this technical scheme, the download request comprises the basic information of the file to be downloaded and the identity information; the identity information is extracted, the user's identity is authenticated, the user's authorities are looked up, and it is judged whether the user has download authority. If yes, download authority is granted. Unauthorized operations by the user are thereby reduced to a certain extent, the risk of data leakage is reduced, and the safety coefficient of the data is improved.
The second object of the present application is achieved by the following technical solutions:
an SFTP authorization system based on a portable operation and maintenance gateway, comprising:
the port forwarding module is used for forwarding the verification information to the sftp analysis module based on a preset forwarding rule;
the sftp data analysis module is used for analyzing the verification information based on a preset data analysis rule to obtain identity information;
the sftp data processing module is used for caching uploading information and downloading information based on preset uploading and downloading rules;
and the gateway authorization module is used for carrying out authorization processing on the request information of the client based on a preset authorization rule.
With this technical scheme, the port forwarding module forwards the verification information to the sftp data analysis module, the sftp data analysis module analyzes the verification information to obtain the user's identity information, and a connection is established between the sftp data processing module and the operation and maintenance device. When the operation and maintenance device performs an upload or download, the file to be uploaded or downloaded is cached and then checked and authorized by the gateway authorization module; after obtaining the gateway authorization module's authorization, the sftp data processing module performs the relevant processing on the cached file, so data security is ensured.
In summary, the present application includes at least one of the following beneficial technical effects:
1. Because unique identity information is built into the USBkey device, the USBkey device is connected to the server and the identity information is encrypted and transmitted to the server; after analysis the user's identity is authenticated, and the user can choose an upload or download operation as needed. During an upload a buffer file is newly created, the data of the file to be uploaded is written into it, upload authorization is applied for, and the buffer file is uploaded once authorization is approved; likewise, during a download a backup file is newly created, the data of the file to be downloaded is written into it, download authorization is applied for, and the backup file is transmitted directly once authorization is approved. In this process every operation must pass authorization before it can proceed, so the user's behaviour is monitored to a certain extent and data security is improved;
2. The upload information comprises the file to be uploaded and identity information; the identity information is extracted, the user's identity is authenticated, the user's authorities are looked up, and it is judged whether the user has upload authority. If yes, upload authority is granted; if not, it is refused and the cached file is cleared, so unauthorized operations by the user are reduced to a certain extent and the service program is safer and more orderly;
3. The download request comprises the basic information of the file to be downloaded and identity information; the identity information is extracted, the user's identity is authenticated, the user's authorities are looked up, and it is judged whether the user has download authority. If yes, download authority is granted; if not, it is refused and the cached file is cleared, so unauthorized operations by the user are reduced to a certain extent, the risk of data leakage is reduced, and the safety coefficient of the data is improved.
Drawings
Fig. 1 is a flowchart of an SFTP authorization method based on a portable operation and maintenance gateway provided in the present application.
Fig. 2 is a system block diagram of an SFTP authorization system based on a portable operation and maintenance gateway provided in the present application.
Fig. 3 is a schematic structural diagram of an electronic device provided in the present application.
In the figures: 100, port forwarding module; 200, sftp data analysis module; 300, sftp data processing module; 400, gateway authorization module; 501, CPU; 502, ROM; 503, RAM; 504, I/O interface; 505, input section; 506, output section; 507, storage section; 508, communication section; 509, driver; 510, removable media.
Detailed Description
The present application is described in further detail below with reference to the accompanying drawings.
The present embodiment is merely illustrative of the present application and is not intended to limit it; after reading this specification, those skilled in the art may make modifications to the embodiment as required without creative contribution, and such modifications are protected by patent law within the scope of the claims of the present application.
The embodiment of the application provides an SFTP authorization system based on a portable operation and maintenance gateway, which comprises the following components:
the port forwarding module 100 is configured to forward the verification information to the sftp data analysis module based on a preset forwarding rule;
the sftp data analysis module 200 is configured to analyze the verification information based on a preset data analysis rule to obtain identity information;
the sftp data processing module 300 is configured to cache a file to be uploaded and a file to be downloaded based on preset uploading and downloading rules;
the gateway authorization module 400 is configured to perform authorization processing on request information of the client based on a preset authorization rule.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the following method embodiments, and are not described herein again.
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
In addition, the term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. In this context, unless otherwise specified, the character "/" generally indicates that the associated objects are in an "or" relationship.
Embodiments of the present application are described in further detail below with reference to the drawings attached hereto.
The embodiment of the application provides an SFTP authorization method based on a portable operation and maintenance gateway, and the main flow of the method is described as follows.
As shown in fig. 1:
step S1: and acquiring verification information and request information, wherein the request information is an uploading request or a downloading request.
Specifically, in order to ensure the safety of the basic network environment, a firewall is first established: based on iptables rules, packet filtering rules are set so as to realize preliminary filtering of dangerous traffic. During filtering, a user with modification authority can change the filtering rules as needed so that the filtering meets actual requirements.
In order to further control the SFTP operation and maintenance device and thereby control the behaviour of operation and maintenance personnel, the SFTP operation and maintenance device and the USBkey device are connected through an interface. Unique identity information is built into the USBkey device and is encrypted with a built-in private key to obtain the encrypted identity information, namely the verification information. In this embodiment the identity information comprises a user name, the user's mobile phone number and a user code; in other embodiments it may be other information that can serve as an identity mark.
After the verification information is obtained, the SFTP operation and maintenance device connects to the gateway through the USBkey device, the verification information is transmitted to the SFTP data analysis module, and the next step is carried out.
Step S2: and analyzing the verification information according to a preset analysis rule to obtain identity information.
Specifically, the verification information is transmitted to the SFTP data analysis module after being filtered by the firewall. The public key of the USBkey device is stored in the SFTP data analysis module, and the verification information is decrypted with this public key to obtain the identity information of the USBkey device; the identity of the operation and maintenance personnel is thereby verified, the SFTP operation and maintenance device is successfully connected to the SFTP data processing module, and the SFTP data processing module sends a connection-success notification to the SFTP operation and maintenance device. This authentication method can authenticate the user's identity, intercept logins and connections by illegal users, and ensure the security of the network environment to a greater extent.
After the sftp data processing module is connected with the sftp operation and maintenance equipment, a user can further perform related operations on the sftp operation and maintenance equipment according to the needs, wherein the operations comprise uploading and downloading of files.
Since the user sends the upload or download request from the operation and maintenance device, in the following the operation and maintenance device is referred to as the request end.
When the user needs to perform uploading operation, the next step is entered.
Step S3: when the request information is an upload request: and obtaining uploading information, and storing the uploading information in a preset buffer area.
Specifically, the user sends a file upload request to the sftp analysis module, which receives and analyzes the upload information; the upload information comprises identity information, basic file information and file data. The sftp data processing module receives the SSH_FXP_OPEN message, creates a cache file, reads the SSH_FXP_OPEN data and completes the configuration of the cache file's basic information. It then receives SSH_FXP_WRITE messages and writes the data carried in each SSH_FXP_WRITE message into the cache file until an SSH_FXP_CLOSE message is received, at which point writing is finished and a complete cache file is formed whose content matches the file data carried in the upload information. The cache file is held in the cache area of the sftp data processing module, completing the cache file establishment process; the data is checked at the same time.
After the cache file is established, the sftp data processing module sends uploading request information.
Step S4: based on a preset first authorization rule, the uploading is authorized according to the identity information.
Specifically, the gateway authorization module receives the upload request information, accesses the database according to the identity information obtained in the preceding steps, checks the authorities held by the user and judges whether the user has upload authority. If yes, the gateway authorization module sends an authorization notice; the sftp data processing module reads the cache file and constructs SSH_FXP_WRITE messages until the file data has been completely transmitted to the storage end, then constructs an SSH_FXP_CLOSE message to indicate that the transfer is complete, and the uploaded file can later be retrieved and used via an input instruction. If the user does not have upload authority, the gateway authorization module refuses to authorize the upload request information and sends a refusal notification, and the sftp data processing module clears the cache file on receiving it so as to reduce the gateway's disk usage. The user's file upload behaviour is thereby controlled, the possibility of unauthorized operation is reduced, and data security is further improved.
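As an added example (not the patent's own code, and not an implementation of any real SFTP server), the following Python model runs steps S3 and S4 above, which are also the upload half of the summary in the Disclosure section: the cache file is assembled from the client's SSH_FXP_OPEN/WRITE/CLOSE packets, the data check runs while it is built, and the first authorization rule decides whether the cache file is forwarded to the storage end or cleared. Assumptions not in the patent: SFTP packets are plain dicts keyed by packet name, the permission database is a dict keyed by the user code from the identity information, the storage end is a dict, and the data check is a caller-supplied predicate (the patent does not say what the check inspects).

```python
"""Model of steps S3/S4: upload cache file plus first authorization rule.

Added example, not the patent's code. Packets, the permission database, the
storage end and the data check are all constructed stand-ins (assumptions)."""
from dataclasses import dataclass, field

CHUNK = 32 * 1024   # assumed payload size of each SSH_FXP_WRITE sent toward the storage end


@dataclass
class CacheFile:
    name: str
    data: bytearray = field(default_factory=bytearray)
    complete: bool = False      # set once SSH_FXP_CLOSE has been received
    flagged: bool = False       # set when the data check rejects a written chunk


def upload_packets(handle, filename, writes):
    """Constructed client side: the OPEN / WRITE* / CLOSE packets of one upload."""
    yield {"type": "SSH_FXP_OPEN", "handle": handle, "filename": filename}
    for offset, chunk in writes:
        yield {"type": "SSH_FXP_WRITE", "handle": handle, "offset": offset, "data": chunk}
    yield {"type": "SSH_FXP_CLOSE", "handle": handle}


class GatewayAuthorizationModule:
    """Step S4: looks up the authorities held under the user's identity information."""

    def __init__(self, permissions):
        self.permissions = permissions   # user code -> {"upload": bool, ...} (assumed layout)

    def may_upload(self, identity):
        _user_name, _phone, user_code = identity   # identity information from step S2
        return bool(self.permissions.get(user_code, {}).get("upload", False))


class SftpDataProcessingModule:
    """Step S3: assembles the cache file from the client's OPEN/WRITE/CLOSE packets."""

    def __init__(self, check=lambda chunk: True):
        self.cache = {}      # preset cache area: handle -> CacheFile
        self.check = check   # data check applied to every chunk as it is cached

    def handle_packet(self, pkt):
        kind = pkt["type"]
        if kind == "SSH_FXP_OPEN":
            self.cache[pkt["handle"]] = CacheFile(name=pkt["filename"])
        elif kind == "SSH_FXP_WRITE":
            cf = self.cache[pkt["handle"]]
            offset, chunk = pkt["offset"], pkt["data"]
            if not self.check(chunk):
                cf.flagged = True                  # dangerous data found: refuse later
            if offset > len(cf.data):              # writes may arrive out of order
                cf.data.extend(b"\0" * (offset - len(cf.data)))
            cf.data[offset:offset + len(chunk)] = chunk
        elif kind == "SSH_FXP_CLOSE":
            self.cache[pkt["handle"]].complete = True
        else:
            raise ValueError(f"unexpected packet during upload: {kind}")

    def request_upload(self, handle, identity, authz, storage):
        """Step S4: first authorization rule. Returns the number of SSH_FXP_WRITE
        packets forwarded to the storage end, or None when authorization is refused."""
        cf = self.cache[handle]
        if not cf.complete:
            raise RuntimeError("upload request sent before SSH_FXP_CLOSE")
        del self.cache[handle]               # the cache area is released either way
        if cf.flagged or not authz.may_upload(identity):
            return None                      # refused: cache file cleared, nothing forwarded
        forwarded = bytearray()
        sent = 0
        for offset in range(0, len(cf.data), CHUNK):
            # one rebuilt SSH_FXP_WRITE per chunk toward the storage end
            forwarded[offset:offset + CHUNK] = cf.data[offset:offset + CHUNK]
            sent += 1
        storage[cf.name] = bytes(forwarded)  # SSH_FXP_CLOSE: transfer complete
        return sent
```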
In addition, the request end can also perform downloading operation on the file and enter the next step.
Step S5: when the request information is a download request: and obtaining the download information and backing up the download information.
Specifically, the user sends a file download request from the request end. The sftp data processing module receives the SSH_FXP_OPEN message, creates a backup file, reads the SSH_FXP_OPEN data and completes the configuration of the backup file's basic information. It caches the SSH_FXP_READ message in memory and begins writing data into the backup file: on receiving the first SSH_FXP_READ message it parses the message to obtain the offset and byte length, constructs SSH_FXP_READ messages from that offset and length, sends 10 SSH_FXP_READ messages in succession to the request end and stores each message in a queue, where every message has the same length and the offset is accumulated. It should be noted that the SSH_FXP_READ message is meant for processing the downloaded file, and the sftp protocol flow is as follows: the request end sends SSH_FXP_READ to the sftp data processing module, which replies with SSH_FXP_DATA carrying the file content until the file has been completely returned, at which point it replies with SSH_FXP_STATUS (End of file). Sending 10 read instructions is an intermediate value; the number of read instructions sent can be changed according to the file size.
The request end receives the SSH_FXP_DATA and SSH_FXP_STATUS messages returned by the sftp data processing module, writes the file data into the backup file by parsing the SSH_FXP_DATA payload, and deletes the corresponding messages from the queue. If fewer than 2 messages remain in the queue and the SSH_FXP_STATUS (End of file) message from the sftp data processing module has not been received, the backup step is repeated. That is, the step above sends 10 read instructions, but if the file exceeds the estimated size the whole file cannot be backed up in one pass, so the backup step must be repeated until all of the file data has been backed up. After receiving the SSH_FXP_STATUS (End of file) message, the request end sends an SSH_FXP_CLOSE message to the sftp data processing module, completing the backup of the file to be downloaded. Since the user downloads the backup file, the probability of a connection being established between internal data and other devices is reduced to a certain extent, the internal data is protected to a certain extent, and the safety coefficient is improved.
Step S6: based on a preset second authorization rule, the downloading is authorized according to the identity information.
Specifically, the gateway authorization module accesses the database, checks each authority held by the user according to the identity information obtained in the preceding steps, and judges whether the user has download authority. If yes, the gateway authorization module sends authorization information, and the sftp data processing module constructs SSH_FXP_DATA messages from the dump held on the gateway and sends them to the request end; if the file size is exceeded, it responds with an SSH_FXP_STATUS (End of file) message. Exceeding the file size here means that the request end has sent 10 SSH_FXP_READ messages but the file has already been fully sent by, for example, the 8th SSH_FXP_DATA reply, so the following SSH_FXP_READ messages are answered with an SSH_FXP_STATUS (End of file) message. If the user does not have download authority, the gateway authorization module refuses to authorize the download request information and sends a refusal notification, and the sftp data processing module clears the backup file on receiving it so as to reduce the gateway's disk usage.
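As an added example (not the patent's own code, and not a real SFTP implementation), the following Python model runs the download backup of step S5 and the second authorization rule of step S6, which together are the download half of the Disclosure summary: SSH_FXP_READ messages are sent in batches of 10 with the same length and accumulating offsets and held in a queue, a new batch is sent when fewer than 2 reads remain pending and End of file has not been seen, and the reads that run past the end of the file are answered with SSH_FXP_STATUS (End of file). Assumptions not in the patent: the storage end is a dict of filename to bytes that answers each read at once, the sftp data processing module issues the batched reads itself, replies arrive in order, and the permission database is a dict keyed by user code.

```python
"""Model of steps S5/S6: batched-read backup file plus second authorization rule.

Added example, not the patent's code. The storage end, identity tuple and
permission database are constructed stand-ins (assumptions)."""
from collections import deque

BATCH_SIZE = 10       # SSH_FXP_READ messages sent per batch (value from the description)
REFILL_BELOW = 2      # send a new batch when fewer pending reads than this remain


def storage_read(storage, filename, offset, length):
    """Storage end's reply to one SSH_FXP_READ (assumed in-memory storage end)."""
    data = storage[filename][offset:offset + length]
    if not data:                     # at or beyond the end of the file
        return {"type": "SSH_FXP_STATUS", "status": "End of file"}
    return {"type": "SSH_FXP_DATA", "offset": offset, "data": data}


def backup_download(storage, filename, first_offset, length):
    """Step S5: build the backup file. Returns (backup bytes, SSH_FXP_READ count sent)."""
    backup = bytearray()
    pending = deque()          # queue of SSH_FXP_READ messages not yet answered
    next_offset = first_offset
    reads_sent = 0
    eof_seen = False

    def send_batch():
        nonlocal next_offset, reads_sent
        for _ in range(BATCH_SIZE):           # same length, offset accumulated
            pending.append({"type": "SSH_FXP_READ", "offset": next_offset, "length": length})
            next_offset += length
            reads_sent += 1

    send_batch()                              # batch after the first SSH_FXP_READ is parsed
    while pending:
        req = pending.popleft()               # reply received: delete it from the queue
        reply = storage_read(storage, filename, req["offset"], req["length"])
        if reply["type"] == "SSH_FXP_STATUS":
            eof_seen = True                   # remaining reads of the batch are past EOF too
            continue
        pos = reply["offset"] - first_offset
        if pos > len(backup):                 # tolerate a reply for a later offset
            backup.extend(b"\0" * (pos - len(backup)))
        backup[pos:pos + len(reply["data"])] = reply["data"]
        if len(pending) < REFILL_BELOW and not eof_seen:
            send_batch()                      # repeat the backup step for the rest of the file
    # an SSH_FXP_CLOSE would be sent to the storage end here: backup complete
    return bytes(backup), reads_sent


def serve_from_backup(backup, offset, length):
    """Step S6, authorized case: answer one SSH_FXP_READ from the dump on the gateway."""
    data = backup[offset:offset + length]
    if not data:                              # file size exceeded
        return {"type": "SSH_FXP_STATUS", "status": "End of file"}
    return {"type": "SSH_FXP_DATA", "offset": offset, "data": data}


def handle_download(storage, filename, first_offset, length, identity, permissions):
    """Steps S5 and S6 together. Returns (backup bytes or None if refused, reads sent)."""
    backup, reads_sent = backup_download(storage, filename, first_offset, length)
    _user_name, _phone, user_code = identity   # identity information from step S2
    if not permissions.get(user_code, {}).get("download", False):
        return None, reads_sent               # refused: backup file cleared from gateway disk
    return backup, reads_sent
```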
The embodiment of the application also discloses an electronic device. Referring to fig. 3, the electronic device includes a Central Processing Unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from the storage section 507 into a Random Access Memory (RAM) 503. The RAM 503 also stores various programs and data required for system operation. The CPU 501, ROM 502 and RAM 503 are connected to each other by a bus. An I/O (input/output) interface 504 is also connected to the bus.
The following components are connected to the I/O interface 504: an input section 505 including a keyboard, a mouse, and the like; an output portion 506 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage portion 507 including a hard disk or the like; and a communication section 508 including a network interface card such as a LAN card, a modem, and the like. The communication section 508 performs communication processing via a network such as the internet. The drive 509 is also connected to the I/O interface 504 as needed. A removable medium 510 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed on the drive 509 as needed, so that a computer program read therefrom is installed into the storage section 507 as needed.
In particular, according to embodiments of the present application, the process described above with reference to flowchart fig. 1 may be implemented as a computer software program. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a machine-readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 508, and/or installed from the removable media 510. The above-described functions defined in the apparatus of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 501.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The foregoing description covers only the preferred embodiments of the present application and explains the principles of the technology employed. Persons skilled in the art will appreciate that the scope of the application is not limited to the specific combinations of features described above; it is intended to cover other embodiments formed by any combination of the above features or their equivalents without departing from the spirit of the application, for example embodiments in which the above features are interchanged with (but not limited to) technical features of similar function disclosed in this application.

Claims (10)

1. An SFTP authorization method based on a portable operation and maintenance gateway is characterized by comprising the following steps:
acquiring verification information and request information, wherein the request information is an uploading request or a downloading request;
analyzing the verification information according to a preset analysis rule to obtain identity information;
when the request information is an upload request:
acquiring uploading information, and storing the uploading information in a preset cache area;
based on a preset first authorization rule, authorizing uploading according to the identity information;
when the request information is a download request:
acquiring downloading information and backing up the downloading information;
based on a preset second authorization rule, the downloading is authorized according to the identity information.
2. The SFTP authorization method based on a portable operation and maintenance gateway according to claim 1, wherein the method for obtaining verification information comprises:
identity information is built into a USBkey device;
and the identity information is encrypted with a private key built into the USBkey device to obtain the verification information.
3. The SFTP authorization method based on a portable operation and maintenance gateway according to claim 2, wherein the method for analyzing the verification information according to a preset analysis rule to obtain identity information comprises the following step:
decrypting the verification information according to a preset public key to obtain the identity information of the user.
4. The SFTP authorization method based on a portable operation and maintenance gateway according to claim 1, wherein the method for acquiring the uploading information and storing the uploading information in a preset cache area comprises the following steps:
acquiring uploading information;
creating a cache file according to the uploading information;
and reading target data in the uploading information, and writing the target data into a cache file.
5. The SFTP authorization method based on a portable operation and maintenance gateway according to claim 4, wherein the method for authorizing uploading according to the identity information based on the preset first authorization rule comprises:
inquiring and judging whether the user has uploading authority according to the identity information:
if yes, authorization is granted and the cache file is uploaded to a storage end.
6. The SFTP authorization method based on a portable operation and maintenance gateway according to claim 1, wherein the method for obtaining the download information and backing up the download information comprises the following steps:
acquiring downloading information;
creating a backup file according to the download information;
acquiring data corresponding to the storage end according to the download information to obtain download data;
and writing the downloaded data into the backup file.
7. The SFTP authorization method based on a portable operation and maintenance gateway according to claim 6, wherein the method for authorizing downloading according to the identity information based on the preset second authorization rule comprises:
inquiring and judging whether the user has downloading permission according to the identity information:
if yes, authorization is granted and the backup file is transmitted to the requesting end.
8. An SFTP authorization system based on a portable operation and maintenance gateway, characterized by comprising:
the port forwarding module (100) is used for forwarding the verification information to the sftp data analysis module (200) based on a preset forwarding rule;
the sftp data analysis module (200) is used for analyzing the verification information based on a preset data analysis rule to obtain identity information;
the sftp data processing module (300) is used for caching uploading information and downloading information based on preset uploading and downloading rules;
and the gateway authorization module (400) is used for carrying out authorization processing on the request information of the client based on a preset authorization rule.
9. An intelligent terminal comprising a memory and a processor, the memory having stored thereon a computer program capable of being loaded by the processor and performing the method according to any of claims 1 to 7.
10. A computer readable storage medium, characterized in that a computer program is stored thereon which can be loaded by a processor and which performs the method according to any one of claims 1 to 7.
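The method of claims 1 to 7, assembled into a runnable model so that the order of the steps (verify, cache or back up, then authorize) is visible. This is an added example and not code from the patent or its applicants. It assumes a Go program in which the USBkey is simulated in software, the "encrypt with the built-in private key / decrypt with the preset public key" step of claims 2 and 3 is modelled as an Ed25519 signature over the identity information, the single preset public key of claim 3 is generalised to one registered public key per user, and the cache area, backup area and storage end are in-memory maps. All identifiers (`VerificationInfo`, `USBKey`, `Gateway`, `Register`, `Upload`, `Download`, the user names and the file name) are this example's own, and the sample identity and file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// VerificationInfo is what the client presents: identity information from the USBkey plus
// the token's signature over it. The claims say "encrypt with the built-in private key /
// decrypt with a preset public key"; using an Ed25519 signature for that step is this
// example's assumption, not the patent's construction.
type VerificationInfo struct {
	Identity  []byte // here just the user name (constructed sample identity information)
	Signature []byte
}

// USBKey stands in for the hardware token; the private key never leaves it.
type USBKey struct {
	identity string
	priv     ed25519.PrivateKey
}

// NewUSBKey provisions a token and returns the public key the gateway should register.
func NewUSBKey(identity string) (*USBKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return &USBKey{identity: identity, priv: priv}, pub
}

// Verification builds the verification information of claim 2.
func (k *USBKey) Verification() VerificationInfo {
	raw := []byte(k.identity)
	return VerificationInfo{Identity: raw, Signature: ed25519.Sign(k.priv, raw)}
}

var ErrBadVerification = errors.New("verification information does not verify")
var ErrNotAuthorized = errors.New("identity has no permission for this request")

// Gateway holds the registered public keys (claim 3's preset public key, one per user here),
// the first/second authorization rules as permission sets (claims 5 and 7), and the preset
// cache area, the backup area and the storage end (claims 4 and 6).
type Gateway struct {
	trusted                map[string]ed25519.PublicKey
	canUpload, canDownload map[string]bool
	Cache, Backup, Storage map[string][]byte
}

// Register records a user's token public key and upload/download permissions.
func (g *Gateway) Register(user string, pub ed25519.PublicKey, upload, download bool) {
	if g.trusted == nil {
		g.trusted, g.canUpload, g.canDownload = map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]bool{}
		g.Cache, g.Backup, g.Storage = map[string][]byte{}, map[string][]byte{}, map[string][]byte{}
	}
	g.trusted[user], g.canUpload[user], g.canDownload[user] = pub, upload, download
}

// parseIdentity is claim 3's "preset analysis rule": the unverified user name only selects
// which key to check; nothing is trusted until the signature verifies under that key.
func (g *Gateway) parseIdentity(v VerificationInfo) (string, error) {
	user := string(v.Identity)
	pub, ok := g.trusted[user]
	if !ok || !ed25519.Verify(pub, v.Identity, v.Signature) {
		return "", ErrBadVerification
	}
	return user, nil
}

// Upload (claims 1, 4, 5): cache first; commit to the storage end only if the first rule passes.
func (g *Gateway) Upload(v VerificationInfo, name string, data []byte) error {
	user, err := g.parseIdentity(v)
	if err != nil {
		return err
	}
	g.Cache[name] = append([]byte(nil), data...) // cache file (claim 4)
	if !g.canUpload[user] {
		return ErrNotAuthorized
	}
	g.Storage[name] = g.Cache[name]
	return nil
}

// Download (claims 1, 6, 7): back up first; release to the requester only if the second rule passes.
func (g *Gateway) Download(v VerificationInfo, name string) ([]byte, error) {
	user, err := g.parseIdentity(v)
	if err != nil {
		return nil, err
	}
	data, ok := g.Storage[name]
	if !ok {
		return nil, fmt.Errorf("%q not found at the storage end", name)
	}
	g.Backup[name] = append([]byte(nil), data...) // backup file (claim 6)
	if !g.canDownload[user] {
		return nil, ErrNotAuthorized
	}
	return g.Backup[name], nil
}

func main() {
	var gw Gateway
	alice, alicePub := NewUSBKey("alice")
	gw.Register("alice", alicePub, true, false) // may upload, may not download
	fmt.Println("upload:", gw.Upload(alice.Verification(), "switch.cfg", []byte("constructed sample")))
	_, err := gw.Download(alice.Verification(), "switch.cfg")
	fmt.Println("download:", err) // denied, yet the backup file has already been written
}
```

Two properties of the claimed ordering are worth noticing in this model. First, the cache file (claim 4) and the backup file (claim 6) are written before the authorization decision, so a denied upload still leaves its payload in the cache area and a denied download still produces a backup copy; that gives the gateway a record of every attempt, but it also means the cache and backup areas hold data from unauthorized requests and need their own access control and retention limits. Second, the user name inside the verification information is untrusted input that only selects which registered key to verify against; a forged identity blob, or a token whose key was never registered, fails with `ErrBadVerification` before any permission table is consulted.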
CN202310347102.XA 2023-04-04 2023-04-04 SFTP (Small form-factor pluggable) authorization method and system based on portable operation and maintenance gateway Pending CN116074128A (en)
Publications (1)

Publication Number Publication Date
CN116074128A true CN116074128A (en) 2023-05-05

Family

ID=86175335
Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320471A1 (en) * 2006-03-23 2008-12-25 Mitsubishi Electric Corporation System-Program Download System
CN105323295A (en) * 2014-08-22 2016-02-10 航天恒星科技有限公司 Content distribution method, content transmission method, server, end node
CN106874399A (en) * 2017-01-16 2017-06-20 厦门天锐科技股份有限公司 A networked backup system and backup method
CN106936898A (en) * 2017-02-23 2017-07-07 中国银行股份有限公司 A cross-region file transmission method and system
CN107566407A (en) * 2017-10-20 2018-01-09 哈尔滨工程大学 A mutual-authentication secure data transmission and storage method based on USBkey
CN108881222A (en) * 2018-06-15 2018-11-23 郑州信大壹密科技有限公司 Strong identity authentication system and method based on PAM framework
CN112738167A (en) * 2020-12-18 2021-04-30 福建新大陆软件工程有限公司 File service opening method, device, equipment and medium based on API gateway
CN112866415A (en) * 2021-02-24 2021-05-28 上海泰宇信息技术股份有限公司 Data backup private cloud storage and downloading method
CN113010474A (en) * 2021-03-16 2021-06-22 中国联合网络通信集团有限公司 File management method, instant messaging method and storage server

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YUJINQIONG: "SFTP协议" (SFTP protocol), Retrieved from the Internet <URL:https://blog.csdn.net/yujinqiong/article/details/6665311> *
丛林隐者: "SFTP协议" (SFTP protocol), Retrieved from the Internet <URL:https://blog.csdn.net/ly131420/article/details/8741155> *
皮子2: "sftp协议内容" (Contents of the sftp protocol), Retrieved from the Internet <URL:https://blog.csdn.net/pzqingchong/article/details/73863275> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117651043A (en) * 2024-01-30 2024-03-05 天津创意星球网络科技股份有限公司 Multimedia file uploading method, device and system based on OSS service
CN117651043B (en) * 2024-01-30 2024-06-18 天津创意星球网络科技股份有限公司 Multimedia file uploading method, device and system based on OSS service

Legal Events

Date Code Title Description
20230505 PB01 Publication (application publication date: 20230505)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication