CN117155717B - Authentication method based on identification password, and cross-network and cross-domain data exchange method and system - Google Patents
Authentication method based on identification password, and cross-network and cross-domain data exchange method and system Download PDFInfo
- Publication number
- CN117155717B CN117155717B CN202311432958.3A CN202311432958A CN117155717B CN 117155717 B CN117155717 B CN 117155717B CN 202311432958 A CN202311432958 A CN 202311432958A CN 117155717 B CN117155717 B CN 117155717B
- Authority
- CN
- China
- Prior art keywords
- user
- authentication
- access
- network
- cross
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 71
- 230000006854 communication Effects 0.000 claims abstract description 48
- 238000004891 communication Methods 0.000 claims abstract description 46
- 238000013475 authorization Methods 0.000 claims abstract description 22
- 238000011217 control strategy Methods 0.000 claims description 29
- 230000004044 response Effects 0.000 claims description 22
- 238000004422 calculation algorithm Methods 0.000 claims description 12
- 238000004364 calculation method Methods 0.000 claims description 11
- 238000006243 chemical reaction Methods 0.000 claims description 7
- 230000002457 bidirectional effect Effects 0.000 claims description 6
- 238000005516 engineering process Methods 0.000 claims description 5
- 238000005538 encapsulation Methods 0.000 claims 1
- 230000005540 biological transmission Effects 0.000 abstract description 7
- 230000008569 process Effects 0.000 description 7
- 230000003287 optical effect Effects 0.000 description 6
- 238000012795 verification Methods 0.000 description 5
- 238000001914 filtration Methods 0.000 description 4
- 238000002955 isolation Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000004888 barrier function Effects 0.000 description 2
- 230000004927 fusion Effects 0.000 description 2
- 210000001503 joint Anatomy 0.000 description 2
- 238000004806 packaging method and process Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The invention relates to an authentication method based on an identification password, a cross-network and cross-domain data exchange method and a system, and belongs to the technical field of information security. In the invention, all data messages used for communication across networks and domains are encapsulated by adopting encrypted UDP messages, and a front-end server arranged outside an intranet is used for carrying out single-package authorization authentication on an external network access user and then opening an identity authentication port to carry out identity authentication on the access user; before communication, the front-end server and the rear-end server deployed in the intranet adopt an authentication method based on an identification password to perform mutual authentication, each server performs identity authentication on an external network access user by using the authentication method based on the identification password, and each server performs access control on the access user and performs encryption transmission on communication data in communication. The method and the system can solve the problem of identity authentication consistency of the front server and the rear server during cross-network cross-domain data exchange and the problem of consistency of data access authority during execution of data exchange business.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an identification password-based authentication method, a cross-network and cross-domain data exchange method and a system.
Background
In the enterprise operation process, enterprise key assets refer to enterprise brands, intellectual capital and customer information, and all data generated in application and platform operations. Based on the consideration of different service requirements and data security, many enterprises establish networks bearing different service properties or different security protection levels, or protect enterprise key asset data by physically isolating an intranet, but in actual work, there are requirements of data security transmission among different networks, different network domains and different clouds, and data needs to be used by data exchange across networks and domains.
At present, data exchange among most different networks adopts an isolation barrier or a barrier device to realize bidirectional, unidirectional or bi-unidirectional transmission of data, and the development of simple data exchange products based on the data exchange is mature. However, the data security exchange system is a secure data exchange middleware product, and unlike the traditional software middleware product, the data security exchange system itself needs to perform two-way identity authentication and network security protection. To prevent malicious devices from accessing the system, two-way authentication needs to be performed on access devices/personnel and the like, and internal and external double-layer identity authentication is performed. The isolation gatekeeper or the optical gate device adopted in the current cross-network transmission mainly uses data exchange service and mainly depends on the data conversion capability of a front-end server and a rear-end server, and is not designed enough for the interactive capability of the application; for the front-end server, the front-end server is directly exposed to the outside, so that the front-end server becomes a key target of network attack, the risk of being attacked is increased, and an external attacker can use the external server to develop attack on the inside of the isolated network, so that the risk of losing secret disclosure is caused.
Disclosure of Invention
In view of the above analysis, the present invention aims to provide an authentication method based on an identification password, a cross-network cross-domain data exchange method and a system, which solve the problem of identity authentication consistency of front and rear servers during cross-network cross-domain data exchange, and the problem of consistency of data access authority during execution of data exchange service, and avoid data disclosure caused by attack.
In one aspect, the invention provides an authentication method based on an identification password, which specifically comprises the following steps:
user A based on user private key d A Public key W is declared to plaintext message M and to the user A Signing to obtain a signature result S A The method comprises the steps of carrying out a first treatment on the surface of the Wherein the user private key d A Generated by the system based on the identification cryptography and distributed to user a before communication begins;
user A is based on identity ID A Public key W is declared A And signature result S A Obtaining authentication messagingGiving the user B;
the user B calculates and obtains a binding coefficient l based on the received authentication message;
user B declares public key W based on system public key P A The binding coefficient l is calculated to obtain the public key P of the user A A ;
User B according to P A Decryption S A Obtaining signature information content M of A, and verifying the identity of A; the user A, B is both parties to the communication.
Further, the calculating the binding coefficient/based on the received authentication message includes:
obtaining an identity ID based on a received authentication message A Statement public key W A ;
Identification ID based on Hash algorithm A Calculating to obtain a system unique identifier H corresponding to the user A A ;
Statement public key W based on Hash algorithm A And sign H A The binding coefficient l is calculated by the following steps: l=h 256 (x WA ‖y WA ‖H A ) mod n, where x WA 、y WA To declare public key W A Is defined as the coordinates of the elliptic curve points.
Further, the H A The calculation method of (1) is as follows:
H A =H 256 (ENTL A ‖ID A ‖a‖b‖x G ‖y G ‖x Pub ‖y Pub ) Wherein, ENTL A Is ID A The lengths a and b are elliptic curve parameters, and x G 、y G Is the base point coordinate of elliptic curve, x Pub 、y Pub Is the elliptic curve point coordinates of the system public key P.
Further, the public key P A The calculation method of (1) is as follows: p (P) A =W A +[l]P。
The invention also provides a cross-network and cross-domain data exchange method, wherein all data messages used by the cross-network and cross-domain communication are encapsulated by adopting encrypted UDP messages, and the method specifically comprises the following steps:
a front server deployed outside an intranet and a rear server deployed inside the intranet are used as two communication parties to perform mutual authentication by adopting an authentication method based on an identification password so as to establish a control channel between the two communication parties;
the front-end server performs single-package authorization authentication on an external network access user, performs bidirectional authentication with the access user as two communication parties by adopting an authentication method based on an identification password after the single-package authorization authentication is passed, and sends the authentication information of the access user after the authentication is passed to the rear-end server;
the rear server is used as a user B, the access user is used as a user A, an authentication method based on an identification password is adopted for one-way authentication, the identity of the access user passing authentication is sent to a security center deployed in an intranet, a corresponding access control strategy issued by the security center is received, and meanwhile, the access control strategy is forwarded to a front server;
the front-end server controls the access request of the access user based on the access control strategy and forwards the access request to the rear-end server, and the rear-end server controls the access request of the access user based on the access control strategy and returns an encrypted response result and forwards the encrypted response result to the access user through the front-end server.
Furthermore, the front-end server and the back-end server are both used for realizing the encryption/decryption of UDP data and the conversion between UDP data and non-UDP protocol data.
Further, the front-end server performs single-packet authorization authentication on the external network access user, including: and taking the access user as a user A, taking the single-packet authorization authentication packet as a plaintext message, and taking the front-end server as a user B, and adopting an authentication method based on an identification password to carry out one-way authentication.
Further, the post server encrypts the response result according to the public key of the access user calculated when the access user is authenticated, and the access user decrypts the response result according to the private key of the access user.
On the other hand, the invention also provides a cross-network and cross-domain data exchange system, which comprises: the system comprises a security center and a rear server which are deployed inside a network, cross-network equipment which is deployed at the edge of the network, a front server and an application client which are deployed outside the network; wherein,
the security center is used for security management of the system and comprises the steps of realizing identification key distribution of the system, carrying out access control authorization aiming at a user and issuing a corresponding access control strategy;
the application client is used for providing the external network user with access to the network internal resources through the client program;
the front-end server is used for carrying out single-package authorization authentication on the external network access user, carrying out bidirectional authentication with the access user as two communication parties by adopting an authentication method based on an identification password after the single-package authorization authentication is passed, and sending the authentication information of the access user after the authentication is passed to the rear-end server; controlling the access request of the access user based on the received access control strategy and forwarding the access request to the rear-end server;
the post server is connected with the security center, and is used as a user B to carry out one-way authentication on the access user as a user A by adopting an authentication method based on an identification password, and sends the authenticated access user identity to the security center deployed in the intranet, receives a corresponding access control strategy issued by the security center and forwards the access control strategy to the pre server; controlling the access request of the access user based on the access control strategy, returning an encrypted response result, and forwarding the encrypted response result to the access user through a front-end server;
the cross-network device is used to block physical connections between the inside of the network and the outside of the network.
Furthermore, the front-end server and the rear-end server both use encrypted UDP messages to package the data messages when in communication, and the front-end server and the rear-end server can both realize the A encryption/decryption of UDP data and the conversion between UDP data and non-UDP protocol data.
The invention can realize at least one of the following beneficial effects:
aiming at the problem that the front-end service in the cross-network cross-domain access is easy to attack, a single-packet authorization technology is adopted to hide the address and the port of the front-end server, an authentication strategy of authentication before access is executed, and the firewall port opening or specific release rule is dynamically adjusted, so that the attack risk of the front-end server is reduced.
By using an asymmetric public key cryptosystem to carry out identity authentication on all parties in the communication process, certificates are not needed in the communication authentication process of all parties in the system, a public key is not needed to be directly transmitted, the public key of a user can be obtained in the authentication process in a calculation mode, namely, the identity authentication and the public key calculation process are combined, and man-in-the-middle attack can be effectively avoided.
By utilizing the technical characteristics of the off-line authentication of the identification key, the authentication is ensured not to depend on CA in the cross-network cross-domain communication, center authentication is not needed, the identity authentication of both communication parties is supported, and the method has the capabilities of the cross-domain authentication and the off-line authentication, so that the communication flow is simpler and the efficiency is higher. The encrypted UDP messages are adopted for packaging and transmitting during communication, and are in butt joint fusion with the existing cross-network cross-domain equipment, so that the overall safety of the system can be improved, the limit of cross-network cross-domain application access transmission data is broken through, and the application access efficiency is further improved.
The physical isolation of the internal network and the external network is realized by adopting the optical gate or the network gate, the special format UDP double unidirectional encryption communication protocol is adopted on the logic realization, only the double unidirectional connection between the front server and the rear server is supported, the TCP/IP protocol is refused to be adopted, all network connections with potential attacks on the internal network are physically isolated and blocked, the external attacker cannot directly invade, attack or destroy the internal network, and the safety of the internal host is ensured.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to designate like parts throughout the drawings;
FIG. 1 is a flow chart of a method embodiment two of a cross-network and cross-domain data exchange method;
FIG. 2 is a schematic diagram of an authentication method based on an identification password according to an embodiment of the method;
fig. 3 is a block diagram of a cross-network and cross-domain data exchange system according to an embodiment of the system.
Detailed Description
Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and together with the description serve to explain the principles of the invention, and are not intended to limit the scope of the invention.
Method embodiment one
The invention discloses an authentication method based on an identification password, which comprises the following steps:
user A based on user private key d A Public key W is declared to plaintext message M and to the user A Signing to obtain a signature result S A The method comprises the steps of carrying out a first treatment on the surface of the Wherein the user private key d A Generated by the system based on the identification cryptography and distributed to user a before communication begins;
user A is based on identity ID A Public key W is declared A And signature result S A The obtained authentication message is sent to the user B;
the user B calculates and obtains a binding coefficient l based on the received authentication message;
user B declares public key W based on system public key P A The binding coefficient l is calculated to obtain the public key P of the user A A ;
User B according to P A Decryption S A Obtaining signature information content M of A, and verifying the identity of A; the user A, B is both parties to the communication. User a is the sender of this authentication (authenticated party) and user B is the receiver of this authentication (authenticated party).
The authentication method can be used for bidirectional authentication or unidirectional authentication of both communication parties. When the method is used for two-way authentication of two communication parties, the user A and the user B in the method are transformed to perform two-time authentication; the user A is an authenticated party in the two authentications, and the user B is an authenticated party in the two authentications; in the case of one-way authentication, a sender (authenticated party) serves as user a, and a receiver (authenticated party) serves as user B to authenticate user a.
Specifically, the system where the two communication parties A, B are located is constructed by adopting a unified elliptic curve-based identification cryptography technology, and has globally unified system public and private keys and related elliptic curve parameters, wherein the system public key P and the elliptic curve parameters are disclosed.
According to the authentication method based on the identification password, when the receiver (user B) performs identity verification on the sender (user A), the user public key of the sender is obtained by calculation based on the verification message, and the system public key P is used in the calculation process, so that counterfeiting of a non-system public-private key pair can be avoided, and man-in-the-middle attack is effectively avoided.
Specifically, user A is based on user private key d A Public key W is declared to visible plaintext message content M (e.g. user name) and user a using an asymmetric digital signature algorithm (e.g. SM 2) A Digital signature is carried out on the content of (a), and the signature result is S A 。
Specifically, user A acts as the sender, based on its visible identity ID A Visible identification ID using Hash (e.g., SM 3) algorithm A Calculating and obtaining a system unique system identifier H with a fixed length A The calculation algorithm is as follows: h A =H 256 (ENTL A ‖ID A ‖a‖b‖x G ‖y G ‖x Pub ‖y Pub ) Wherein, ENTL A Is ID A The lengths a and b are elliptic curve parameters, and x G 、y G Is the base point coordinate of elliptic curve, x Pub 、y Pub Is the elliptic curve point coordinates of the system public key P.
Specifically, user A will identify the ID A Public key W is declared A And signature result S A Is packaged together to form an authentication message (ID A 、W A 、S A ) And sent to user B.
Specifically, user B receives an authentication message (ID A 、W A 、S A ) Then, H is calculated according to the Hash algorithm similar to the user A A 。
Specifically, the user B calculates and acquires a binding coefficient l by adopting a Hash algorithm, wherein the calculation algorithm is as follows: l=h 256 (x WA ‖y WA ‖H A ) mod n, where x WA 、y WA To declare public key W A Is defined as the coordinates of the elliptic curve points.
Specifically, public key P A The calculation method of (1) is as follows: p (P) A =W A +[l]P。
Specifically, user B uses a symmetric verification signature algorithm to verify the signature according to P A Decryption of signature result S A And obtaining signature information content M of A, thereby verifying the identity of A and completing one-way identity verification.
Fig. 1 is a schematic diagram of an authentication method based on an identification password according to this embodiment.
The authentication method based on the identification password disclosed by the embodiment ensures that authentication is not dependent on CA in cross-network cross-domain communication any more, supports identity authentication of both communication parties, has the capabilities of cross-domain authentication and off-line authentication, and can enable the communication flow to be simpler and the efficiency to be higher. The public key is generated by using the identification cipher algorithm and utilizing the user identity, so that the management of a public key cipher system is simple and low in complexity, and the public key cipher system has strong practicability in digital signature and digital encryption applications with limited resources.
Method embodiment II
Another embodiment of the present invention discloses a cross-network and cross-domain data exchange method (as shown in fig. 2), wherein all data messages used for cross-network and cross-domain communication are encapsulated by encrypted UDP messages, and the method specifically comprises the following steps:
a key manager performs management on a key system through a security center deployed in an intranet, generates identification keys for a cross-network front-end server, a rear-end server and a user, and distributes the keys to an external network access user and each server in an offline mode (for example, by using a U shield, optical disk recording and the like); (1 identification Key distribution as shown in FIG. 2)
A front-end server deployed outside an intranet and a rear-end server deployed inside the intranet perform data cross-network money transmission, and serve as two communication parties to perform mutual authentication (2 mutual identity authentication as shown in figure 2) by adopting an authentication method based on an identification password, and after authentication is successful, control channels are established between the two communication parties;
the front-end server performs single-package authorized authentication (3-package authorized authentication shown in figure 2) on an external network access user, performs two-way authentication (4-way identity authentication shown in figure 2) with the access user as two communication parties by adopting an authentication method based on an identification password after the single-package authorized authentication is passed, and sends the identity authentication information of the access user after the authentication is passed to the rear-end server;
the rear server is used as a user B, the access user is used as a user A, one-way authentication is carried out by adopting an authentication method based on an identification password (4 identity authentication shown in figure 2), the authenticated access user identity is sent to a security center deployed in an intranet, a corresponding access control strategy issued by the security center (5 access strategy issued shown in figure 2) is received, and meanwhile, the corresponding access control strategy is forwarded to a front server (5 access strategy issued shown in figure 2);
the front-end server controls the access request of the access user based on the access control strategy and forwards the access request to the rear-end server (6 application access request shown in fig. 2), and the rear-end server controls the access request of the access user based on the access control strategy and returns an encrypted response result (7 request response shown in fig. 2) and forwards the encrypted response result to the access user through the front-end server.
Specifically, the front-end server judges the validity of the request according to the URL of the access request and the identity authentication information of the access user and the received access control strategy (URL filtering shown in figure 2), and forwards the request message to the rear-end server; the post server judges the validity of the request according to the URL of the access request and the identity authentication information of the access user and the access control strategy (URL filtering shown in figure 2); the legal access request passing the double-layer check of the front-end server and the rear-end server is forwarded to the application server by the rear-end server; and the application server returns a response result according to the access request, encrypts through the rear-end server, transmits the response result to the front-end server across the network, and forwards the response result to the access user through the front-end server.
Furthermore, the front-end server and the back-end server are both used for realizing the encryption/decryption of UDP data and the conversion between UDP data and non-UDP protocol data.
Further, the front-end server performs single-packet authorization authentication on the external network access user, including: taking the access user as a user A, taking a single-packet authorization authentication packet sent by the user A as a plaintext message, and taking the front-end server as a user B, and performing one-way authentication by adopting an authentication method based on an identification password; when the authentication is passed, the firewall opens the authentication service port (the authentication between 3 and 4 shown in fig. 2), and performs subsequent authentication.
Further, the post server encrypts the response result according to the public key of the access user calculated when the access user is authenticated, and the access user decrypts the response result according to the private key of the access user.
According to the cross-network and cross-domain data exchange method disclosed by the embodiment, aiming at the problem that the front-end service is easy to attack in the cross-network and cross-domain access, a single-packet authorization technology is adopted to hide the address and the port of the front-end server, an authentication strategy of authentication before access is executed, and the firewall port opening is dynamically adjusted or a specific release rule is executed, so that the attack risk of the front-end server is reduced.
According to the embodiment, the identity authentication is carried out on each party in the communication process by using an asymmetric public key cryptosystem, certificates are not needed in the system, a public key is not needed to be directly transmitted, the public key of the user can be obtained in the authentication process in a calculation mode, namely, the identity authentication and the public key calculation process are combined, and man-in-the-middle attack can be effectively avoided.
According to the embodiment, the technical characteristics of the off-line authentication of the identification key are fully utilized, verification is not needed to be carried out in the cross-network and cross-domain communication without center authentication, identity authentication of both communication parties is supported, and the method has the capabilities of the cross-domain authentication and the off-line authentication, so that the communication flow is simpler and the efficiency is higher. The encrypted UDP messages are adopted for packaging and transmitting during communication, and are in butt joint fusion with the existing cross-network cross-domain equipment, so that the overall safety of the system can be improved, the limit of cross-network cross-domain application access transmission data is broken through, and the application access efficiency is further improved.
System embodiment
Another embodiment of the present invention discloses a cross-network and cross-domain data exchange system, as shown in fig. 3, including: the system comprises a security center and a rear server which are deployed inside a network, cross-network equipment which is deployed at the edge of the network, a front server and an application client which are deployed outside the network.
The security center is used for system security management, and comprises the steps of realizing system identification key distribution, carrying out access control authorization for users and issuing corresponding access control strategies.
Specifically, the application client is used for providing the external network user with access to the network internal resources through the client program. Specifically, an application client installs a special cross-network access client program, and an external network user uses an identification key distributed by an internal network security center to send a single-package authorization authentication package, identity authentication information and an access request through the client program.
Specifically, the front-end server is used for carrying out single-package authorization authentication on the external network access user, carrying out two-way authentication with the access user as two communication parties by adopting an authentication method based on an identification password after the single-package authorization authentication is passed, and sending the authentication information of the access user after the authentication is passed to the rear-end server; and controlling the access request of the access user based on the received access control strategy, executing data filtering of an application layer according to the URL of the request, directly acquiring static resources required by network access from an external network, and accessing the dynamic data resources required to be acquired into a gateway or transferring the gateway into a rear server of an internal network through a proxy.
Specifically, the post server is connected with the security center, and is used as a user B to perform one-way authentication on the access user as a user A by adopting an authentication method based on an identification password, and sends the authenticated access user identity to the security center deployed in the intranet, receives a corresponding access control strategy issued by the security center, and forwards the access control strategy to the pre server; and controlling the access request of the access user based on the access control strategy, realizing the secondary filtering of the application layer URL, encrypting the response result of the background application server, and forwarding the response result to the access user through the front-end server.
Furthermore, the front-end server and the rear-end server both use encrypted UDP messages to package the data messages when in communication, and the front-end server and the rear-end server can both realize the A encryption/decryption of UDP data and the conversion between UDP data and non-UDP protocol data.
In particular, the cross-network device is used to block physical connections between the inside of the network and the outside of the network. Specifically, the cross-network device is also implemented by using an optical gate or a network gate, where the optical gate/network gate is used to block the physical connection between the external network and the internal network, and in general, the network gate uses a solid-state switch read-write medium with multiple control functions to connect the information security devices of two independent host systems. Because the two independent host systems are isolated through the network gate, no physical connection exists between the internal network system and the external network system, the system logic is realized by adopting a special format UDP double unidirectional encryption communication protocol, only the double unidirectional connection between the front server and the rear server is supported, the TCP/IP protocol is refused to be adopted, all network connections with potential attacks on the internal network are physically isolated and blocked, the external attacker cannot directly invade, attack or destroy the internal network, and the safety of the internal host is ensured.
Specifically, the system realizes the access of the external network user to the internal network resource, realizes the cross-network secure communication, can exit the client after the access communication is completed, and the front and rear servers clear the access policy, release the related resource, return to the user identity authentication stage and wait for the next user access.
According to the cross-network and cross-domain data exchange system disclosed by the embodiment, the physical isolation of the internal network and the external network is realized by adopting the optical gate or the network gate, the special format UDP double unidirectional encryption communication protocol is adopted on the logic realization, only the double unidirectional connection between the front-end server and the rear-end server is supported, the TCP/IP protocol is refused to be adopted, all network connections with potential attacks on the internal network are physically isolated and blocked, the external attacker cannot directly invade, attack or destroy the internal network, and the safety of an internal host is ensured.
The embodiment provides a special cross-network access client program for an external network user, the external network user needs to use an identification key distributed by an internal network security center as an access credential to execute cross-network access, and the external network user implements single-package authorization authentication and identity authentication based on the identification key issued to the user, so that legal identities of all the cross-network users are ensured, and the security inside the network is ensured.
It should be noted that, the above embodiments are based on the same inventive concept, and the description is not repeated, and the description may be referred to each other.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.
Claims (9)
1. An identification password-based authentication method is characterized by comprising the following steps:
user A based on user private key d A Public key W is declared to plaintext message M and to the user A Signing to obtain a signature result S A The method comprises the steps of carrying out a first treatment on the surface of the Wherein the user private key d A From the system baseGenerating an identification password technology and distributing the identification password technology to a user A before communication starts;
user A is based on identity ID A Public key W is declared A And signature result S A The obtained authentication message is sent to the user B;
the user B calculates and obtains a binding coefficient l based on the received authentication message; the calculating the binding coefficient/based on the received authentication message includes: obtaining an identity ID based on a received authentication message A Statement public key W A The method comprises the steps of carrying out a first treatment on the surface of the Identification ID based on Hash algorithm A Calculating to obtain a system unique identifier H corresponding to the user A A The method comprises the steps of carrying out a first treatment on the surface of the Statement public key W based on Hash algorithm A And sign H A The binding coefficient l is calculated by the following steps: l=h 256 (x WA ‖y WA ‖H A ) mod n, where x WA 、y WA To declare public key W A Coordinates of elliptic curve points;
user B declares public key W based on system public key P A The binding coefficient l is calculated to obtain the public key P of the user A A ;
User B according to P A Decryption S A Obtaining signature information content M of A, and verifying the identity of A; the user A, B is both parties to the communication.
2. The authentication method of claim 1, wherein the H A The calculation method of (1) is as follows: h A =H 256 (ENTL A ‖ID A ‖a‖b‖x G ‖y G ‖x Pub ‖y Pub ) Wherein, ENTL A Is ID A The lengths a and b are elliptic curve parameters, and x G 、y G Is the base point coordinate of elliptic curve, x Pub 、y Pub Is the elliptic curve point coordinates of the system public key P.
3. Authentication method according to claim 1 or 2, characterized in that the public key P A The calculation method of (1) is as follows: p (P) A =W A +[l]P。
4. The cross-network and cross-domain data exchange method is characterized in that all data messages used by cross-network and cross-domain communication are encapsulated by adopting encrypted UDP messages, and the method comprises the following steps:
a front-end server deployed outside an intranet and a rear-end server deployed inside the intranet are used as two communication parties to perform mutual authentication by adopting the authentication method according to any one of claims 1-3 so as to establish a control channel between each other;
the front-end server performs single-package authorized authentication on the external network access user, performs bidirectional authentication with the access user as two communication parties after the single-package authorized authentication is passed, and sends the authentication information of the access user after the authentication is passed to the rear-end server;
the rear server is used as a user B, the access user is used as a user A, the authentication method as set forth in any one of claims 1-3 is adopted to carry out one-way authentication, the identity of the access user passing authentication is sent to a security center deployed in an intranet, the corresponding access control strategy issued by the security center is received, and meanwhile, the access control strategy is forwarded to a front server;
the front-end server controls the access request of the access user based on the access control strategy and forwards the access request to the rear-end server, and the rear-end server controls the access request of the access user based on the access control strategy and returns an encrypted response result and forwards the encrypted response result to the access user through the front-end server.
5. The cross-network and cross-domain data exchange method according to claim 4, wherein the front-end server and the back-end server are both used for implementing encryption/decryption of UDP data and conversion between UDP data and non-UDP protocol data.
6. The method for cross-network and cross-domain data exchange according to claim 4, wherein the pre-server performs single-packet authorization authentication on the external network access user, comprising: the access user is taken as a user A, the single-package authorization authentication package is taken as a plaintext message, the front-end server is taken as a user B, and the authentication method as claimed in any one of claims 1-3 is adopted for one-way authentication.
7. The cross-network and cross-domain data exchange method according to claim 6, wherein the post server encrypts the response result according to the public key of the access user calculated when authenticating the access user, and the access user decrypts the response result according to the own user private key.
8. A cross-network, cross-domain data exchange system, comprising: the system comprises a security center and a rear server which are deployed inside a network, cross-network equipment which is deployed at the edge of the network, a front server and an application client which are deployed outside the network; wherein,
the security center is used for security management of the system and comprises the steps of realizing identification key distribution of the system, carrying out access control authorization aiming at a user and issuing a corresponding access control strategy;
the application client is used for providing the external network user with access to the network internal resources through the client program;
the front server is used for carrying out single-package authorization authentication on the external network access user, carrying out bidirectional authentication with the access user as two communication parties by adopting the authentication method according to any one of claims 1-3 after the single-package authorization authentication is passed, and sending the identity authentication information of the access user after the authentication is passed to the rear server; controlling the access request of the access user based on the received access control strategy and forwarding the access request to the rear-end server;
the rear server is connected with the security center, and is used as a user B to carry out one-way authentication on the access user serving as a user A by adopting the authentication method as set forth in any one of claims 1-3, and sends the authenticated access user identity to the security center deployed in the intranet, receives a corresponding access control strategy issued by the security center and forwards the access control strategy to the front server; controlling the access request of the access user based on the access control strategy, returning an encrypted response result, and forwarding the encrypted response result to the access user through a front-end server;
the cross-network device is used to block physical connections between the inside of the network and the outside of the network.
9. The cross-network and cross-domain data exchange system according to claim 8, wherein the front-end server and the rear-end server both use encrypted UDP messages for encapsulation, and both the front-end server and the rear-end server can implement encryption/decryption of UDP data and conversion between UDP data and non-UDP protocol data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311432958.3A CN117155717B (en) | 2023-11-01 | 2023-11-01 | Authentication method based on identification password, and cross-network and cross-domain data exchange method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311432958.3A CN117155717B (en) | 2023-11-01 | 2023-11-01 | Authentication method based on identification password, and cross-network and cross-domain data exchange method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117155717A CN117155717A (en) | 2023-12-01 |
| CN117155717B true CN117155717B (en) | 2024-01-05 |
Family
ID=88901291
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311432958.3A Active CN117155717B (en) | 2023-11-01 | 2023-11-01 | Authentication method based on identification password, and cross-network and cross-domain data exchange method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117155717B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2005136965A (en) * | 2003-10-10 | 2005-05-26 | Matsushita Electric Ind Co Ltd | Encryption apparatus, decryption apparatus, secret key generation apparatus, and copyright protection system |
| CN101060530A (en) * | 2007-05-22 | 2007-10-24 | 赵运磊 | Repudiation Internet key exchange protocol |
| CN116961911A (en) * | 2022-04-13 | 2023-10-27 | 中国移动通信有限公司研究院 | Information processing method and device and communication equipment |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| MXPA04002721A (en) * | 2001-09-27 | 2004-07-05 | Matsushita Electric Ind Co Ltd | An encryption device, a decrypting device, a secret key generation device,a copyright protection system and a cipher communication device. |
-
2023
- 2023-11-01 CN CN202311432958.3A patent/CN117155717B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2005136965A (en) * | 2003-10-10 | 2005-05-26 | Matsushita Electric Ind Co Ltd | Encryption apparatus, decryption apparatus, secret key generation apparatus, and copyright protection system |
| CN101060530A (en) * | 2007-05-22 | 2007-10-24 | 赵运磊 | Repudiation Internet key exchange protocol |
| CN116961911A (en) * | 2022-04-13 | 2023-10-27 | 中国移动通信有限公司研究院 | Information processing method and device and communication equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117155717A (en) | 2023-12-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Rescorla et al. | Guidelines for writing RFC text on security considerations | |
| Aiello et al. | Efficient, DoS-resistant, secure key exchange for internet protocols | |
| US7039713B1 (en) | System and method of user authentication for network communication through a policy agent | |
| Aiello et al. | Just fast keying: Key agreement in a hostile internet | |
| JP4847322B2 (en) | Double-factor authenticated key exchange method, authentication method using the same, and recording medium storing program including the method | |
| KR100811419B1 (en) | Countermeasure Against Denial-of-Service Attack in Authentication Protocols Using Public-Key Encryption | |
| CN1833403B (en) | Communication system, communication device and communication method | |
| Molva | Internet security architecture | |
| JP5334104B2 (en) | All exchange session security | |
| US20080028225A1 (en) | Authorizing physical access-links for secure network connections | |
| US7930542B2 (en) | MashSSL: a novel multi party authentication and key exchange mechanism based on SSL | |
| US7055170B1 (en) | Security mechanism and architecture for collaborative software systems using tuple space | |
| Petullo et al. | MinimaLT: minimal-latency networking through better security | |
| CN111740964B (en) | Remote synchronous communication method, mimicry virtual terminal, heterogeneous executive body and medium | |
| EP1687933B1 (en) | Method, system, network and computer program product for securing administrative transactions over a network | |
| CN112637136A (en) | Encrypted communication method and system | |
| CN111935213A (en) | Distributed trusted authentication virtual networking system and method | |
| WO2023174143A1 (en) | Data transmission method, device, medium and product | |
| Cheng | An architecture for the Internet Key Exchange protocol | |
| CN112769568B (en) | Security authentication communication system and method in fog computing environment and Internet of things equipment | |
| CN111224968B (en) | Secure communication method for randomly selecting transfer server | |
| CN117155717B (en) | Authentication method based on identification password, and cross-network and cross-domain data exchange method and system | |
| Wan et al. | DoS-resistant access control protocol with identity confidentiality for wireless networks | |
| Akhmetzyanova et al. | Continuing to reflect on TLS 1.3 with external PSK | |
| Rescorla et al. | RFC3552: Guidelines for Writing RFC Text on Security Considerations |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |