CN117319023A - Method and device for establishing secure connection - Google Patents


Info

Publication number
CN117319023A
Authority
CN
China
Prior art keywords
password
component
mac information
connection request
response
Prior art date
Legal status
Pending
Application number
CN202311240955.XA
Other languages
Chinese (zh)
Inventor
李金英
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd; priority to CN202311240955.XA; published as CN117319023A (legal status: pending)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0869 Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
    • H04L63/083 Network architectures or network communication protocols for network security, for authentication of entities, using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security, for authentication of entities, based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/40 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols

Abstract

The disclosure provides a method and a device for establishing a secure connection, which can be applied to a first component in a zero trust system. The method comprises the following steps: calculating a first password according to the locally stored system identifier and the first MAC information; sending a first connection request to a second component in the zero trust system, wherein the first connection request comprises a first password and first MAC information; receiving a first response which is sent by the second component and corresponds to the first connection request, wherein the first response comprises a second password and second MAC information; calculating a first reference password according to the second MAC information and the locally stored system identifier; if the first reference password and the second password are consistent, a secure connection is established with the second component.

Description

Method and device for establishing secure connection
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for establishing a secure connection.
Background
The zero trust architecture (Zero Trust Architecture) is a network security concept and architecture model that aims to improve the security of data and systems. While traditional security models typically place trust in an enterprise's internal network, a zero trust architecture considers that no user, device, or network should be trusted, but rather verifies identity and rights at each access request.
The core principle of the zero trust architecture is to treat every resource and user within the network as a potential security risk and to require authentication and authorization. Unlike traditional perimeter defense, the zero trust architecture protects networks and data through multiple levels of authentication, access control, isolation, and monitoring.
SDP (Software Defined Perimeter) is a network security architecture that aims to ensure secure access to network resources and applications in a dynamic and programmable manner. Traditional network perimeter security relies on fixed firewalls and VPNs, whereas SDP protects enterprise networks more flexibly and securely by creating a software-defined, transparent access control boundary.
In existing zero trust architectures, the controller, the gateway and other components do not trust the user's client by default, but they do trust each other (gateway, controller and other non-user components) by default. When one of these non-user components is compromised or counterfeited, the authentication and authorization it performs on the user's client can no longer be relied upon; the security of the components in the existing zero trust architecture is therefore low.
Disclosure of Invention
In view of this, the present disclosure provides a method and apparatus for establishing a secure connection, so as to improve the security of a system.
In a first aspect, the present disclosure provides a method of establishing a secure connection, for use with a first component in a zero trust system, the method comprising: calculating a first password according to the locally stored system identifier and the first MAC information; sending a first connection request to a second component in the zero trust system, wherein the first connection request comprises a first password and first MAC information; receiving a first response which is sent by the second component and corresponds to the first connection request, wherein the first response comprises a second password and second MAC information; calculating a first reference password according to the second MAC information and the locally stored system identifier; if the first reference password and the second password are consistent, a secure connection is established with the second component.
In a second aspect, the present disclosure provides an apparatus for establishing a secure connection for use with a first component in a zero trust system, the apparatus comprising: the first computing module is used for computing a first password according to the locally stored system identifier and the first MAC information; the first sending module is used for sending a first connection request to a second component in the zero trust system, wherein the first connection request comprises a first password and first MAC information; the first receiving module is used for receiving a first response which is sent by the second component and corresponds to the first connection request, and the first response comprises a second password and second MAC information; the second calculation module is used for calculating a first reference password according to the second MAC information and the locally stored system identifier; and the connection module is used for establishing a secure connection with the second component if the first reference password is consistent with the second password.
In a third aspect, the present disclosure provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to cause the processor to perform the method provided in the first aspect of the present disclosure.
Therefore, with the method and device for establishing a secure connection provided by the present disclosure, a password is carried in the connection request and in the response exchanged between components, so that mutual authentication between the components is achieved and the security of the system is enhanced.
Drawings
FIG. 1 is a schematic diagram of a system architecture shown in the present specification according to an exemplary embodiment;
FIG. 2 is a flow chart of a method of establishing a secure connection provided by an embodiment of the present disclosure;
FIG. 3 is a flow chart of another method of establishing a secure connection provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of establishing a secure connection provided by an embodiment of the present disclosure;
fig. 5 is a device for establishing a secure connection according to an embodiment of the present disclosure;
fig. 6 is a hardware structure of a network device according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used in this disclosure to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. The word "if" as used herein may be interpreted as "when", "upon" or "in response to determining", depending on the context.
The following describes, with reference to fig. 1, a system architecture to which a method and an apparatus for establishing a secure connection may be applied according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
Fig. 1 is a schematic diagram of a system architecture shown in the present specification according to an exemplary embodiment.
As shown in fig. 1, the system may be a zero trust system, and the system architecture may include, for example, a controller, a terminal device, a gateway, and a server.
According to embodiments of the present disclosure, a gateway may be a device responsible for providing resource access services to authorized users. The gateway may provide resource access services to users authorized by the controller.
According to embodiments of the present disclosure, the controller may be a device responsible for authenticating the identity of the user and authenticating the user's access rights. The controller can have its own identity and rights management system, and an administrator can configure the identity information of the user and the access rights to the resources in the controller.
According to embodiments of the present disclosure, the server may be, for example, an application server or an API (Application Programming Interface) server. An application server provides the execution environment used to deploy, manage, and run an application, together with a series of services and middleware that enable the application to run and process requests from clients. The API server provides a programming interface for applications, a channel for unified access to data and operations; applications may communicate with the API server via HTTP (Hypertext Transfer Protocol) or other protocols to obtain the desired data or perform the desired operations.
According to embodiments of the present disclosure, the terminal device may be any of various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like. Various applications, such as an iNode client, a browser, etc., may be installed on the terminal device.
According to the embodiment of the disclosure, a user can use an iNode client or a browser in the terminal equipment to access an authentication center of the controller for user authentication.
After passing the authentication, the controller can issue all accessible gateway addresses and applications and APIs protected by each gateway to the terminal device.
The controller issues and dynamically updates the user's rights to access applications and APIs to the gateway.
The user may access the resource server behind the gateway through a web proxy or an SSL (Secure Socket Layer) VPN (Virtual Private Network) tunnel.
The method for establishing the secure connection provided by the embodiments of the present disclosure is described in detail below. Referring to fig. 2, fig. 2 is a flowchart of a method for establishing a secure connection according to an embodiment of the present disclosure. The method is applied to a first component, which may be any component in a zero trust system, and illustratively the component may include, for example, a terminal device, a gateway, a controller, etc. The method for establishing the secure connection provided by the embodiment of the disclosure can comprise the following steps.
Step 210, calculating a first password according to the locally stored system identification and the first MAC information.
According to embodiments of the present disclosure, the system identification may be, for example, an identifier (ID). The first MAC information is the MAC information of the first component. The MAC information may include, for example, a MAC address or information generated from a MAC address.
According to embodiments of the present disclosure, a system identification may be generated from the system identification parameters of each component in the zero trust system as a unique identification of the entire zero trust environment. And then distributed to each component and stored locally on the component.
According to the embodiment of the disclosure, the locally stored system identifier and the first MAC information may be calculated based on a predetermined algorithm to obtain the first password. The predetermined algorithm may comprise, for example, a hash algorithm. The predetermined algorithm may be pre-distributed to each component and stored locally to the component.
Step 220, a first connection request is sent to a second component in the zero trust system, where the first connection request includes a first password and first MAC information.
According to an embodiment of the present disclosure, the first connection request may be a connection request sent by the first component. The connection request may be used, for example, to request that a secure connection be established. The secure connection may comprise, for example, an SSL connection. The first MAC information may include, for example, MAC information of the first component.
Step 230, receiving a first response sent by the second component and corresponding to the first connection request, where the first response includes the second password and the second MAC information.
According to an embodiment of the present disclosure, after the second component receives the first connection request, the first password and the first MAC information in the first connection request may be verified. If the verification is passed, a first response may be returned to the first component.
According to an embodiment of the present disclosure, the second password may be calculated by the second component from the locally stored system identification and the second MAC information, for example.
Step 240, calculating the first reference password according to the second MAC information and the locally stored system identifier.
According to the embodiment of the disclosure, the first reference password may be obtained by calculating the second MAC information and the locally stored system identifier according to the same algorithm as the first password.
Step 250, determining whether the first reference password and the second password are identical.
If the first reference password and the second password are identical, step 260 is performed, and if the first reference password and the second password are not identical, step 270 is performed.
Step 260, establish a secure encrypted connection with the second component.
According to an embodiment of the present disclosure, if the first reference password and the second password are identical, it indicates that the second component is trusted and may be connected with the second component.
Step 270, refusing to connect with the second component.
According to embodiments of the present disclosure, if the first reference password and the second password are not consistent, indicating that the second component is not trusted, connection with the second component may be denied. If a connection is currently established with the second component, the connection may be disconnected.
According to the embodiment of the disclosure, the mutual authentication between the components can be realized by carrying the password in the connection request and the response between the components. Compared with unidirectional authentication, the security of the zero trust system can be enhanced by a mutual authentication method among components.
The more components in a zero trust system, the more important the secure connection between each other. According to the embodiment of the disclosure, the password is generated through the unique identification of the whole zero trust system, and the password carried in the connection request and the response between the components can reduce the risk of the system being attacked and improve the security.
Optionally, the connection request may include an extension field (extensions). On this basis, the first connection request may include a first extension field, and the first password and the first MAC information may be added in the first extension field. Correspondingly, the second component may obtain the first password and the first MAC information by identifying the first extension field in the first connection request.
Alternatively, component identification of each component in the zero trust system may be obtained, for example. A system identification is then generated based on the component identifications of each component. In this embodiment, the component identifier of each component in the zero trust system may be hashed to obtain a system identifier.
Referring to fig. 3, fig. 3 is a flowchart of another method for establishing a secure connection according to an embodiment of the present disclosure. The method is applied to a first component, which may be any component in a zero trust system. The method for establishing the secure connection provided by the embodiment of the disclosure may further include the following steps.
Step 310, receiving a second connection request sent by the third component, where the second connection request includes a third password and third MAC information.
According to an embodiment of the present disclosure, the second connection request may be a connection request sent by the third component. The third MAC information may include, for example, the MAC address of the third component. The third password may be calculated by the third component, according to the preset algorithm, from its own MAC information and the locally stored system identifier.
Step 320, calculating a second reference password according to the locally stored system identifier and the third MAC information.
According to the embodiment of the disclosure, for example, the locally stored system identifier and the third MAC information may be calculated according to a preset algorithm to obtain the second reference password.
Step 330, determining whether the second reference password is consistent with the third password. If the second reference password is consistent with the third password, steps 340-350 are performed, otherwise step 360 is performed.
Step 340, generating a fourth password according to the locally stored system identification and the first MAC information (the first component's own MAC information).
Step 350, sending a second response to the third component, the second response including the fourth password and the first MAC information.
According to embodiments of the present disclosure, if the second reference password is consistent with the third password, the third component is trusted and the corresponding response may be returned to it.
Step 360, refusing to connect with the third component.
If the second reference password is not consistent with the third password, the third component is not trusted and the connection with it may be denied. If a connection with the third component is currently established, it may be disconnected.
Optionally, the second response may include a second extension field, and the fourth password and the first MAC information may be added in the second extension field. Correspondingly, the third component may obtain the fourth password and the first MAC information by identifying the second extension field in the second response.
The method for establishing a secure connection provided by the embodiments of the present disclosure is described in detail below with reference to fig. 4, which is a schematic diagram of establishing a secure connection according to an embodiment of the present disclosure. As shown in fig. 4,
each component in the zero trust scheme acts as both client and server towards the others, none of them is trusted by default, and a secure connection can be established only after mutual authentication. The flow is as follows:
When the zero trust system is deployed, after each component is installed and the links between the components are up, a system identifier systemID is generated from the component identifiers of all components in the system and used as the unique identifier of the whole zero trust system.
The systemID is then distributed to every component in the zero trust system and kept locally on each component. If a component is updated or a new component is added, the zero trust system regenerates the systemID and pushes the new value to every component.
When an SSL connection is established between any two components, one acts as the client and the other as the server. The client initiates the connection request (ClientHello) to the server and adds two extension fields to the extensions field of the request: one carries its own MAC information, the other carries the password computed from its own MAC information and the systemID. The calculation method is fixed in advance and known throughout the system.
After receiving the ClientHello, the server reads the two extension fields, calculates a reference password from its local systemID and the MAC information sent by the client, and compares it with the password carried by the client. If they are inconsistent, the server disconnects immediately; if they are consistent, the server answers with the ServerHello and adds two extension fields to its extensions field in the same way: one carrying its own MAC information, the other the password computed from its own MAC information and the systemID.
After receiving the ServerHello, the client reads the two extension fields, calculates a reference password from its local systemID and the MAC information sent by the server, and compares it with the password carried by the server. If they are consistent, the negotiation completes and the SSL connection is established; otherwise the connection is dropped.
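The exchange just described (systemID generation at deployment, the two extension fields in ClientHello and ServerHello, and the reference-password check on each side) as an added worked example; it is not part of the patent and is not H3C's implementation. The patent leaves the "predetermined algorithm", the systemID derivation and the extension encoding unspecified, so the example assumes HMAC-SHA256 keyed with the systemID as the password function, SHA-256 over the sorted component identifiers as the systemID, and two private-use TLS extension types (0xFF01 for MAC information, 0xFF02 for the password) in the standard TLS 2-byte type/length encoding. Component names and MAC addresses are constructed sample data. The `CounterfeitServer` models the attack the patent motivates: a counterfeited gateway that accepts every client but does not hold the systemID, and is therefore rejected by the client-side check.

```python
"""Mutual component authentication of CN117319023A, modelled end to end.

Assumed (the patent does not fix these): HMAC-SHA256 keyed with the systemID as
the "predetermined algorithm"; SHA-256 over the sorted component identifiers as
the systemID; private-use TLS extension types 0xFF01 / 0xFF02 for MAC info and
password, in standard TLS type/length encoding inside ClientHello / ServerHello.
"""
import hashlib
import hmac
import struct

EXT_MAC_INFO = 0xFF01  # assumed private-use extension type: sender's MAC information
EXT_PASSWORD = 0xFF02  # assumed private-use extension type: password over that MAC


def generate_system_id(component_ids):
    """systemID of the whole deployment: hash over every component's identifier.
    Sorting makes the value independent of collection order, so all components agree."""
    joined = b"\x00".join(sorted(c.encode() for c in component_ids))
    return hashlib.sha256(joined).digest()


def compute_password(system_id, mac_info):
    """The 'password': predetermined algorithm over systemID and MAC info (HMAC-SHA256 assumed)."""
    return hmac.new(system_id, mac_info, hashlib.sha256).digest()


def encode_extensions(exts):
    """TLS extensions block: 2-byte total length, then (type, length, data) entries."""
    body = b"".join(struct.pack("!HH", ext_type, len(data)) + data for ext_type, data in exts)
    return struct.pack("!H", len(body)) + body


def decode_extensions(blob):
    """Parse a TLS extensions block into {type: data}, rejecting malformed lengths."""
    if len(blob) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    exts, off = {}, 2
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[off:off + 4])
        off += 4
        if off + ext_len > len(blob):
            raise ValueError("extension data overruns block")
        exts[ext_type] = blob[off:off + ext_len]
        off += ext_len
    return exts


class Component:
    """Any zero-trust component (controller, gateway, terminal); client or server as needed."""

    def __init__(self, name, mac_address, system_id):
        self.name = name
        self.mac = bytes.fromhex(mac_address.replace(":", ""))  # raw 6-byte MAC as MAC info
        self.system_id = system_id  # distributed at deployment time, kept locally

    def auth_extensions(self):
        """Steps 210/220 (client) and 340/350 (server): own MAC info plus password over it."""
        return [(EXT_MAC_INFO, self.mac),
                (EXT_PASSWORD, compute_password(self.system_id, self.mac))]

    def verify_peer(self, ext_blob):
        """Steps 240/250 and 320/330: recompute the reference password from the peer's MAC
        info and the local systemID, then compare in constant time."""
        try:
            exts = decode_extensions(ext_blob)
            peer_mac, peer_password = exts[EXT_MAC_INFO], exts[EXT_PASSWORD]
        except (ValueError, KeyError):
            return False  # malformed or missing fields: untrusted, disconnect
        reference = compute_password(self.system_id, peer_mac)
        return hmac.compare_digest(reference, peer_password)


class CounterfeitServer(Component):
    """A counterfeited component: accepts every ClientHello but does not hold the systemID."""

    def verify_peer(self, ext_blob):
        return True


def handshake(client, server):
    """Run the ClientHello/ServerHello exchange; return (client_accepts, server_accepts)."""
    client_hello_exts = encode_extensions(client.auth_extensions())
    if not server.verify_peer(client_hello_exts):
        return False, False  # server disconnects; no ServerHello is sent
    server_hello_exts = encode_extensions(server.auth_extensions())
    return client.verify_peer(server_hello_exts), True


if __name__ == "__main__":
    # Constructed sample deployment: identifiers and MAC addresses are made up.
    system_id = generate_system_id(["controller-01", "gateway-01", "terminal-01"])
    controller = Component("controller-01", "00:11:22:33:44:55", system_id)
    gateway = Component("gateway-01", "66:77:88:99:aa:bb", system_id)
    rogue = CounterfeitServer("rogue-gw", "66:77:88:99:aa:bb", generate_system_id(["rogue-gw"]))
    print("controller -> gateway:", handshake(controller, gateway))  # (True, True)
    print("controller -> rogue  :", handshake(controller, rogue))    # (False, True)
```

Two points a practitioner should keep in mind when reading the scheme this way. First, the password is a deterministic function of the systemID and a MAC address that itself travels in the clear in the hello messages, so a matching password proves possession of the systemID (membership in the deployment) rather than the freshness of this particular handshake; anything beyond that, such as binding the value to per-handshake data, is outside what the patent describes. Second, in a real TLS stack the extension check would run in the ClientHello/ServerHello callbacks alongside, not instead of, the usual certificate-based authentication of the connection.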
Based on the same inventive concept, the embodiment of the disclosure also provides a device for establishing a secure connection, which corresponds to the method for establishing the secure connection. Referring to fig. 5, fig. 5 is a schematic diagram of an apparatus for establishing a secure connection according to an embodiment of the present disclosure, where the apparatus is applied to a first component in a zero trust system, and the first component may be any component in the zero trust system. The apparatus may include:
a first calculating module 510, configured to calculate a first password according to the locally stored system identifier and the first MAC information;
a first sending module 520, configured to send a first connection request to a second component in the zero trust system, where the first connection request includes a first password and first MAC information;
a first receiving module 530, configured to receive a first response sent by the second component and corresponding to the first connection request, where the first response includes the second password and the second MAC information;
a second calculating module 540, configured to calculate a first reference password according to the second MAC information and the locally stored system identifier;
a connection module 550 for establishing a secure connection with the second component if the first reference password and the second password are identical.
Optionally, the means for establishing a secure connection may further include:
the second receiving module is used for receiving a second connection request sent by the third component, and the second connection request comprises a third password and third MAC information;
the third calculation module is used for calculating a second reference password according to the locally stored system identifier and third MAC information;
the fourth calculation module is used for calculating a fourth password according to the locally stored system identifier and the first MAC information if the second reference password is consistent with the third password;
and the second sending module is used for sending a second response to the third component, wherein the second response comprises the fourth password and the first MAC information.
Optionally, the first connection request may include a first extension field, and the apparatus for establishing a secure connection may further include:
and the first adding module is used for adding the first password and the first MAC information in the first extension field.
Optionally, the second response includes a second extension field, and the apparatus for establishing a secure connection may further include:
and the second adding module is used for adding the fourth password and the first MAC information in the second extension field.
Optionally, the means for establishing a secure connection may further include:
the acquisition module is used for acquiring the component identification of each component in the zero trust system;
and the generating module is used for generating a system identifier according to the component identifier of each component.
Based on the same inventive concept, the disclosed embodiments also provide a network device, as shown in fig. 6, including a processor 610, a transceiver 620, and a machine-readable storage medium 630, the machine-readable storage medium 630 storing machine-executable instructions capable of being executed by the processor 610, the processor 610 being caused by the machine-executable instructions to perform the method of establishing a secure connection provided by the disclosed embodiments. The device for establishing the secure connection shown in fig. 5 may be implemented by using a hardware structure of a network device as shown in fig. 6.
The machine-readable storage medium 630 may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one magnetic disk memory. Optionally, the machine-readable storage medium 630 may also be at least one storage device located remotely from the processor 610.
The processor 610 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In the presently disclosed embodiments, the processor 610 reads the machine-executable instructions stored in the machine-readable storage medium 630, and the machine-executable instructions cause the processor 610 itself, together with the transceiver 620 that it invokes, to perform the method of establishing a secure connection described in the presently disclosed embodiments.
Additionally, the disclosed embodiments provide a machine-readable storage medium 630 storing machine-executable instructions that, when invoked and executed by the processor 610, cause the processor 610 itself, together with the transceiver 620 that it invokes, to perform the method of establishing a secure connection described in the foregoing disclosed embodiments.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the disclosed solution. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
For the device for establishing a secure connection and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
The foregoing description of the preferred embodiments of the present disclosure is not intended to limit the disclosure, but rather to cover all modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present disclosure.

Claims (10)

1. A method of establishing a secure connection for a first component in a zero trust system, the method comprising:
calculating a first password according to the locally stored system identifier and the first MAC information;
sending a first connection request to a second component in the zero trust system, wherein the first connection request comprises a first password and first MAC information;
receiving a first response which is sent by the second component and corresponds to the first connection request, wherein the first response comprises a second password and second MAC information;
calculating a first reference password according to the second MAC information and the locally stored system identifier;
if the first reference password and the second password are consistent, a secure connection is established with the second component.
2. The method according to claim 1, wherein the method further comprises:
receiving a second connection request sent by a third component, wherein the second connection request comprises a third password and third MAC information;
calculating a second reference password according to the locally stored system identifier and the third MAC information;
if the second reference password is consistent with the third password, calculating a fourth password according to the locally stored system identifier and the first MAC information;
and sending a second response to the third component, wherein the second response comprises the fourth password and the first MAC information.
3. The method of claim 1, wherein the first connection request includes a first extension field, the method further comprising:
the first password and the first MAC information are added in the first extension field.
4. The method of claim 2, wherein the second response includes a second extension field, the method further comprising:
and adding the fourth password and the first MAC information in the second extension field.
5. The method according to claim 1, wherein the method further comprises:
acquiring a component identifier of each component in the zero trust system;
and generating the system identification according to the component identification of each component.
6. An apparatus for establishing a secure connection for use with a first component in a zero trust system, the apparatus comprising:
the first computing module is used for computing a first password according to the locally stored system identifier and the first MAC information;
the first sending module is used for sending a first connection request to a second component in the zero trust system, wherein the first connection request comprises a first password and first MAC information;
the first receiving module is used for receiving a first response which is sent by the second component and corresponds to the first connection request, and the first response comprises a second password and second MAC information;
the second calculation module is used for calculating a first reference password according to the second MAC information and the locally stored system identifier;
and the connection module is used for establishing a secure connection with the second component if the first reference password is consistent with the second password.
7. The apparatus of claim 6, wherein the apparatus further comprises:
the second receiving module is used for receiving a second connection request sent by a third component, and the second connection request comprises a third password and third MAC information;
a third calculation module, configured to calculate a second reference password according to the locally stored system identifier and the third MAC information;
a fourth calculation module, configured to calculate a fourth password according to a locally stored system identifier and the first MAC information if the second reference password is consistent with the third password;
and a second sending module, configured to send a second response to the third component, where the second response includes the fourth password and the first MAC information.
8. The apparatus of claim 6, wherein the first connection request comprises a first extension field, the apparatus further comprising:
and a second adding module, configured to add the first password and the first MAC information in the first extension field.
9. The apparatus of claim 7, wherein the second response comprises a second extension field, the apparatus further comprising:
and a second adding module, configured to add the fourth password and the first MAC information in the second extension field.
10. The apparatus of claim 6, wherein the apparatus further comprises:
the acquisition module is used for acquiring the component identification of each component in the zero trust system;
and the generation module is used for generating the system identification according to the component identification of each component.
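The exchange defined by claims 1 to 5, written out as an added example (not code from the patent or from the applicant): the initiator sends its password and MAC in an extension field, the responder verifies them against a locally computed reference, answers with its own password and MAC, and the initiator verifies that in turn. The patent does not fix how the password is derived from the system identifier and the MAC, so this example assumes HMAC-SHA256 keyed by the system identifier, and assumes the system identifier is a SHA-256 over the sorted component identifiers; all MACs and component names are constructed.

```python
import hashlib
import hmac


def generate_system_id(component_ids):
    """Claim 5: derive one system identifier from every component's identifier.
    Assumed construction: SHA-256 over the sorted identifiers (order-independent)."""
    return hashlib.sha256("\n".join(sorted(component_ids)).encode()).digest()


def compute_password(system_id, mac):
    """Assumed password function: HMAC-SHA256 keyed by the system id over the MAC."""
    return hmac.new(system_id, mac.lower().encode(), hashlib.sha256).hexdigest()


class Component:
    def __init__(self, mac, system_id):
        self.mac = mac                  # this component's own MAC information
        self.system_id = system_id      # locally stored system identifier
        self.connected = set()          # MACs with which a secure connection exists

    def build_request(self):
        """Claims 1 and 3: first password and first MAC go into an extension field."""
        ext = {"password": compute_password(self.system_id, self.mac), "mac": self.mac}
        return {"type": "connection_request", "ext": ext}

    def handle_request(self, request):
        """Claims 2 and 4: recompute a reference password from the request's MAC;
        on a match, answer with a password over this component's own MAC."""
        ext = request["ext"]
        reference = compute_password(self.system_id, ext["mac"])
        if not hmac.compare_digest(reference, ext["password"]):
            return None  # reject: sender does not hold the same system identifier
        self.connected.add(ext["mac"])
        ext = {"password": compute_password(self.system_id, self.mac), "mac": self.mac}
        return {"type": "response", "ext": ext}

    def verify_response(self, response):
        """Claim 1: compare the second password against a locally computed reference."""
        if response is None:
            return False
        ext = response["ext"]
        reference = compute_password(self.system_id, ext["mac"])
        if not hmac.compare_digest(reference, ext["password"]):
            return False
        self.connected.add(ext["mac"])
        return True


def run_handshake(initiator, responder):
    """Drive the full request/response exchange; True if both sides accepted."""
    return initiator.verify_response(responder.handle_request(initiator.build_request()))
```

Because the password depends only on the static system identifier and MAC, a deployment would normally bind it to a nonce or to the session transcript as well, which the claims leave open.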
Priority Applications (1)

Application Number: CN202311240955.XA (CN117319023A, en)
Priority Date: 2023-09-22
Filing Date: 2023-09-22
Title: Method and device for establishing secure connection
Status: Pending

Publications (1)

Publication Number: CN117319023A (en)
Publication Date: 2023-12-29

Family

ID=89296477

Country Status (1)

CN (1): CN117319023A (en)


Legal Events

Code: PB01 - Publication
Code: SE01 - Entry into force of request for substantive examination