CN117375841A - Network access control method, system, electronic equipment and program product - Google Patents


Info

Publication number
CN117375841A
Authority
CN
China
Prior art keywords
request
terminal
authentication key
key
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311307851.6A
Other languages
Chinese (zh)
Inventor
李健
宋巍
王宁
宋思杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING DINGZHEN TECHNOLOGY CO LTD
Original Assignee
BEIJING DINGZHEN TECHNOLOGY CO LTD
Priority date
2023-10-10 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
2023-10-10
Publication date
2024-01-09
Application filed by BEIJING DINGZHEN TECHNOLOGY CO LTD; legal status: pending, request for substantive examination in force.

Classifications

    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: the above, involving digital signatures
    • H04L 9/3263: the above, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L 9/40: Network security protocols
    • H04L 63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 67/54: Network services; presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network access control method comprising the following steps: receiving a request data packet; if identification information is present in the request packet, matching the identification information to the authentication key of the request sender; computing a verification value from that authentication key and comparing it with the value to be verified carried in the request message, which the sender computed from the same authentication key; if the verification value matches the value to be verified, establishing or maintaining the connection; if the verification value does not match the value to be verified, not responding to the request or ending the connection; if no identification information is present in the request packet, not responding to the request.

Description

Network access control method, system, electronic equipment and program product
Technical Field
The invention belongs to the technical field of network communication security, and particularly relates to a network access control method, a network access control system, electronic equipment and a program product.
Background
Existing network access control schemes, whether firewall-based or proxy-based, are typically deployed at network entry points and critical nodes to protect the internal network from external threats.
Filtering can only be applied to traffic that actually passes through the firewall, so traffic and mutual access between terminals inside the network cannot be controlled, and a terminal located on the Internet outside the firewall cannot be protected at all.
Network access control is generally performed on the IP address, which stands in for the identity of the accessing terminal. An attacker can easily spoof an IP address, so IP-based access control cannot reliably determine whether the source terminal is genuine.
Disclosure of Invention
The invention addresses this by performing access-source control on the terminal itself, so that access control is no longer constrained by the network topology.
In this scheme a public/private key certificate identifies the terminal, and network access control is performed on the terminal's identity rather than its IP address by verifying authentication data.
In order to solve the problems, the invention adopts the following technical scheme:
a network access control method, comprising:
accepting the request data packet;
if identification information is present in the request packet,
matching the authentication key corresponding to the request sender according to the identification information;
calculating a verification value from the authentication key and comparing it with the value to be verified carried in the request message, which was calculated from the same authentication key;
if the verification value is consistent with the value to be verified, establishing connection or maintaining connection;
if the verification value is inconsistent with the value to be verified, not responding to the request or ending the connection;
if the identification information does not exist in the request data packet, the request is not responded.
Further, the identification information is generated by the control center in response to a registration request and issued to the requesting terminal.
Further, the authentication key is obtained by decrypting authentication response information, which the control center generates and issues in response to an authentication request.
Further, the identification information is matched to a unique authentication key.
Further, the authentication key is obtained as follows: the public key of a public/private key pair is uploaded to the control center,
while the private key of the pair is retained on the terminal that generated the pair;
the control center randomly generates an authentication key;
the control center encrypts the authentication key with the public key and transmits it to the generating terminal;
and the generating terminal decrypts the authentication key ciphertext with the private key of the pair to obtain the corresponding authentication key.
Further, the trusted terminal requests the authentication key from the control center at a preset interval.
Further, the method of requesting the authentication key is as follows:
at a preset interval, the control center responds to a request sent by at least one trusted terminal;
according to the access policy, the control center looks up the authentication keys of all trusted terminals, encrypts them with the requester's public key and transmits the encrypted keys to the trusted terminal that sent the request;
and the trusted terminal that sent the request decrypts them with its private key, thereby obtaining the authentication keys of all the trusted terminals.
The invention also provides a network control system comprising a control center, wherein:
the control center responds to a registration request by generating identification information and transmitting it to the terminal that sent the registration request;
the control center obtains the public key of the registering terminal from the registration request message;
the control center encrypts an authentication key with that public key and sends it to the terminal that generated the public key;
the control center looks up trusted-device authentication keys in response to a request and sends them to the requesting party according to a preset rule.
The invention also provides an electronic device, comprising:
the system comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the network access control method when executing the computer program.
The invention also provides a computer program product comprising a computer program/instruction which when executed by a processor implements the network access control method.
The beneficial effects of the invention are as follows:
1. The access policy is configured centrally in the control center while communication access control is enforced on the terminal; a terminal obtains its access control rules as long as it can reach the control center, independent of the network topology;
2. When the terminal is located on an external network, the access control rules remain in force as long as the terminal can reach the control center.
3. Access control or isolation between terminals inside the internal network can be achieved.
4. Access control or isolation between virtual machines can be achieved.
5. A private-key certificate identifies the terminal, which effectively defeats IP address spoofing.
6. Signature data is carried at the start of communication, and verifying it identifies the access-source terminal more accurately and reliably.
Drawings
FIG. 1 is a schematic diagram of a control direction of an embodiment of the present invention;
FIG. 2 is a schematic diagram of a terminal registration process according to one embodiment of the present invention;
FIG. 3 is a schematic diagram of obtaining visitor authentication keys according to one embodiment of the present invention;
FIG. 4 is a flow chart of access authentication according to one embodiment of the invention;
Detailed Description
The embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings; the embodiments described are only some embodiments of the invention, not all of them.
A preferred embodiment of the present invention is described in detail below with reference to the accompanying drawings. As shown in fig. 2:
when a new terminal joins the network, it first registers with the access control center;
the requesting terminal generates a public/private key pair;
the private key is stored on the requesting terminal and is never exported, so every device in the network holds a private-key certificate that identifies it;
in the registration request message the requesting terminal uploads its public key to the access control center, which manages the public-key certificates of all terminals;
the control center assigns the requesting terminal a "device ID" as its identification information; the device ID is the index of the terminal in the network and is returned to the registering terminal;
in one embodiment of the present invention, the "device ID" used as identification information is a random number issued by the control center;
the requesting terminal stores the "device ID" and keeps it unchanged across communications;
a device that has obtained a device ID is a trusted terminal of the network.
Data signed with a public/private key certificate is usually long and awkward to manage and transmit, so in this embodiment a symmetric authentication key stands in for the public/private key certificate signature:
the trusted terminal requests an authentication key from the access control center;
the access control center generates a piece of data as the authentication key, which is used to encrypt the authentication information;
the control center encrypts the authentication key with the terminal's public key and sends it to the trusted terminal that made the request;
the requesting terminal decrypts it with its private key to obtain the authentication key; only the terminal holding the matching private key can recover the correct authentication key.
Through these steps the requesting terminal obtains its authentication key; every terminal has one, and they all differ from each other.
An authentication key is valid only for a period of time and must be refreshed periodically.
As shown in fig. 3, the flow for obtaining visitor authentication keys is as follows:
S1, a trusted terminal in the controlled network requests the authentication keys of its visitors from the control center;
S2, the control center looks up the authentication keys of all trusted terminals permitted by the configured access policy;
S3, the control center encrypts those authentication keys with the requesting terminal's public key and sends the encrypted keys to the requesting terminal;
S4, the requesting terminal decrypts them with its own private key and stores them, and thus holds the authentication keys of all its visitors.
The requesting terminal runs this flow at a fixed interval; because authentication keys expire and the access policy may change, the visitor authentication keys are refreshed regularly through it.
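The registration flow of fig. 2 and the visitor-key flow of fig. 3, as an added example in Go; it is not part of the patent and not code of the applicant. The patent leaves the primitives open, so the example assumes RSA-OAEP with SHA-256 for encrypting keys to a terminal's public key, a 32-byte random authentication key, an 8-byte random device ID rendered as hex, and an access policy shaped as "target device ID -> device IDs permitted to access it". The type and function names, the policy shape and the key-rotation behaviour are this example's choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Terminal keeps its private key locally and never exports it.
type Terminal struct {
	priv        *rsa.PrivateKey
	DeviceID    string            // issued by the control center at registration
	AuthKey     []byte            // this terminal's own authentication key
	VisitorKeys map[string][]byte // visitor device ID -> that visitor's authentication key
}

// ControlCenter: registered public keys, current authentication keys and the access
// policy (target device ID -> permitted visitor IDs; the policy shape is assumed here).
type ControlCenter struct {
	pubKeys  map[string]*rsa.PublicKey
	authKeys map[string][]byte
	Policy   map[string][]string
}

func NewControlCenter() *ControlCenter {
	return &ControlCenter{map[string]*rsa.PublicKey{}, map[string][]byte{}, map[string][]string{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// NewTerminal generates the terminal's public/private key pair (first step of fig. 2).
func NewTerminal() *Terminal {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Terminal{priv: priv, VisitorKeys: map[string][]byte{}}
}

func (t *Terminal) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Register (fig. 2): store the uploaded public key under a fresh random device ID.
func (cc *ControlCenter) Register(pub *rsa.PublicKey) string {
	deviceID := hex.EncodeToString(randomBytes(8))
	cc.pubKeys[deviceID] = pub
	return deviceID
}

// sealFor encrypts a key with RSA-OAEP to one terminal, so only its private key opens it.
func (cc *ControlCenter) sealFor(deviceID string, key []byte) ([]byte, error) {
	pub, ok := cc.pubKeys[deviceID]
	if !ok {
		return nil, fmt.Errorf("unknown device ID %q", deviceID)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// IssueAuthKey (fig. 2): generate a fresh random authentication key for the terminal
// and return it sealed to that terminal. Calling it again rotates the key.
func (cc *ControlCenter) IssueAuthKey(deviceID string) ([]byte, error) {
	key := randomBytes(32)
	ct, err := cc.sealFor(deviceID, key)
	if err != nil {
		return nil, err
	}
	cc.authKeys[deviceID] = key // commit only once sealed to a registered terminal
	return ct, nil
}

// VisitorKeys (fig. 3): the current authentication key of every visitor the policy
// allows to reach the requester, each sealed to the requester.
func (cc *ControlCenter) VisitorKeys(requester string) (map[string][]byte, error) {
	sealed := map[string][]byte{}
	for _, visitor := range cc.Policy[requester] {
		if key := cc.authKeys[visitor]; key != nil { // skip visitors with no key issued yet
			ct, err := cc.sealFor(requester, key)
			if err != nil {
				return nil, err
			}
			sealed[visitor] = ct
		}
	}
	return sealed, nil
}

// Open recovers a sealed key; it fails for every terminal except the intended one.
func (t *Terminal) Open(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ct, nil)
}

// ReceiveVisitorKeys replaces the visitor table wholesale, so a visitor dropped
// from the policy disappears at the next periodic refresh.
func (t *Terminal) ReceiveVisitorKeys(sealed map[string][]byte) error {
	fresh := map[string][]byte{}
	for id, ct := range sealed {
		key, err := t.Open(ct)
		if err != nil {
			return err
		}
		fresh[id] = key
	}
	t.VisitorKeys = fresh
	return nil
}
```

Calling IssueAuthKey again is the periodic refresh of the embodiment: a requester that re-runs VisitorKeys and ReceiveVisitorKeys at its preset interval picks up rotated keys and loses any visitor removed from the policy, which is how the text handles both key expiry and policy changes. A ciphertext sealed to one terminal cannot be opened by another, which is the property the text relies on when it says only the holder of the matching private key obtains the correct key.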
As shown in fig. 4, the data channel between terminals in the controlled network proceeds as follows. In this embodiment the request source terminal is A (the "requester" in fig. 4) with authentication key KeyA, and the target terminal is B (the "receiver" in fig. 4) with authentication key KeyB.
Terminal A generates a random number, random A;
it builds the authentication plaintext "random A + additional data";
it encrypts "random A + additional data" with KeyA, and the result CipherVA is the value to be verified;
it builds the authentication information field, which consists of device ID, random A and CipherVA;
through these steps the authentication information is generated, and it is appended to the IP message and transmitted with it.
Terminal B receives the request message and, from the source "device ID", looks up the requester's authentication key KeyA;
it encrypts "random A + additional data" with KeyA in the same way to obtain the verification value;
it compares the computed verification value with the value to be verified carried in the IP message;
if they are consistent, the request message is confirmed to come from trusted terminal A and is allowed through.
If they are inconsistent, the request message is treated as coming from an untrusted terminal and is refused.
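The fig. 4 exchange together with the claim 1 decision, as an added Go example that is not taken from the patent or from any implementation by the applicant. The patent does not name the algorithm behind "encrypting random A + additional data with KeyA"; the example substitutes HMAC-SHA256 over the same inputs, a keyed verification value that cannot be produced or transplanted onto other additional data without the key. The wire layout of the authentication information field (a marker string, a length-prefixed device ID, a 16-byte random A, a 32-byte CipherVA), the reading of "additional data" as the request header bytes the field is attached to, and the replay check are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

const (
	marker   = "AUTH1" // hypothetical tag announcing the authentication field
	nonceLen = 16      // length of "random A"
	tagLen   = sha256.Size
)

// Verdict is the receiver's decision for one request packet (claim 1).
type Verdict int

const (
	Allow  Verdict = iota // values match: establish or keep the connection
	Reject                // identification present but values differ: refuse / end
	Ignore                // no usable identification information: do not respond
)

// computeTag derives the value to be verified. The patent says only "encrypt
// random A + additional data with Key A"; this example substitutes HMAC-SHA256
// over the same inputs, a keyed verification value that cannot be forged or
// transplanted onto different additional data without the key.
func computeTag(key, nonce, additional []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(nonce)
	m.Write(additional)
	return m.Sum(nil)
}

// BuildAuthField is terminal A's side: device ID, random A, CipherVA.
func BuildAuthField(deviceID string, key, additional []byte) []byte {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	var b bytes.Buffer
	b.WriteString(marker)
	b.WriteByte(byte(len(deviceID)))
	b.WriteString(deviceID)
	b.Write(nonce)
	b.Write(computeTag(key, nonce, additional))
	return b.Bytes()
}

// parseAuthField returns ok=false when the packet carries no identification information.
func parseAuthField(pkt []byte) (deviceID string, nonce, tag []byte, ok bool) {
	if len(pkt) < len(marker)+1 || string(pkt[:len(marker)]) != marker {
		return "", nil, nil, false
	}
	p := pkt[len(marker):]
	n := int(p[0])
	p = p[1:]
	if len(p) != n+nonceLen+tagLen {
		return "", nil, nil, false
	}
	return string(p[:n]), p[n : n+nonceLen], p[n+nonceLen:], true
}

// Receiver is terminal B: the visitor keys it fetched from the control center
// (fig. 3) plus the (device ID, random A) pairs it has already accepted.
type Receiver struct {
	VisitorKeys map[string][]byte
	seen        map[string]bool
}

func NewReceiver(keys map[string][]byte) *Receiver {
	return &Receiver{VisitorKeys: keys, seen: map[string]bool{}}
}

// Check applies claim 1 to one packet. An unknown device ID cannot be matched to
// a key, so it is treated like a packet without identification (no response).
// The replay check is this example's addition: random A is chosen by the sender,
// so without it a captured packet would verify again until KeyA rotates.
func (r *Receiver) Check(pkt, additional []byte) Verdict {
	deviceID, nonce, tag, ok := parseAuthField(pkt)
	if !ok {
		return Ignore
	}
	key, known := r.VisitorKeys[deviceID]
	if !known {
		return Ignore
	}
	if !hmac.Equal(computeTag(key, nonce, additional), tag) {
		return Reject
	}
	replayID := deviceID + ":" + string(nonce)
	if r.seen[replayID] {
		return Reject
	}
	r.seen[replayID] = true
	return Allow
}
```

Two properties of the described design are visible in the code. Because the verification value is symmetric, every receiver permitted to accept A's traffic holds KeyA and could produce A's field itself; this is consistent with the text handing out visitor keys only according to the access policy and limiting them to a validity period. And because random A is chosen by the sender rather than challenged by the receiver, a captured packet verifies again until KeyA rotates unless the receiver remembers the (device ID, random A) pairs it has accepted, which Check does for the lifetime of one key; the seen set should be cleared when the visitor keys are refreshed.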
The foregoing is only a preferred embodiment of the present invention, and the scope of the invention is not limited to it; equivalent substitutions or modifications made by any person skilled in the art according to the technical solution and inventive concept of the present invention fall within the scope of the invention.

Claims (10)

1. A network access control method, comprising:
accepting the request data packet;
if identification information is present in the request packet,
matching the authentication key corresponding to the request sender according to the identification information;
calculating a verification value from the authentication key and comparing it with the value to be verified carried in the request message, which was calculated from the same authentication key;
if the verification value is consistent with the value to be verified, establishing connection or maintaining connection;
if the verification value is inconsistent with the value to be verified, the connection is not responded or ended;
if the identification information does not exist in the request data packet, the request is not responded.
2. The network access control method according to claim 1, wherein the identification information is generated by the control center in response to a registration request and issued to the requesting terminal.
3. The network access control method according to claim 1, wherein the authentication key is obtained by decrypting authentication response information, which the control center generates and issues in response to an authentication request.
4. The network access control method according to claim 1, wherein the identification information is matched to a unique authentication key.
5. The network access control method according to claim 3, wherein the authentication key obtaining method is: uploading a public key in a public-private key pair to the control center, and reserving a private key in the public-private key pair generation terminal;
the control center randomly generates an authentication key;
the control center encrypts the authentication key by using the public key and transmits the authentication key to the generating terminal;
and the generating terminal decrypts the authentication key ciphertext based on the private key in the public-private key pair to obtain a corresponding authentication key.
6. The network access control method according to claim 1, wherein the trusted terminal requests the authentication key from the control center at a preset interval.
7. The network access control method according to claim 6, wherein the method of requesting an authentication key is:
based on a preset duration, the control center responds to a request sent by at least one trusted terminal;
based on the access strategy, the control center searches authentication keys of all the trusted terminals, encrypts the authentication keys of all the trusted terminals based on the public key of the requester and transmits the authentication keys to the trusted terminals sending the request;
and decrypting the authentication key based on the private key of the trusted terminal, and acquiring the authentication keys of all the trusted terminals by the trusted terminal sending the request.
8. A network control system, comprising:
a control center, wherein the control center responds to a registration request by generating identification information and transmitting it to the terminal that sent the registration request;
the control center obtains the public key of the registering terminal from the registration request message;
the control center encrypts an authentication key with that public key and sends it to the terminal that generated the public key;
the control center looks up trusted-device authentication keys in response to a request and sends them to the requesting party according to a preset rule.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 7 when executing the computer program.
10. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311307851.6A CN117375841A (en) 2023-10-10 2023-10-10 Network access control method, system, electronic equipment and program product


Publications (1)

Publication Number Publication Date
CN117375841A true CN117375841A (en) 2024-01-09

Family

ID=89397553


Country Status (1)

Country Link
CN (1) CN117375841A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117938544A (en) * 2024-03-19 2024-04-26 杭州海康威视数字技术股份有限公司 (Hangzhou Hikvision Digital Technology Co., Ltd.) Flow control method, device and equipment
CN117938544B (en) * 2024-03-19 2024-06-07 杭州海康威视数字技术股份有限公司 (Hangzhou Hikvision Digital Technology Co., Ltd.) Flow control method, device and equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination