CN117478392A - Software definition boundary implementation method and system for scanning two-dimension code by using client APP - Google Patents
- Publication number: CN117478392A (application CN202311465038.1A)
- Authority: CN (China)
- Prior art keywords: authentication, service, spa, packet, application service
- Legal status: Pending
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0435—Confidential data exchange among entities communicating through data packet networks wherein the payload is protected and the sending and receiving entities apply symmetric encryption
- H04L63/0807—Authentication of entities using tickets, e.g. Kerberos
- H04L63/101—Access control lists [ACL]
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/306—Lawful interception, monitoring or retaining of communications: intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L9/40—Network security protocols
Abstract
The invention discloses a software defined perimeter (SDP) implementation method and system in which a client APP scans a two-dimensional code. Only the SDP system needs to be deployed; SPA single-packet authentication service logic is realized through a specific authentication flow, and a user can conveniently access a protected application service from a browser after quickly completing SPA authentication by scanning a code with a dedicated client APP, without installing a client program on the computer. The SDP system is deployed out of band (bypass deployment): it receives mirrored switch traffic and forwards no data, so performance is high; it monitors only the mirrored traffic related to the protected application service and blocks unauthenticated traffic, which effectively solves the performance problem of single-point deployment and the problem of legitimate access being wrongly intercepted, and avoids the situation in which a single-point failure makes the application service protected by the SDP system inaccessible. The control end of the SDP system does not need to establish a pre-connection with the client and therefore does not need to be exposed to the Internet, which prevents the control end from being compromised by an attacker and then authorizing arbitrary users.
Description
Technical Field
The invention relates to the technical field of secure data transmission, in particular to a software defined perimeter implementation method and system in which a client APP scans a two-dimensional code.
Background
A software defined perimeter (Software Defined Perimeter, SDP) is a network security architecture for providing secure access and connectivity to cloud environments and mobile devices. The main goal of SDP is to protect network resources and applications from external attacks while providing more flexible, extensible and customizable security.
SDP implements a "zero trust" security model in which only authenticated users and devices may connect to network resources. In the SDP architecture, network resources and applications are invisible, and only authorized users and devices can access them. SDP also provides further security functions such as dynamic access control, encrypted communication and threat detection.
The software defined perimeter (SDP) is a highly innovative network security solution proposed by the Cloud Security Alliance (CSA): access to resources is controlled according to the user's identity, and the target is protected by concealment rather than by conventional perimeter protection. The core idea is to create a logical access boundary, based on identity and context, around an application or a group of applications. Applications protected by SDP are hidden from direct discovery and access, and a trust broker or device restricts access to a set of designated entities; every entity must pass Single Packet Authentication (SPA) before access is allowed. Because the application resources are concealed, an attacker cannot see the target in the network and therefore cannot attack it, while the broker or device verifies the identity, context and policy compliance of each designated visitor, protecting the application resources and markedly reducing the attack surface.
The architecture of a conventional SDP software defined perimeter is shown in Fig. 1:
(1) The SDP controller establishes and maintains the access rules between clients and protected application services and opens policies for authorized clients and services; the access rules comprise keys and policies, are generated dynamically and are used only once;
(2) The SDP gateway controls and maintains network access between clients and protected application services;
(3) The SDP client initiates SPA authentication, establishes a connection with the SDP gateway after authentication is completed, and then communicates normally with the protected application service.
With this form of access control, network access by unauthorized users is masked and denied during the TCP three-way handshake, so no network connection can be established. The conventional SDP architecture completely shields the protected application service from unauthorized users through a single access control mechanism, can resist DDoS denial-of-service attacks, APT attacks, exploit attacks, scanning and probing, and effectively reduces the network's exposed surface.
However, the SDP client is only available as an executable client program, and the user must install the corresponding client program on the computer in order to use the SDP service. Secondly, the SDP gateway is deployed in-line at a single point in the network and, as the unified traffic entry for the protected application service, forwards all network traffic, so the network performance pressure is high, and once it goes down the protected application service is inaccessible. In addition, the SDP controller acts as the SPA control center, and both the client and the protected application service must connect to it over the network, so the SDP controller must be exposed to the Internet and is easy to attack; once the SDP controller is compromised, any user can be authorized and the security of the protected application service is threatened, and if it is maliciously shut down the protected application service may become inaccessible. Furthermore, because the SDP gateway is deployed in-line, it can only defend against attacks from the external network and cannot effectively defend against attacks from the intranet.
Disclosure of Invention
Aiming at the defects of the prior art, the invention aims to provide a software defined perimeter implementation method and system in which a client APP scans a two-dimensional code.
To achieve the above purpose, the invention adopts the following technical scheme:
A software defined perimeter implementation method in which a client APP scans a two-dimensional code comprises the following steps:
(1) Special registration information is generated for each protected application service in an SDP system; the special registration information comprises a service IP, a service port, an SPA authentication port, a service binding verification code, a single authentication effective duration, a public and private key pair and a symmetric encryption key;
(2) The user accesses the protected target application service through a browser;
(3) The SDP system monitors the access traffic of the unauthenticated user browser, intercepts the access, and returns to the user browser a two-dimensional code generated for the accessed service;
(4) The user installs a client APP on a mobile device, and the client APP obtains the service authentication information, comprising the SPA authentication port, the service binding verification code and the public key;
(5) The user scans the two-dimensional code loaded in the browser in step (3) with the client APP;
(6) The client APP parses the information in the two-dimensional code, constructs an authentication token using the service binding verification code obtained in step (4), and sends an SPA single-packet authentication data packet containing the authentication token to the target application service;
(7) The SDP system monitors the traffic in real time; when an SPA single-packet authentication data packet is observed, if the packet can be parsed successfully and the authentication token passes verification, SPA single-packet authentication is passed;
(8) After SPA single-packet authentication is passed, the SDP system binds the IP of the accessing user to the service IP and service port of the target application service, adds a pairwise whitelist entry between the user IP and the target application service, completes the SPA authentication process and authorizes the user; when, in subsequent network traffic monitoring, the IP of the currently authorized user is observed accessing the protected application service, the access packets are released to the target application service.
Further, for the access traffic of a user browser that has not passed SPA single-packet authentication: when the SDP system observes such a browser attempting to establish a connection with the target application service through the TCP three-way handshake, the SDP system sends a reset packet to both the unauthenticated user browser and the target application service to block the network connection.
Further, in step (1), the special registration information for a protected application service is generated in the SDP system as follows:
1) Create the protected application service in the SDP system and enter its service name, service IP, service port, SPA authentication port, service binding verification code and single authentication effective duration;
2) Generate an asymmetric public and private key pair and a symmetric encryption key for the protected application service. The public key is delivered to the client APP for storage and is used by the client APP to generate the authentication token; the private key is kept by the SDP system and is used to decrypt the received authentication token to obtain its plaintext. Both the SDP system and the client APP store the symmetric encryption key: the SDP system generates unique check data and encrypts it with the symmetric encryption algorithm, and the client APP decrypts the check data with the same algorithm to confirm the authenticity of the two-dimensional code;
3) After the information of the protected application service has been recorded, the SDP system starts monitoring all SPA single-packet authentication data packets sent to the service IP and SPA authentication port of the protected application service.
Further, in step (4), the user obtains the service IP, service port, public key, service binding verification code and SPA authentication port from the SDP system administrator, either offline or online, and the client APP must have this information before it can be used.
Further, in step (6), after the client APP computes the authentication token with its built-in token algorithm, the token is assembled into an SPA single-packet authentication data packet, which is sent to the service IP and SPA authentication port of the protected application service.
Further, the authentication token is ciphertext produced by the client APP by encryption with the public key; its content comprises a timestamp, the service binding verification code and the check data.
Further, in step (7), the SDP system verifies the authentication token as follows:
After observing an SPA single-packet authentication data packet in the network traffic, the SDP system filters for matching packets according to the service IP and corresponding SPA authentication port in its configuration list, extracts the authentication token from the packet and identifies the corresponding public and private key pair;
the SDP system then decrypts the authentication token with the private key. If decryption fails, the current SPA single-packet authentication data packet is discarded; if decryption succeeds, the plaintext of the authentication token is obtained and the check data, service binding verification code and timestamp in it are verified further. If the check data is incorrect, if the service binding verification code is incorrect, or if the difference between the timestamp in the token and the current system timestamp is greater than or equal to a preset threshold, verification fails; otherwise verification passes.
Further, in step (8), after authentication succeeds the user browser can access the protected application service normally; the SDP system keeps monitoring the traffic, requests from the user browser IP to the protected application service are released, and data is exchanged normally. Once the single authentication effective duration is exceeded, the pairwise whitelist entry between the user browser and the target application service expires, the SDP system blocks access from the user browser IP, and the user must scan the code again with the client APP and repeat SPA single-packet authentication.
The invention also provides a system for implementing the method, comprising an SDP system, a switch, application services, a user browser and a client APP; the SDP system, the application services, the user browser and the client APP interact through the switch.
The SDP system generates the special registration information for the protected application service, monitors access requests from unauthorized user browsers to the protected application service, authenticates and authorizes unauthorized user browsers according to steps (3), (7) and (8) of the method, releases access by authorized user browsers to the protected application service, and blocks access by unauthorized user browsers.
The client APP is installed on the user's mobile device and completes the authentication of the user browser through its interaction with the SDP system in steps (4) to (6) of the method.
The beneficial effects of the invention are as follows. Only the SDP system needs to be deployed, SPA single-packet authentication service logic is realized through a specific authentication flow, and the invention has the following advantages:
(1) The user can conveniently access the protected application service from a browser after quickly completing SPA authentication by scanning a code with the dedicated client APP, and does not need to install a client program on the computer;
(2) The SDP system is deployed out of band (bypass deployment): it receives mirrored switch traffic and forwards no data, so performance is high; it monitors only the mirrored traffic related to the protected application service and blocks unauthenticated traffic, which effectively solves the performance problem of single-point deployment and the problem of legitimate access being wrongly intercepted, and avoids the situation in which a single-point failure makes the application service protected by the SDP system inaccessible;
(3) The control end of the SDP system does not need to establish a pre-connection with the client and therefore does not need to be exposed to the Internet, which prevents the SDP system from being compromised by an attacker and then authorizing arbitrary users;
(4) The SDP system can mirror not only external-network traffic accessing the internal network, to defend against external access to internal resources, but also internal-network traffic accessing the internal network, realizing the SDP function when internal users access internal applications, protecting internal services and effectively resisting internal attacks;
(5) The SDP system realizes the protection function simply by being attached in parallel to the switch and mirroring the access traffic; it does not change the user's network structure, does not require modification of the protected application service, and can be deployed transparently.
Drawings
Fig. 1 is a diagram of a conventional SDP software defined perimeter;
Fig. 2 is a flow chart of the method of Embodiment 1 of the invention;
Fig. 3 is a flow chart of the method of Embodiment 2 of the invention;
Fig. 4 is a schematic diagram of the method of Embodiment 3 of the invention;
Fig. 5 is a flow chart of the method of Embodiment 3 of the invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. It should be noted that, although the embodiments provide a detailed implementation and a specific operating process on the premise of the technical solution, the protection scope of the invention is not limited to these embodiments.
Example 1
This embodiment provides a software defined perimeter implementation method in which a client APP scans a two-dimensional code. Applications and services are protected by an SDP system, which keeps the protected applications and services hidden, performs authorization and authentication of users, and grants access to the applications and services only after confirming the legitimate identity of the requester. As shown in Fig. 2, the method comprises the following steps:
(1) Special registration information is generated for each protected application service in the SDP system; it comprises a service IP, a service port, an SPA authentication port, a service binding verification code, a single authentication effective duration, a public and private key pair and a symmetric encryption key. In this embodiment, the SDP system is integrated hardware attached in parallel to the switch (bypass deployment) so as to receive the mirrored traffic.
(2) The user accesses the protected target application service through a browser.
(3) The SDP system monitors the access traffic of the unauthenticated user browser, intercepts the access, and returns to the user browser a two-dimensional code generated for the accessed service.
(4) The user installs a client APP on a mobile device, and the client APP obtains the service authentication information, comprising the SPA authentication port, the service binding verification code and the public key.
(5) The user scans the two-dimensional code loaded in the browser in step (3) with the client APP.
(6) The client APP parses the information in the two-dimensional code, constructs an authentication token using the service binding verification code obtained in step (4), and sends an SPA single-packet authentication data packet containing the authentication token to the target application service.
(7) The SDP system monitors the traffic in real time; when an SPA single-packet authentication data packet is observed, if the packet can be parsed successfully and the authentication token passes verification, SPA single-packet authentication is passed.
(8) After SPA single-packet authentication is passed, the SDP system binds the IP of the accessing user to the service IP and service port of the target application service, adds a pairwise whitelist entry between the user IP and the target application service, completes the SPA authentication process and authorizes the user; when, in subsequent network traffic monitoring, the IP of the currently authorized user is observed accessing the protected application service, the access packets are released to the target application service.
For the access traffic of a user browser that has not passed SPA single-packet authentication: when the SDP system observes such a browser attempting to establish a connection with the target application service through the TCP three-way handshake, the SDP system sends a reset packet to both the unauthenticated user browser and the target application service to block the network connection.
Any access by an unauthorized user browser is therefore blocked directly.
In this embodiment, in step (1), the special registration information for a protected application service is generated in the SDP system as follows:
1) Create the protected application service in the SDP system and enter its service name, service IP, service port, Internet mapping IP, Internet mapping port, SPA authentication port, interface redirect URL, service binding verification code, single authentication effective duration, creation time, remarks and status.
2) Generate an asymmetric public and private key pair and a symmetric encryption key for the protected application service. The public key is delivered to the client APP for storage and is used by the client APP to generate the authentication token; the private key is kept by the SDP system and is used to decrypt the received authentication token to obtain its plaintext. Both the SDP system and the client APP store the symmetric encryption key: the SDP system generates unique check data and encrypts it with the symmetric encryption algorithm, and the client APP decrypts the check data with the same algorithm to confirm the authenticity of the two-dimensional code.
3) After the information of the protected application service has been entered, the SDP system starts monitoring all UDP messages sent to the service IP and SPA authentication port of the protected application service.
More specifically, the client APP is a mobile application that runs on a mobile device such as the user's mobile phone or tablet (PAD).
In this embodiment, in step (4), the user may obtain the service IP, service port, public key, service binding verification code, SPA authentication port and similar information from the SDP system administrator either offline (e.g., copied from a USB disk) or online (e.g., by e-mail, social software or a network disk), and the client APP must have this information before it can be used.
Further, in step (6), after the client APP computes the authentication token with its built-in token algorithm, the token is assembled into an SPA single-packet authentication data packet, specifically a UDP authentication packet, which is sent to the service IP and SPA authentication port of the protected application service.
The client APP can resist reverse engineering through source code obfuscation, packing (shell adding) and similar measures, which avoids source code leakage and protects the security of the client authentication flow.
In this embodiment, in step (3), the data carried by the two-dimensional code is ciphertext encrypted with the SM4 symmetric encryption algorithm; its decrypted structure is: IP version | check data | authentication IP | authentication port | service port.
In this embodiment, the authentication token (Token) is ciphertext data encrypted by the client APP with the public key; its content comprises a timestamp (the local system timestamp when the client APP initiates the SPA authentication request), the service binding verification code and the check data, and the asymmetric encryption uses the SM2 algorithm.
Specifically, the authentication token is computed as: Token = PublicKeyEncrypt(timestamp-service binding verification code-check data).
In this embodiment, in step (7), the specific process of verifying the authentication token by the SDP system is:
after the SDP system monitors the SPA single-packet authentication data packet in the network flow, filtering the matched SPA single-packet authentication data packet according to the service IP and the corresponding SPA authentication port in the configuration list to obtain an authentication token in the SPA single-packet authentication data packet, and confirming the public and private key pair;
then, the SDP system adopts a private key to decrypt the authentication Token (Token), if decryption fails, the current SPA single-packet authentication data packet is abandoned, if decryption is successful, plaintext data of the authentication Token can be obtained, at the moment, the correctness of check data in the authentication Token is further verified, if the verification is incorrect, the current SPA single-packet authentication data packet is abandoned, if verification is successful, the SDP system takes out a timestamp in the authentication Token, calculates a difference value with the current timestamp of the system, if the difference value is smaller than 10 minutes, the authentication Token is considered to be valid, thereby further verifying a service binding verification code, otherwise, the current SPA single-packet authentication data packet is abandoned; when checking the service binding verification code, the SDP system uses the locally stored service binding verification code of the protected application service to compare with the service binding verification code in the authentication token sent by the client APP, and if the service binding verification code is the same, the SDP system considers that the verification is passed.
It should be noted that the checking order of the checking data, the time stamp and the service binding verification code may be exchanged, and only one embodiment of the checking order is given in this embodiment.
Further, in this embodiment, in step (8), after authentication succeeds the user browser can access the protected application service normally: the SDP system keeps monitoring traffic, requests from the user browser IP to the protected application service are passed, and data is exchanged normally. Once the single authentication effective duration has elapsed, the paired whitelist entry for the user browser and the target application service expires, the SDP system blocks access from the user browser IP, and the user must scan the code again with the client APP and repeat the SPA single-packet authentication.
Example 2
This embodiment provides a specific application example of the method described in embodiment 1, shown in fig. 3, with the following steps:
The first step: without verification, the browser initiates a connection to the Server; once the connection is established, the SDP system blocks it, i.e. it sends a blocking packet to the Server.
The second step: while blocking the Server side, if the detected protocol is HTTP, a two-dimensional code picture is generated from the request source IP, destination port, authentication IP, authentication port, service port and similar information (when deployed at a core switch, the destination IP and destination port are the intranet IP and port), and a response packet carrying it is constructed and returned to the browser.
The third step: when the browser receives the data returned by K01, it starts sending requests to the Server periodically; until it has been whitelisted, these requests fail.
The fourth step: meanwhile the browser page displays the two-dimensional code; after the client APP on the mobile phone scans it, the APP decrypts the two-dimensional code to obtain the check data (comprising the source IP, destination IP and port), the authentication IP, the authentication port and the service port.
The fifth step: the mobile phone constructs a UDP authentication packet and sends it to the authentication port of the authentication IP; the K01 device checks the authentication packet and whitelists the source IP once verification succeeds.
The sixth step: the browser requests again, and the request carries the feature by which a two-dimensional-code request is recognized; if the request hits the whitelist, contains the feature, and the policy configuration specifies a jump URL, a response packet redirecting to that URL is returned to the browser.
The seventh step: if a redirect URL was returned, the browser accesses the redirected URL.
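The content of the two-dimensional code from the second and fourth steps, with the check data sealed under the service's symmetric key as claim 3 describes, as an added Go example that is not the patent's own code. The JSON field names, AES-GCM as the symmetric algorithm, the "srcIP|dstIP|dstPort" check data layout, the client comparing the unsealed check data against the code's own addressing, and all addresses and keys are assumptions made here; rendering the text into an actual QR image is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// QRPayload is the text encoded into the two-dimensional code (Example 2 step 2); the JSON layout is constructed here.
type QRPayload struct {
	SrcIP, DstIP      string
	DstPort           int
	AuthIP            string
	AuthPort, SvcPort int
	SealedCheck       string // check data under the symmetric key: base64(nonce || AES-GCM ciphertext)
}

// gcm returns the AES-GCM AEAD for the service's symmetric encryption key from step (1).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the key is fixed at service registration; a bad length is a configuration bug
	}
	aead, _ := cipher.NewGCM(block) // NewGCM only fails for non-16-byte blocks, which AES never has
	return aead
}

// BuildQR is the SDP side: the check data "srcIP|dstIP|dstPort" is sealed so only the key holder (the client APP) can read it.
func BuildQR(key []byte, srcIP, dstIP string, dstPort int, authIP string, authPort, svcPort int) (string, error) {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	check := []byte(fmt.Sprintf("%s|%s|%d", srcIP, dstIP, dstPort))
	sealed := aead.Seal(nonce, nonce, check, nil) // nonce is prefixed to the ciphertext
	raw, _ := json.Marshal(QRPayload{srcIP, dstIP, dstPort, authIP, authPort, svcPort, base64.StdEncoding.EncodeToString(sealed)})
	return string(raw), nil
}

// ParseQR is the client APP side (Example 2 step 4): unseal the check data and require it to match the code's own addressing.
func ParseQR(key []byte, code string) (QRPayload, string, error) {
	var p QRPayload
	if json.Unmarshal([]byte(code), &p) != nil {
		return p, "", fmt.Errorf("unreadable two-dimensional code")
	}
	aead := gcm(key)
	sealed, err := base64.StdEncoding.DecodeString(p.SealedCheck)
	if err != nil || len(sealed) < aead.NonceSize() {
		return p, "", fmt.Errorf("malformed sealed check data")
	}
	check, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil || string(check) != fmt.Sprintf("%s|%s|%d", p.SrcIP, p.DstIP, p.DstPort) {
		return p, "", fmt.Errorf("check data does not verify: code is not genuine")
	}
	return p, string(check), nil
}
```

A code built under a different key, or one whose sealed check data was transplanted from a code with other addressing, fails in ParseQR, which is what lets the client APP reject a two-dimensional code the SDP system did not produce.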
Example 3
In this embodiment, taking access to a database and a VPN through the SDP system as the scenario, an application instance of SPA single-packet authentication and access control by the SDP system is given, as shown in fig. 4 and 5.
The first step: the SDP system continuously monitors network traffic and decides the user's network access permission from the access control list: 1) if the user's access traffic matches an allow rule, the SDP system passes the access; 2) if it matches a deny rule, the SDP system blocks the access directly; 3) if it matches no rule in the access control list, the second step is executed.
The second step: the SDP system continuously monitors the mirrored network traffic; when a UDP message is observed, it checks whether the destination port of the UDP message matches an SPA authentication port: if so, the third step is executed; if not, the UDP message is discarded.
The third step: the SDP system selects the private key matching the destination address and authentication port of the UDP message and uses it to decrypt the data part of the message: if decryption succeeds, the plaintext authentication token is obtained and the fourth step is executed; if decryption fails, the UDP message is discarded.
The fourth step: the SDP system takes the authentication timestamp, the service binding verification code and the check data from the plaintext authentication token and verifies the verification code: if the verification passes, the fifth step is executed; otherwise the UDP message is discarded.
The fifth step: the SDP system verifies the check data: if it passes, the sixth step is executed; otherwise the UDP message is discarded.
The sixth step: the SDP system checks whether the authentication timestamp contained in the UDP message is within the valid authentication time: if it is, single-packet authentication is complete, an access control rule is added for the source IP, destination IP and destination port of the UDP packet, and the client and the service are whitelisted as a pair; if the authentication timestamp has timed out, the UDP message is discarded.
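The SDP-side verification of the second to sixth steps above (the same checks as step (7) of embodiment 1 and claim 7), together with the client APP's construction of the encrypted token from step (6), as an added Go example that is not the patent's own code. RSA-OAEP as the public-key scheme, the JSON token layout, the "srcIP|dstIP|port" check data, the 10-minute window taken from embodiment 1, the whitelist map keyed "userIP->serviceIP:port", and all addresses and keys are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Token is the plaintext authentication token of claim 6 (CheckData constructed here as "srcIP|dstIP|port").
type Token struct {
	Timestamp   int64
	BindingCode string
	CheckData   string
}

// Service is the SDP system's registration record for one protected service (step (1)).
type Service struct {
	IP, BindingCode string
	Port, SPAPort   int
	ValidFor        time.Duration   // single authentication effective duration
	Priv            *rsa.PrivateKey // the public half is handed to the client APP
}

// ClientPayload is the client APP half of step (6): the token encrypted under the service public key.
func ClientPayload(pub *rsa.PublicKey, t Token) ([]byte, error) {
	plain, _ := json.Marshal(t)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// VerifySPA is the SDP half (Example 3 steps 2-6): svcs is keyed "serviceIP:spaPort", issued maps the check data the SDP
// put in QR codes to the browser IP each went to. Any error means "discard"; success installs the paired whitelist entry (step (8)).
func VerifySPA(svcs map[string]*Service, dstIP string, dstPort int, payload []byte,
	issued map[string]string, allow map[string]time.Time, now time.Time) (string, error) {
	svc, ok := svcs[fmt.Sprintf("%s:%d", dstIP, dstPort)] // step 2: destination must be a registered SPA port
	if !ok {
		return "", fmt.Errorf("not an SPA authentication port")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, svc.Priv, payload, nil) // step 3: matching private key
	var t Token
	if err != nil || json.Unmarshal(plain, &t) != nil || t.BindingCode != svc.BindingCode { // step 4
		return "", fmt.Errorf("undecryptable or malformed token, or service binding verification code mismatch")
	}
	userIP, ok := issued[t.CheckData] // step 5: only check data the SDP itself generated is accepted
	if age := now.Sub(time.Unix(t.Timestamp, 0)); !ok || age < 0 || age >= 10*time.Minute { // step 6
		return "", fmt.Errorf("unknown check data or timestamp outside the valid authentication time")
	}
	key := fmt.Sprintf("%s->%s:%d", userIP, svc.IP, svc.Port)
	allow[key] = now.Add(svc.ValidFor) // the pair lapses after the effective duration, forcing a rescan
	return key, nil
}
```

The expiry stored in allow is what the continuous monitoring of step (8) consults: once it has passed, the pair is treated as absent and the browser must scan again.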
Various modifications and variations of the present invention will be apparent to those skilled in the art in light of the foregoing teachings and are intended to be included within the scope of the following claims.
Claims (9)
1. A software defined boundary implementation method for scanning a two-dimensional code with a client APP, characterized by comprising the following steps:
(1) Generating special registration information for each protected application service in an SDP system, the special registration information comprising a service IP, a service port, an SPA authentication port, a service binding verification code, a single authentication effective duration, a public and private key pair and a symmetric encryption key;
(2) The user accesses the protected target application service through a browser;
(3) The SDP system monitors the access traffic of the unauthenticated user browser, intercepts the access, and returns to the user browser a two-dimensional code generated for the accessed service;
(4) The user installs a client APP on a mobile device, and the client APP obtains service authentication information comprising the SPA authentication port, the service binding verification code and the public key;
(5) The user scans the two-dimensional code loaded by the browser in step (3) with the client APP;
(6) The client APP parses the information in the two-dimensional code, constructs an authentication token using the service binding verification code obtained in step (4), and sends an SPA single-packet authentication data packet containing the authentication token to the target application service;
(7) The SDP system monitors the traffic in real time; when it observes the SPA single-packet authentication data packet, if the packet can be parsed successfully and the authentication token passes verification, the SPA single-packet authentication is passed;
(8) After the SPA single-packet authentication is passed, the SDP system binds the IP of the accessing user to the service IP and service port of the target application service, adds a paired whitelist entry between the user IP and the target application service, completes the SPA authentication process and authorizes the user; when, in subsequent network traffic monitoring, the IP of the currently authorized user is observed accessing the protected application service, the access message is passed to the target application service.
2. The method of claim 1, wherein, for user browser access traffic that has not passed SPA single-packet authentication, when the SDP system observes that such a user browser is attempting a TCP three-way handshake to establish a connection with the target application service, the SDP system sends a reset packet to the unauthenticated user browser and to the target application service respectively, blocking the network connection.
3. The method of claim 1, wherein in step (1) the special registration information for a protected application service is generated in the SDP system as follows:
1) A protected application service is newly created in the SDP system, and its service name, service IP, service port, SPA authentication port, service binding verification code and single authentication effective duration are entered;
2) An asymmetric public and private key pair and a symmetric encryption key are generated for the protected application service; the public key is delivered to the client APP for storage and is used by the client APP to generate the authentication token; the private key is kept by the SDP system and is used to decrypt the received authentication token to obtain its plaintext; both the SDP system and the client APP store the symmetric encryption key: the SDP system generates unique check data and encrypts it with a symmetric encryption algorithm, and the client APP decrypts the check data with the same algorithm to confirm the authenticity of the two-dimensional code;
3) Once the information of the protected application service has been recorded, the SDP system begins monitoring all SPA single-packet authentication data packets sent to the service IP and SPA authentication port of that protected application service.
4. The method of claim 1, wherein in step (4) the user obtains the service IP, the service port, the public key, the service binding verification code and the SPA authentication port from the SDP system administrator, either offline or online, and the client APP must hold this information before it can be used.
5. The method of claim 1, wherein in step (6), after the client APP computes the authentication token with a built-in token algorithm, the token is assembled into an SPA single-packet authentication data packet, which is sent to the service IP and SPA authentication port of the protected application service.
6. The method of claim 1, wherein the authentication token is ciphertext encrypted by the client APP with the public key, and its contents comprise a timestamp, the service binding verification code and the check data.
7. The method of claim 6, wherein in step (7) the SDP system verifies the authentication token as follows:
after the SDP system observes an SPA single-packet authentication data packet in the network traffic, it filters for packets matching a service IP and the corresponding SPA authentication port in its configuration list, extracts the authentication token from the matching packet, and identifies the public and private key pair;
then the SDP system decrypts the authentication token with the private key; if decryption fails, the current SPA single-packet authentication data packet is discarded; if it succeeds, the plaintext of the authentication token is obtained, and the check data, the service binding verification code and the timestamp in the token are verified: if any of the following occurs, namely the check data is incorrect, the service binding verification code is incorrect, or the difference between the timestamp in the token and the current system timestamp is greater than or equal to a preset difference threshold, verification fails; otherwise verification passes.
8. The method of claim 1, wherein in step (8), after authentication succeeds the user browser can access the protected application service normally: the SDP system keeps monitoring traffic, requests from the user browser IP to the protected application service are passed, and data is exchanged normally; once the single authentication effective duration has elapsed, the paired whitelist entry for the user browser and the target application service expires, the SDP system blocks access from the user browser IP, and the user must scan the code again with the client APP and repeat the SPA single-packet authentication.
9. A system implementing the method of any of claims 1-8, comprising an SDP system, a switch, an application service, a user browser and a client APP; the SDP system, the application service, the user browser and the client APP interact through the switch; the SDP system is attached to the switch in parallel as a bypass and receives mirrored traffic;
the SDP system is used to generate special registration information for the protected application service, monitor access requests from unauthorized user browsers to the protected application service, authenticate and authorize an unauthorized user browser according to steps (3), (7) and (8) of the method of any of claims 1-8, pass access by authorized user browsers to the protected application service, and block access by unauthorized user browsers to the protected application service;
the client APP is installed on the user's mobile device and completes the authentication of the user browser by interacting with the SDP system according to steps (4) to (6) of the method of any of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311465038.1A CN117478392A (en) | 2023-11-06 | 2023-11-06 | Software definition boundary implementation method and system for scanning two-dimension code by using client APP |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117478392A true CN117478392A (en) | 2024-01-30 |
Family
ID=89636010
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311465038.1A Pending CN117478392A (en) | 2023-11-06 | 2023-11-06 | Software definition boundary implementation method and system for scanning two-dimension code by using client APP |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117478392A (en) |
- 2023-11-06: CN CN202311465038.1A patent/CN117478392A/en, active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |