FR3136075A1 - Security infrastructure; process and associated computer program product. - Google Patents

Abstract

Security infrastructure; process and associated computer program product. This infrastructure for securing the connection via the Internet between a client (10) and a server (24), the server providing a service (23), is a Darknet infrastructure comprising: a Darknet network (43); a client agent (41) executed by the client (10) and storing a client configuration file (T); a server agent (42) running on the server (24) and storing a server configuration file (F); and a controller (44), comprising a database (B) storing configuration information, the controller being accessible through the Darknet network (43) by the client agent (41), respectively by the server agent (42 ), to receive client or server configuration information, allowing the client or server configuration file to be updated. Figure for abstract: Figure 1

Description

Security infrastructure; process and associated computer program product.

The present invention relates to the field of computer network security.

The Internet has been largely based on the TCP/IP model since its inception. According to this model, the services made available to users on the internet are “exposed” to the whole world. As examples of service, we can cite a Web application – that is to say an application that can be manipulated directly online using a remote browser, a VPN application – that is to say an application allowing the establishment of a communication tunnel secure, an API application – that is to say an application providing basic functionality to a remote application, etc.

When a service is exposed, it has no choice but to “endure” connection requests from clients.

A service exposed on the internet is most often identifiable by an IPv4 address (4 bytes) and a port (2 bytes).

It is thus possible to scan the internet to have a map of all the services exposed.

This means that exposed services are findable by attackers. Attackers list exposed services of a given organization, search for vulnerabilities in these services, then launch a targeted attack on the service to compromise the information system. We note that more than a third of information system compromises are due to the exploitation of vulnerabilities which affect a service exposed on the internet of the compromised computer system.

Different ways of dealing with this problem have been proposed, such as: setting up firewalls that filter connection attempts; in-depth analysis of traffic and blocking of compromise attempts; the deployment of updating processes for exposed services (with the correction of identified vulnerabilities); reducing the exposure surface of the information system (by moving a service exposed on the Internet to the interior of the information system, then making it accessible through a single point of exposure, most often by means a VPN); the transfer of exposed services to the cloud of a third party, which takes responsibility for them and ensures their protection.

The aim of the present invention is to solve this problem, by proposing an alternative solution to the known solutions, which is based on the elimination of exposure points.

For this purpose, the invention relates to a security infrastructure intended to be deployed in an architecture based on the Internet and comprising a client connected to the Internet on one side and a server of a connected information system. to the Internet on the other hand, the information system providing a service, characterized in that the security infrastructure is a Darknet infrastructure comprising: a Darknet network overlaying the Internet to hide the service; a client agent executed by the client to access the service through the Darknet network, the client agent storing a client configuration file; a server agent executed on the information system server to allow access to the service through the Darknet network, the server agent storing a server configuration file; and, a controller, comprising a database storing configuration information, the controller being accessible through the Darknet network by the client agent, respectively by the server agent, to receive client configuration information, respectively server, allowing updating the client or server configuration file, the client configuration information comprising at least one address on the Darknet network allowing the client to access the service when the client actually has the right to access the service, and the server configuration information comprising at least identification information allowing the client to identify itself with the server in order to access the service.

Depending on particular embodiments, the infrastructure comprises one or more of the following characteristics, taken individually or in all technically possible combinations:

- an agent among the client agent and the server agent memorizes a token allowing a first connection, via the Darknet network, to the controller in order to receive authentication data in return, the agent then establishing a connection with the controller by using authentication data.

- the infrastructure includes an administration console for the controller and advantageously for the server agent, the administration console running an agent to access the controller and advantageously the server agent through the Darknet network.

- the infrastructure is based on a Tor implementation of the Darknet infrastructure.

- the Darknet network is a private network.

The invention also relates to a method of connection to a hidden service implemented in a security infrastructure conforming to the previous infrastructure, consisting of: filling in a client configuration file of the client agent and filling in a configuration file server of the server agent by connection to the controller, the client configuration file comprising at least one address on the Darknet network of the service, and the server configuration file comprising at least one identification information allowing the client to identify itself with from the server to be able to access the service; make the service available on the Darknet network through the server agent; establish by the client agent a connection with a so-called “meeting point” node of the Darknet network (43), using the information contained in the client configuration file; request access to the service from the Darknet network by the client agent by declaring the identifier of the “meeting point” node; verify by the server agent the identity of the client on which the client agent is running using the identification information contained in the server configuration file; and, in the event of positive verification, establish by the server agent a connection with the “meeting point” node of the Darknet network; associate the connections on either side of the “meeting point” node to establish communication between the client and the server.

According to particular embodiments, the process comprises one or more of the following characteristics, taken individually or in all technically possible combinations:

- the method further consists of: establishing a connection with the controller by the server agent; communicate by the server agent to the controller the address on the Darknet network of the service, said address having been generated by the server agent; establish a connection with the controller by the client agent; communicate by the controller to the client agent the address on the Darknet network of the service to fill in the client configuration file.

- the method further consists of: establishing a connection with the controller by the server agent; communicate by the controller to the server agent the user rights on the service to fill the server configuration file.

- to establish by an agent among the client agent and the server agent a connection with the controller, the method further consists of: receiving by the agent a connection token indicating an address on the Darknet network of the controller and a login ; establish by the agent a connection to the controller using the address on the Darknet network of the controller indicated in the token and identify itself by the agent to the controller using the identifier indicated in the token; provide authentication data in response by the controller to the agent; and the agent establishes a connection to the controller using the authentication data.

The invention also relates to a computer program product comprising software instructions which, when executed by a client, a server and a controller of an infrastructure conforming to the preceding infrastructure, implement a method conforming to the previous process.

The invention and its advantages will be better understood on reading the detailed description which follows of a particular embodiment, given solely by way of non-limiting example, this description being made with reference to the appended drawings in which:

There is a schematic representation of a preferred embodiment of a security infrastructure according to the invention, deployed to secure a computer architecture using the Internet;

There is a block representation of a first method implemented by the security infrastructure of the ;

There is a block representation of a second process implemented by the security infrastructure of the ;

There is a block representation of a third method implemented by the security infrastructure of the ; And,

There is a block representation of a fourth method implemented by the security infrastructure of the .

DEFINITIONS

“User”: this is the person who interacts with a computer connected to the Internet, called a “client computer” or “client”, to access a service. Unless otherwise stated, hereinafter we will speak without distinction of customer or user.

“Client application”: this is software executed by a client and must access a service to function correctly or offer a particular functionality to the client or user. Unless otherwise stated, we will hereinafter speak indiscriminately of client or client application.

“Service”: this is a functionality made available by an organization’s information system. This service is accessible via a server connected (directly or indirectly via a gateway) to the internet network. For example, the service is software run by the server computer. Unless otherwise stated, we will hereinafter speak indiscriminately of service or server.

“Darknet Network” or “Darknet”: it is a peer-to-peer, distributed computer network, superimposed (or “overlay” network in English) on the Internet network. It uses specific protocols integrating anonymity functions so that the IP addresses of the actors are not revealed publicly.

“Darknet infrastructure”: in addition to the Darknet network, the Darknet infrastructure includes the software (or agents) executed on machines to allow them to use the Darknet network by implementing the appropriate protocols.

“Tor implementation” (or “Tor technology”, or even “Tor software”) (acronym for “The “.onion” Router” or “the “.onion” router” in French): it is a particular implementation of Darknet infrastructure. The Tor implementation is a global, decentralized overlay computing network. It consists of a number of servers, called Darknet network nodes, the list of which is public. This network makes it possible to anonymize the origin of TCP connections. The Tor implementation is made up of free software, which is kept up to date by the organization “The Tor Project”, whose website (https://forum.torproject.net) offers various information and makes available to all software versions. The latest stable version of the Tor implementation is version 0.4.7.7 of April 27, 2022. It should be noted that the present invention is based on the basic functionalities of the Tor implementation, which can be found in a version to another.

“.onion” address: according to the Tor implementation, access to a hidden service requires the user to know its “.onion” address. The “.onion” address allows you to negotiate “a meeting point” with the Darknet infrastructure. This meeting point is a node in the Darknet network used as a connection intermediary between the user and the service. No one can negotiate a meeting point with the hidden service without knowing the “onion” address of this service. The “.onion” address is generated exclusively on the service side. Furthermore, the “onion” address of a service is certainly known to the client, but is not known to other machines in the Darknet infrastructure (by using “blind cryptography” mechanisms, a service manages to declare to the Darknet without having to reveal your “.onion” address. Since they are made up of 56 semi-alphanumeric characters, it is very difficult to crack an “onion” address with a force attack.

“Anonymity”: according to the current version of the Tor implementation, in order not to expose the IP address of a machine, the connection created between this machine and the meeting point is not direct, but goes through one or more Darknet relay nodes between the machine and the meeting point. Thus, the compromise of the meeting point does not make it possible to obtain the IP address of the machine, in particular on the service side. In addition, Tor technology provides end-to-end encryption between machine and meeting point. More precisely, the data passing through is encrypted as many times as the number of relay nodes crossed (so-called “onion” encryption), thus preventing the compromise of part of the access path to the meeting point from resetting. the confidentiality of the data in transit is at stake.

“Principle of indirection”: this involves indirectly establishing a connection between the client and the server. according to the current version of the Tor implementation, the client chooses the meeting point within the Darknet network, builds a connection to this meeting point, then communicates the meeting point identifier to the service via a specific mechanism of Tor technology which is not detailed here. The service verifies the identity of the client seeking to establish a connection. In Tor technology, this verification is carried out using certificates stored locally on the service side. If the customer has the right to establish a connection, then the service creates a connection to the meeting point chosen by the customer. The service thus becomes the last actor to establish the connection. It goes from a passive component (in TCP/IP, the service accepts a connection from a client) to an active component (in a Darknet infrastructure, the service establishes the connection to the meeting point). In addition, the meeting points are never the same because they are chosen randomly by the clients within the nodes of the Darknet network.

GENERAL

The invention consists of securing an IT architecture based on the Internet by deploying a suitable Darknet infrastructure, so as to remove the points of exposure of the services so as to make them invisible.

The security infrastructure according to the invention is based on the use of the principle of indirection: the sensitive actors of client-server communication only use outgoing flows. These flows converge on the Darknet network. In particular, the server becomes the last actor to decide whether or not to establish a connection with a client. This decision is made based on a number of criteria, including the client's access rights.

The security infrastructure according to the invention is based on the “ZTNA” model. The “ZTNA” model (for “Zero-Trust Network Access”) is a security concept, particularly applicable to computer networks, based on the systematic verification of user rights, considering that it does not It is not possible to trust a user by default. In this way, the compromise of part of the architecture does not call into question the confidentiality of the information exchanged between a client application and a server, does not call into question the anonymity of the service, nor the integrity of this service. .

In the preferred embodiment described in detail below, the security infrastructure implements the Tor implementation of a Darknet infrastructure. However, other implementations of a Darknet infrastructure could also be used, notably the I2P implementation (“Invisible Internet Project”).

ARCHITECTURE

Referring to the , the security infrastructure according to the invention is deployed in an architecture comprising the Internet 30, a client 10 connected to the Internet 30 on one side, and an information system 20 connected to the Internet on the other. other side.

The information system 20 includes a private network 21 connected to the Internet via a gateway 22. The information system 20 provides a service 23 to a set of remote users. The service 23 is for example executed on a server computer 24. The service 23 is for example a web application.

The client 10 is a computer (such as a personal computer, a mobile telephone, etc.) which runs an application 12 needing access to the service 23 so that the user 1 of the client 10 fully benefits from the functionality associated with the execution of the application 12. The application 12 is for example an internet browser.

The security infrastructure (generally referenced by the number 40 on the ) includes:

- a Darknet 43 network;

- a client-side agent (or client agent) 41;

- a service-side agent (or server agent) 42;

- a controller 44; and, preferably,

- an administration console 46.

Security infrastructure 40 is a Darknet infrastructure, conforming to the Tor implementation unless otherwise noted.

Darknet 43 network

The Darknet network 43 is a network composed of a plurality of nodes superimposed on the Internet 30. On the , we referenced nodes by the numbers 51 and 52, 61, 62 and 63, and 71 and 72.

The Darknet 43 network is advantageously deployed on several “cloud” networks, managed by different providers. Thus, on the , the nodes of the Darknet network 43 have been represented as belonging to three different cloud networks, respectively 50, 60 and 70. The suppliers are advantageously different entities from the organization managing the information system 20 or from the service provider providing this security solution. The distribution of the Darknet 43 network over a plurality of cloud networks ensures sufficient resilience, as well as extensive geographic coverage (for example global).

On the , is schematically represented the management system 45 of the Darknet network 43. This is only a representation, insofar as the management functions are in fact distributed within the Darknet network 43 itself between the nodes component.

Advantageously, in the present implementation, the Darknet 43 network is private and not public (as in the Tor implementation). This means that it is not possible to add a node to the Darknet 43 network without being authorized to do so. In addition to certain security problems that this can cause, adding malicious nodes can cause performance problems if the bandwidth of the added nodes is not controlled.

According to the Tor implementation, a candidate node is added to the network by declaring itself to nodes of the Darknet network having a high hierarchical level, also called “authority” nodes. To do this, the candidate node communicates a router description document (or “Router Descriptor”) to the “authority” nodes. The “authority” nodes include the information contained in the router description document within a consensus document, during a vote which takes place at regular intervals. The consensus document is a public document produced regularly by the Darknet network and which gives the list of all the nodes that compose it, as well as the cryptographic information associated with each of these nodes. The consensus document is notably used by the processes of the Tor implementation to construct the paths (also called "circuit" in the Tor implementation) to the meeting points, as will be described below.

According to the invention, in order to prevent the router description document of an unauthorized node from being accepted by the “authority” nodes, an additional certificate is integrated within the valid router description documents. This certificate is signed by a trusted authority and each “authority” node holds the authority certificate allowing it to validate the router description document of a candidate node by verifying its signature. The Common Name of the authority certificate of a candidate node specifies the public IP address of the candidate node and thus allows the “authority” nodes to verify the legitimacy of the candidate node requesting its integration into the Darknet network 43 Thus, the Darknet 43 network has the capacity to refuse candidate nodes that do not have a valid certificate signed by the trusted authority.

In this way, the Darknet 43 network is an alteration of the Tor implementation as defined by the current version of the standard.

Customer Agent 41

The client agent 41, which is installed and executed on a computer, like the client 10 of user 1, provides access to the services hidden by the security infrastructure 40.

The client agent 41 stores a client configuration file T.

The file T includes authentication data of the client 10, such as for example a private key, a public key and a certificate associated with the public key for connection to the controller 44.

The T file also stores the “.onion” addresses of the hidden services for which user 1 of client 10 has access rights.

Advantageously, the T file associates each “.onion” address on the one hand, with an IP address and/or a domain name on the other hand.

The client agent 41 advantageously memorizes a J1 token to allow a first connection to the controller 44.

The client agent 41 is composed of two processes.

The first 411 process is a Tor process. This is a local proxy (also called “.Onion Proxy” - OP) listening on the local loop. This first process 411 accepts connections from the SOCKS protocol. The first process 411 redirects the data packets coming from the client application 12 to the services hidden by the Darknet network 43. The SOCKS protocol is a standard protocol, used in the Tor implementation to provide applications running on a machine with a standard way to access the Darknet. In this implementation, instead of configuring applications to use Tor's local SOCKS proxy, the agent is responsible for negotiating a SOCKS connection with the local proxy each time a connection with a hidden service is necessary.

This first 411 process is similar to the local proxy of the Tor implementation, but is advantageously modified to ensure the creation of direct circuits to a meeting point so as to remove the anonymity of the client. Removing user anonymity allows the administrator of hidden services to know the real IP addresses of users. Thus, the connection between the client agent 41 and the meeting point is direct and does not use any intermediate relay node from the Darknet network 43. The hidden services remain anonymous. Removing client anonymity also increases the performance of the Darknet network, by reducing the relaying and encryption steps for client-side flows.

The second process 412 is specific to this security infrastructure. It establishes and maintains a connection to the controller 44, relying on the first process 411.

This second process 412 is capable of connecting to the controller 44 to retrieve all or part of the information from the configuration file T.

When it detects a request generated by the application 12, executed on the client 10, for a domain name or an IP address mentioned in the file T, the second process 412 modifies this request by substituting the “.onion” address associated with this domain name or IP address, and redirects the modified request to the Darknet network and the hidden service, via the first 411 process.

More precisely, the second process 412 intercepts DNS requests from the application 12 when these include a domain name from the file T. The second process forges a DNS response containing a “false” IP address associated with this domain name ( this “fake” IP address is either indicated in the T file or a default address assigned by the second process). When the second process 412 detects a request to this “fake” IP address, it redirects the packet to the local Tor proxy with the corresponding “.onion” address.

This functionality of the second process 412 is not essential to the invention, but it makes it possible to make the proposed solution easier to use for the user, who does not manipulate “.onion” addresses but IP addresses or domain names, as he is used to when using the Internet. But the 412 process itself is essential, in particular to communicate with the controller and receive information on the accessible services.

Server Agent 42

The server agent 42 is installed and executed on a machine of the information system 20, in order to conceal this or that service of the information system. For example, the server agent 42 is executed by the server 24 to hide the service 23. The server agent 42 then makes it possible to make the service accessible through the security infrastructure 40.

The server agent 42 stores a server configuration file F.

The file F includes authentication data from the server 24, such as for example a private key, a public key and a certificate associated with the public key, for connection to the controller 44.

The F file also stores the identification information associated with the users who can access the service 23. This identification information preferably includes authentication data of each client and the access rights associated with this client.

The server agent 42 memorizes a J2 token to allow a first connection to the controller 44.

Server agent 42 is made up of two processes.

The first 421 process is a Tor process. It makes it possible to generate the “.onion” addresses of the services to be hidden and to declare them to the management system 45 of the Darknet network 43 to make them accessible to authorized users via the Darknet [TO CHECK: there is communication of the addresses “.onion” on the Darknet]. To do this, the first process 421 reads the configuration file F containing this information. Just as for the client agent 41, this first process 421 executes a local proxy to provide access to the Darknet network 43. This first process 421 conforms to the local proxy according to the Tor implementation.

The second process 422 is specific to the present invention. It allows an administrator 28 of the information system 20 to communicate with the first process 421 in order to configure the services. Advantageously, the administrator 28 accesses the second process 422 as a hidden Darknet service.

The second process 422 also makes it possible to establish and maintain a connection with the controller 44 to receive information allowing the configuration file F to be updated.

Controller 44

Controller 44 is a machine connected to the internet.

The controller 44 includes a database B. This contains the information allowing the client and server configuration files to be updated. Database B references, for example, users, services and access rights to these services by users.

The controller 44 acts as a service hidden by the Darknet network 43.

The controller 44 is advantageously hosted in an information system different from the information system to be secured and managed by the supplier of this security solution.

Alternatively, it is hosted directly on the information system of the organization that wishes to use this security solution in order to have optimal control of its data.

Advantageously, there are as many controllers as there are organizations whose information system we seek to secure so that the services of these different organizations are not referenced within the same controller. This partitioning between organizations helps increase security.

The controller 44 executes a process 441 and two services of the network application type 442 and 443. These two applications act as services hidden by the Darknet network 43. They are themselves informed within the controller 44 and can be administered as any what other hidden service.

The 441 process is a Tor process, of the local proxy type. The process 441 makes it possible to generate the two “.onion” addresses of the two services 442 and 443 to make these services accessible to remote agents, clients of the controller services, through the Darknet 43 network.

The first application 442 listens to a first port on the local loop to allow agents to connect, authenticate and receive the information that interests them, such as for example, the “.onion” addresses of the services open to the user for client agent 41, or the domain names and/or IP addresses for the client agent 41, or the identities of the authorized users for the server agent 42.

Preferably, the controller 44 can be administered through the second application 443 which is a web application accessible via a second port, distinct from the first port. The administrator 28 of the security infrastructure knows the “.onion” address allowing him to access the second application 443 of the controller 44 and to manage the users, services and associated access rights, this is i.e. to update the contents of database B.

Administration console 46.

The administrator 28 accesses the information service 20 and the controller 44 by means of a console 46. The console 46 is a client, similar to the client 10 presented above. It executes an application 12' for administering the information system 20 and the controller 44 which can connect through the Darknet network 43 by executing a client agent 41' (comprising a first process 411' and a second process 412') in using the information grouped in a configuration file T'.

PROCESSES

Method of connecting to a hidden service

Referring to the , a connection method 100 is implemented to establish a connection (for example connection 101 of the ) between an application of a registered client, such as application 12 of client 10, and a hidden service, such as service 23 of server 24.

Step 110: when a user 1 seeks to use a hidden service 23, the client agent 41 reads the client configuration file T to extract the “.onion” address of the service to which he wishes to access. It establishes a connection with a Darknet meeting point, for example node 61. To do this, the client agent 41 arbitrarily chooses this node from the list of nodes which make up the Darknet network 43, this list being publicly available for example by querying the management system 45. The client agent 41 then establishes a connection with the chosen meeting node. In the present implementation, this connection is advantageously direct. That is to say that there is no relay node of the Darknet 43 network between client 10 and the chosen meeting point, to make it possible to break the anonymity of client 10.

Step 120: once the connection to the Darknet network has been established, the client agent 41 requests access to the service 24 and declares its meeting point to the management system 45, which is responsible for communicating to the associated server agent 42 to the requested service, the connection request from the customer agent 41 and the location of the chosen meeting point. This process, specific to the Tor implementation, is not described in more detail here.

Step 130: upon receiving a connection request to the service 23, the server agent 42 verifies the identity of the client 10 by consulting the server configuration file F.

Step 140: after positive verification of the identity of the client having initiated a connection request, the server agent 42 initiates a TCP connection to a first node of the Darknet network, for example node 52. Then the server agent 42 extends the previously established connection by indicating to the first relay node 52 of the circuit to establish a TCP connection to a second relay node, chosen by the first relay node, for example node 71. Finally, the server agent 42 extends the connection a time again, until the meeting point 61. Alternatively, the circuit between the information system 20 and the meeting point can have another number of hops (at least two to hide the IP of the server 24).

Step 150: the connections on either side of the meeting point are associated by the meeting point to allow the client agent 41 and the server agent 42 to establish a secure tunnel, and to allow the application 12 executed on the client 10 and the service 23 executed by the server 24 to communicate. Client 10 does not know the effective IP address of service 23, while service 23 knows that of the client which is transmitted to it by the meeting point.

We see that the service being the last to establish the connection, it chooses whether or not it must proceed to establish the connection to the meeting point based on the identity of the user: this is the principle of indirection.

Process of updating a user's rights and communicating the address of a service hidden

Referring to the , the steps of the method 200 are advantageously implemented to inform the client T and server F configuration files.

In a step 210, the administrator 28 connects to the identity and access controller 44. It adds to the database B a right to the client 10 of the user 1 to allow access to the hidden service 23. To do this, the console 46 as a client and the controller 44 as a server of a hidden service carries out the steps of the connection process 100 to establish the connection 401. Once this connection has been established, the second application 443 allows the administrator to have control over the database B.

In a step 220, the controller 44 communicates the identity of the user and his rights to the server agent 42. This step is for example executed at the request of the server agent 42 when it must verify a connection request ( step 130 of process 100). Thus, the server agent 42 knows that it can authorize the establishment of a connection to the meeting point to respond to a connection request from the client 10. The communication of this information is carried out by means of a connection 301 through the Darknet previously established and maintained between the server agent 42, as client, and the first application 442, of the controller 44 (circuit 301 on the ).

In a step 230, the controller 44 communicates the “.onion” address of the service 23 to the client agent 41. This communication is carried out via a secure tunnel previously established and maintained between the client agent 10 of user 1, as a client, and the first application 442 of the controller, as a hidden service (circuit 201 of the ).

Once it has the “.onion” address of the target service 23, the client 10 can then establish a secure tunnel to this service and the server agent 42 can verify the identity of the client and establish the connection to the meeting point in accordance with method 100.

Process of authentication from a customer with of a server agent

In order to ensure that the mere knowledge of a “.onion” address is not sufficient to make a connection with a hidden service, the implementation of the steps of the method 300 is advantageously provided to allow the authentication of a client 10 by the server agent 42 associated with the service 23 (step 130 of the method 100).

This elementary process 300 is illustrated by the .

In a step 310, the server agent 42 makes the service 23 available on the Darknet 43, by generating an “.onion” address for the service 23, and registers the service 23 with the system 45 of the Darknet 43 network. This functionality is native to the Tor implementation according to the current version and is not modified here.

In a step 320, the server agent 42 establishes and maintains a connection 301 through the Darknet network 43 with the first application 442 of the access and identity controller 44.

In step 330, the server agent 42 also communicates to the controller 44 the “.onion” address that it generated for the service 23.

In step 340, the controller 44 communicates to the server agent 42 all the identities of the users having the right to establish a connection with the service 23 (this corresponds to step 220 of the method of the ). At each modification of rights in the database B, the controller 44 notifies the server agent 42.

In a step 350, during a connection attempt by the client agent 41, the server agent 42 verifies that the client 10 actually has the right to connect. If yes, it establishes a connection to the meeting point chosen by the latter, following the principle of indirection (step 140 of the method of the ).

It should be noted that step 330 makes it possible to centralize the “.onion” addresses of the services of a given organization within the database B stored by the controller 44. The controller 44 thus references the users of the organization , services and access rights. This allows the controller 44 to indicate to clients the “.onion” addresses of the accessible services, as described with reference to the . On the contrary, in the Tor implementation according to the current version, “.onion” addresses are considered information outside the scope of the standard, which it is the responsibility of service administrators to communicate to their users.

First token login

Since the client 41 and server 43 agents need to know the “.onion” address of the first application 442 of the controller 44, they must have certain initial configuration information, such as a certificate, a key and the “.onion” address. .onion” of controller 44.

In order to facilitate the deposit of this initial configuration information on the machine on which the agent is executed, the agent can advantageously retrieve this information directly from the controller 44 by implementing the steps of the method 400 of the .

In a step 410, the user (respectively the administrator of the service to be hidden) receives an initialization token. This is for example composed of the “.onion” address of controller 44 and a unique identifier. This pair of information is for example generated by the controller 44 at the request of the administrator 28. This pair of information is communicated to the user 1 (or to the administrator of the service to be hidden) by an additional means of communication with the appropriate level of security, for example by transmitting an encrypted email containing the token.

In a step 420, by means of this token, the client agent 41 (respectively the server agent 42) connects to the controller 44. It reads the “.onion” address of the controller 4 indicated by the token, connects to the controller 44 and transmits to controller 44 the unique identifier indicated by the token.

In return, in a step 430, the controller 44 generates a certificate and a key and transmits this authentication data to the client agent (or the server agent). The token is then “consumed” (invalidated) by the controller 44. A token is only valid for a limited time and can only be used once to guarantee security.

Subsequently, in a step 440, thanks to this configuration information, which is stored in the file T (respectively in the file F), the client agent 41 (respectively the server agent 42) has the possibility of establishing a new connection with the controller 44 and to authenticate with the controller 44 using the information from the file T (respectively in the file F). Preferably, an agent maintains this connection with the controller.

In a step 450, the client agent 41 retrieves general configuration information such as the “.onion” addresses of the hidden services open to it. It stores this information in the T file. The server agent 42 retrieves general configuration information such as the identification of each user. It stores this information in the F file.

Finally, in a step 460, the client 10 accesses the desired hidden service using its “.onion” address, by negotiating a meeting point with the Darknet network, then by establishing a connection with the hidden service via the usual process. of the Tor implementation (implementation of method 100).

With method 400, the client and server agents know the “.onion” address of the controller 44.

At any time, as soon as a modification is made to access rights in the database B, the controller 44 indicates this modification to the clients concerned: a new “.onion” address is available, a “.onion” address is available. onion” must be invalidated, a user has the right to access all or part of a hidden service or, on the contrary, no longer has the right to access all or part of a hidden service.

BENEFITS

The invention therefore relates to an infrastructure based on a private Darknet network making it possible to remove the exposure of services on the internet.

The Tor implementation of a Darknet infrastructure is modified, in particular to remove the anonymity of users, while keeping that of hidden services. It is also modified to Make the darknet network private, that is to say, prevent actors other than the administrator from adding machines to it.

Customer agents advantageously allow users to access hidden services as if they were accessing services exposed on the internet.

The proposed infrastructure has the following properties:

- It is technically impossible for anyone with access to part or all of the machines in the infrastructure to establish a connection with the hidden services without holding the rights to these machines specified in the management database. organization.

- It is impossible to determine the public IP addresses of hidden services.

- The administration console is no longer exposed on the Internet and uses the infrastructure itself to hide itself.

These properties mean that the infrastructure is an infrastructure respecting the ZTNA model.

Claims (10)

Security infrastructure intended to be deployed in an architecture based on the Internet and comprising a client (10) connected to the Internet (30) on one side and a server (24) of an information system ( 20) connected to the Internet on the other hand, the information system (20) providing a service (23),
characterized in that the security infrastructure is a Darknet infrastructure comprising:
- a Darknet network (43) overlaying the Internet (30) to hide the service (23);
- a client agent (41) executed by the client (10) to access the service (23) through the Darknet network (43), the client agent storing a client configuration file (T);
- a server agent (42) executed on the server (24) of the information system (20) to allow access to the service (23) through the Darknet network (43), the server agent storing a server configuration file (F); And,
- a controller (44), comprising a database (B) storing configuration information, the controller being accessible through the Darknet network (43) by the client agent (41), respectively by the server agent (42 ), to receive client or server configuration information, allowing the client or server configuration file to be updated,
the client configuration information comprising at least one address on the Darknet network allowing the client to access the service (23) when the client actually has the right to access the service, and the server configuration information comprising at least information identification allowing the client to identify himself to the server in order to access the service (23). Infrastructure according to claim 1, in which an agent among the client agent and the server agent memorizes a token (J1, J2) allowing a first connection, via the Darknet network (23), to the controller (44) in order to receive in returning the authentication data, the agent then establishing a connection with the controller using the authentication data. Infrastructure according to any one of claims 1 to 2, comprising an administration console (46) of the controller (44) and advantageously of the server agent (42), the administration console running an agent to access the controller and advantageously to the server agent through the Darknet network (43). Infrastructure according to any of the preceding claims, based on a Tor implementation of the Darknet infrastructure. Infrastructure according to any one of the preceding claims, wherein the Darknet network is a private network. Method of connection to a hidden service implemented in a security infrastructure according to any one of claims 1 to 5, consisting of:
- enter (230) a client configuration file (T) of the client agent and enter (220) a server configuration file (F) of the server agent by connection to the controller (44), the client configuration file comprising at least one address on the Darknet network of the service (23), and the server configuration file comprising at least one identification information allowing the client to identify itself to the server in order to access the service (23);
- make the service available on the Darknet network (43) by the server agent (42);
- establish (110) by the client agent (41) a connection with a so-called “meeting point” node of the Darknet network (43), using the information contained in the client configuration file;
- request (120) by the client agent (41) access to the service (23) from the Darknet network (43) by declaring the identifier of the “meeting point” node;
- verify (130) by the server agent (42) the identity of the client (10) on which the client agent (41) is executed using the identification information contained in the server configuration file; and, in the event of a positive verification,
- establish (140) by the server agent (42) a connection with the “meeting point” node of the Darknet network (43);
- associate (150) the connections on either side of the “meeting point” node to establish communication (101) between the client and the server. A method according to claim 6, wherein the method further comprises:
- establish (320) by the server agent (42) a connection with the controller (44);
- communicate (330) by the server agent (42) to the controller (44) the address on the Darknet network of the service (23), said address having been generated by the server agent;
- establish by the client agent (41) a connection with the controller (44);
- communicate by the controller to the client agent the address on the Darknet network of the service (23) to fill in the client configuration file. A method according to claim 6 or claim 7, wherein the method further comprises:
- establish (320) by the server agent (42) a connection with the controller (44);
- communicate (340) by the controller to the server agent the rights of the users on the service (23) to inform the server configuration file. Method according to any one of claims 6 to 8, in which, to establish by an agent among the client agent and the server agent a connection with the controller (44), the method further consists of:
- receive (410) by the agent a connection token indicating an address on the Darknet network of the controller and an identifier;
- establish (420) by the agent a connection to the controller using the address on the Darknet network of the controller indicated in the token and identify itself by the agent to the controller using the identifier indicated in the token;
- provide (430) in response by the controller to the agent authentication data; And
- establish (440) by the agent a connection to the controller using the authentication data. Computer program product comprising software instructions which, when executed by a client (10), a server (24) and a controller (44) of an infrastructure according to any one of claims 1 to 5, implement implementing a method according to any one of claims 6 to 9.