KR20160132609A - Access Control Method to Server - Google Patents

Info

Publication number
KR20160132609A
Authority
KR
South Korea
Prior art keywords
access control
password
control device
server
user
Prior art date
Application number
KR1020150065350A
Other languages
Korean (ko)
Inventor
서정철
임철환
장경수
양준선
Original Assignee
이니텍(주)
Priority date
Filing date
Publication date
Application filed by 이니텍(주)
Priority to KR1020150065350A
Publication of KR20160132609A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The access control method according to the present invention is performed by an access control device in an environment including a user terminal, an administrator terminal, the access control device, and a managed server, and comprises: a first step in which the access control device receives, from the user terminal, first data including an access control ID and password information; a second step in which the access control device reassembles the authentication packet containing the access control ID and the password, among the packets of the first data received in the first step, to generate second data including an ID and a password with which the managed server can be accessed; and a third step in which the access control device transmits the second data to the managed server.

Description

Access Control Method to Server

The present invention relates to a method for controlling user access to a managed server, and more particularly to an access control method that lets a user reach the managed server without the access credentials for that server being exposed directly to the user.

To access the in-house information servers of a corporation or financial institution securely, authority must be restricted, and bypass access prevented, per user, task, or role. The typical way of letting a user access a managed server through a terminal and perform a given task is ID/password authentication. This old method, however, is highly vulnerable: the ID/password is readily leaked, and a keyboard-hooking program can capture it.

To compensate for this vulnerability, additional authentication with an SMS authentication code or with a one-time password (OTP) is used.

As the number of IDs and passwords a user must manage grows, ID/password-based authentication burdens the user with keeping track of them, so that users who access several managed servers in many cases reuse the same ID/password.

Even with the additional SMS or one-time-password authentication, if the user's keyboard input is hooked, the ID/password for accessing the managed server can still be exposed. And if the user connects to the managed server directly, the possibility remains that the user bypasses the controls and works on the server directly.

It is an object of the present invention to provide an access control method that solves the problem described above, which arises when the access credentials for a managed server are exposed directly to the user.

The access control method according to the present invention is performed by an access control device in an environment including a user terminal, an administrator terminal, the access control device, and a managed server, and comprises: a first step in which the access control device receives, from the user terminal, first data including an access control ID and password information; a second step in which the access control device reassembles the authentication packet containing the access control ID and password, among the packets of the first data received in the first step, to generate second data including an ID and a password with which the managed server can be accessed; and a third step in which the access control device transmits the second data to the managed server.

In the authentication packet reassembly process of the second step, step 2-1 replaces the field of the authentication packet that contains the access control ID and password with an ID and password with which the managed server can be accessed, and step 2-2 modifies the other information related to that field.

Step 2-2, modifying the other information, may consist of modifying the size information of the authentication packet, modifying the packet arrangement according to the size information, and modifying the internal CRC value.

The password is preferably one-time password information.

According to the present invention, security and management efficiency improve because the IDs and passwords with which the managed server 40 can be accessed are never exposed to the user, and the data communication between the user terminal and the virtual server, and between the virtual client and the managed server, is safe because it is encrypted and decrypted with session keys. Users also no longer need to manage many passwords.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows an environment in which the present invention is carried out.
FIG. 2 is a flowchart of an access control method according to the present invention.
FIG. 3 is a flowchart of the process of generating the session keys used in the access control method according to the present invention.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

Encryption/decryption may be applied to any information (data) transmission described in this specification, and expressions describing the transmission of information (data) in this specification and the claims should be construed as including encryption/decryption even where it is not stated. As used herein, "transmission from A to B" or "reception by A from B" includes transmission or reception through other intermediate media. In the description of the present invention, the order of the steps should be understood as non-limiting unless a preceding step must logically and temporally be performed before the next one. That is, except for such cases, performing a process described as a later step before a process described as an earlier step does not affect the essence of the invention, and the scope of the right should be defined regardless of the order of the steps.

FIG. 1 shows an environment for performing the access control method according to the present invention and a relationship among the respective components.

As shown in FIG. 1, the environment in which the present invention is performed includes an administrator terminal 10, a user terminal 20, an access control device 30, and a managed server 40. The administrator terminal 10 and the user terminal 20 are electronic devices capable of data communication and capable of computer operation by a central processing unit, such as a PC, a mobile communication device such as a smart phone, and a tablet PC.

The access control device 30 includes an account management unit 32, an access control management unit 34, and an access policy management unit 36. The account management unit 32 manages access control device account information 32-1, which holds the user IDs and passwords for accessing the access control device 30, and managed server account information 32-2. The account management unit 32 also generates and manages the one-time passwords (OTP) provided to users, as described later.

The access control management unit 34 includes a packet extraction / analysis unit 34-1 and an authentication packet processing unit 34-2. The packet extracting / analyzing unit 34-1 extracts and analyzes the authentication packet in the received packet. The authentication packet processing unit 34-2 re-processes the authentication packet in a form that can be recombined and transmitted to the managed server.

The access policy management unit 36 manages security policies such as protocol, command, directory, file, SQL, table, field, link, application, and masking rules, as well as the IP addresses available to each user; in this way the access range and the usable range on the managed server are defined per user.

Next, the access control method according to the present invention will be described.

The administrator accesses the access control device through the administrator terminal 10 to perform account management, security policy management, and the like. Administrators can change the password periodically, and perform system management within the granted authority, such as initializing the system account. In accordance with the operation of the administrator, the access control device 30 communicates with the managed server 40 to perform operations such as account initialization and password change.

For example, the following table is recorded in the access control device account 32-1.

User IP        User ID    PWD
192.168.0.3    USER_001   ENC(***)
192.168.0.4    USER_002   ENC(***)

An ID and password are managed for each user IP. They are the ID and password with which the user can access the access control device 30 through the user terminal 20, not an ID/password with which the managed server 40 can be accessed. The password is of course stored encrypted.

For example, the following table is recorded in the managed server account information 32-2.

System classification   Account separation   System ID   Org PWD    OTP
10.10.0.1 (Unix)        Public account       ROOT        ENC(***)   ENC(xxx)
                        General account      SYS1_01     ENC(***)   ENC(xxx)
10.10.0.2 (Network)     Public account       JEUS        ENC(***)   ENC(xxx)
                        General account      SYS2_02     ENC(***)   ENC(xxx)

For each server, the system ID and password of the public account and of the general account are recorded, and a field for the one-time password (OTP) entered by the user is also provided.

The account management unit 32 and the access control management unit 34 are kept synchronized in security policy and access policy, and together perform the access control described below through one-time-password-based authentication and the substitution of the managed server's password.

When the user enters, through the user terminal 20, an ID and password with which the access control device 30 can be accessed, the account management unit 32 authenticates the user ID and password (step 220). The user then requests a one-time password for the managed server, looks it up, and enters it through the user terminal 20 (step 230). The access control management unit 34 queries the account management unit 32 for the one-time password, determines whether the entered one-time password matches, and so authenticates the user to the access control device. For convenience of explanation the password and the one-time password are described separately, but in this specification "password" is defined to include not only a fixed password but also one that changes every time, such as a one-time password.

In step 240, the authentication packet processing unit 34-2 analyzes and reassembles the received packet. The field of the authentication packet that holds the ID and password of the access control device account 32-1 is changed to the ID and password of the managed server account 32-2, and the other information related to this field is reworked: for example, the size of the authentication packet is changed, the packet arrangement is changed according to the size information, and the internal CRC value is changed.

The reassembled authentication packet is transmitted to the managed server 40 (step 250), and the managed server 40 performs authentication (step 260).
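The second step (steps 2-1 and 2-2, performed at step 240) can be made concrete with a small model. The following Go program is an added example, not code from the patent or its assignee; the wire format, the CRC32 checksum, the OTP check, the vault structure and all sample values are constructed for illustration. It parses an incoming authentication packet, verifies the one-time password against the vault row for that user, and rebuilds the packet with the managed-server account so that the length field, the field layout and the CRC are consistent again; the managed-server password never reaches the user.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed toy wire format for the authentication packet (an assumption of
// this example, not the patent's protocol). Fields are at most 255 bytes.
//   byte 0      message type, 0x01 = authentication
//   bytes 1..2  total packet length, big-endian, CRC included
//   byte 3      ID length, followed by the ID bytes
//   next byte   password length, followed by the password bytes
//   last 4      CRC32 (IEEE) over every preceding byte
const typeAuth = 0x01

// Credential is an ID/password pair for one system.
type Credential struct {
	ID       string
	Password string
}

// VaultEntry mirrors one row of the managed server account table: the OTP
// issued to the user and the managed-server account it unlocks.
type VaultEntry struct {
	OTP    string
	Target Credential
}

// buildAuthPacket serialises the fields, fills in the length, and appends the CRC.
func buildAuthPacket(id, password string) []byte {
	body := []byte{typeAuth, 0, 0, byte(len(id))}
	body = append(body, id...)
	body = append(body, byte(len(password)))
	body = append(body, password...)
	binary.BigEndian.PutUint16(body[1:3], uint16(len(body)+4))
	trailer := make([]byte, 4)
	binary.BigEndian.PutUint32(trailer, crc32.ChecksumIEEE(body))
	return append(body, trailer...)
}

// parseAuthPacket is the packet extraction/analysis step (unit 34-1): it rejects
// packets whose length field or CRC do not match, then reads the two fields.
func parseAuthPacket(pkt []byte) (Credential, error) {
	if len(pkt) < 9 || pkt[0] != typeAuth {
		return Credential{}, errors.New("not an authentication packet")
	}
	if int(binary.BigEndian.Uint16(pkt[1:3])) != len(pkt) {
		return Credential{}, errors.New("length field does not match packet size")
	}
	payload, trailer := pkt[:len(pkt)-4], pkt[len(pkt)-4:]
	if crc32.ChecksumIEEE(payload) != binary.BigEndian.Uint32(trailer) {
		return Credential{}, errors.New("CRC mismatch")
	}
	pos, idLen := 4, int(payload[3])
	if pos+idLen >= len(payload) {
		return Credential{}, errors.New("truncated ID field")
	}
	id := string(payload[pos : pos+idLen])
	pos += idLen
	pwLen := int(payload[pos])
	pos++
	if pos+pwLen != len(payload) {
		return Credential{}, errors.New("truncated password field")
	}
	return Credential{ID: id, Password: string(payload[pos:])}, nil
}

// rewriteAuthPacket is steps 2-1 and 2-2 (unit 34-2): once the user's one-time
// password checks out, the access-control credential is swapped for the
// managed-server credential, and because the field lengths differ the packet is
// rebuilt so that its size, layout and CRC are consistent again.
func rewriteAuthPacket(pkt []byte, vault map[string]VaultEntry) ([]byte, error) {
	in, err := parseAuthPacket(pkt)
	if err != nil {
		return nil, err
	}
	entry, ok := vault[in.ID]
	if !ok {
		return nil, fmt.Errorf("no managed-server account mapped for %q", in.ID)
	}
	if subtle.ConstantTimeCompare([]byte(in.Password), []byte(entry.OTP)) != 1 {
		return nil, errors.New("one-time password mismatch")
	}
	return buildAuthPacket(entry.Target.ID, entry.Target.Password), nil
}

func main() {
	// Constructed sample data: USER_001's row from the tables above, with a
	// made-up OTP and a made-up managed-server password.
	vault := map[string]VaultEntry{
		"USER_001": {OTP: "483920", Target: Credential{ID: "SYS1_01", Password: "managed-server-secret-example"}},
	}
	in := buildAuthPacket("USER_001", "483920")
	out, err := rewriteAuthPacket(in, vault)
	if err != nil {
		panic(err)
	}
	cred, _ := parseAuthPacket(out)
	fmt.Printf("forwarding %d-byte packet for %s (user sent %d bytes)\n", len(out), cred.ID, len(in))
}
```

Rebuilding the packet from the parsed fields rather than patching bytes in place is what keeps the size, arrangement and CRC changes consistent whenever the substituted credential has a different length from what the user typed. The length and CRC checks on the incoming packet mean a malformed packet is rejected before any vault lookup or OTP comparison happens.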

The access control device 30 is provided with a virtual server 31 and a virtual client 33 to perform data communication between the user terminal 20 and the managed server 40.

The virtual server 31 is the component of the access control device 30 that handles the connection and responses with the user terminal 20, and the virtual client 33 is the component that handles the connection and responses to the managed server 40.

FIG. 3 shows the process of generating session keys between the user terminal 20, the virtual server 31, the virtual client 33, and the managed server 40.

Before generating the session key, the security protocol exchange process is performed first.

The user terminal 20 generates a first random value (300) and encrypts it with the public key of the access control device (305). The encrypted value is transferred to the virtual server 31 (310), which decrypts it with the private key of the access control device and extracts the first random value (315). The user terminal 20 and the virtual server 31 each generate a first session key (320, 325). The first session key is used to encrypt and decrypt the data transmitted between the user terminal 20 and the virtual server 31.

The virtual client 33 generates a second random value (330) and encrypts it with the public key of the managed server 40 (335). The encrypted value is transmitted to the managed server 40 (340), which decrypts it with its private key to extract the second random value (345). The virtual client 33 and the managed server 40 each generate a second session key (350, 355). The second session key is used to encrypt and decrypt the data transmitted between the virtual client 33 and the managed server 40.
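The two session-key legs of FIG. 3 (steps 300 to 325 and 330 to 355) follow the same pattern: the initiator draws a random value, encrypts it to the responder's public key, and both sides derive a session key from that value. The following Go program is an added example, not code from the patent or its assignee; RSA-OAEP for the public-key encryption, HMAC-SHA256 as the key derivation, AES-256-GCM for the protected traffic, the per-leg labels and the generated key pairs are all this example's assumptions. It also assumes the initiator already holds the responder's genuine public key; the page does not say how that key is provisioned.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveSessionKey turns the shared random value into a 256-bit key. The text
// only says each side "generates" the session key from the random value;
// HMAC-SHA256 keyed with that value over a per-leg label is this example's choice.
func deriveSessionKey(random []byte, label string) []byte {
	mac := hmac.New(sha256.New, random)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

// initiatorStart plays the user terminal (300-310) or the virtual client (330-340):
// draw a random value, encrypt it to the peer's public key, derive the key.
func initiatorStart(peerPub *rsa.PublicKey, label string) (key, sealed []byte, err error) {
	random := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, random); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, random, []byte(label))
	if err != nil {
		return nil, nil, err
	}
	return deriveSessionKey(random, label), sealed, nil
}

// responderFinish plays the virtual server (315-325) or the managed server
// (345-355): recover the random value with the private key, derive the same key.
func responderFinish(priv *rsa.PrivateKey, sealed []byte, label string) ([]byte, error) {
	random, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, []byte(label))
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(random, label), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealData protects one leg's traffic with its session key (nonce prepended).
func sealData(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openData reverses sealData; it fails if the key or the ciphertext is wrong.
func openData(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	// Constructed key pairs standing in for the access control device's and the
	// managed server's keys.
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Leg 1: user terminal <-> virtual server.
	k1, sealed1, _ := initiatorStart(&devKey.PublicKey, "terminal-to-virtual-server")
	k1Server, _ := responderFinish(devKey, sealed1, "terminal-to-virtual-server")
	// Leg 2: virtual client <-> managed server, with its own random value and key.
	_, sealed2, _ := initiatorStart(&srvKey.PublicKey, "virtual-client-to-managed-server")
	k2Server, _ := responderFinish(srvKey, sealed2, "virtual-client-to-managed-server")
	ct, _ := sealData(k1, []byte("command from user"))
	pt, _ := openData(k1Server, ct)
	_, crossErr := openData(k2Server, ct)
	fmt.Printf("leg 1 decrypts %q; leg 2 key opens leg 1 traffic: %v\n", pt, crossErr == nil)
}
```

Because each leg derives its key from its own random value, traffic protected under the first session key cannot be opened with the second one, as the cross check in main() shows; the access control device is the only party that holds both keys, which is why it can re-encrypt between the two legs.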


While the present invention has been described with reference to the accompanying drawings, it is to be understood that the scope of the present invention is defined by the claims that follow, and should not be construed as limited to the above-described embodiments and / or drawings. It is to be expressly understood that improvements, changes and modifications that are obvious to those skilled in the art are also within the scope of the present invention as set forth in the claims.

10: Administrator terminal
20: User terminal
30: access control device
40: Managed Server

Claims (4)

1. An access control method performed by an access control device in an environment including a user terminal, an administrator terminal, the access control device, and a managed server, comprising:
a first step in which the access control device receives first data including an access control ID and password information from the user terminal;
a second step in which the access control device reassembles the authentication packet containing the access control ID and the password, among the packets of the first data received in the first step, to generate second data including an ID and a password with which the managed server can be accessed; and
a third step in which the access control device transmits the second data to the managed server.
2. The method according to claim 1, wherein the authentication packet reassembly process of the second step comprises a step 2-1 of replacing the field of the authentication packet containing the access control ID and password with an ID and password with which the managed server can be accessed, and a step 2-2 of modifying other information related to that field of the authentication packet.
3. The method according to claim 2, wherein step 2-2 of modifying the other information comprises a step of modifying the size information of the authentication packet, a step of modifying the packet arrangement according to the size information, and a step of modifying the internal CRC value.
4. The method according to any one of claims 1 to 3, wherein the password is one-time password information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150065350A KR20160132609A (en) 2015-05-11 2015-05-11 Access Control Method to Server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150065350A KR20160132609A (en) 2015-05-11 2015-05-11 Access Control Method to Server

Publications (1)

Publication Number Publication Date
KR20160132609A true KR20160132609A (en) 2016-11-21

Family

ID=57537857

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150065350A KR20160132609A (en) 2015-05-11 2015-05-11 Access Control Method to Server

Country Status (1)

Country Link
KR (1) KR20160132609A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200095146A (en) * 2019-01-31 2020-08-10 (주)아이티 노매즈 Method for blocking loop around connection between servers and managing password utilizing imaginary account


Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application