TWI662817B - Connection method and connection system - Google Patents

Publication number: TWI662817B
Application number: TW107100158A
Authority: TW (Taiwan)
Other versions: TW201931827A
Original language: Chinese (zh)
Prior art keywords: program, proxy host, connection, client device, verification
Inventors: Fu-Hau Hsu (許富皓), Dong-Yue Lee (李東岳), Chia-Hao Lee (李家豪), Chun-Yi Wang (王駿逸)
Original assignee: National Central University (國立中央大學)

Abstract

A connection method and a connection system. The connection system includes a server, a proxy host, and a client device. After the proxy host receives a connection request sent by the initialization program of the client device, the proxy host encrypts a connection program and a verification program to obtain encrypted data and sends the encrypted data to the client device. The client device decrypts the encrypted data to obtain the connection program and the verification program. In the client device, the connection program connects to the proxy host, and the verification program sends a verification code to the proxy host. When the proxy host determines that the verification code is correct, a connection between the client device and the server is established through the proxy host.

Description

Connection method and connection system

The present invention relates to a connection mechanism, and more particularly to a connection method and a connection system that verify the security of a connection.

The Internet of Things (IoT) originally referred to the idea that all things are connected to one another by some means, and later came to denote a network in which every ordinary object capable of performing an independent function is interconnected. Through the IoT, a central computer can centrally manage and control machines, devices and personnel; home appliances and cars can be controlled remotely; locations can be looked up and theft of items prevented, much like an automated control system. For example, objects fitted with sensors, smart chips and the like can actively send messages to a central console, and people receive these messages through the central console and thereby learn what the objects themselves have sensed: for instance, through the central console we can obtain the engine information of a car as identified by its sensors, and then schedule maintenance.

As the IoT grows and spreads, security problems grow with it. Whether an IoT architecture is simple or complex, a system is still needed to process the various requests and messages before forwarding them to the central console, and because such systems lack uniformity, traditional defensive methods have difficulty protecting them effectively. Accordingly, how to identify whether sensors deployed in the field are genuine is a current security concern.

The present invention provides a connection method and a connection system that can confirm whether a client device is a secure and trusted device.

The connection method of the present invention includes: sending a connection request to a proxy host through an initialization program of a client device; after the proxy host receives the connection request, encrypting a connection program and a verification program through the proxy host to obtain encrypted data, and sending the encrypted data to the client device; decrypting the encrypted data through the client device to obtain the connection program and the verification program; in the client device, connecting to the proxy host through the connection program and sending a verification code to the proxy host through the verification program; and, when the proxy host determines that the verification code is correct, establishing a connection between the client device and the server through the proxy host.

In an embodiment of the present invention, after the proxy host receives the connection request, the method further includes: sending an encryption program from the proxy host to the client device; executing the encryption program on the client device to obtain a public key and a private key; and sending the public key from the client device to the proxy host. The proxy host uses the public key to encrypt the connection program and the verification program to obtain the encrypted data, and the client device uses the private key to decrypt the encrypted data.

In an embodiment of the present invention, after the proxy host receives the connection request, the method further includes: writing an identification code into the encryption program and compiling it through the proxy host to obtain compiled data, and sending the compiled data to the client device; and interpreting the compiled data through the client device to obtain the identification code and the encryption program. After the encryption program is executed on the client device to obtain the public key and the private key, the method further includes: sending the public key and the identification code from the client device to the proxy host; determining, by the proxy host, whether the identification code has been received; when the proxy host determines that the identification code has not been received within a preset time, interrupting, by the proxy host, the communication with the client device; and when the proxy host determines that the identification code has been received within the preset time, encrypting the connection program and the verification program with the public key through the proxy host to obtain the encrypted data.

In an embodiment of the present invention, after the proxy host receives the connection request, the method further includes: setting, by the proxy host, a port corresponding to the client device; writing the port number of the set port into the connection program through the proxy host; generating a verification code through the proxy host, writing the verification code into the verification program and storing the verification code in a storage device of the proxy host; and encrypting the connection program and the verification program through the proxy host to obtain the encrypted data.

In an embodiment of the present invention, the step of connecting to the proxy host through the connection program in the client device and sending the verification code to the proxy host through the verification program includes: establishing a connection with the port through the connection program based on the port number; and sending the verification code to the port through the verification program.

In an embodiment of the present invention, the connection method further includes: listening on the port through the proxy host to determine whether a verification code has been received from the client device; when a verification code is received on the port and is determined to be correct, connecting to the server through the proxy host, so that the client device establishes a connection with the server via the port provided by the proxy host; and when a verification code is received on the port and is determined to be incorrect, closing the port through the proxy host to interrupt the connection between the client device and the proxy host.

In an embodiment of the present invention, after the encrypted data is decrypted through the client device to obtain the connection program and the verification program, the method further includes: in the client device, sending the verification code to the port of the proxy host through the verification program every first fixed time; in the proxy host, listening every second fixed time for whether the port has received a verification code; if no verification code is detected on the port within a second fixed time, closing the port; if a verification code is detected on the port within a second fixed time, determining whether the verification code is correct; if the verification code is correct, continuing to listen every second fixed time for whether the port has received a verification code; and if the verification code is incorrect, closing the port.

In an embodiment of the present invention, the encrypted data further includes an automatic restart program. The connection method further includes: after the client device decrypts the encrypted data to obtain the automatic restart program, determining through the automatic restart program whether the verification program is operating normally; and when the verification program is determined not to be operating normally, restarting the initialization program through the automatic restart program, so as to interrupt the connection with the proxy host and send the connection request again through the initialization program.

The connection system of the present invention includes: a server; a proxy host connected to the server, wherein the proxy host stores a connection program and a verification program; and a client device on which an initialization program is installed and which communicates with a main control program of the proxy host through the initialization program. Here, the client device sends a connection request to the proxy host through the initialization program; after the proxy host receives the connection request, it encrypts the connection program and the verification program to obtain encrypted data and sends the encrypted data to the client device; after the client device decrypts the encrypted data to obtain the connection program and the verification program, it connects to the proxy host through the connection program and sends a verification code to the proxy host through the verification program; and when the proxy host determines that the verification code is correct, the connection between the client device and the server is established through the proxy host.

Based on the above, a proxy host is placed between the server and the client device; the proxy host connects to the client device and to the server separately and relays data between them. Accordingly, the identity of the client device is verified through the proxy host, ensuring that the client device is a secure and trusted device.

To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.

The present invention is divided into two main phases: a deployment phase and an authentication phase. In the deployment phase, the client device initially has only an initialization program, through which it requests the relevant programs from the proxy host and executes them. The second phase is the authentication phase, in which it is determined whether the client device is a secure and trusted device; when the proxy host detects an anomaly, it actively removes the connection with the client device. To make the content of the present invention clearer, the following embodiments are given as examples by which the present invention can indeed be implemented.

FIG. 1 is a block diagram of a connection system according to an embodiment of the present invention. Referring to FIG. 1, the connection system 100 includes a server 110, a proxy host 120 and a plurality of client devices 130 (including client devices 130-1, 130-2 and so on). In this embodiment, a client device 130 must pass the check of the proxy host 120 before it can establish a connection with the server 110. Specifically, the proxy host 120 connects to the client device 130 and to the server 110 separately; when the proxy host 120 receives data sent by the client device 130, it must forward that data to the server 110, and vice versa.

The proxy host 120 is, for example, a hardware device with computing capability that includes a controller and a storage device, the controller executing code segments in the storage device to achieve specific functions. Alternatively, the proxy host 120 may be software installed on the server 110 and executed by the processor of the server 110. The proxy host 120 is mainly responsible for communication with the client devices 130: it holds the programs the client devices 130 need during the deployment phase and performs the verification role during the authentication phase.

The client device 130 is, for example, a sensor mounted on any of various objects; it includes a controller and a storage device, the controller executing code segments in the storage device to achieve specific functions.

For example, in an Internet of Things (IoT) system, the server 110 is the central console of the IoT system and the client devices 130 are the sensors of the IoT system, installed on the individual objects within it.

The controllers of the client device 130 and the proxy host 120 are, for example, a central processing unit (CPU), a graphics processing unit (GPU), a physics processing unit (PPU), a programmable microprocessor, an embedded control chip, a digital signal processor (DSP), an application-specific integrated circuit (ASIC) or another similar device.

The storage devices of the client device 130 and the proxy host 120 may be fixed or removable components of any type, for example random access memory (RAM), read-only memory (ROM), flash memory, a Secure Digital (SD) memory card, a hard disk, another similar device, or a combination of these.

FIG. 2 is a block diagram of the internal configuration of the proxy host and a client device of a connection system according to an embodiment of the present invention. In this embodiment, the storage device of the proxy host 120 holds a main control program 221, an encryption program 223, a verification program 225, a connection program 227 and an automatic restart program 229. In the initial stage, the storage device of the client device 130 does not yet contain the encryption program 223', the verification program 225', the connection program 227' or the automatic restart program 229'; it holds only the initialization program 211.

The processor of the proxy host 120 executes only the main control program 221 to carry out the connection method described below. It does not execute the encryption program 223, the verification program 225, the connection program 227 or the automatic restart program 229; instead, these programs are encrypted and sent to the client device 130 for the client device 130 to use.

Before the client device 130 sends a connection request to the proxy host 120, it holds only the initialization program 211; the encryption program 223', the verification program 225', the connection program 227' and the automatic restart program 229' are delivered by the proxy host 120, as described in detail below. For example, in an IoT system, the initialization program 211 is installed in the client device 130 when the client device 130 is deployed, and only a device with a legitimate initialization program 211 can successfully establish a connection with the proxy host 120 and then communicate with the server 110 through the proxy host 120. The steps of the connection method of the present case are explained in detail by way of example below.

FIG. 3 is a flowchart of a connection method according to an embodiment of the present invention. Referring to FIGS. 1 to 3 together, in step S305 the initialization program 211 of the client device 130 sends a connection request to the proxy host 120; that is, the processor of the client device 130 sends the connection request to the main control program 221 through the initialization program 211. Here, the client device 130 further includes a communication device through which it exchanges messages with the proxy host. The communication device is, for example, a network card, a WiFi module, a Bluetooth module, an infrared module or a Subscriber Identity Module (SIM) card.

After the proxy host 120 receives the connection request, in step S310 the proxy host 120 encrypts the connection program 227 and the verification program 225 through the main control program 221 to obtain encrypted data, and sends the encrypted data to the client device 130. Next, in step S315, the client device 130 decrypts the encrypted data to obtain the connection program 227' and the verification program 225'. Here, the proxy host 120 and the client device 130 may use an asymmetric encryption algorithm for the encryption and decryption.

An asymmetric encryption algorithm requires two keys, a public key and a private key; when one is used for encryption, the other is used for decryption. Ciphertext obtained by encrypting plaintext with one of the keys can only be decrypted back to the original plaintext with the corresponding other key. For example, the proxy host 120 encrypts the connection program 227 and the verification program 225 with the public key to obtain the encrypted data, and the client device 130 decrypts the encrypted data with the private key to obtain the connection program 227' and the verification program 225'. The verification program 225' serves to provide a verification code, and the connection program 227' serves to establish a connection with the proxy host 120.

After the client device 130 has obtained the connection program 227' and the verification program 225', in step S320 the client device 130 connects to the proxy host 120 through the connection program 227' and sends the verification code to the proxy host 120 through the verification program 225'. In step S325, when the proxy host 120 determines that the received verification code is correct, the connection between the client device 130 and the server 110 is established through the proxy host 120.

Building on the above embodiment, another implementation with higher security is described below. FIG. 4 is a flowchart of another connection method according to an embodiment of the present invention. Referring to FIGS. 1, 2 and 4 together, in step S405 the client device 130 sends a connection request to the proxy host 120 through the initialization program 211. After receiving the connection request, the proxy host 120 sends the encryption program 223 to the client device 130 in step S410. Here, the encryption program 223 (223') is responsible for providing the public key and the private key. After receiving the encryption program 223 (that is, the encryption program 223'), the client device 130 executes the encryption program 223' through the initialization program 211 in step S415, thereby obtaining the public key and the private key. Then, in step S420, the client device 130 sends the public key to the proxy host 120 through the encryption program 223'.

In addition, before the proxy host 120 sends the encryption program 223 to the client device 130 (step S410), the encryption program can be further hardened to prevent man-in-the-middle attacks. Specifically, the proxy host 120 writes an identification code (for example, a random string produced by a random number generator) into the encryption program 223 and compiles it to obtain compiled data, and sends the compiled data to the client device 130. On receiving the compiled data, the client device 130 first interprets it to obtain the identification code and the encryption program 223'. The encryption program 223' is then executed through the initialization program 211 (step S415), and in step S420 the client device 130 sends the public key together with the identification code to the proxy host 120. Here, an authenticated key exchange mechanism can further be used to bind the public key to the identification code.

The proxy host 120 uses whether the identification code is received to decide whether to interrupt communication with the client device 130. That is, when the proxy host 120 determines that the identification code has not been received within a preset time, the proxy host 120 interrupts communication with the client device 130. When the proxy host 120 determines that the identification code has been received within the preset time, the connection program 227 and the verification program 225 are encrypted with the public key through the main control program 221 to obtain the encrypted data.

Because the proxy host 120 transmits the encryption program as plain code, an attacker who sniffs the transmitted packets at this point could see the identification code inside the encryption program. To avoid this type of attack, the compiled data (the compiled encryption program) can be further protected by packing (shelling) or alignment.

A packed encryption program (executable) can still be executed directly, but the executable itself is encrypted, so when an attacker tries to obtain information by looking at a specific offset in the packet, what the attacker obtains is encrypted ciphertext. Alignment, on the other hand, makes the identification code's position in memory a multiple of a specific number: the compiler generates padding according to the alignment value set by the user, which changes the offset of the identification code within the encryption program (executable).

Returning to FIG. 4, in step S425 the proxy host 120 sets a port corresponding to the client device 130 and writes the port number of the set port into the connection program 227. In step S430, the proxy host 120 generates a verification code and writes it into the verification program 225, and also stores the verification code in the storage device of the proxy host 120 for later checking. The verification code is, for example, a one-time password: different client devices 130 have different verification codes, and the verification code used for each connection also differs. The order of steps S425 and S430 is not limited; for example, step S430 may be performed before step S425, or steps S425 and S430 may be performed simultaneously.

Then, in step S435, the proxy host 120 uses the public key, through the main control program 221, to encrypt the connection program 227 (into which the port number has been written) and the verification program 225 (into which the verification code has been written) to obtain the encrypted data. Next, in step S440, the main control program 221 sends the encrypted data to the client device 130. After receiving the encrypted data, the client device 130 decrypts it with the private key through the encryption program 223' to obtain the connection program 227' and the verification program 225'. After the connection program 227' and the verification program 225' have been executed, each is deleted, to prevent the verification code from being stolen. When the verification code needs to be sent again, the encryption program 223' can decrypt the encrypted data once more to obtain the connection program 227' and the verification program 225'.

Then, in step S450, a connection with the port is established through the connection program 227' based on the port number. After the connection with the port of the proxy host 120 is established, in step S455 the verification code is sent to the port through the verification program 225'.

In addition, in step S435 the proxy host 120 may also use the public key to encrypt the automatic restart program 229 together with the connection program 227 (into which the port number has been written) and the verification program 225 (into which the verification code has been written) to obtain the encrypted data. When the client device 130 decrypts the encrypted data, it obtains the connection program 227', the verification program 225' and the automatic restart program 229' at the same time. The automatic restart program 229' automatically detects whether the verification program 225' is operating normally. If the automatic restart program 229' determines that the verification program 225' is not operating normally, it restarts the initialization program 211, so as to interrupt the connection with the proxy host 120 and send the connection request again through the initialization program 211 (re-executing step S405).

In step S460, the proxy host 120 listens on the port through the main control program 221 to determine whether a verification code has been received from the client device 130. When the port receives the verification code and the code is determined to be correct, in step S465 the proxy host 120 connects to the server 110, so that the client device 130 establishes a connection with the server 110 via the port provided by the proxy host 120. On the other hand, when the port receives the verification code and the code is determined to be incorrect, the proxy host 120 closes the port to break the connection between the client device 130 and the proxy host 120.

After the client device 130 has been enabled to establish a connection with the server 110 through the proxy host 120, the identity of the client device 130 can be verified further. Another embodiment is described below to illustrate this.

FIG. 5 is a flowchart of a method for verifying a client device according to an embodiment of the present invention. Referring to FIG. 1, FIG. 2 and FIG. 5, in step S505 the client device 130 sends the verification code to the port of the proxy host 120 through the verification program 225' at every first fixed interval (for example, 10 minutes). Next, in step S510, the proxy host 120 continuously listens on the port through the main control program 221. In step S515, the main control program 221 determines whether the verification code is received within every second fixed interval (for example, 15 minutes). If the port is not observed to receive the verification code within a second fixed interval, then in step S525 the main control program 221 closes the port to break the connection between the proxy host 120 and the client device 130. If the port does receive the verification code within each second fixed interval, then in step S520 the main control program 221 further determines whether the verification code is correct. If the verification code is correct, the flow returns to step S515 and the main control program 221 keeps checking at every second fixed interval whether the port has received the verification code. If the verification code is incorrect, then in step S525 the main control program 221 closes the port to break the connection between the proxy host 120 and the client device 130.
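As an added illustration (not code from the patent), the following Python simulates the proxy host's side of steps S460 to S465 and of the verification loop of FIG. 5 (S505 to S525): the main control program assigns a port and a verification code per client, the first correct code triggers the server connection, a wrong code closes the port, and a check at every second fixed interval (15 minutes) closes the port when no code has arrived since the previous check. The simulated clock, the client identifier, the port range and the code format are assumptions; the programs themselves and the encryption of steps S435 to S440 are not modelled.

```python
# Added example: stdlib-only simulation of the proxy host's verification logic
# (steps S460-S465 and FIG. 5, S505-S525). Time is a simulated clock in seconds.
import hmac
import secrets
from dataclasses import dataclass, field

FIRST_INTERVAL = 10 * 60    # S505: the client sends the code every 10 minutes
SECOND_INTERVAL = 15 * 60   # S515: the proxy host checks every 15 minutes
# FIRST_INTERVAL < SECOND_INTERVAL, so an honest client always has at least one
# code inside each check window; a silent client is cut off within 15 minutes.


@dataclass
class PortState:
    """Per-client state kept by the main control program 221."""
    client_id: str
    port: int
    verification_code: str             # stored on the proxy host (claim 4)
    is_open: bool = True
    connected_to_server: bool = False  # set in S465
    last_check: int = 0
    received_since_check: list = field(default_factory=list)


class ProxyHost:
    def __init__(self, base_port: int = 40000):  # assumed port range
        self._next_port = base_port
        self._ports = {}  # port -> PortState

    def set_port(self, client_id: str, now: int):
        """Claim 4: assign a port to the client, generate and store the
        verification code. Returns the values that are written into the
        connection and verification programs before encryption (S435)."""
        port = self._next_port
        self._next_port += 1
        code = secrets.token_hex(16)   # assumed format: 128-bit random code
        self._ports[port] = PortState(client_id, port, code, last_check=now)
        return port, code

    def is_open(self, port: int) -> bool:
        st = self._ports.get(port)
        return st is not None and st.is_open

    def receive_code(self, port: int, code: str, now: int) -> str:
        """S460/S465 for the first code, S505/S520 for periodic ones: a wrong
        code closes the port, the first correct code connects the client to
        the server, later correct codes only refresh the liveness window."""
        st = self._ports.get(port)
        if st is None or not st.is_open:
            return "closed"
        # constant-time comparison: a probe of the port learns nothing about
        # the stored code from response timing
        if not hmac.compare_digest(st.verification_code.encode(), code.encode()):
            st.is_open = False               # S525 / claim 6: close the port
            return "closed"
        st.received_since_check.append(now)
        if not st.connected_to_server:
            st.connected_to_server = True    # S465: connect to server 110
            return "connected"
        return "ok"

    def tick(self, port: int, now: int) -> str:
        """S515-S525: at every second fixed interval, close the port if no
        correct code arrived since the previous check."""
        st = self._ports.get(port)
        if st is None or not st.is_open:
            return "closed"
        if now - st.last_check < SECOND_INTERVAL:
            return "waiting"
        st.last_check = now
        if not st.received_since_check:
            st.is_open = False
            return "closed"
        st.received_since_check.clear()
        return "ok"


def simulate(send_code, stop_after=None, minutes=60):
    """Run one client against a fresh proxy host for `minutes` of simulated
    time. send_code(code) is what the verification program 225' actually
    transmits (identity for an honest client); stop_after is the minute after
    which the client goes silent. Returns (port still open, event log)."""
    proxy = ProxyHost()
    port, code = proxy.set_port("client-130", now=0)   # constructed client id
    log = [(0, proxy.receive_code(port, send_code(code), 0))]   # S455
    for minute in range(1, minutes + 1):
        now = minute * 60
        due = minute % (FIRST_INTERVAL // 60) == 0
        if due and (stop_after is None or minute <= stop_after):
            log.append((minute, proxy.receive_code(port, send_code(code), now)))
        result = proxy.tick(port, now)
        if result != "waiting":
            log.append((minute, "check:" + result))
        if not proxy.is_open(port):
            break
    return proxy.is_open(port), log
```

`simulate(lambda c: c)` keeps the port open for the whole hour, `simulate(lambda c: c, stop_after=20)` shows the port being closed at the 45-minute check, and `simulate(lambda c: "0" * 32)` shows a wrong code closing the port immediately.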

In addition, the client device 130 further provides an isolated-environment method to prevent the client device 130 from being taken over by an attacker. Examples of such isolation methods are containers, sandboxes, namespaces, AppArmor, Security-Enhanced Linux (SELinux) and control groups (cgroups). An application running inside a container (for example, a Docker container) can be resource-controlled and isolated. In computer security, a sandbox is a security mechanism that provides an isolated environment for a running program. AppArmor records all of a program's actions and builds a profile for that program, so as to restrict it from performing exceptional behaviour and prevent improper access. Security-Enhanced Linux is an implementation of mandatory access control. Control groups are a Linux kernel feature used to limit, control and isolate the resources (such as CPU, memory and disk I/O) of a process group.

For example, if the client device is taken over by an attacker who obtains the highest user privilege (for example, system administrator), the attacker can alter the flow of the client program; once the forged client program passes verification, it can send fake data to the proxy host 120 throughout subsequent system operation. To avoid this type of problem, the client device 130 adopts the isolated-environment method, which protects the connection program 227' in the client device 130 and restricts an illegitimate user, inside the isolated environment, to executing only the prescribed flow, ensuring that the illegitimate user cannot use the connection program 227' or the verification program 225'.

In summary, in the initial configuration the client device holds only the initialization program; only after a series of exchanges and verifications can the client device obtain the other programs and the verification code from the proxy host. Thereafter the client device periodically sends the verification code to the proxy host, and the proxy host uses the verification code to judge whether the client device is genuine or has a problem. The connection system of the described embodiments can be flexibly deployed and applied to all kinds of Internet of Things systems, to ensure that client devices deployed in the field are secure and trustworthy devices.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Any person with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present invention; the scope of protection of the present invention shall therefore be that defined by the appended claims.

100 connection system

110 server

120 proxy host

130, 130-1, 130-2 client devices

211 initialization program

221 main control program

223, 223' encryption program

225, 225' verification program

227, 227' connection program

229, 229' automatic restart program

S305~S325 steps of a connection method

S405~S470 steps of another connection method

S505~S525 steps of a method for verifying a client device

FIG. 1 is a block diagram of a connection system according to an embodiment of the present invention.

FIG. 2 is a block diagram of the internal structure of the proxy host and the client device of a connection system according to an embodiment of the present invention.

FIG. 3 is a flowchart of a connection method according to an embodiment of the present invention.

FIG. 4 is a flowchart of another connection method according to an embodiment of the present invention.

FIG. 5 is a flowchart of a method for verifying a client device according to an embodiment of the present invention.

Claims (16)

1. A connection method, comprising: sending a connection request to a proxy host through an initialization program of a client device; after the proxy host receives the connection request, encrypting a connection program and a verification program by the proxy host to obtain encrypted data, and sending the encrypted data to the client device; decrypting the encrypted data by the client device to obtain the connection program and the verification program; in the client device, connecting to the proxy host through the connection program and sending a verification code to the proxy host through the verification program; and when the proxy host determines that the verification code is correct, establishing a connection between the client device and a server through the proxy host.

2. The connection method of claim 1, wherein after the proxy host receives the connection request, the method further comprises: sending an encryption program from the proxy host to the client device; executing the encryption program on the client device to obtain a public key and a private key; and sending the public key from the client device to the proxy host, wherein the proxy host encrypts the connection program and the verification program with the public key to obtain the encrypted data, and the client device decrypts the encrypted data with the private key.

3. The connection method of claim 2, wherein after the proxy host receives the connection request, the method further comprises: writing an identification code into the encryption program and compiling it by the proxy host to obtain compiled data, and sending the compiled data to the client device; and interpreting the compiled data by the client device to obtain the identification code and the encryption program; wherein after the step of executing the encryption program on the client device to obtain the public key and the private key, the method further comprises: sending the public key and the identification code from the client device to the proxy host; determining by the proxy host whether the identification code has been received; when the proxy host determines that the identification code has not been received within a preset time, breaking off communication between the proxy host and the client device; and when the proxy host determines that the identification code has been received within the preset time, encrypting the connection program and the verification program with the public key by the proxy host to obtain the encrypted data.

4. The connection method of claim 1, wherein after the proxy host receives the connection request, the method further comprises: setting, by the proxy host, a port corresponding to the client device; writing the port number of the set port into the connection program by the proxy host; generating the verification code by the proxy host, writing the verification code into the verification program and storing the verification code in a storage device of the proxy host; and encrypting the connection program and the verification program by the proxy host to obtain the encrypted data.

5. The connection method of claim 4, wherein the step of connecting to the proxy host through the connection program in the client device and sending the verification code to the proxy host through the verification program comprises: establishing a connection to the port through the connection program based on the port number; and sending the verification code to the port through the verification program.

6. The connection method of claim 4, further comprising: listening on the port by the proxy host to determine whether the verification code has been received from the client device; when the port receives the verification code and the verification code is determined to be correct, connecting the proxy host to the server so that the client device establishes a connection with the server via the port provided by the proxy host; and when the port receives the verification code and the verification code is determined to be incorrect, closing the port by the proxy host to break the connection between the client device and the proxy host.

7. The connection method of claim 4, wherein after the step of decrypting the encrypted data by the client device to obtain the connection program and the verification program, the method further comprises: in the client device, sending the verification code to the port of the proxy host through the verification program at every first fixed interval; in the proxy host, checking at every second fixed interval whether the port has received the verification code; if the port is not observed to receive the verification code within a second fixed interval, closing the port; if the port is observed to receive the verification code within each second fixed interval, determining whether the verification code is correct; if the verification code is correct, continuing to check at every second fixed interval whether the port has received the verification code; and if the verification code is incorrect, closing the port.

8. The connection method of claim 1, wherein the encrypted data further comprises an automatic restart program, and the connection method further comprises: after the client device decrypts the encrypted data to obtain the automatic restart program, determining through the automatic restart program whether the verification program is operating normally; and when the verification program is determined not to be operating normally, restarting the initialization program through the automatic restart program, so as to break the connection with the proxy host and send the connection request again through the initialization program.

9. A connection system, comprising: a server; a proxy host connected to the server, wherein the proxy host stores a connection program and a verification program; and a client device on which an initialization program is installed, the client device communicating with the main control program of the proxy host through the initialization program, wherein the client device sends a connection request to the proxy host through the initialization program; after receiving the connection request, the proxy host encrypts a connection program and a verification program to obtain encrypted data and sends the encrypted data to the client device; after decrypting the encrypted data to obtain the connection program and the verification program, the client device connects to the proxy host through the connection program and sends a verification code to the proxy host through the verification program; and when the proxy host determines that the verification code is correct, the connection between the client device and the server is established through the proxy host.

10. The connection system of claim 9, wherein after the proxy host receives the connection request, the proxy host sends an encryption program to the client device; the client device executes the encryption program to obtain a public key and a private key, and sends the public key to the proxy host; wherein the proxy host encrypts the connection program and the verification program with the public key to obtain the encrypted data, and the client device decrypts the encrypted data with the private key.

11. The connection system of claim 10, wherein after the proxy host receives the connection request, the proxy host writes an identification code into the encryption program and compiles it to obtain compiled data, and sends the compiled data to the client device; the client device interprets the compiled data to obtain the identification code and the encryption program, and sends the public key and the identification code to the proxy host; the proxy host determines whether the identification code has been received; when the proxy host determines that the identification code has not been received within a preset time, the proxy host breaks off communication with the client device; and when the proxy host determines that the identification code has been received within the preset time, it encrypts the connection program and the verification program with the public key to obtain the encrypted data.

12. The connection system of claim 9, wherein after the proxy host receives the connection request, the proxy host sets a port corresponding to the client device, writes the port number of the set port into the connection program, generates the verification code, writes the verification code into the verification program and stores the verification code in a storage device of the proxy host, after which the proxy host encrypts the connection program and the verification program to obtain the encrypted data.

13. The connection system of claim 12, wherein the client device establishes a connection to the port through the connection program based on the port number, and sends the verification code to the port through the verification program.

14. The connection system of claim 12, wherein the proxy host listens on the port to determine whether the verification code has been received from the client device; when the port receives the verification code and the verification code is determined to be correct, the proxy host connects to the server so that the client device establishes a connection with the server via the port provided by the proxy host; and when the port receives the verification code and the verification code is determined to be incorrect, the proxy host closes the port to break the connection between the client device and the proxy host.

15. The connection system of claim 12, wherein the client device sends the verification code to the port of the proxy host through the verification program at every first fixed interval; the proxy host checks at every second fixed interval whether the port has received the verification code; if the port is not observed to receive the verification code within a second fixed interval, the proxy host closes the port; if the port is observed to receive the verification code within each second fixed interval, the proxy host determines whether the verification code is correct; if the verification code is correct, the proxy host continues to check at every second fixed interval whether the port has received the verification code; and if the verification code is incorrect, the proxy host closes the port.

16. The connection system of claim 9, wherein the encrypted data further comprises an automatic restart program; after the client device decrypts the encrypted data to obtain the automatic restart program, it determines through the automatic restart program whether the verification program is operating normally; and when the verification program is determined not to be operating normally, it restarts the initialization program through the automatic restart program, so as to break the connection with the proxy host and send the connection request again through the initialization program.
TW107100158A 2018-01-03 2018-01-03 Connection method and connection system TWI662817B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107100158A TWI662817B (en) 2018-01-03 2018-01-03 Connection method and connection system

Publications (2)

Publication Number Publication Date
TWI662817B true TWI662817B (en) 2019-06-11
TW201931827A TW201931827A (en) 2019-08-01

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012031757A1 (en) * 2010-09-09 2012-03-15 Loginpeople Sa Method of challenge-response type-otp based secure authentication
US20130185780A1 (en) * 2012-01-12 2013-07-18 Infosys Limited Computer implemented method and system for generating a one time password
US9083510B1 (en) * 2013-03-13 2015-07-14 Emc Corporation Generation and management of crypto key for cloud data
US20150312249A1 (en) * 2014-04-28 2015-10-29 Fixmo, Inc. Password retrieval system and method involving token usage without prior knowledge of the password
US9230084B2 (en) * 2012-10-23 2016-01-05 Verizon Patent And Licensing Inc. Method and system for enabling secure one-time password authentication
TWI556618B (en) * 2015-01-16 2016-11-01 Univ Nat Kaohsiung 1St Univ Sc Network Group Authentication System and Method
TWI576779B (en) * 2015-10-13 2017-04-01 Nat Sun Yat-Sen Univ Method and Method of Payment Authentication System for Internet of Things
TW201806352A (en) * 2016-08-04 2018-02-16 捷而思股份有限公司 Forged command filtering system, collaborative operating system, and related command authentication circuit
