WO2015058324A1 - Method for verifying security of tcp connection - Google Patents

Method for verifying security of TCP connection

Publication number
WO2015058324A1
WO2015058324A1 PCT/CN2013/001314 CN2013001314W WO2015058324A1 WO 2015058324 A1 WO2015058324 A1 WO 2015058324A1 CN 2013001314 W CN2013001314 W CN 2013001314W WO 2015058324 A1 WO2015058324 A1 WO 2015058324A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
packet
tcp
connection
access
Prior art date
Application number
PCT/CN2013/001314
Other languages
French (fr)
Chinese (zh)
Inventor
邱文乔
Original Assignee
邱文乔
Priority date
Filing date
Publication date
Application filed by 邱文乔

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • The present invention relates to a method of verifying the security of a TCP connection.
  • In existing network systems (local area networks, the Internet), data is exchanged mainly over the TCP/IP protocol.
  • When the TCP/IP protocol was defined in the 1970s, it was intended mainly for military use on closed networks. Its designers did not expect it to be adopted so widely, and security risks were not considered at all.
  • The technical problem to be solved by the present invention is to provide a method for verifying the security of a TCP connection that protects the server effectively at the earliest possible moment.
  • A method for verifying the security of a TCP connection, comprising the following steps:
  • NDIS is used to modify the data packet of the TCP connection so that it carries padding data as verification information.
  • After receiving the data, the server decrypts it using the previously saved key and the SEAL algorithm.
  • Step 1 is specifically: first, attached data is generated for the TCP packet; the generated attached data is then placed directly at the end of the original SYN packet. Compared with the original SYN packet, the modified packet carries 32 more bytes of data, so the "Total Length" field in the IP packet, which gives the length of the IP packet, must be modified accordingly.
  • The attached data filled into the TCP packet may be fixed data or variable data.
  • The specific method for filling the TCP packet with variable attached data is: based on the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time,
  • the MD5 algorithm is used to calculate a hash value (16 bytes), which is placed in the check area; a random 16-byte key is also generated and placed in the key area (and this value is saved locally);
  • The attached data obtained at this point is plaintext.
  • The data is encrypted with the RSA algorithm public key.
  • The attached data filled into the TCP packet may be placed in the option area of the TCP packet header or in the data area of the TCP packet.
  • Step 2 is specifically: after receiving the TCP connection request, the server first checks whether there is attached data in the option area. If there is, it determines whether the data matches the rule features: if it matches, access is allowed; if not, access is denied and the packet is discarded or the connection is hung up with an RST. If there is no attached data, it checks whether there is a data area: if there is none, access is denied and the packet is discarded or the connection is hung up with an RST; if there is a data area, the data length is checked. If the data length is 16 bytes, it determines whether the data matches the rule features: if it matches, access is allowed; if not, access is denied and the packet is discarded or the connection is hung up with an RST. If the data length is 32 bytes, the data is decrypted with the RSA algorithm and the first 16 bytes are checked against the rule features: if they match, access is allowed and the last 16 bytes are saved for decrypting the data transmitted after the connection is established; if not, access is denied and the packet is discarded or the connection is hung up with an RST.
  • The specific method for judging whether the attached data matches the rule features is: first, the attached data is decrypted with the RSA algorithm private key; then the TCP connection is checked for trustworthiness using the same algorithm as the client: based on the preset static value, the client address, the client
  • port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time, the MD5 algorithm is used to calculate a hash value (16 bytes). If this value matches the check value in the attached data, the connection is trusted: access is allowed, the subsequent connection process continues, and the key in the attached data is saved; otherwise, the request is rejected or ignored.
  • The present invention has the following beneficial effects: a check of the connection information is added to the handshake that precedes data transmission. A connection is allowed only when its connection packet contains the specific information; for any other ordinary connection request packet, the connection is hung up or the packet is discarded, so that the connection cannot be completed and subsequent attacks, theft and the like cannot be carried out. In this way, the server can be protected effectively at the earliest possible moment.
  • Figure 1 is a timing diagram of the TCP protocol during connection establishment.
  • Figure 2 is a diagram of the packet structure for a standard TCP connection.
  • Figure 3 is a structure diagram showing the attached data placed in the option area of the TCP packet.
  • Figure 4 is a structure diagram showing the attached data placed in the data area of the TCP packet.
  • Figure 5 is a flow chart of the client generating variable attached data.
  • Figure 6 is a flow chart of the server processing a TCP connection.
  • This embodiment is mainly directed at applications that use the TCP protocol.
  • A handshake must be completed before data is transmitted. If a check of the connection information is added to the handshake, a connection is allowed only when its connection packet contains the specific information; for any other ordinary connection request packet, the connection is hung up or the packet is discarded, so that the connection cannot be completed and subsequent attacks, theft and the like cannot be carried out. In this way, the server can be protected effectively at the earliest possible moment.
  • The TCP header can have an option area with a maximum size of 40 bytes, and the options that may be used in the first step of the client's connection handshake with the server.
  • "1234abcd" is agreed as the data recognized by both the TCP client and the server.
  • The SYN information is modified through NDIS, and "1234abcd" is added at the end of the option area.
  • When the server receives the TCP connection signal, it inspects the option area. If there is more data than in a normal option area, and that data is "1234abcd", the connection is considered to come from a trusted computer; otherwise the connection is ignored or hung up.
  • Values generated by a given algorithm can also be used as the basis for the check on both sides.
  • At the IP layer, we can obtain the source IP address and the destination IP address.
  • At the TCP layer, we can obtain the source port number, the destination port number, the SEQ number and other variables.
  • A predetermined scrambling code can also be filled in. These variables are combined and passed through a hash algorithm such as MD5/SHA1, or a reversible algorithm such as AES, to obtain a value, which is then filled into the option area.
  • When the server receives the connection request and finds extra data in the option area, it obtains the values of these variables one by one and performs the same calculation as the client. If the result is the same as the value stored in the option, the TCP connection comes from a trusted client. Otherwise, the connection is ignored or hung up.
  • The application can be extended further: while verifying whether the connection comes from a trusted computer, the data subsequently transmitted over TCP is also encrypted, further strengthening security.
  • The method is as follows: when the client initiates the connection, the attached data consists of two parts. The first half is used to check whether the connection is trusted, and the second half is used to transmit the key.
  • When the client initiates the connection request, the first half, used as the check area, is filled in by the method above; a random value is then generated as the key and filled into the second half (the random key is also saved), giving the complete attached data (plaintext).
  • This data is then encrypted with the public key of the RSA algorithm (ciphertext) and filled into the option area.
  • When the server receives this attached data, it decrypts it with the private key of the RSA algorithm. It first uses the first half of the attached data to check whether the connection is trusted. If it is, the connection is allowed and the second half of the attached data (that is, the random key) is saved. After the handshake is complete, when the client transmits data, it first encrypts the data with the saved key using a symmetric algorithm (DES, AES, SEAL, RC4, etc.) and then sends it. When the server receives the data, it decrypts it with the saved key.
  • The option area cannot hold all of it.
  • The data can be placed in the data area of the TCP packet in the SYN.
  • The implementation process is the same as placing the attached data in the option area.
  • The method for verifying the security of a TCP connection in this embodiment includes the following steps:
  • When the specified program sends a TCP connection request to the specified server address and port, NDIS is used to modify the data packet of the TCP connection so that it carries padding data as verification information.
  • Step 1 is specifically: first, attached data is generated for the TCP packet; the generated attached data is then placed directly at the end of the original SYN packet. Compared with the original SYN packet, the modified packet carries 32 more bytes of data.
  • The "Total Length" field in the IP packet, which gives the length of the IP packet, must also be modified accordingly.
  • The attached data filled into the TCP packet can be either fixed data or variable data.
  • The specific method for filling the TCP packet with variable attached data is: based on the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time, the MD5 algorithm is used to calculate a hash value (16 bytes), which is placed in the check area; a random 16-byte key is also generated and placed in the key area (and this value is saved locally). The attached data obtained at this point is plaintext. To protect the key from disclosure, the data is encrypted with the RSA algorithm public key.
  • The attached data filled into the TCP packet can be placed in the option area of the TCP packet header or in the data area of the TCP packet.
  • Step 2 is as follows: after receiving the TCP connection request, the server first checks whether there is attached data in the option area. If there is, it determines whether the data matches the rule features: if it matches, access is allowed; if not, access is denied and the packet is discarded or the connection is hung up with an RST. If there is no attached data, it checks whether there is a data area: if there is none, access is denied and the packet is discarded or the connection is hung up with an RST; if there is a data area, the data length is checked. If the data length is 16 bytes, it determines whether the data matches the rule features: if it matches, access is allowed; if not, access is denied and the packet is discarded or the connection is hung up with an RST.
  • The RSA algorithm is used to decrypt the data, and the first 16 bytes are then checked against the rule features. If they match, access is allowed and the last 16 bytes are saved for decrypting the data transmitted after the connection is established; if not, access is denied and the packet is discarded or the connection is hung up with an RST.
  • The specific method for judging whether the attached data matches the rule features is: first, the attached data is decrypted with the RSA algorithm private key; then the TCP connection is checked for trustworthiness using the same algorithm as the client: based on the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time, the MD5 algorithm is used to calculate a hash value (16 bytes). If this value matches the check value in the attached data, the connection is trusted: access is allowed, the subsequent connection process continues, and the key in the attached data is saved; otherwise, the request is rejected or ignored.
  • After receiving the data, the server decrypts it using the previously saved key and the SEAL algorithm.

Abstract

Disclosed is a method for verifying the security of a TCP connection, in which NDIS is used to modify the SYN packet data when a client initiates a connection. Additional verification information is added to the option area or the data area, and subsequent connection steps are allowed to proceed and complete the access only if the server detects the verification information and the verification information is correct; otherwise, the connection is hung up or the packet is discarded, so that the connection cannot be completed and subsequent attacks, theft and the like cannot be carried out. By means of the method, the security of the server can be protected effectively at the earliest possible moment.

Description

Specification

A method for verifying the security of a TCP connection

Technical field

The present invention relates to a method of verifying the security of a TCP connection.

Background

In existing network systems (local area networks, the Internet), data is exchanged mainly over the TCP/IP protocol. When the TCP/IP protocol was defined in the 1970s, it was intended mainly for military use on closed networks. Its designers did not expect it to be adopted so widely, and security risks were not considered at all.

Existing security systems such as firewalls are fairly effective at preventing attacks launched from outside. However, they cannot exercise finer-grained control over computers inside the trusted zone. For example, a user wants to protect an important database system and allow access to the database only from client computers that have anti-virus software and third-party audit software installed. Existing security systems such as firewalls offer no solution for this requirement.

Summary of the invention
The technical problem to be solved by the present invention is to provide a method for verifying the security of a TCP connection that protects the server effectively at the earliest possible moment.

To solve this technical problem, the technical solution provided by the present invention is a method for verifying the security of a TCP connection, comprising the following steps:

① On the client, when the specified program sends a TCP connection request to the specified server address and port, NDIS is used to modify the data packet of the TCP connection so that it carries padding data as verification information;

② On the server, when a TCP client connection request is received, the server first checks whether the option area of the TCP packet contains attached data to decide whether access is allowed; if there is no attached data there, it checks whether the data area of the TCP packet contains attached data to decide whether access is allowed;

③ After the TCP connection is established, when the client sends data, the data is encrypted with the SEAL algorithm and the previously saved key;

④ After receiving the data, the server decrypts it using the previously saved key and the SEAL algorithm.

Step ① is specifically: first, attached data is generated for the TCP packet; the generated attached data is then placed directly at the end of the original SYN packet. Compared with the original SYN packet, the modified packet carries 32 more bytes of data, so the "Total Length" field in the IP packet, which gives the length of the IP packet, must be modified accordingly.

The attached data filled into the TCP packet may be fixed data or variable data. The specific method for filling the TCP packet with variable attached data is: based on the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time, the MD5 algorithm is used to calculate a hash value (16 bytes), which is placed in the check area; a random 16-byte key is also generated and placed in the key area (and this value is saved locally). The attached data obtained at this point is plaintext; to protect the key from disclosure, the data is encrypted with the RSA algorithm public key.

The attached data filled into the TCP packet may be placed in the option area of the TCP packet header or in the data area of the TCP packet.

Step ② is specifically: after receiving the TCP connection request, the server first checks whether there is attached data in the option area. If there is, it determines whether the data matches the rule features: if it matches, access is allowed; if not, access is denied and the packet is discarded or the connection is hung up with an RST. If there is no attached data, it checks whether there is a data area: if there is none, access is denied and the packet is discarded or the connection is hung up with an RST; if there is a data area, the data length is checked. If the data length is 16 bytes, it determines whether the data matches the rule features: if it matches, access is allowed; if not, access is denied and the packet is discarded or the connection is hung up with an RST. If the data length is 32 bytes, the data is decrypted with the RSA algorithm and the first 16 bytes are checked against the rule features: if they match, access is allowed and the last 16 bytes are saved for decrypting the data transmitted after the connection is established; if not, access is denied and the packet is discarded or the connection is hung up with an RST.

The specific method for judging whether the attached data matches the rule features is: first, the attached data is decrypted with the RSA algorithm private key; then the TCP connection is checked for trustworthiness using the same algorithm as the client: based on the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time, the MD5 algorithm is used to calculate a hash value (16 bytes). If this value matches the check value in the attached data, the connection is trusted: access is allowed, the subsequent connection process continues, and the key in the attached data is saved; otherwise, the request is rejected or ignored.

With the above technical solution, the present invention has the following beneficial effects: a check of the connection information is added to the handshake that precedes data transmission. A connection is allowed only when its connection packet contains the specific information; for any other ordinary connection request packet, the connection is hung up or the packet is discarded, so that the connection cannot be completed and subsequent attacks, theft and the like cannot be carried out. In this way, the server can be protected effectively at the earliest possible moment.

Brief description of the drawings
To make the content of the present invention easier to understand clearly, the invention is described in further detail below on the basis of a specific embodiment and with reference to the accompanying drawings, in which:

Figure 1 is a timing diagram of the TCP protocol during connection establishment.
Figure 2 is a diagram of the packet structure for a standard TCP connection.
Figure 3 is a structure diagram showing the attached data placed in the option area of the TCP packet.
Figure 4 is a structure diagram showing the attached data placed in the data area of the TCP packet.
Figure 5 is a flow chart of the client generating variable attached data.
Figure 6 is a flow chart of the server processing a TCP connection.

Detailed description
(Embodiment 1)

This embodiment is mainly directed at applications that use the TCP protocol. With TCP, a handshake must be completed before data is transmitted. If a check of the connection information is added to the handshake, a connection is allowed only when its connection packet contains the specific information; for any other ordinary connection request packet, the connection is hung up or the packet is discarded, so that the connection cannot be completed and subsequent attacks, theft and the like cannot be carried out. In this way, the server can be protected effectively at the earliest possible moment.

See Figures 1 to 4. According to the TCP protocol, the TCP header may have an option area with a maximum size of 40 bytes. In the first step of the client's connection handshake with the server, the options that may be used are: MSS (maximum segment size), Kind=2, 4 bytes; Window Scale (window scale factor), Kind=3, 3 bytes; SACK-Permit (selective acknowledgment), Kind=4, 2 bytes; Timestamp (timestamp option), Kind=8, 10 bytes. After alignment, these options use at most 20 bytes, so 20 bytes remain available. These 20 available bytes can be used to carry data that we specify in order to check the trustworthiness of the connection. For example, if "1234abcd" is agreed as the data recognized by both the TCP client and the server, then when the client initiates a connection, the SYN information is modified through NDIS and "1234abcd" is added at the end of the option area. When the server receives the TCP connection signal, it inspects the option area: if there is more data than in a normal option area, and that data is "1234abcd", the connection is considered to come from a trusted computer; otherwise the connection is ignored or hung up.
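The option-area budget described above, as an added example (not code from the patent): it builds the four listed SYN options, shows that 20 of the 40 bytes remain, and parses the attached data back out on the server side. Carrying the attached data as one kind/length/value option with experimental kind 253 is an assumption; the page only says the data is added at the end of the option area.

```python
import struct

MAX_OPTION_AREA = 40   # from the page: the option area holds at most 40 bytes
ATTACHED_KIND = 253    # assumption: experimental option kind carrying the attached data


def standard_syn_options(mss=1460, wscale=7, tsval=1, tsecr=0):
    """The four SYN options the page lists, NOP-padded to a 4-byte boundary."""
    opts = struct.pack("!BBH", 2, 4, mss)               # MSS, Kind=2, 4 bytes
    opts += struct.pack("!BBB", 3, 3, wscale)           # Window Scale, Kind=3, 3 bytes
    opts += struct.pack("!BB", 4, 2)                    # SACK-Permit, Kind=4, 2 bytes
    opts += struct.pack("!BBII", 8, 10, tsval, tsecr)   # Timestamp, Kind=8, 10 bytes
    return opts + b"\x01" * (-len(opts) % 4)            # 19 bytes -> 20 after alignment


def free_space(options):
    """Bytes still available in the option area."""
    return MAX_OPTION_AREA - len(options)


def add_attached(options, data):
    """Client side: append the attached data as one option, keeping 4-byte alignment."""
    option = bytes([ATTACHED_KIND, 2 + len(data)]) + data
    option += b"\x01" * (-(len(options) + len(option)) % 4)
    if len(option) > free_space(options):
        raise ValueError("attached data does not fit in the option area")
    return options + option


def parse_options(options):
    """Walk the option area; return [(kind, value)] or raise ValueError if malformed."""
    if len(options) > MAX_OPTION_AREA:
        raise ValueError("option area longer than 40 bytes")
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found.append((kind, options[i + 2:i + length]))
        i += length
    return found


def extract_attached(options):
    """Server side: return the attached data, or None for an ordinary SYN."""
    for kind, value in parse_options(options):
        if kind == ATTACHED_KIND:
            return value
    return None
```

With this encoding the 8-byte fixed value and a 16-byte check value both fit, while the 32-byte encrypted form does not, which is the case the description moves to the data area.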
Besides fixed data, a value generated by a given algorithm can also be used as the basis for the check on both sides. For example, at the IP layer we can obtain the source IP address and the destination IP address. At the TCP layer we can obtain the source port number, the destination port number, the SEQ number and other variables. A predetermined scrambling code can also be filled in. These variables are combined and passed through a hash algorithm such as MD5/SHA1, or a reversible algorithm such as AES, to obtain a value, which is then filled into the option area. When the server receives the connection request and finds extra data in the option area, it obtains the values of these variables one by one and performs the same calculation as the client. If the result is the same as the value stored in the option, the TCP connection comes from a trusted client. Otherwise, the connection is ignored or hung up.

Using the above method, the application can be extended further: while verifying whether the connection comes from a trusted computer, the data subsequently transmitted over TCP is also encrypted, further strengthening security. The method is as follows. When the client initiates a connection, the attached data consists of two parts: the first half is used to check whether the connection is trusted, and the second half is used to transmit the key. When the client initiates the connection request, the first half, used as the check area, is filled in by the method above; a random value is then generated as the key and filled into the second half (the random key is also saved), giving the complete attached data (plaintext). This data is then encrypted with the public key of the RSA algorithm (ciphertext) and filled into the option area. When the server receives this attached data, it decrypts it with the private key of the RSA algorithm. It first uses the first half of the attached data to check whether the connection is trusted; if it is, the connection is allowed and the second half of the attached data (that is, the random key) is saved. After the handshake is complete, when the client transmits data, it first encrypts the data with the saved key using a symmetric algorithm (DES, AES, SEAL, RC4, etc.) and then sends it. When the server receives the data, it decrypts it with the saved key.

If the amount of attached data required is too large for the option area to hold all of it, the data can be placed in the data area of the TCP packet in the SYN. The implementation process is the same as placing the attached data in the option area.
In summary, the method of this embodiment for verifying the security of a TCP connection includes the following steps:
① On the client, when a specified program sends a TCP connection request to a specified server address and port, NDIS is used to modify the packet of the TCP connection so that it can carry padding data as verification information.
Step ① is specifically: first, fill the TCP packet with attached data; then place the generated attached data directly at the tail of the original SYN packet. Because the modified packet carries 32 bytes more data than the original SYN packet, the "Total Length" field in the IP packet, which indicates the length of the IP packet, must be modified accordingly.
The attached data filled into the TCP packet can be fixed data or variable data.
Referring to Figure 5, the specific method for filling the TCP packet with variable attached data is: from a preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet and the sending time, compute a hash value (16 bytes) with the MD5 algorithm and place it in the check area; at the same time, generate a random 16-byte key and place it in the key area (also saving this value locally). The attached data obtained at this point is plaintext; to protect the key from disclosure, this data is encrypted with the RSA public key.
The attached data filled into the TCP packet can be placed in the option area of the TCP packet header, or in the data area of the TCP packet.
② On the server, when a TCP client connection request is received, the server first checks whether the option area of the TCP packet contains attached data to decide whether to allow access; if there is no attached data there, it then checks whether the data area of the TCP packet contains attached data to decide whether to allow access.
Referring to Figure 6, step ② is specifically: after receiving the TCP connection request, the server first checks whether the option area contains attached data. If it does, the server judges whether the data matches the rule characteristics; if it matches, access is allowed; if not, access is denied and the packet is dropped or the connection is torn down with RST. If the option area contains no attached data, the server checks whether there is a data area; if there is no data area, access is denied and the packet is dropped or the connection is torn down with RST. If there is a data area, the server checks the data length. If the data length is 16 bytes, the server judges whether the data matches the rule characteristics; if it matches, access is allowed; if not, access is denied and the packet is dropped or the connection is torn down with RST. If the data length is 32 bytes, the server decrypts the data with the RSA algorithm and then judges whether the first 16 bytes match the rule characteristics; if they match, access is allowed and the last 16 bytes are saved for decrypting the data transmitted after the connection is established; if not, access is denied and the packet is dropped or the connection is torn down with RST.
The specific method for judging whether the attached data matches the rule characteristics is: first decrypt the attached data with the RSA private key; then verify whether the TCP connection can be trusted, using the same algorithm as the client: from the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet and the sending time, compute a hash value (16 bytes) with the MD5 algorithm. If this value equals the check value in the attached data, the connection is trusted: access is allowed, the subsequent connection process continues, and the key in the attached data is saved. Otherwise, the request is rejected or ignored.
③ After the TCP connection has been established, when the client sends data, it encrypts the data using the SEAL algorithm and the previously saved key.
④ After receiving the data, the server decrypts it using the previously saved key and the SEAL algorithm.
The specific embodiments described above explain the purpose, technical solution and beneficial effects of the present invention in further detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
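The check value of Figure 5 and the server-side decision flow of step ② (Figure 6), as an added Python example that is not part of the patent text. The byte layout of the hashed fields, the 30-second send-time slots with acceptance of the previous slot, the same length rule for option-area data, the rejection of other lengths, and the caller-supplied `rsa_decrypt` callable are all assumptions, because the page does not specify them.

```python
import hashlib
import hmac
import socket
import struct

STATIC_VALUE = b"constructed-static-value"  # constructed sample, not from the page
SLOT_SECONDS = 30                           # assumption: send time counted in 30 s slots


def check_value(conn, seq, slot, static=STATIC_VALUE):
    """16-byte MD5 over static value, address/port 4-tuple, SYN SEQ and time slot."""
    cip, cport, sip, sport = conn
    fields = (socket.inet_aton(cip) + struct.pack("!H", cport)
              + socket.inet_aton(sip) + struct.pack("!H", sport)
              + struct.pack("!IQ", seq, slot))  # assumed field encoding
    return hashlib.md5(static + fields).digest()


def matches(check, conn, seq, now):
    """Recompute for the current and previous slot; compare in constant time."""
    slot = int(now) // SLOT_SECONDS
    return any(hmac.compare_digest(check, check_value(conn, seq, s))
               for s in (slot, slot - 1))


def judge(blob, conn, seq, now, rsa_decrypt):
    """Return (allow, session_key) for one attached-data blob."""
    if len(blob) == 16:                      # check value only, no key
        return matches(blob, conn, seq, now), None
    if len(blob) == 32:                      # RSA-protected check value + key
        plain = rsa_decrypt(blob)
        if plain and len(plain) == 32 and matches(plain[:16], conn, seq, now):
            return True, plain[16:]          # key kept for post-handshake decryption
    return False, None                       # other lengths: reject (assumption)


def server_decide(option_data, payload, conn, seq, now, rsa_decrypt):
    """Option area first, then data area. (False, None) means drop the SYN or RST."""
    if option_data:
        return judge(option_data, conn, seq, now, rsa_decrypt)
    if not payload:                          # no attached data anywhere
        return False, None
    return judge(payload, conn, seq, now, rsa_decrypt)


if __name__ == "__main__":
    conn = ("192.0.2.10", 40000, "198.51.100.5", 443)  # constructed sample 4-tuple
    now, seq = 1_700_000_000, 0x12345678
    token = check_value(conn, seq, now // SLOT_SECONDS)
    print(server_decide(token, b"", conn, seq, now, None))       # accepted
    print(server_decide(token, b"", conn, seq, now + 60, None))  # stale, rejected
```

Because the check value binds the SEQ number and the time slot, a captured value stops verifying once the slot window has passed or when the SYN carries a different SEQ.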

Claims

1. A method for verifying the security of a TCP connection, characterized in that it includes the following steps:
① on the client, when a specified program sends a TCP connection request to a specified server address and port, NDIS is used to modify the packet of the TCP connection so that it can carry padding data as verification information;
② on the server, when a TCP client connection request is received, the server first checks whether the option area of the TCP packet contains attached data to decide whether to allow access; if there is no attached data there, it then checks whether the data area of the TCP packet contains attached data to decide whether to allow access;
③ after the TCP connection has been established, when the client sends data, it encrypts the data using the SEAL algorithm and the previously saved key;
④ after receiving the data, the server decrypts it using the previously saved key and the SEAL algorithm.
2. The method for verifying the security of a TCP connection according to claim 1, characterized in that step ① is specifically: first, fill the TCP packet with attached data; then place the generated attached data directly at the tail of the original SYN packet; because the modified packet carries 32 bytes more data than the original SYN packet, the "Total Length" field in the IP packet, which indicates the length of the IP packet, must be modified accordingly.
3. The method for verifying the security of a TCP connection according to claim 2, characterized in that the attached data filled into the TCP packet can be fixed data or variable data.
4. The method for verifying the security of a TCP connection according to claim 3, characterized in that the specific method for filling the TCP packet with variable attached data is: from a preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet and the sending time, compute a hash value (16 bytes) with the MD5 algorithm and place it in the check area; at the same time, generate a random 16-byte key and place it in the key area (also saving this value locally); the attached data obtained at this point is plaintext, and to protect the key from disclosure, this data is encrypted with the RSA public key.
5. The method for verifying the security of a TCP connection according to any one of claims 2 to 4, characterized in that the attached data filled into the TCP packet can be placed in the option area of the TCP packet header, or in the data area of the TCP packet.
6. The method for verifying the security of a TCP connection according to claim 1, characterized in that step ② is specifically: after receiving the TCP connection request, the server first checks whether the option area contains attached data; if it does, the server judges whether the data matches the rule characteristics; if it matches, access is allowed; if not, access is denied and the packet is dropped or the connection is torn down with RST; if the option area contains no attached data, the server checks whether there is a data area; if there is no data area, access is denied and the packet is dropped or the connection is torn down with RST; if there is a data area, the server checks the data length; if the data length is 16 bytes, the server judges whether the data matches the rule characteristics; if it matches, access is allowed; if not, access is denied and the packet is dropped or the connection is torn down with RST; if the data length is 32 bytes, the server decrypts the data with the RSA algorithm and then judges whether the first 16 bytes match the rule characteristics; if they match, access is allowed and the last 16 bytes are saved for decrypting the data transmitted after the connection is established; if not, access is denied and the packet is dropped or the connection is torn down with RST.
7. The method for verifying the security of a TCP connection according to claim 6, characterized in that the specific method for judging whether the attached data matches the rule characteristics is: first decrypt the attached data with the RSA private key; then verify whether the TCP connection can be trusted, using the same algorithm as the client: from the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet and the sending time, compute a hash value (16 bytes) with the MD5 algorithm; if this value equals the check value in the attached data, the connection is trusted: access is allowed, the subsequent connection process continues, and the key in the attached data is saved; otherwise, the request is rejected or ignored.
PCT/CN2013/001314 2013-10-22 2013-10-30 Method for verifying security of tcp connection WO2015058324A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310500299.2 2013-10-22
CN201310500299.2A CN103532964B (en) 2013-10-22 2013-10-22 A kind of method verifying TCP connection safety

Publications (1)

Publication Number Publication Date
WO2015058324A1 true WO2015058324A1 (en) 2015-04-30

Family

ID=49934643

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/001314 WO2015058324A1 (en) 2013-10-22 2013-10-30 Method for verifying security of tcp connection

Country Status (2)

Country Link
CN (1) CN103532964B (en)
WO (1) WO2015058324A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656914A (en) 2015-10-29 2017-05-10 阿里巴巴集团控股有限公司 Anti-attack data transmission method and apparatus
CN106470214B (en) * 2016-10-21 2020-03-06 杭州迪普科技股份有限公司 Attack detection method and device
TWI721086B (en) * 2017-01-20 2021-03-11 香港商阿里巴巴集團服務有限公司 Anti-attack data transmission method and device
CN110290221B (en) * 2019-07-09 2021-07-30 中星科源(北京)信息技术有限公司 Original address transmission method, system, storage medium and processor

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679066A (en) * 2002-07-12 2005-10-05 英格里安网络公司 Network attached encryption
CN101436958A (en) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting abnegation service aggression
US20090323682A1 (en) * 2008-06-26 2009-12-31 Dell Products L.P. Method for Identifying the Transmission Control Protocol Stack of a Connection

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8364949B1 (en) * 2005-11-01 2013-01-29 Juniper Networks, Inc. Authentication for TCP-based routing and management protocols
JP5067362B2 (en) * 2008-12-26 2012-11-07 富士通株式会社 Communication terminal, network interface card and method thereof

Also Published As

Publication number Publication date
CN103532964B (en) 2016-09-07
CN103532964A (en) 2014-01-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13895910

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13895910

Country of ref document: EP

Kind code of ref document: A1