WO2015058324A1 - Procédé de vérification de la sécurité d'une connexion tcp - Google Patents

Procédé de vérification de la sécurité d'une connexion tcp Download PDF

Info

Publication number
WO2015058324A1
WO2015058324A1 PCT/CN2013/001314 CN2013001314W WO2015058324A1 WO 2015058324 A1 WO2015058324 A1 WO 2015058324A1 CN 2013001314 W CN2013001314 W CN 2013001314W WO 2015058324 A1 WO2015058324 A1 WO 2015058324A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
packet
tcp
connection
access
Prior art date
Application number
PCT/CN2013/001314
Other languages
English (en)
Chinese (zh)
Inventor
邱文乔
Original Assignee
邱文乔
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 邱文乔 filed Critical 邱文乔
Publication of WO2015058324A1 publication Critical patent/WO2015058324A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer

Definitions

  • the present invention relates to a method of verifying the security of a TCP connection.
  • TCP/IP protocol In existing network systems (local area networks, Internet), interactive data is mainly connected through the TCP/IP protocol.
  • TCP/IP protocol was determined in the 1970s, it was mainly used for military purposes and used in closed networks. I didn't expect to get such a huge application, and of course I didn't consider security risks at all.
  • the technical problem to be solved by the present invention is to provide a method for verifying the security of a TCP connection, which is effective for protecting the security of the server in the first time.
  • a method for verifying the security of a TCP connection comprising the following steps:
  • the NDIS is used to modify the data packet of the TCP connection so that it can be accompanied by the padding data as the verification information
  • the server After receiving the data, the server decrypts the received data through the previously saved key and the SEAL algorithm.
  • the step 1 is specifically: first filling the TCP data packet with the accompanying data; then placing the generated incidental data directly at the end of the original SYN packet, and comparing the original SYN packet, the modified packet has 32 bytes of data. , To do this, the corresponding "Total Length" field indicating the length of the IP packet in the IP packet is also modified.
  • the incidental data filled in the TCP packet may be fixed data or variable data.
  • the specific method for filling the TCP packet with the variable attached data is: according to the preset static value, the client address, the client port, the server address, the server port, the SEQ serial number in the SYN packet, and the sending time.
  • the MD5 algorithm calculates a HASH value (16 bytes), which is placed in the check area; and generates a random 16-byte key, which is placed in the key area (and this value is local) Saved);
  • the accompanying data obtained at this time is plaintext.
  • the data is encrypted with the RSA algorithm public key.
  • the accompanying data filled in the TCP packet may be placed in an option area of the TCP packet header or in a data area of the TCP packet.
  • the step 2 is specifically: after receiving the TCP connection request, the server first checks whether there is attached data in the option area, and if there is attached data, it determines whether it meets the rule feature, and if it matches, allows access, if not, then Deny access, and discard this packet or RST to hang up; if there is no data attached, determine whether there is a data area, if there is no data area, refuse access, and discard the packet or RST to hang up; if there is a data area, Then check the length of the data; if the data length is 16 bytes, determine whether it meets the rule characteristics, if it is consistent, allow access, if it does not, then refuse access, and discard the packet or RST to hang up; if the data length If it is 32 bytes, the RSA algorithm is used to decrypt the data, and then it is judged whether the first 16 bytes conform to the rule feature. If it matches, the access is allowed, and the last 16 bytes are saved for decryption of the data transmitted after the connection, if
  • the specific method for judging whether the rule characteristics are met is: first, the attached data is decrypted by using the RSA algorithm private key; then the TCP connection is verified to be trustworthy, and the algorithm is the same as the client, according to the preset static value, the client address, and the client.
  • the port number, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time are calculated by the MD5 algorithm to calculate a HASH value (16 bytes). If this value matches the check value in the attached data, then Indicates that the connection is trusted, allows access, continues the subsequent connection process, and saves the key in the attached data; otherwise, rejects or ignores the request.
  • the present invention has the following beneficial effects: In the process of handshake before data transmission, the invention adds the verification of the connection information, and the connection is allowed only when the connection packet containing the specific information is allowed, and the other Ordinary connection request packets, hang up the connection, or discard the package, so that the connection can not be completed, subsequent attacks and theft can not be completed, through this way, the server security can be effectively protected in the first time.
  • the invention adds the verification of the connection information, and the connection is allowed only when the connection packet containing the specific information is allowed, and the other Ordinary connection request packets, hang up the connection, or discard the package, so that the connection can not be completed, subsequent attacks and theft can not be completed, through this way, the server security can be effectively protected in the first time.
  • Figure 1 is a timing diagram of the TCP protocol when it is connected.
  • Figure 2 is a diagram showing the structure of a packet when a standard TCP connection is made.
  • Figure 3 is a block diagram of the attached data using the option area of the TCP packet.
  • Figure 4 is a block diagram of the data area used to place the attached data using the TCP packet.
  • Figure 5 is a flow chart of the client generating variable accompanying data.
  • FIG. 6 is a flow chart when the server processes the TCP connection. detailed description
  • This embodiment is mainly directed to an application using the TCP protocol.
  • a handshake connection must be made before data transmission. If the connection information is checked during the handshake process, the connection is allowed only when the connection packet contains the specific information, and the other ordinary connection request packet is hang up, or the packet is discarded, so that the connection cannot be completed. Subsequent attacks and theft can not be completed. In this way, the security of the server can be effectively protected in the first time.
  • the TCP header can have an option area with a maximum space of 40 bytes, and the options that may be used in the first step of the client connection handshake to the server.
  • the agreement "1234abcd" is the data recognized by both the TCP client and the server
  • modify the SYN information through NDIS and then add "1234abcd” at the end of the option area.
  • the server receives the TCP connection signal, it detects the option area. If there is more data than the normal option area, and it is "1234abcd", the connection is considered to be from a trusted computer, otherwise the connection is ignored or hanged. .
  • values generated from certain algorithms can also be used as a basis for both tests.
  • the IP layer we can get the source IP address and destination IP address.
  • the TCP layer we can get the source port number, destination port number, SEQ number and other variables.
  • we can fill in the predetermined dry code combine these variables, and then pass the hash algorithm such as MD5/SHA1, or AES. Reversible algorithm, after calculation, get a value. Then fill it in the option area.
  • the server receives the connection request, if the check finds that there is extra data in the option area, the values of these variables are obtained one by one, and then calculated according to the same algorithm of the client, if it is related to the option. The same value stored in it indicates that the TCP connection is from a trusted client. Otherwise, the connection is ignored or hanged.
  • the application can be further extended by encrypting the data transmitted by the subsequent TCP while verifying whether the connection is from the trusted computer, and further enhancing security.
  • the method is as follows: The client initiates the connection The accompanying data consists of two parts, the first half is used to detect whether the connection is trusted, and the second half is used to transmit the key.
  • the client initiates the connection request the above method is first filled in as the first half of the inspection area, and then a random value is generated as the key to fill in the second half (and the random key is saved) to obtain the complete attached data. (Clear text).
  • This data (cryptotext) is then encrypted with the public key of the RSA algorithm. Then fill in the options area.
  • the server When the server receives this attached data, it decrypts it with the private key of the RSA algorithm. First, it uses the first half of the attached data to check whether the connection is trustworthy. If it is trusted, it allows the connection, and the attached data of the second half (also Is the random key), save it. After the handshake connection is established, when the client transmits data, the data is first encrypted by the symmetric algorithm (DES ⁇ AES ⁇ SEAL ⁇ RC4, etc.) and then sent. When the server receives the data, it decrypts the data with the saved key.
  • the option area cannot be placed all.
  • the data can be placed in the data area of the TCP packet at SYN.
  • the implementation process is the same as placing the accompanying data in the options area.
  • the method for verifying the security of a TCP connection in this embodiment includes the following steps:
  • the specified program when the specified program sends a TCP connection request to the specified server address and port, the data packet at the time of the TCP connection is modified by NDIS so that the padding data can be attached as the verification information.
  • the step 1 is specifically: first filling the TCP data packet with the accompanying data; then placing the generated incidental data directly at the end of the original SYN packet, and comparing the original SYN packet, the modified packet has 32 bytes of data.
  • the corresponding "Total Length" field indicating the length of the IP packet in the IP packet is also modified.
  • the accompanying data populated in the TCP packet can be either fixed data or variable data.
  • the specific method for populating the TCP packet with the variable data is: according to the preset static value, the client address, the client port, the server address, the server port, the SEQ sequence number in the SYN packet, and the sending time. , using the 5 algorithm to calculate a HASH value (16 bytes), this value is placed in the check area; at the same time generate a random 16-byte key, this value is placed in the key area, (and this value is The machine is saved.) The attached data obtained in this case is plain text. To protect the key from being compromised, the data is encrypted with the RSA algorithm public key.
  • the accompanying data populated in the TCP packet can be placed in the option area of the TCP packet header or in the data area of the TCP packet.
  • step 2 is as follows: After receiving the TCP connection request, the server first checks whether there is attached data in the option area. If there is attached data, it determines whether it meets the rule characteristics. If it matches, it allows access. If it does not match, the access is denied, and the packet is discarded or the RST hangs up; if there is no data attached, it is judged whether there is a data area, if there is no data area, the access is denied, and the packet is discarded or the RST hangs up; Data area, check the data length; If the data length is 16 bytes, it is judged whether it meets the rule characteristics. If it matches, the access is allowed. If it does not, the access is denied, and the packet is discarded or the RST hangs up.
  • the RSA algorithm is used to decrypt the data, and then it is judged whether the first 16 bytes conform to the rule feature. If it is met, the access is allowed, and the last 16 bytes are saved for decryption of the data transmitted after the connection, and if not, the access is denied. And discard this packet or RST to hang up the connection.
  • the specific method for judging whether the attached rule character is met is as follows: firstly, the attached data is decrypted by using the RSA algorithm private key; then the TCP connection is verified to be trustworthy, and the algorithm is the same as the client, according to the preset static value, the client address, and the client. Port, server address, server port, SEQ sequence number in SYN packet, transmission time, calculate a HASH value (16 bytes) by MD5 algorithm; if this value is consistent with the check value in the attached data, it indicates The connection is trusted, allowing access, continuing the subsequent connection process, and saving the key in the attached data; otherwise, rejecting or ignoring the request.
  • the server After receiving the data, the server decrypts the received data through the previously saved key and the SEAL algorithm.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention concerne un procédé de vérification de la sécurité d'une connexion TCP qui utilise une NDIS pour modifier un paquet de données SYN quand un client initie une connexion. Des informations de vérification supplémentaires sont ajoutées à une zone d'options ou une zone de données, et c'est seulement après qu'un serveur a détecté les informations de vérification et que les informations de vérification sont correctes que des actions de connexion peuvent être exécutées de sorte à terminer l'accès. Autrement, la connexion est suspendue ou le paquet est abandonné, si bien que l'accès ne peut pas être terminé et que des attaques, des vols et similaires ne peuvent pas être terminés. Le procédé permet de protéger la sécurité du serveur, instantanément et efficacement.
PCT/CN2013/001314 2013-10-22 2013-10-30 Procédé de vérification de la sécurité d'une connexion tcp WO2015058324A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310500299.2A CN103532964B (zh) 2013-10-22 2013-10-22 一种验证tcp连接安全性的方法
CN201310500299.2 2013-10-22

Publications (1)

Publication Number Publication Date
WO2015058324A1 true WO2015058324A1 (fr) 2015-04-30

Family

ID=49934643

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/001314 WO2015058324A1 (fr) 2013-10-22 2013-10-30 Procédé de vérification de la sécurité d'une connexion tcp

Country Status (2)

Country Link
CN (1) CN103532964B (fr)
WO (1) WO2015058324A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656914A (zh) * 2015-10-29 2017-05-10 阿里巴巴集团控股有限公司 防攻击数据传输方法及装置
CN106470214B (zh) * 2016-10-21 2020-03-06 杭州迪普科技股份有限公司 攻击检测方法和装置
TWI721086B (zh) * 2017-01-20 2021-03-11 香港商阿里巴巴集團服務有限公司 防攻擊資料傳輸方法及裝置
CN110290221B (zh) * 2019-07-09 2021-07-30 中星科源(北京)信息技术有限公司 一种原始地址传输方法、系统、存储介质和处理器

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679066A (zh) * 2002-07-12 2005-10-05 英格里安网络公司 网络连接加密
CN101436958A (zh) * 2007-11-16 2009-05-20 太极计算机股份有限公司 抵御拒绝服务攻击的方法
US20090323682A1 (en) * 2008-06-26 2009-12-31 Dell Products L.P. Method for Identifying the Transmission Control Protocol Stack of a Connection

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8364949B1 (en) * 2005-11-01 2013-01-29 Juniper Networks, Inc. Authentication for TCP-based routing and management protocols
JP5067362B2 (ja) * 2008-12-26 2012-11-07 富士通株式会社 通信端末、ネットワークインタフェースカード及びその方法

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679066A (zh) * 2002-07-12 2005-10-05 英格里安网络公司 网络连接加密
CN101436958A (zh) * 2007-11-16 2009-05-20 太极计算机股份有限公司 抵御拒绝服务攻击的方法
US20090323682A1 (en) * 2008-06-26 2009-12-31 Dell Products L.P. Method for Identifying the Transmission Control Protocol Stack of a Connection

Also Published As

Publication number Publication date
CN103532964B (zh) 2016-09-07
CN103532964A (zh) 2014-01-22

Similar Documents

Publication Publication Date Title
US10652015B2 (en) Confidential communication management
US11533297B2 (en) Secure communication channel with token renewal mechanism
JP6625211B2 (ja) 部分的に信頼できる第三者機関を通しての鍵交換
CN108418691B (zh) 基于sgx的动态网络身份认证方法
US9106617B2 (en) Methods, systems and computer program products for authenticating computer processing devices and transferring both encrypted and unencrypted data therebetween
CN103634114B (zh) 智能密码钥匙的验证方法及系统
US20040098620A1 (en) System, apparatuses, methods, and computer-readable media using identification data in packet communications
WO2019085531A1 (fr) Procédé et dispositif d'authentification de connexion de réseau
CN112671779B (zh) 基于DoH服务器的域名查询方法、装置、设备及介质
US7231518B1 (en) System and method for authenticating a storage device for use with driver software in a storage network
WO2017105704A1 (fr) E/s cryptographique bidirectionnelle pour des flux de données
US10122755B2 (en) Method and apparatus for detecting that an attacker has sent one or more messages to a receiver node
Cui et al. Lightweight encryption and authentication for controller area network of autonomous vehicles
US20240146728A1 (en) Access control method, access control system, and related device
WO2015058324A1 (fr) Procédé de vérification de la sécurité d'une connexion tcp
Hu et al. Gatekeeper: A gateway-based broadcast authentication protocol for the in-vehicle Ethernet
KR20130035600A (ko) 정보 유출 차단 장치 및 방법
JP2004194196A (ja) パケット通信認証システム、通信制御装置及び通信端末
Benton et al. Signaturecheck: a protocol to detect man-in-the-middle attack in ssl
Hussain et al. Enc‐DNS‐HTTP: Utilising DNS Infrastructure to Secure Web Browsing
Bozkurt et al. Exploring the Vulnerabilities and Countermeasures of SSL/TLS Protocols in Secure Data Transmission Over Computer Networks
Wu et al. Research on vehicle cybersecurity based on dedicated security hardware and ECDH algorithm
US20050144352A1 (en) System and method for protecting network resources from denial of service attacks
KR102668919B1 (ko) 네트워크에 연결된 시스템의 보안을 위한 프로토콜 다이얼렉트 기법
EP3087714B1 (fr) Procédé et appareil pour détecter qu'un attaquant a envoyé un ou plusieurs messages à un noeud récepteur

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13895910

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13895910

Country of ref document: EP

Kind code of ref document: A1