WO2019062666A1 - System, method, and apparatus for securely accessing internal network - Google Patents
- Publication number: WO2019062666A1 (PCT/CN2018/106976)
- Authority: WIPO (PCT)
- Prior art keywords: network access, access request, authentication information, request, network
Classifications
- H04L9/40: Network security protocols
- H04L63/0281: Proxies (network architectures or protocols for separating internal from external traffic, e.g. firewalls)
- H04L63/0823: Authentication of entities using certificates
- H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/102: Controlling access to devices or network resources; entity profiles
- H04L63/0442: Confidential data exchange in which the data content is protected and the sending and receiving network entities apply asymmetric encryption
- H04L63/168: Implementing security features at a protocol layer above the transport layer
Definitions
- the present application relates to the field of network access, and in particular to a system for implementing secure access to an internal network.
- the present application also relates to a method and apparatus for securely accessing an internal network, a method and apparatus for receiving access by a server, a method and apparatus for processing data, and a method and apparatus for responding to data.
- in order to allow off-site employees to access intranet resources, the existing technology generally uses a VPN solution: a VPN server is set up in the internal network; after connecting to the Internet, the off-site staff connect to the VPN server through the Internet and then enter the intranet through the VPN server.
- in order to ensure data security, the communication data between the VPN server and the client is encrypted.
- with data encryption, the data can be considered to be securely transmitted over a dedicated data link, just as if a dedicated network had been set up.
- VPN uses public links on the Internet; therefore it is called a virtual private network. It essentially uses encryption technology to encapsulate a data communication tunnel on the public network.
- with VPN technology, users can access intranet resources whether they are on a business trip or at home, so VPN is widely used in enterprises.
- the present invention provides a system for securely accessing a network, to solve the problem that the server cannot accurately determine the source of the client that initiated the http/https request.
- the present invention further provides a method and apparatus for secure access to an internal network, and a method and apparatus for receiving access by a server.
- the invention also provides a data processing method and device, and a data response method and device.
- the present invention provides a system for implementing secure access to an internal network, including: a network access requesting end, a mediation end, and an internal network server;
- the network access requesting end is configured to send a first request message for implementing a network access request, and to receive a response message;
- the mediation end is configured to listen to and hijack the first request message of the network access requesting end; parse the first request message, and add authentication information to the first request message to obtain a second request message; send the second request message to the target network address of the first request message; and receive a response message to the second request message, and forward the response message to the client;
- the internal network server is configured to receive the second request message, extract the authentication information therefrom, and determine whether the network access request has access rights; if yes, return a response message.
- the mediator is disposed in the same mobile device as the network access requesting end.
- the network access request sent by the network access requesting end uses the http protocol; the intermediate end performs an http handshake with the network access requesting end before receiving the first request message, and the intermediary end performs an http handshake with the internal network server before issuing the second request message.
- the network access request sent by the network access requesting end is in an https manner; the intermediate end performs an SSL handshake with the network access requesting end before receiving the first request message, and then the intermediary performs an SSL handshake with the internal network server according to the server_name field provided by the SSL handshake; after receiving the handshake success message returned by the internal network server, the intermediary sends a handshake success message to the network access requester.
- the CA pseudo certificate is imported to the network access requesting end and the mediation end.
- the authentication information includes at least one of the following information: unique identification information of the terminal device where the network access requesting end is located; user identity authentication information.
- the authentication information is encrypted by an asymmetric algorithm.
- a global traffic hijacking process is injected into the network access request initiated by the network access requesting end to implement hijacking of the first request message.
- the present invention also provides a method for securely accessing an internal network, comprising:
- hijacking a network access request issued by an application having a network access function; the network access request is referred to as a first request message;
- the response information is forwarded to the application that issued the network access request.
- the network access request is hijacked by using a hook function; and the hook function is injected into the network access request process in advance by using a DLL injection manner.
- the first request message is in the http mode; before receiving the first request message, the method includes performing an http handshake with the application that sends the network access request, and before sending the second request message, performing an http handshake with the internal network server.
- the network access request is in an https manner; before receiving the first request message, an SSL handshake is performed with the network access requesting end, and then, according to the server_name field provided by the SSL handshake, an SSL handshake is performed with the internal network server; after receiving the handshake success message returned by the internal network server, a handshake success message is sent to the application that sends the network access request.
- the CA pseudo certificate is imported before the network access request sent by the network access function application is hijacked.
- the authentication information includes at least one of the following information: unique identification information of the terminal device; user identity authentication information.
- the authentication information is encrypted using an asymmetric encryption algorithm.
- the present invention also provides a method for a server to receive an access, including:
- the authentication information is encrypted by using an asymmetric encryption algorithm, and determining, according to the authentication information, whether the access request is legal, including:
- the authentication information includes at least one of the following information: unique identification information of the terminal device, user identity authentication information;
- the verifying the validity of the access request according to the decrypted authentication information includes at least one of the following manners:
- the invention also provides a data processing method, comprising:
- the authentication information includes at least one of the following information: unique identification information of the computing device corresponding to the source address; user identity authentication information.
- the invention also provides a data response method, comprising:
- the present invention also provides an apparatus for securely accessing an internal network, comprising:
- a first request message hijacking unit configured to hijack a network access request issued by an application having a network access function; the network access request is referred to as a first request message;
- an authentication information adding unit configured to add authentication information to the first request message to form a second request message;
- a second request message forwarding unit configured to forward the second request message to the destination server of the network access request, that is, the internal network server;
- a response information receiving unit configured to receive the response information returned by the internal network server;
- a response information forwarding unit configured to forward the response information to the application that issued the network access request.
- the present invention also provides an apparatus for receiving access by a server, including:
- an access request obtaining unit configured to acquire an access request that includes authentication information, where the access request is referred to as a second request message;
- an authentication information extracting unit configured to extract the authentication information;
- an access request legality determining unit configured to determine, according to the authentication information, whether the access request is legal;
- a response message returning unit configured to return a response message when the judgment result of the above unit is YES.
- the invention also provides an apparatus for data processing, comprising:
- a first network access request intercepting unit configured to intercept a first network access request, where the first network access request includes a source address and a target address;
- an authentication information adding unit configured to add authentication information to the first network access request to obtain a second network access request;
- a second network access request sending unit configured to send the second network access request to the computing device corresponding to the target address;
- a response information receiving unit configured to receive the response information returned by the computing device corresponding to the target address;
- a response information sending unit configured to send the response information to the computing device corresponding to the source address.
- the invention also provides a data response device, comprising:
- a network access request obtaining unit configured to acquire a network access request that includes the authentication information;
- an authentication information extracting unit configured to extract the authentication information from the network access request;
- a network access request legality determining unit configured to determine, according to the authentication information, whether the network access request is legal;
- a response information returning unit configured to return a response message when the judgment result of the above unit is YES.
- the invention also provides an electronic device comprising:
- a memory for storing a program for securely accessing an internal network
- the device is powered on and runs the program for secure access to the internal network through the processor, and performs the following steps:
- hijacking a network access request issued by an application having a network access function; the network access request is referred to as a first request message;
- the response information is forwarded to the application that issued the network access request.
- the invention also provides an electronic device comprising:
- a memory for storing a program for receiving access by the server; after the device is powered on and runs the program for receiving access through the processor, the following steps are performed:
- the invention also provides an electronic device comprising:
- a memory for storing a program for data processing; after the device is powered on and runs the data processing program through the processor, the following steps are performed:
- the invention also provides an electronic device comprising:
- a memory for storing a program for data response; after the device is powered on and runs the data response program through the processor, the following steps are performed:
- in the system for securely accessing the internal network and the corresponding method and device provided by the application, the client initiates an access request, and the request message is hijacked to the intermediary; the intermediary analyzes the plaintext information, adds the encrypted information, and then sends the request message to the server.
- advantages include:
- by extracting the encrypted information, the server accurately obtains the source of the client that initiated the http/https request, so that it can accurately know whether the client has the right to access the intranet, and avoid unauthorized access requests.
- the technical solution provided by the present application has the following advantages: since the VPN service is not needed, manual access and disconnection operations are eliminated, and no password is required for verification; a better user experience can be obtained.
- the technical solution provided by the present application has the following advantages: the intranet server can be connected directly, and the access speed is improved.
- FIG. 1 is a schematic diagram of a system for implementing secure access to an internal network according to a first embodiment of the present application.
- FIG. 2 is a schematic diagram of a request for accessing a network using the http protocol provided by the first embodiment of the present application.
- FIG. 3 is a schematic diagram of a request for accessing a network using the https protocol provided by the first embodiment of the present application.
- FIG. 4 is a flowchart of a method for securely accessing an internal network according to a second embodiment of the present application.
- FIG. 5 is a flowchart of a method for receiving an access by a server according to a third embodiment of the present application.
- FIG. 6 is a flowchart of a data processing method according to a fourth embodiment of the present application.
- FIG. 7 is a flowchart of a data response method according to a fifth embodiment of the present application.
- FIG. 8 is a schematic diagram of an apparatus for securely accessing an internal network according to a sixth embodiment of the present application.
- FIG. 9 is a schematic diagram of an apparatus for receiving access by a server according to a seventh embodiment of the present application.
- FIG. 10 is a schematic diagram of an apparatus for data processing according to an eighth embodiment of the present application.
- FIG. 11 is a schematic diagram of an apparatus for data response provided by a ninth embodiment of the present application.
- FIG. 12 is a schematic diagram of an electronic device according to a tenth embodiment of the present application.
- FIG. 13 is a schematic diagram of an electronic device according to an eleventh embodiment of the present application.
- FIG. 14 is a schematic diagram of an electronic device according to a twelfth embodiment of the present application.
- FIG. 15 is a schematic diagram of an electronic device according to a thirteenth embodiment of the present application.
- the present application provides a system for secure access to an internal network, a method for secure access to an internal network, and a method for a server to receive access.
- the following provides an embodiment for a detailed description of the system and method.
- the system and method are mainly designed to access the intranet resources of the company, but the system and method can be used in all network systems having the same requirements, and are not specifically limited herein.
- the network access requesting end in the present application specifically refers to application software capable of issuing a network access request, such as a browser or an APP; the application software is installed on the software platform of a hardware device such as a computer or a mobile phone.
- the intermediary in the present application specifically refers to an application software module that, after being started, listens for the access request (referred to as the first request message in the present application) issued by the network access requester, hijacks the access request when it points to a predetermined network address, adds authentication information to it, and then issues an access request (referred to as the second request message in the present application) to the predetermined network address.
- the application software module is generally disposed on the same terminal device as the network access requesting end, but it is not excluded that its main body is set on another terminal device, in which case only a program for monitoring and hijacking the first request message is configured on the device where the network access requesting end is located.
- an internal network server refers to a server that is capable of receiving network access requests over a network and acting as an entry point into a particular internal network.
- FIG. 1 is a schematic diagram of a system for securely accessing an internal network according to a first embodiment of the present application.
- the system for secure access to the internal network is described in detail below with reference to FIG. 1.
- the embodiments described in the following description are intended to explain the principles of the system and are not intended to be limiting.
- a system for securely accessing an internal network comprising: a network access requester 101, a mediator 102, and an internal network server 103.
- the network access requesting end 101 is configured to issue a first request message for implementing a network access request, and receive a response message.
- the network access requesting end 101 is a software program disposed on a specific terminal device, and may be in the form of an APP application or a browser; the network access requesting end 101 can issue a network access request, and the network access request mainly uses the http protocol or the https protocol.
- the network access request sent by the network access requesting end 101 is referred to as a first request message.
- the http protocol and the https protocol are currently the two main network application layer protocols for implementing network access; the latter is based on the former and combines the SSL protocol to achieve confidentiality of the access process.
- for https access, a CA pseudo-certificate needs to be imported to the network access requesting end 101 and the mediation end 102, so that the CA pseudo-certificate is present at both the network access requesting end 101 and the mediation end 102.
- the mediator 102 uses the CA pseudo certificate when acting as a server.
- a DLL injection method is also needed to inject a global traffic hijacking process into the network access request initiated by the network access requesting end 101, to implement monitoring and hijacking of the first request message.
- the process that implements the hijacking can be considered part of the mediation end 102, merely deployed in the network access request issued by the network access requesting end 101.
- the specific implementation can use a hook function.
- the so-called hook function is a special application program interface (API).
- the hook function can be used to change the original function of a system API.
- the basic method is to attach the hook function to the entry point of the API function that needs to be modified, so that its address points to the new custom function.
- the global DLL injection method is used to inject the hook function into the http access process or the https access process; so-called DLL injection puts a DLL file into the address space of a process so that it becomes part of that process; many applications are not a single complete executable, but are split into relatively independent dynamic link libraries (DLL files) placed in the system.
- the hook function is put into each http access process or https access process initiated by the network access requesting end 101 by the global DLL injection method.
- the mediation end 102 is configured to listen to and hijack the first request message of the network access requesting end, parse the first request message, and add authentication information to the first request message to obtain a second request message; transmit the second request message to the target network address of the first request message; and receive a response message to the second request message, and forward the response message to the network access requesting end 101.
- the mediator 102, as the unit for implementing intermediate forwarding of a network access request in the technical solution provided by the present application, is generally a software program, and is generally disposed on the terminal device where the APP application or browser of the network access requesting end 101 is located; of course, it is not excluded that in some cases it is arranged on a dedicated device or on a remote server, in which case it is still necessary to arrange a program for monitoring and hijacking on the network access requesting end 101.
- the mediation terminal 102 implements the following functions:
- the mediator 102 acts as the server for the network access requesting end; any network access request (referred to as the first request message in this embodiment) sent by the network access requesting end 101 is obtained by hijacking.
- the mediator 102, acting as a server, responds to the first request message; inevitably, in order to implement this process, the network access requesting end 101 and the mediation end 102 first need to perform a handshake.
- the intermediary 102 obtains the second request message after adding the authentication information to the first request message, and sends it, acting as the requesting party, to the internal network server 103 as the target server; after receiving the response message of the internal network server 103, it forwards the response message to the network access requesting end 101; inevitably, in order to implement this process, the intermediate end 102 and the internal network server 103 also first need to perform a handshake.
- for the mediation terminal 102 to implement the above functions, it must first implement monitoring and hijacking of the network access request sent by the network access requesting end 101.
- the specific implementation manner of listening for and hijacking the first request message of the network access requesting end may be various; one of the most probable ways is to inject the hook function into the network access request process by using a global DLL injection manner as described above.
- the network access request sent by the network access requesting end 101, that is, the first request message, is monitored and hijacked by the hook function.
- the hook function arranged in advance in the http process and the https process of the network access requesting end in the global DLL injection manner, for realizing the above-mentioned monitoring and hijacking, should be regarded as a part of the mediation end 102.
- the process by which the hook function implements the monitoring and hijacking is a technical means commonly used in the technical field, and will not be described in detail herein.
- the network access request (i.e., the first request message) will thus not be able to directly access the server of its target URL; instead, the first request message is obtained by the intermediary 102, and the authentication information is added to the first request message to obtain a second request message.
- the authentication information is used to prove that the user or the terminal that issued the access request has the access authority of the internal network server 103 to be accessed.
- the authentication information may adopt the following information: unique identification information of the terminal device where the network access request end is located; user identity authentication information.
- the unique identification information of the terminal device and the user identity authentication information may be used separately or simultaneously.
- the authentication information needs to be encrypted by an asymmetric encryption algorithm.
- the unique identification information of the terminal device where the access requesting end 101 is located refers to the identification information of the terminal device (such as a laptop computer, a mobile phone or a tablet computer) on which the access requesting end 101 is arranged, such as the hardware serial number of the device, the IMEI identifier, or other unique identifiers corresponding to the terminal device; since mobile terminal devices are currently mainstream and these devices are directly associated with a personal identity, access rights to the intranet can be directly associated with a device; for example, a certain mobile phone or iPad can be set to have access to an internal network. Therefore, the unique identification information of the terminal device, whether the hardware serial number or the IMEI identifier, can be used to determine whether the access request has access rights.
- once this information is added to the network access request, the internal network server can determine whether the network access request has the access authority. Since the mediator 102 is generally located in the same hardware device as the network access requesting end 101, the hardware serial number or IMEI identifier of the hardware device in which the mediator 102 is located can be read directly by the mediator 102; how it is read depends on the hardware and system environment of the specific device, and those skilled in the art can readily obtain the related technical means. In addition, if the mediation end 102 is not disposed on the same hardware device as the network access requesting end 101, the hardware serial number or IMEI of the hardware device in which the network access requesting end 101 is disposed may be read externally.
- alternatively, an identifier corresponding to the network access requesting end 101 is recorded in the mediation terminal 102, and the unique identification information of the terminal device of the corresponding network access requesting end 101 can be used directly as the authentication information.
- the user identity authentication information is authentication information directly corresponding to a specific visitor, for example an identity ID provided to a certain visitor for accessing the internal network; this information is managed and issued by the internal network server 103.
- the intermediary 102 stores the user identity authentication information directly related to the identity of the visitor, and adds it to the first request message, thereby giving the internal network server 103 a basis for determining whether the party that issued the network request has access rights to the internal network managed by the internal network server 103.
- the manner of adding the authentication information to the first request message may take a plurality of possible forms.
- the method mainly used is to add the authentication information to the header information of the first request message: parse the first request message to obtain its original header information; add the authentication information to the header information in a preset format, obtaining processed header information that carries the added authentication information; and use the processed header information as the new header information, replacing the original header information in the first request message, to obtain the second request message.
- the second request message may be used as a network request sent to the target network address of the first request message; naturally, the target network address of the second request message is directed to the internal network server 103.
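As an added example (not code from the patent or its applicant), the following Python sketch shows the mediation end rewriting the header block of the first request message into a second request message, and the internal network server extracting the authentication information and deciding whether the request is legal by terminal device identifier or user identity. The header name X-Intranet-Auth, the token layout, the allow-lists and the sample request are assumptions, and an HMAC-signed token stands in for the asymmetric encryption the application specifies so that the block runs with the standard library only.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

AUTH_HEADER = "X-Intranet-Auth"   # assumed preset header name (not from the patent)

# Constructed demo key. The patent encrypts the authentication information with
# an asymmetric algorithm; this stdlib-only sketch substitutes an HMAC-signed
# token, so SERVER_KEY is a stand-in for the server's key pair.
SERVER_KEY = b"constructed-demo-key-do-not-deploy"

# Constructed allow-lists held by the internal network server 103.
ALLOWED_DEVICES = {"SN-DEMO-0001"}      # terminal device unique identifiers
ALLOWED_USERS = {"user-42"}             # user identity IDs issued by the server

# Constructed first request message, as the application would emit it.
FIRST_REQUEST = (b"GET /wiki/index HTTP/1.1\r\n"
                 b"Host: intranet.example\r\n"
                 b"User-Agent: demo-app/1.0\r\n\r\n")

Headers = List[Tuple[str, str]]


def parse_request(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split an HTTP/1.x message into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_request(request_line: str, headers: Headers, body: bytes) -> bytes:
    """Re-serialise the request with the rewritten header block."""
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def protect(auth: dict, key: bytes = SERVER_KEY) -> str:
    """Stand-in for the asymmetric encryption step: base64(payload).base64(tag)."""
    payload = json.dumps(auth, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def unprotect(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the token; return the authentication dict, or None if it fails."""
    try:
        p64, t64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        auth = json.loads(payload)
    except (ValueError, binascii.Error):   # bad layout, bad base64, bad JSON
        return None
    return auth if isinstance(auth, dict) else None


def mediate(first_request: bytes, device_id: Optional[str],
            user_id: Optional[str], now: Optional[float] = None) -> bytes:
    """Mediation end 102: turn the first request message into the second.

    Any copy of the header supplied by the application itself is dropped, so the
    server only ever sees authentication information that the mediator added.
    """
    request_line, headers, body = parse_request(first_request)
    headers = [(n, v) for n, v in headers if n.lower() != AUTH_HEADER.lower()]
    auth = {"issued_at": int(time.time() if now is None else now)}
    if device_id:
        auth["device_id"] = device_id
    if user_id:
        auth["user_id"] = user_id
    headers.append((AUTH_HEADER, protect(auth)))
    return build_request(request_line, headers, body)


def check_access(second_request: bytes, now: Optional[float] = None,
                 max_age: int = 60) -> Tuple[bool, str]:
    """Internal network server 103: extract the authentication information and
    decide whether the request is legal (device identifier or user identity)."""
    _, headers, _ = parse_request(second_request)
    tokens = [v for n, v in headers if n.lower() == AUTH_HEADER.lower()]
    if len(tokens) != 1:
        return False, "missing or duplicated authentication header"
    auth = unprotect(tokens[0])
    if auth is None:
        return False, "authentication information failed verification"
    age = (time.time() if now is None else now) - auth.get("issued_at", 0)
    if not 0 <= age <= max_age:
        return False, "stale authentication information"   # bounds the replay window
    if auth.get("device_id") in ALLOWED_DEVICES:
        return True, "terminal device authorised"
    if auth.get("user_id") in ALLOWED_USERS:
        return True, "user identity authorised"
    return False, "no access rights for this device or user"


if __name__ == "__main__":
    second = mediate(FIRST_REQUEST, "SN-DEMO-0001", None, now=1000)
    print(second.decode())
    print(check_access(second, now=1010))         # device on the allow-list
    print(check_access(FIRST_REQUEST, now=1010))  # un-mediated request is refused
```

A real deployment would replace protect/unprotect with encryption to the server's public key, as the application specifies, and would read the device identifier from the hardware rather than take it as a parameter.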
- after the mediator 102 sends the second request message to the internal network server 103, if the authentication is passed, the response message returned by the internal network server 103 is received; the mediator 102 needs to parse the response message to know which network access requester's request the response message answers, and then sends the response message to the corresponding network access requester.
- the intermediary 102 first acts as a substitute for the server, establishing http communication or https communication with the network access requesting end 101, and then acts as a substitute for the client, establishing http communication or https communication with the internal network server 103.
- the establishment of http communication or https communication in the above process must be carried out according to the communication rules of the corresponding protocol, including the handshake process of the initial communication; for the different network protocols, the specific implementation process of the above two steps is different, and each is explained separately below.
- for the manner of implementing the foregoing process with the http protocol, reference may be made to FIG. 2, which is described below.
- before receiving the first request message, the intermediary 102 first receives connection request 1 and performs handshake 2 with the network access requesting end to establish a TCP connection; on receiving http request 3 carrying the first request message (a specific request during the execution of the http protocol), the intermediary 102 initiates a DNS query according to the host field contained in it.
- the second request message 6, obtained by adding the authentication information to the first request message received in the http request 3 step, can then be forwarded to the internal network server.
- the manner of implementing the foregoing process with the https protocol is described below in conjunction with FIG. 3.
- during the connection process before receiving the first request message, the intermediary 102 performs an SSL handshake with the network access requesting end. The intermediary then performs an SSL handshake with the internal network server according to the server_name field provided by SSL handshake 2'. The server_name field carries the name of the server: because one IP address may point to different servers, and each server needs its own CA certificate, the server_name field is used to determine which CA certificate to use.
- after the intermediary 102 receives handshake success 3', it sends handshake success 4' to the network access requester 101; thereafter, the network access requester 101 can initiate an https request to the intermediary 102, that is, first request message 5'. After the intermediary 102 adds the authentication information to form the second request message, it sends second request message 6' to the internal network server 103; after the internal network server 103 verifies it and returns response message 7', the intermediary 102 forwards response message 8' to the network access requesting end 101. Subsequent https request messages and response messages on this connection are still forwarded by the intermediary 102.
- in short, the intermediary 102 serves as a relay: it performs handshakes and establishes connections with the network access requester 101 and with the internal network server 103 respectively, and adds the authentication information to the first request message. After the authentication succeeds, it continues to forward each party's messages to the other.
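The server_name selection described above, as an added example that is not code from the patent: it constructs a minimal TLS ClientHello carrying a server_name extension, parses it back the way an intermediary acting as the server must before it can choose which certificate to present, and looks the name up in a host-to-certificate table. The record layout follows RFC 5246 and RFC 6066; the host names and the certificate table are constructed for the example.

```python
"""Added example, not code from the patent: locating the server_name (SNI)
field of a TLS ClientHello so that an intermediary acting as the server can
present the certificate belonging to the requested host. The record layout
follows RFC 5246 and RFC 6066; the host names and certificate table are
constructed for the example."""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry
    (constructed test input, not a capture from a real client)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0: host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(name_list)) + name_list        # extension_type 0: server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, random (fixed here)
            + b"\x00"                      # session_id: empty
            + b"\x00\x02\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                  # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name of a ClientHello record, or None when the record
    is not a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated record
        pos = 2 + 32                                     # skip version and random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos >= len(body):
            return None                                  # no extensions at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue
            list_end = 2 + int.from_bytes(data[0:2], "big")
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed table: which certificate the intermediary holds for each host.
CERTIFICATES = {
    "intranet.example.internal": "cert-intranet",
    "mail.example.internal": "cert-mail",
}


def select_certificate(record: bytes):
    """Choose the certificate for the requested server_name. An unknown or
    missing name yields None so the handshake can be refused instead of
    answering with a certificate for some other host."""
    name = extract_sni(record)
    return CERTIFICATES.get(name) if name else None


if __name__ == "__main__":
    print(select_certificate(build_client_hello("intranet.example.internal")))
```

The design point is in `select_certificate`: when the name is absent or not in the table the function returns None rather than a default certificate, so the intermediary can drop the handshake instead of presenting a certificate that does not match the host the client asked for, which is exactly the mismatch a client's certificate validation is meant to catch.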
- the internal network server 103 is configured to receive the second request message, extract authentication information therefrom, and determine whether the network access request has access rights; if yes, return a response message.
- the internal network server 103 refers to a server capable of receiving a network access request through a network and serving as an entrance to a specific internal network.
- the internal network server 103 is the target network address of the network access requesting end 101 and the mediation end 102, and the purpose thereof is to receive network access request information and provide response information according to the network access request information.
- the internal network server 103 receives the second request message including the authentication information, analyzes it, and determines its legality, that is, whether it is an access request with access rights.
- the process of determining the validity of the second request message may be implemented by analyzing the header information of the second request message.
- the header information of the second request message is the processed header information to which the authentication information has been added; the encrypted authentication information is extracted from the header information and decrypted with the decryption method corresponding to the asymmetric encryption algorithm, yielding the authentication information.
- the authentication information is at least one of the unique identification information of the terminal device and the user identity authentication information, and it is preset by the internal network server 103.
- the internal network server 103 pre-stores a list of terminal devices and a list of users for which access is permitted; therefore, determining whether the network access request has access rights essentially means identifying and matching the authentication information.
- the specific matching process includes at least one of the following: comparing the decrypted unique identification information of the terminal device with the list of permitted terminal devices stored by the server itself, to determine whether the terminal device that issued the access request is in the list; and comparing the decrypted user identity authentication information with the list of permitted users stored by the server itself, to determine whether the user who issued the access request is in the list.
- if the matching result is consistent, the access request has access rights, and the internal network server 103 immediately generates the corresponding response information according to the message content of the second request message (the first request message) and sends the response information to the mediation end 102.
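The two halves of the scheme, header rewriting at the intermediary and the extract-decrypt-match check at the internal network server, as one added example serving both passages (not code from the patent). The header name `X-Internal-Auth`, the `device=...;user=...` payload format, the textbook-RSA toy cipher standing in for the unspecified asymmetric algorithm, and the allowlists and sample request are all assumptions made for the example.

```python
"""Added example, not code from the patent: the intermediary rewrites a hijacked
HTTP request so that it carries encrypted authentication information, and the
internal network server extracts, decrypts and matches it against its lists.
Assumed (not taken from the patent): the X-Internal-Auth header name, the
'device=...;user=...' payload format, a textbook-RSA toy cipher standing in for
the unspecified asymmetric algorithm, and the constructed allowlists/request."""
import base64

# Toy asymmetric cipher: textbook RSA with two fixed Mersenne primes, applied
# to 8-byte chunks. It exists only so the example runs offline on the standard
# library; a real deployment would use a vetted library with OAEP padding.
_P, _Q, _E = 2**127 - 1, 2**89 - 1, 65537
_N = _P * _Q                              # below 2**216, so 27-byte ciphertexts
_D = pow(_E, -1, (_P - 1) * (_Q - 1))     # private exponent (Python 3.8+)
SERVER_PUBLIC_KEY = (_N, _E)              # distributed to the intermediary
SERVER_PRIVATE_KEY = (_N, _D)             # held only by the internal server
_CHUNK, _CT_LEN = 8, 27


def asym_encrypt(plaintext: bytes, public_key=SERVER_PUBLIC_KEY) -> bytes:
    n, e = public_key
    out = b""
    for i in range(0, len(plaintext), _CHUNK):
        # a 0x01 marker byte preserves leading zero bytes and the chunk length
        m = int.from_bytes(b"\x01" + plaintext[i:i + _CHUNK], "big")
        out += pow(m, e, n).to_bytes(_CT_LEN, "big")
    return out


def asym_decrypt(ciphertext: bytes, private_key=SERVER_PRIVATE_KEY) -> bytes:
    n, d = private_key
    out = b""
    for i in range(0, len(ciphertext), _CT_LEN):
        c = int.from_bytes(ciphertext[i:i + _CT_LEN], "big")
        block = pow(c, d, n).to_bytes(_CHUNK + 1, "big")   # OverflowError on garbage
        out += block.lstrip(b"\x00")[1:]                    # drop padding and marker
    return out


AUTH_HEADER = b"X-Internal-Auth"          # assumed header name


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def add_auth(first_request: bytes, device_id: str, user_id: str) -> bytes:
    """Intermediary side: build the second request message by replacing the
    original header block with one carrying the encrypted authentication info."""
    request_line, headers, body = split_request(first_request)
    payload = f"device={device_id};user={user_id}".encode()
    token = base64.b64encode(asym_encrypt(payload))
    # Any copy of the header supplied by the client is dropped first, so the
    # server only ever sees the value the intermediary attached.
    headers = [h for h in headers if h[0].lower() != AUTH_HEADER.lower()]
    headers.append((AUTH_HEADER, token))
    head = b"\r\n".join([request_line] + [k + b": " + v for k, v in headers])
    return head + b"\r\n\r\n" + body


ALLOWED_DEVICES = {"DEV-0001", "DEV-0002"}   # constructed allowlists
ALLOWED_USERS = {"alice", "bob"}


def verify_request(second_request: bytes) -> dict:
    """Server side: extract, decrypt and match; the dict records why a request
    was refused so the decision can be logged."""
    _, headers, _ = split_request(second_request)
    tokens = [v for k, v in headers if k.lower() == AUTH_HEADER.lower()]
    if len(tokens) != 1:
        return {"allowed": False, "reason": "auth header missing or repeated"}
    try:
        raw = asym_decrypt(base64.b64decode(tokens[0], validate=True))
        fields = dict(kv.split("=", 1) for kv in raw.decode().split(";"))
    except (ValueError, OverflowError) as exc:   # base64/unicode errors are ValueErrors
        return {"allowed": False, "reason": f"undecodable auth info: {exc}"}
    device_ok = fields.get("device") in ALLOWED_DEVICES
    user_ok = fields.get("user") in ALLOWED_USERS
    # The patent permits either factor alone; this example requires both.
    allowed = device_ok and user_ok
    return {"allowed": allowed, "device_ok": device_ok, "user_ok": user_ok,
            "reason": "matched" if allowed else "not on allowlist"}


# Constructed sample of a hijacked first request message.
FIRST_REQUEST = (b"GET /intranet/report HTTP/1.1\r\n"
                 b"Host: intranet.example.internal\r\n"
                 b"User-Agent: constructed-sample\r\n\r\n")

if __name__ == "__main__":
    print(verify_request(add_auth(FIRST_REQUEST, "DEV-0001", "alice")))
```

Two choices in the example matter more than the toy cipher. First, `add_auth` strips any client-supplied copy of the header before attaching its own, and `verify_request` refuses a request whose header is missing, duplicated or undecodable, so a client cannot smuggle the field past the intermediary. Second, encryption under the server's public key only hides the identifiers in transit; any party holding that public key could produce such a header, so a deployment that needs the server to know the header came from the intermediary rather than from the client would have the intermediary sign the authentication information with a key of its own in addition to encrypting it.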
- FIG. 4 is a flowchart of the method for securely accessing an internal network.
- the method provided in this embodiment has the same technical content as the system provided in the foregoing first embodiment, with the mediation end of that embodiment as the main implementation body of the method; for the technical details of this embodiment, refer to the related content of the first embodiment, which is not described again here.
- the method for securely accessing an internal network includes the following steps:
- the purpose of this step is to receive the original access request information.
- the original access request information is the first request message, and is sent by the network application requesting end such as the APP application or the browser to the destination server accessed by the network by using the http protocol or the https protocol.
- hijacking the network access request issued by the application having the network access function means monitoring and hijacking the network access request originally sent to the destination server, so as to receive the network access request first.
- the hijacking process is: injecting a hook function into an http access process or an https access process by using a global DLL injection method.
- when the first request message is hijacked: if the first request message is sent using the http protocol, an http handshake must be performed with the sender of the first request message before it is received, and after the handshake succeeds the sender may send the first request message; if the first request message is sent using the https protocol, the CA pseudo certificate must be imported before the first request message is hijacked, and before the first request message is received an SSL handshake is performed with the sender of the first request message and then with the destination server; after this series of SSL handshakes succeeds, the sender of the first request message can send the first request message.
- the foregoing step hijacks the first request message; this step adds authentication information to the first request message to form a second request message, which is used to prove that the requesting end that sent the first request message has access rights to the destination server to be accessed.
- the authentication information may be the unique identification information of the terminal device on which the network access requesting end is located, the user identity authentication information, or both; the two types may be used separately or together.
- After the authentication information is encrypted by the asymmetric encryption algorithm, it is added in the header information of the first request message.
- the purpose of this step is to forward the second request message formed by the above steps to the destination server accessed by the network.
- the destination server in the present application is an internal network server.
- the process is: during the connection process before receiving the first request message, perform an SSL handshake with the network access requesting end, and then perform an SSL handshake with the internal network server according to the server_name field provided by that SSL handshake.
- the second request message includes the authentication information and the first request message.
- the internal network server extracts the authentication information from the second request message, decrypts it with the decryption method corresponding to the asymmetric encryption algorithm, and determines according to the authentication information whether the network access request has access authority; if so, a response message is returned.
- this step is for receiving the returned response information.
- This step is for forwarding the received response information to the application that issues the network access request.
- this process must parse the response information to determine which network application's access request it answers, and then send the response message to the corresponding network application.
- FIG. 5 is a flowchart of a method for the server to receive an access.
- the method provided in this embodiment has the same technical content as the system provided in the first embodiment, with the internal network server of that embodiment as the main implementation body of the method; for the technical details of this embodiment, refer to the related content of the first and second embodiments, which is not described again here.
- the method for receiving access by the server includes the following steps:
- the purpose of this step is to receive an access request.
- the access request including the authentication information refers to the second request message forwarded in step S103 in the second embodiment.
- the function of this step is to extract the authentication information in the second request message, and determine whether the user or the terminal that sent the access request has the access right by using the authentication information.
- S203 Determine, according to the authentication information, whether the access request is legal.
- This step is used to decrypt the authentication information, and thereby verify the validity of the access request.
- the authentication information is encrypted by using an asymmetric encryption algorithm. Therefore, in this embodiment, the authentication information is decrypted by using a decryption method corresponding to the asymmetric encryption algorithm, and the decrypted authentication information includes at least one of the following information:
- the decrypted unique identification information of the terminal device is compared with the list of permitted terminal devices stored by the server itself, to determine whether the terminal device that issued the access request is in the list; and the decrypted user identity authentication information is compared with the list of permitted users stored by the server itself, to determine whether the user who issued the access request is in the list.
- this step responds according to the judgment result of the previous step: if the judgment result shows that the access request is legal, the corresponding response information is returned according to the access request.
- FIG. 6 is a flowchart of a method for receiving access by the server.
- the data processing method includes the following steps:
- the first network access request is intercepted, where the first network access request includes a source address and a target address.
- the authentication information includes at least one of the following information: unique identification information of the computing device corresponding to the source address; user identity authentication information.
- the data processing method provided by this embodiment is substantially the same as the system for secure access to the internal network provided by the first embodiment and the method provided by the second embodiment, adjusted only in its wording.
- the implementation body of this embodiment is the mediation end in the first embodiment.
- the computing device corresponding to the source address in this embodiment represents the network access requesting end in the first embodiment.
- the computing device corresponding to the target address represents the internal network server in the first embodiment; the first network access request represents the first request message in the second embodiment, and the second network access request represents the second request message in the second embodiment; for related content, refer to the first and second embodiments of the present application, which is not described again here.
- FIG. 7 is a flowchart of the data response method.
- the method for data response includes the following steps:
- S403. Determine, according to the authentication information, whether the network access request is legal.
- the data response method provided by this embodiment is substantially the same as the system provided by the first embodiment and the method for receiving access by the server provided by the third embodiment, adjusted only in its wording.
- the implementation body of this embodiment is the internal network server in the first embodiment.
- FIG. 8 is a schematic diagram of an apparatus for securely accessing an internal network according to the embodiment.
- the apparatus for securely accessing an internal network includes:
- a first request message hijacking unit 201 configured to hijack a network access request issued by an application having a network access function; the network access request is referred to as a first request message;
- the authentication information adding unit 202 is configured to add authentication information to the first request message to form a second request message.
- a second request message forwarding unit 203 configured to forward the second request message to a destination server of the network access request, that is, an internal network server;
- the response information receiving unit 204 is configured to receive response information returned by the internal network server;
- the response information forwarding unit 205 is configured to forward the response information to the application that sends the network access request.
- the network access request is hijacked by using a hook function; and the hook function is injected into the network access request process in advance by using a DLL injection manner.
- when the first request message is in http mode, an http handshake is performed with the application that sends the network access request before the first request message is received, and an http handshake is performed with the internal network server before the second request message is sent.
- when the network access request is in https mode, an SSL handshake is performed with the network access requesting end before the first request message is received, and then, according to the server_name field provided by that SSL handshake, an SSL handshake is performed with the internal network server; after the handshake success message returned by the internal network server is received, a handshake success message is sent to the application that sends the network access request.
- the CA pseudo certificate is imported before the network access request sent by the network access function application is hijacked.
- the authentication information includes at least one of the following information: unique identification information of the terminal device; user identity authentication information.
- the authentication information is encrypted using an asymmetric encryption algorithm.
- FIG. 9 is a schematic diagram of a device for receiving access by a server according to the embodiment.
- the apparatus for receiving access by the server includes:
- the access request obtaining unit 301 is configured to acquire an access request that includes authentication information, and the access request is referred to as a second request message.
- the authentication information extracting unit 302 is configured to extract the authentication information;
- the access request legality determining unit 303 is configured to determine, according to the authentication information, whether the access request is legal;
- the response message returning unit 304 is configured to return a response message when the result of the above-mentioned unit is YES.
- the authentication information is encrypted by using an asymmetric encryption algorithm, and determining, according to the authentication information, whether the access request is legal, including:
- the authentication information includes at least one of the following information: unique identification information of the terminal device, user identity authentication information;
- the verifying the validity of the access request according to the decrypted authentication information includes at least one of the following manners:
- FIG. 10 is a schematic diagram of a device for data processing according to the embodiment.
- the apparatus for data processing includes:
- the first network access request intercepting unit 401 is configured to intercept the first network access request, where the first network access request includes a source address and a target address;
- the authentication information adding unit 402 is configured to add the authentication information to the first network access request to obtain a second network access request.
- a second network access request sending unit 403, configured to send the second network access request to a computing device corresponding to the target address;
- the response information receiving unit 404 is configured to receive response information returned by the computing device corresponding to the target address;
- the response information sending unit 405 is configured to send the response information to the computing device corresponding to the source address.
- the authentication information includes at least one of the following information: unique identification information of the computing device corresponding to the source address; user identity authentication information.
- FIG. 11 is a schematic diagram of a device for responding to data according to the embodiment.
- the device for responding to the data includes:
- the network access request obtaining unit 501 is configured to acquire a network access request that includes the authentication information.
- the authentication information extracting unit 502 is configured to extract the authentication information from the network access request.
- the network access request legality determining unit 503 is configured to determine, according to the authentication information, whether the network access request is legal;
- the response information returning unit 504 is configured to return a response message when the determination result of the above unit is YES.
- a tenth embodiment of the present application provides an electronic device.
- FIG. 12 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively brief, and the relevant parts can be found in the description of the method embodiment.
- the device embodiments described below are merely illustrative.
- the electronic device includes: a processor 601; a memory 602.
- the memory 602 is configured to store a program for securely accessing an internal network. After the device is powered on and runs the program for securely accessing the internal network through the processor 601, the following steps are performed:
- hijacking a network access request issued by an application having a network access function, the network access request being referred to as a first request message; adding authentication information to the first request message to form a second request message; forwarding the second request message to the destination server of the network access request, i.e., the internal network server; receiving response information returned by the internal network server; and forwarding the response information to the application that issued the network access request.
- FIG. 13 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively brief, and the relevant parts can be found in the description of the method embodiment.
- the device embodiments described below are merely illustrative.
- the electronic device includes: a processor 701; a memory 702.
- the memory 702 is configured to store a program for the server to receive access; after the device is powered on and runs this program through the processor 701, the following steps are performed:
- acquiring an access request that includes authentication information, the access request being referred to as a second request message; extracting the authentication information; determining, according to the authentication information, whether the access request is legal; and if so, returning a response message.
- FIG. 14 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
- the device embodiments described below are merely illustrative.
- the electronic device includes: a processor 801; a memory 802.
- the memory 802 is configured to store a program for data processing. After the device is powered on and runs the program of the data processing by the processor 801, the following steps are performed:
- intercepting a first network access request, where the first network access request includes a source address and a target address; adding authentication information to the first network access request to obtain a second network access request; sending the second network access request to the computing device corresponding to the target address; receiving the response information returned by the computing device corresponding to the target address; and sending the response information to the computing device corresponding to the source address.
- a thirteenth embodiment of the present application provides an electronic device.
- FIG. 15 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively brief, and the relevant parts can be found in the description of the method embodiment.
- the device embodiments described below are merely illustrative.
- the electronic device includes: a processor 901; a memory 902.
- the memory 902 is configured to store a program for data response. After the device is powered on and runs the program of the data response by the processor 901, the following steps are performed:
- a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
- the memory may include non-persistent memory, random access memory (RAM), and/or non-volatile memory in a computer readable medium, such as read only memory (ROM) or flash memory.
- Memory is an example of a computer readable medium.
- Computer readable media, including both permanent and non-persistent, removable and non-removable media, may implement information storage by any method or technology.
- the information can be computer readable instructions, data structures, modules of programs, or other data.
- Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic tape cartridges, magnetic tape storage or other magnetic storage devices, or any other non-transmission media that can be used to store information accessible by a computing device.
- Computer readable media, as defined herein, does not include transitory media such as modulated data signals and carrier waves.
- embodiments of the present application can be provided as a method, system, or computer program product.
- the present application can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment in combination of software and hardware.
- the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
Abstract
Disclosed are a system, method, and apparatus for securely accessing an internal network, said system comprising: a network access requesting end, an intermediary end, and an internal-network server; said network access requesting end is used for issuing a first request message used for requesting network access and is used for receiving a response message; said intermediary end is used for monitoring and hijacking the first request message of said network access requesting end; parsing the first request message and adding authentication information to the first request message to obtain a second request message; further, sending said second request message to a destination network address of said first request message; and, receiving a response message concerning the second request message and forwarding said response message to a client; said internal-network server is used for receiving the second request message and extracting authentication information from same, and determining whether the network access request has access permission; if so, then returning the response message. By means of the technical solution provided by the present invention, it is possible to accurately learn whether a client has permission to access an internal network, preventing unprivileged access requests.
Description
This application claims priority to Chinese Patent Application No. 201710905297.X, filed on September 29, 2017 and entitled "A System, Method and Apparatus for Implementing Secure Access to an Internal Network", the entire contents of which are incorporated herein by reference.
This application relates to the field of network access, and in particular to a system for implementing secure access to an internal network. It also relates to a method and apparatus for securely accessing an internal network, a method and apparatus for a server to receive access, a method and apparatus for data processing, and a method and apparatus for data response.
In a traditional enterprise network configuration, remote access is achieved by leasing a DDN (Digital Data Network) line or frame relay; such a communication scheme inevitably leads to high network communication and maintenance costs. Mobile users (mobile office workers) and remote individual users generally enter the enterprise LAN over a dial-up line (the Internet), which inevitably brings security risks.
To let off-site employees access intranet resources, the prior art generally uses a VPN: a VPN server is set up in the internal network; after off-site employees connect to the Internet locally, they connect to the VPN server over the Internet and enter the enterprise intranet through it.
To ensure data security, communication data between the VPN server and the client is encrypted. With data encryption, the data can be regarded as transmitted securely over a dedicated data link, as if a dedicated network had been built. In reality, however, a VPN uses public links on the Internet, which is why it is called a virtual private network; in essence it uses encryption to encapsulate a data communication tunnel over the public network. With VPN technology, a user can access intranet resources over a VPN whether on a business trip or working from home, as long as the Internet is reachable, so VPNs have been widely used in enterprises.
However, using a VPN to access intranet resources also has obvious problems. One of the main problems is that the server cannot accurately obtain the source of the client that initiated an http/https request, so it cannot determine whether the client actually has permission to access the intranet.
Summary of the invention
The present invention provides a system for securely accessing a network, to solve the problem that the server cannot reliably determine the client source of an http/https request. The invention further provides a method and apparatus for securely accessing an internal network, and a method and apparatus by which a server receives access. The invention also provides a data processing method and apparatus, and a data response method and apparatus.
The present invention provides a system for securely accessing an internal network, comprising: a network access requesting end, an intermediary end, and an internal network server;
the network access requesting end is configured to send a first request message that carries a network access request, and to receive a response message;
the intermediary end is configured to listen for and hijack the first request message from the network access requesting end; to parse the first request message and add authentication information to it, obtaining a second request message; to send the second request message to the target network address of the first request message; and to receive the response message to the second request message and forward that response message to the client (the network access requesting end);
the internal network server is configured to receive the second request message, extract the authentication information from it, and decide whether the network access request has access rights; if so, it returns a response message.
Optionally, the intermediary end and the network access requesting end are deployed on the same mobile device.
Optionally, when the network access request sent by the network access requesting end uses the http protocol, the intermediary end performs an http handshake with the network access requesting end before receiving the first request message, and performs an http handshake with the internal network server before sending the second request message.
Optionally, when the network access request sent by the network access requesting end uses https, the intermediary end performs an SSL handshake with the network access requesting end before receiving the first request message, and then, using the server_name field supplied in that SSL handshake, initiates an SSL handshake with the internal network server; after the intermediary end receives the handshake-success message returned by the internal network server, it sends a handshake-success message to the network access requesting end.
Optionally, before any network access request is made, a pseudo CA certificate (a locally generated CA certificate) is imported into the network access requesting end and the intermediary end.
Optionally, the authentication information contains at least one of the following: the unique identifier of the terminal device on which the network access requesting end runs; user identity authentication information.
Optionally, the authentication information is encrypted with an asymmetric algorithm.
Optionally, a global traffic-hijacking process is injected by DLL injection into the process that issues the network access request at the network access requesting end, which is how the first request message is hijacked.
The present invention also provides a method for securely accessing an internal network, comprising:
hijacking a network access request issued by an application with network access capability; this network access request is called the first request message;
adding authentication information to the first request message to form a second request message;
forwarding the second request message to the destination server of the network access request, namely the internal network server;
receiving the response information returned by the internal network server;
forwarding the response information to the application that issued the network access request.
Optionally, in the step of hijacking the network access request issued by the application, the request is hijacked by a hook function; the hook function has been injected beforehand, by DLL injection, into the process that issues the network access request.
Optionally, when the first request message uses http, an http handshake with the application issuing the network access request is performed before the first request message is received, and an http handshake with the internal network server is performed before the second request message is sent.
Optionally, when the network access request uses https, an SSL handshake is performed with the network access requesting end before the first request message is received; then, using the server_name field supplied in that SSL handshake, an SSL handshake is performed with the internal network server; after the handshake-success message returned by the internal network server is received, a handshake-success message is sent to the application that issued the network access request.
Optionally, a pseudo CA certificate is imported before the network access request issued by the application is hijacked.
Optionally, the authentication information contains at least one of the following: the unique identifier of the terminal device; user identity authentication information.
Optionally, the authentication information is encrypted with an asymmetric encryption algorithm.
The present invention also provides a method by which a server receives access, comprising:
obtaining an access request that contains authentication information; this access request is called the second request message;
extracting the authentication information;
deciding, from the authentication information, whether the access request is legitimate;
if so, returning a response message.
Optionally, the authentication information is encrypted with an asymmetric encryption algorithm, and deciding from the authentication information whether the access request is legitimate comprises:
decrypting the authentication information, which contains at least one of the following: the unique identifier of the terminal device; user identity authentication information;
verifying the legitimacy of the access request from the decrypted authentication information.
Optionally, verifying the legitimacy of the access request from the decrypted authentication information comprises at least one of the following:
comparing the unique identifier of the terminal device contained in the decrypted authentication information with the list of permitted terminal devices stored on the server itself, to decide whether the terminal device that issued the access request is on that list;
comparing the decrypted user identity authentication information with the list of permitted users stored on the server itself, to decide whether the user who issued the access request is on that list.
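The two methods above, the intermediary's side and the server's side, as one added example in Go. This is not the patent's code: the intermediary encrypts the device identifier and user name to the internal server's RSA public key (RSA-OAEP with SHA-256) and carries the result in a request header; the server decrypts the header and checks both values against its allow lists. The header name X-Intranet-Auth, the JSON layout of the authentication information, the IMEI-style device identifier and the user name are assumptions, as is the decision to require both identifiers to match (the text allows either one). The text says nothing about replay protection and the example adds none: a captured second request message would be accepted again until the key or the lists change, and the identifiers themselves are not secrets, so only the server's public key protects them in transit.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
)

// HeaderName is assumed; the text does not say how the authentication information travels.
const HeaderName = "X-Intranet-Auth"

type AuthInfo struct {
	DeviceID string `json:"device_id"` // unique identifier of the terminal device
	User     string `json:"user"`      // user identity
}

// AddAuth turns the hijacked first request message into the second one: AuthInfo is
// encrypted to the internal server's public key (RSA-OAEP, SHA-256) and put in a header.
func AddAuth(pub *rsa.PublicKey, first *http.Request, info AuthInfo) (*http.Request, error) {
	plain, err := json.Marshal(info)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte(HeaderName))
	if err != nil {
		return nil, err
	}
	second := first.Clone(first.Context())
	second.Header.Set(HeaderName, base64.StdEncoding.EncodeToString(ct))
	return second, nil
}

// Gate is the internal server's side: its private key and its two allow lists.
type Gate struct {
	priv           *rsa.PrivateKey
	allowedDevices map[string]bool
	allowedUsers   map[string]bool
}

var ErrDenied = errors.New("access denied")

// Check decrypts the authentication information and accepts the request only if both
// the device and the user are listed; every kind of failure yields the same error.
func (g *Gate) Check(r *http.Request) (AuthInfo, error) {
	var info AuthInfo
	ct, err := base64.StdEncoding.DecodeString(r.Header.Get(HeaderName))
	if err != nil || len(ct) == 0 {
		return info, ErrDenied
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, ct, []byte(HeaderName))
	if err != nil || json.Unmarshal(plain, &info) != nil {
		return info, ErrDenied
	}
	if !g.allowedDevices[info.DeviceID] || !g.allowedUsers[info.User] {
		return info, ErrDenied
	}
	return info, nil
}

// Protect lets only requests that pass Check reach the intranet handler.
func (g *Gate) Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := g.Check(r); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Demo runs the flow in memory and returns the status codes seen by an allowed device
// and user, by an unlisted device, and by a request that never passed the intermediary.
func Demo() (allowed, unlisted, noAuth int, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed allow lists: the device identifier and the user name are made up.
	gate := &Gate{priv, map[string]bool{"IMEI-356938035643809": true}, map[string]bool{"alice": true}}
	h := gate.Protect(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) }))
	serve := func(info *AuthInfo) int {
		r := httptest.NewRequest("GET", "http://wiki.intranet.example/", nil)
		if info != nil {
			if r, err = AddAuth(&priv.PublicKey, r, *info); err != nil {
				return 0
			}
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, r)
		return rec.Code
	}
	allowed = serve(&AuthInfo{"IMEI-356938035643809", "alice"})
	unlisted = serve(&AuthInfo{"IMEI-000000000000000", "alice"})
	noAuth = serve(nil)
	return
}
```

Demo yields 200 for the listed device and user and 403 for the other two cases. Check deliberately collapses a missing header, undecryptable ciphertext and an unlisted identity into one error, so a probing client cannot tell which part of the check it failed; the encryption label ties the ciphertext to this header so it cannot be transplanted into another field that uses the same key.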
The present invention also provides a data processing method, comprising:
intercepting a first network access request, where the first network access request includes a source address and a target address;
adding authentication information to the first network access request to obtain a second network access request;
sending the second network access request to the computing device corresponding to the target address;
receiving the response information returned by the computing device corresponding to the target address;
sending the response information to the computing device corresponding to the source address.
Optionally, the authentication information contains at least one of the following: the unique identifier of the computing device corresponding to the source address; user identity authentication information.
The present invention also provides a data response method, comprising:
obtaining a network access request that contains authentication information;
extracting the authentication information from the network access request;
deciding, from the authentication information, whether the network access request is legitimate;
if so, returning response information.
The present invention also provides an apparatus for securely accessing an internal network, comprising:
a first request message hijacking unit, configured to hijack a network access request issued by an application with network access capability; this network access request is called the first request message;
an authentication information adding unit, configured to add authentication information to the first request message to form a second request message;
a second request message forwarding unit, configured to forward the second request message to the destination server of the network access request, namely the internal network server;
a response information receiving unit, configured to receive the response information returned by the internal network server;
a response information forwarding unit, configured to forward the response information to the application that issued the network access request.
The present invention also provides an apparatus by which a server receives access, comprising:
an access request obtaining unit, configured to obtain an access request that contains authentication information; this access request is called the second request message;
an authentication information extracting unit, configured to extract the authentication information;
an access request legitimacy judging unit, configured to decide, from the authentication information, whether the access request is legitimate;
a response message returning unit, configured to return a response message when the judging unit's result is yes.
The present invention also provides a data processing apparatus, comprising:
a first network access request intercepting unit, configured to intercept a first network access request, where the first network access request includes a source address and a target address;
an authentication information adding unit, configured to add authentication information to the first network access request to obtain a second network access request;
a second network access request sending unit, configured to send the second network access request to the computing device corresponding to the target address;
a response information receiving unit, configured to receive the response information returned by the computing device corresponding to the target address;
a response information sending unit, configured to send the response information to the computing device corresponding to the source address.
The present invention also provides a data response apparatus, comprising:
a network access request obtaining unit, configured to obtain a network access request that contains authentication information;
an authentication information extracting unit, configured to extract the authentication information from the network access request;
a network access request legitimacy judging unit, configured to decide, from the authentication information, whether the network access request is legitimate;
a response information returning unit, configured to return a response message when the judging unit's result is yes.
The present invention also provides an electronic device, comprising:
a processor; and
a memory storing a program for securely accessing an internal network; once the device is powered on and the processor runs that program, the following steps are performed:
hijacking a network access request issued by an application with network access capability; this network access request is called the first request message;
adding authentication information to the first request message to form a second request message;
forwarding the second request message to the destination server of the network access request, namely the internal network server;
receiving the response information returned by the internal network server;
forwarding the response information to the application that issued the network access request.
The present invention also provides an electronic device, comprising:
a processor; and
a memory storing a program by which a server receives access; once the device is powered on and the processor runs that program, the following steps are performed:
obtaining an access request that contains authentication information; this access request is called the second request message;
extracting the authentication information;
deciding, from the authentication information, whether the access request is legitimate;
if so, returning a response message.
The present invention also provides an electronic device, comprising:
a processor; and
a memory storing a data processing program; once the device is powered on and the processor runs that program, the following steps are performed:
intercepting a first network access request, where the first network access request includes a source address and a target address;
adding authentication information to the first network access request to obtain a second network access request;
sending the second network access request to the computing device corresponding to the target address;
receiving the response information returned by the computing device corresponding to the target address;
sending the response information to the computing device corresponding to the source address.
The present invention also provides an electronic device, comprising:
a processor; and
a memory storing a data response program; once the device is powered on and the processor runs that program, the following steps are performed:
obtaining a network access request that contains authentication information;
extracting the authentication information from the network access request;
deciding, from the authentication information, whether the network access request is legitimate;
if so, returning response information.
In the system for securely accessing an internal network and the corresponding methods and apparatus provided by this application, the client initiates an access request and the request message is hijacked to the intermediary end; the intermediary end parses the plaintext message, adds encrypted information, and then sends the request message on to the server.
Compared with the prior art, according to one embodiment of this application the advantages include:
by extracting the encrypted information the server reliably determines the client from which the http/https request originated, and can therefore tell exactly whether that client is entitled to access the intranet, rejecting requests that lack permission.
According to one embodiment, the technical solution of this application has the further advantage that, because no VPN service is needed, the manual connect and disconnect operations are eliminated and no password has to be typed for verification, giving a better user experience.
According to one embodiment, the technical solution of this application has the further advantage that the intranet server can be reached directly, which improves access speed.
Figure 1 is a schematic diagram of the system for securely accessing an internal network according to the first embodiment of this application;
Figure 2 is a schematic diagram of a network access request carried over the http protocol according to the first embodiment of this application;
Figure 3 is a schematic diagram of a network access request carried over the https protocol according to the first embodiment of this application;
Figure 4 is a flowchart of the method for securely accessing an internal network according to the second embodiment of this application;
Figure 5 is a flowchart of the method by which a server receives access according to the third embodiment of this application;
Figure 6 is a flowchart of the data processing method according to the fourth embodiment of this application;
Figure 7 is a flowchart of the data response method according to the fifth embodiment of this application;
Figure 8 is a schematic diagram of the apparatus for securely accessing an internal network according to the sixth embodiment of this application;
Figure 9 is a schematic diagram of the apparatus by which a server receives access according to the seventh embodiment of this application;
Figure 10 is a schematic diagram of the data processing apparatus according to the eighth embodiment of this application;
Figure 11 is a schematic diagram of the data response apparatus according to the ninth embodiment of this application;
Figure 12 is a schematic diagram of the electronic device according to the tenth embodiment of this application;
Figure 13 is a schematic diagram of the electronic device according to the eleventh embodiment of this application;
Figure 14 is a schematic diagram of the electronic device according to the twelfth embodiment of this application;
Figure 15 is a schematic diagram of the electronic device according to the thirteenth embodiment of this application.
Many specific details are set out in the following description so that the invention can be fully understood. The invention can, however, be implemented in many ways other than those described here, and a person skilled in the art can make similar extensions without departing from its substance; the invention is therefore not limited to the specific embodiments disclosed below.
This application provides a system for securely accessing an internal network, a method for securely accessing an internal network, and a method by which a server receives access; the embodiments below describe the system and methods in detail. They were designed mainly for access to corporate intranet resources, but can be used in any network system with the same requirements; no specific limitation is placed on this.
The key terms used in this application are explained below.
Network access requesting end: in this application, specifically the application software able to issue network access requests, such as a browser or an app; it is installed on the software platform of a hardware device such as a computer or mobile phone.
Intermediary end: in this application, specifically the application software module that, once started, listens for the access requests issued by the network access requesting end (called the first request message here), hijacks such a request when it is directed at a predetermined network address, adds authentication information to it, and then issues an access request (called the second request message here) to that predetermined network address. This module is generally deployed on the same terminal device as the network access requesting end, but it is not excluded that its main body sits on another terminal device, with only the program that listens for and hijacks the first request message installed at the network access requesting end.
Internal network server: in this application, a server that can receive network access requests over the network and acts as the entry point to a specific internal network.
The first embodiment of this application provides a system for securely accessing an internal network; please refer to Figure 1, a schematic diagram of the system for securely accessing an internal network according to the first embodiment. The system is described in detail below with reference to Figure 1. The embodiments described are meant to explain the principle of the system and do not limit its actual use.
A system for securely accessing an internal network comprises a network access requesting end 101, an intermediary end 102, and an internal network server 103.
The network access requesting end 101 is configured to send a first request message that carries a network access request, and to receive a response message.
The detailed working of the network access requesting end 101 is described below.
The network access requesting end 101 is a software program deployed on a particular terminal device, in the form of an app or a browser. It can issue network access requests, which mainly use the http or https protocol. In this application the network access request issued by the network access requesting end 101 is called the first request message.
http and https are currently the two main application-layer protocols for network access; the latter combines the former with the SSL protocol (since superseded by TLS; this document keeps the term SSL) to keep the access exchange confidential.
When https is used, a pseudo CA certificate must be imported into the network access requesting end 101 and the intermediary end 102 before any network access request is made; this pseudo CA certificate is used to establish the https connection between the network access requesting end 101 and the intermediary end 102, with the intermediary end 102 acting as the server side that uses the pseudo CA certificate.
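The https arrangement above, as an added Go example that is not the patent's code: a locally generated CA plays the pseudo CA certificate, the requester imports its certificate as its only trust root, and the intermediary's tls.Config.GetCertificate mints a leaf for the server_name carried in the ClientHello. A real handshake over loopback TCP shows the requester accepting that leaf for the host it asked for, which is exactly what lets the intermediary stand in for the internal server; the same server_name is what the intermediary would use to open its own handshake towards the real internal network server. The CA's common name, the host name and the certificate lifetimes are assumptions; the document says SSL, Go negotiates TLS here. One consequence worth stating: a requester that trusts this root will accept a certificate for any host from whoever holds the CA's private key, so that key needs the same protection as the intranet credentials themselves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// LocalCA is the "pseudo CA certificate": the requester trusts Cert, the intermediary signs with key.
type LocalCA struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue signs tmpl (with a random serial) for a fresh Ed25519 key; nil parentKey means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLocalCA mints the CA that both the requester and the intermediary are provisioned with.
func NewLocalCA() (*LocalCA, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Intranet Access Local CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key, err := issue(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &LocalCA{Cert: cert, key: key}, nil
}

// GetCertificate is the intermediary's tls.Config.GetCertificate: it mints a leaf for the
// server_name in the ClientHello; without server_name it cannot pick the internal server.
func (ca *LocalCA) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if hello.ServerName == "" {
		return nil, errors.New("no server_name in ClientHello: cannot choose the internal server")
	}
	tmpl := &x509.Certificate{
		DNSNames:  []string{hello.ServerName},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(12 * time.Hour),
	}
	cert, key, err := issue(tmpl, ca.Cert, ca.key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{cert.Raw, ca.Cert.Raw}, PrivateKey: key}, nil
}

// Handshake runs the requester<->intermediary TLS handshake over loopback TCP and returns the
// leaf that the requester, trusting only the local CA and naming host via SNI, accepted.
func Handshake(ca *LocalCA, host string) (*x509.Certificate, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: ca.GetCertificate})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // the intermediary: accept one connection and complete the handshake
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			c.(*tls.Conn).Handshake() // a failure here also surfaces on the requester's side
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: pool})
	if err != nil {
		return nil, err
	}
	defer client.Close()
	return client.ConnectionState().PeerCertificates[0], nil
}
```

Handshake(ca, "wiki.intranet.example") returns a leaf whose DNS name is that host and whose issuer is the local CA. When the requester names an IP literal instead of a host name, no server_name is sent, GetCertificate refuses, and the handshake fails: the intermediary has no way to learn which internal server the request was for, so it cannot complete the second handshake either.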
In addition, DLL injection is used to inject a global traffic-hijacking process into the network access request initiated by the network access requesting end 101; this is how the first request message is listened for and hijacked. The hijacking process can be regarded as part of the intermediary end 102, merely deployed inside the network access request of the network access requesting end 101. Concretely it can be implemented with a hook function. A hook function is a special kind of application programming interface (API) through which the original behaviour of a system API can be changed: the hook "reaches" the entry point of the API function to be modified and redirects its address to a new, custom function.
In this embodiment the hook function is injected into the http or https access process by global DLL injection. DLL injection means placing a DLL file into the address space of some process so that it becomes part of that process. Many applications are not a single complete executable but are split into relatively independent dynamic link libraries (DLL files) placed in the system; when a program runs, the corresponding DLL files are loaded. Here, the hook function is placed by global DLL injection into every http or https access process initiated by the network access requesting end 101.
所述中介端102,用于监听并劫持所述网络访问请求端的第一请求消息;解析所述第一请求消息,并在所述第一请求消息中添加认证信息,得到第二请求消息;继而向所述第一请求消息的目标网络地址发送所述第二请求消息;以及,接收对所述第二请求消息的响应消息,并将该响应消息转发到所述网络访问请求端101。The mediation end 102 is configured to listen to and hijack the first request message of the network access requesting end, parse the first request message, and add authentication information to the first request message to obtain a second request message; Transmitting the second request message to a target network address of the first request message; and receiving a response message to the second request message, and forwarding the response message to the network access requesting end 101.
所述中介端102,在本申请提供的技术方案中作为实现网络访问请求的中间转发的单元,其实体一般为一个软件程序,并一般布置在所述网络访问请求端101的APP应用或者浏览器所在的终端设备上;当然,不排除在一些情况下,被布置在专门的设备上或者某个远程服务器上,此时,仍然需要在所述网络访问请求端101上布置负责监听和劫持的程序。The mediator 102, as a unit for implementing intermediate forwarding of a network access request in the technical solution provided by the present application, is generally a software program, and is generally disposed in an APP application or a browser of the network access requesting end 101. On the terminal device where it is located; of course, it is not excluded that in some cases, it is arranged on a dedicated device or on a remote server. At this time, it is still necessary to arrange a program for monitoring and hijacking on the network access requesting end 101. .
在本实施例提供的系统中,所述中介端102实现了如下功能:In the system provided in this embodiment, the mediation terminal 102 implements the following functions:
首先,所述中介端102是被当做所述网络访问请求端的服务器使用;所述网络访问请求端101发出的任何网络访问请求(本实施例中称为第一请求消息),均通过劫持方式劫持到该中介端102,由所述中介端102作为服务器对所述第一请求消息进行应答;必然的,为了实现这个过程中,所述网络访问请求端101与所述中介端102之间还首先 需要有进行握手的环节。First, the mediator 102 is used by the server as the network access requesting end; any network access request (referred to as the first request message in this embodiment) sent by the network access requesting end 101 is hijacked by hijacking. The mediator 102 responds to the first request message by the mediator 102 as a server; inevitably, in order to implement the process, the network access requesting end 101 and the mediation end 102 are first There is a need to have a handshake.
Second, the intermediary 102 obtains a second request message by adding authentication information to the first request message and, acting as the requesting party, sends it to the internal network server 103 as the target server; after receiving the response message from the internal network server 103, it forwards that response message to the network access requester 101. Necessarily, for this process to work, a handshake stage between the intermediary 102 and the internal network server 103 must come first.
It can be seen that the precondition for the intermediary 102 to perform the above functions is that it can monitor and hijack the network access request issued by the network access requester 101. There are several possible ways to monitor and hijack the first request message of the network access requester; the most likely one is the method already described above: injecting a hook function into the http and https processes of the network access requester by global DLL injection, and using that hook function to monitor and hijack the network access request, that is, the first request message, issued by the network access requester 101. The hook function placed in advance in the http and https processes of the network access requester by global DLL injection for this purpose should be regarded as part of the intermediary 102. The way a hook function performs monitoring and hijacking is a commonly used technique in this field and is not described in detail here.
After the first request message is hijacked, the network access request (i.e. the first request message) can no longer reach the server at its target URL directly; instead, the intermediary 102 obtains the first request message and adds authentication information to it, producing the second request message.
The authentication information is information that proves that the user or terminal issuing the access request is authorised to access the internal network server 103 being accessed. The authentication information may consist of: unique identification information of the terminal device on which the network access requester is located; user identity authentication information. These two kinds of authentication information may be used separately or together. Before it is added, the authentication information must be encrypted with an asymmetric encryption algorithm.
The unique identification information of the terminal device on which the access requester 101 is located refers to identification information of the terminal device, such as a laptop, mobile phone or tablet, on which the access requester 101 is deployed, for example a code that corresponds uniquely to the terminal device such as its hardware serial number or IMEI. Since mobile terminal devices are now mainstream and are directly tied to a person's identity, access rights to an internal network can often be tied directly to a particular device: for example, a particular mobile phone or iPad can be granted access to a particular internal network. The unique identification information of the terminal device, whether hardware serial number or IMEI, can therefore be used to decide whether an access request is authorised; adding this information to the network access request gives the internal network server a basis for deciding whether the request is authorised.
Since the intermediary 102 is generally located on the same hardware device as the network access requester 101, the intermediary 102 can obtain the hardware serial number or IMEI by reading it directly from the device it runs on; the exact way of reading it depends on the hardware and system environment of the particular device, and a person skilled in the art can readily obtain the relevant technical means. Alternatively, if the intermediary 102 is not deployed on the same hardware device as the network access requester 101, the hardware serial number or IMEI of the device hosting the network access requester 101 can be read externally and recorded in the intermediary 102 against an identifier of the network access requester 101; when a network access request from the network access requester 101 is intercepted, the unique identification information of the terminal device corresponding to the network access requester 101 can then be used directly as the authentication information.
The user identity authentication information is authentication information that corresponds directly to a specific visitor, for example an identity ID issued to a visitor for accessing a particular internal network. This information is managed and issued by the internal network server 103; the intermediary 102 stores the user identity authentication information that is directly tied to the visitor's identity and adds it to the first request message, which gives the internal network server 103 a basis for deciding whether the party issuing the network request is authorised to access the internal network it manages.
The authentication information can be added to the first request message in several possible ways. The main one is to add it to the header information of the first request message, which can be done by the following steps: parse the first request message to obtain its original header information; add the authentication information to the header information in a preset format, obtaining processed header information containing the authentication information; replace the original header information in the first request message with the processed header information as the new header information, obtaining the second request message. The second request message can then be used as the network request sent to the target network address of the first request message; naturally, the target network address of the second request message points to the internal network server 103.
After the intermediary 102 sends the second request message to the internal network server 103, if authentication succeeds, it receives the response message returned by the internal network server 103. The intermediary 102 must parse that response message to learn which network access requester's request it answers, and then send the response message to that network access requester.
It should be further explained that the intermediary 102 first stands in for the server to establish http or https communication with the network access requester 101, and then stands in for the client to establish http or https communication with the internal network server. Both steps must follow the communication rules of the respective protocol, including the handshake at the start of communication. The specific execution of these two steps differs between the two protocols, and they are described separately below.
The way this process is carried out with the http protocol is shown in FIG. 2 and is described below with reference to FIG. 2.
If the network access request issued by the network access requester uses the http protocol, then when receiving the first request message the intermediary 102 first receives a connection request 1; the intermediary 102 performs a handshake 2 with the network access requester to establish a TCP connection. When the http request 3 carrying the first request message (one specific request in the execution of the http protocol) is received, the intermediary 102 obtains the IP address of the internal network server that the network access request points to, for example from the stored Host field or by issuing a DNS request, and requests to establish a connection 4 with the internal network server 103 to be accessed. The internal network server 103 performs a handshake 5 with the intermediary 102; once the intermediary 102 receives the handshake-success message, it forwards the second request message 6, obtained by adding authentication information to the first request message received in the http request 3 step, to the internal network server 103. The internal network server 103 verifies it and responds to the http request 7; the intermediary 102 forwards 8 the received response message to the network access requester 101, completing one full access-response cycle. Of course, one connection may carry several http request and response cycles, and the handshake steps above need only be performed once.
The way this process is carried out with the https protocol is shown in FIG. 3 and is described below with reference to FIG. 3.
If the network access request issued by the network access requester uses the https protocol, then during the connection process before receiving the first request message the intermediary 102 performs an SSL handshake 1' with the network access requester; the intermediary then performs an SSL handshake 2' with the internal network server according to the server_name field supplied in that SSL handshake. The server_name field means the server name; it is needed because the same IP address may correspond to different servers, each of which needs its own CA certificate, so the server_name field is used to determine which CA certificate to use.
When the intermediary 102 receives the handshake-success signal 3', it sends a handshake-success signal 4' to the network access requester 101. The network access requester 101 can then issue an https request to the intermediary 102, namely the first request message 5'. After the intermediary 102 adds the authentication information to it to form the second request message, it forwards the second request message 6' to the internal network server 103; the internal network server 103 verifies it and returns a response message 7', and the intermediary 102 forwards 8' the response message to the network access requester 101. Subsequent https request messages and response messages on this connection continue to be forwarded by the intermediary 102.
In general, for both http and https requests, the intermediary 102 acts as a relay server: it handshakes and connects separately with the network access requester 101 and with the internal network server 103, adds the authentication information to the first request message at the start of forwarding, and once authentication succeeds simply continues forwarding messages from each side to the other.
The internal network server 103 is configured to receive the second request message, extract the authentication information from it, and determine whether the network access request is authorised; if so, it returns a response message.
In this application, the internal network server 103 refers to a server that can receive network access requests over a network and serves as the entry point to a specific internal network. In this embodiment the internal network server 103 is the target network address of the network access requester 101 and of the intermediary 102; its purpose is to receive network access request information and provide response information according to it.
After the intermediary 102 has added the authentication information to the first request message of the network access requester 101 to form the second request message and forwarded it, and after the internal network server 103 and the intermediary 102 have completed their handshake and established a connection, the internal network server 103 receives the second request message containing the authentication information and analyses it to determine its legitimacy, that is, whether it is an access request with access rights.
In this embodiment, the legitimacy of the second request message can be determined by analysing its header information. As described above for the intermediary 102, the header information of the second request message is the processed header information to which the authentication information has been added. The encrypted authentication information is extracted from that header information and decrypted with the decryption method corresponding to the asymmetric encryption algorithm, yielding the authentication information, which is at least one of the terminal device's unique identification information and the user identity authentication information. Because the authentication information is set and managed in advance by the internal network server 103, which stores in advance a list of terminal devices and a list of users permitted to access it, determining whether the network access request has access rights is essentially a matter of identifying and matching the authentication information. The matching includes at least one of the following: comparing the terminal device's unique identification information contained in the decrypted authentication information with the list of permitted terminal devices stored by the server itself, to determine whether the terminal device issuing the access request is in that list; comparing the decrypted user identity authentication information with the list of permitted users stored by the server itself, to determine whether the user issuing the access request is in that list. If the match succeeds, the access request has access rights, and the internal network server 103 immediately generates the corresponding response information according to the message content of the second request message (the first request message) and sends it to the intermediary 102.
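Added example (not code from the patent or any product) of the header-adding steps on the intermediary side and the extraction, decryption and list matching on the server side, which also serves the corresponding steps S102 and S201-S203 of the method embodiments below. It assumes a hypothetical X-Intranet-Auth header as the "preset format" and uses an unpadded textbook RSA key built from two Mersenne primes as a toy stand-in for the unspecified asymmetric algorithm; all request bytes, identifiers and allow-lists are constructed.

```python
"""Intermediary (102) adds encrypted authentication information to a hijacked
HTTP request; internal network server (103) extracts, decrypts and matches it.
Toy textbook RSA (no padding) stands in for the unnamed asymmetric algorithm
and is for illustration only; the header name is hypothetical."""
import json

# --- toy key pair of the internal network server (constructed) --------------
P = (1 << 521) - 1                      # Mersenne prime M521
Q = (1 << 607) - 1                      # Mersenne prime M607
N = P * Q                               # public modulus, about 1128 bits
E = 65537                               # public exponent, coprime with phi(N)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)
MAX_PLAINTEXT = (N.bit_length() - 1) // 8   # bytes that stay below N

AUTH_HEADER = "X-Intranet-Auth"         # hypothetical "preset format"


def encrypt(plaintext: bytes, n: int = N, e: int = E) -> int:
    """Textbook RSA with the server's public key. The plaintext must not start
    with a zero byte (JSON never does) and must fit under the modulus."""
    if not plaintext or plaintext[0] == 0 or len(plaintext) > MAX_PLAINTEXT:
        raise ValueError("plaintext unsuitable for the toy cipher")
    return pow(int.from_bytes(plaintext, "big"), e, n)


def decrypt(ciphertext: int, n: int = N, d: int = D) -> bytes:
    """Textbook RSA with the server's private key."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def split_request(request: bytes):
    """Split a raw HTTP request into (request line, header lines, body)."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def headers_as_dict(header_lines) -> dict:
    hdrs = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        hdrs[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return hdrs


# --- intermediary side (the header-adding steps / S102) ----------------------
def add_authentication(first_request: bytes, auth_info: dict) -> bytes:
    """Parse the original header, append the encrypted authentication
    information in the preset format, and rebuild the request."""
    request_line, header_lines, body = split_request(first_request)
    token = encrypt(json.dumps(auth_info, sort_keys=True).encode())
    header_lines = header_lines + [f"{AUTH_HEADER}: {token:x}".encode()]
    return b"\r\n".join([request_line] + header_lines) + b"\r\n\r\n" + body


def target_host(request: bytes) -> str:
    """The Host field the intermediary uses to locate the internal server."""
    _, header_lines, _ = split_request(request)
    return headers_as_dict(header_lines).get("host", "")


# --- internal network server side (S201-S203) -------------------------------
ALLOWED_DEVICES = {"IMEI-CONSTRUCTED-000001"}    # constructed allow-lists
ALLOWED_USERS = {"user-42"}


def authorise(second_request: bytes) -> bool:
    """Extract, decrypt and match the authentication information.
    Policy choice not fixed by the patent: every field present must match,
    and at least one field must be present."""
    _, header_lines, _ = split_request(second_request)
    token = headers_as_dict(header_lines).get(AUTH_HEADER.lower())
    if token is None:
        return False
    try:
        info = json.loads(decrypt(int(token, 16)))
    except (ValueError, UnicodeDecodeError):    # malformed or tampered token
        return False
    if not isinstance(info, dict):
        return False
    checks = []
    if "device_id" in info:
        checks.append(info["device_id"] in ALLOWED_DEVICES)
    if "user_id" in info:
        checks.append(info["user_id"] in ALLOWED_USERS)
    return bool(checks) and all(checks)


# constructed first request message from the network access requester (101)
FIRST_REQUEST = (b"GET /hr/payroll HTTP/1.1\r\n"
                 b"Host: intranet.example\r\n"
                 b"User-Agent: constructed-app/1.0\r\n\r\n")

if __name__ == "__main__":
    second = add_authentication(FIRST_REQUEST,
                                {"device_id": "IMEI-CONSTRUCTED-000001"})
    print(target_host(second), authorise(second))
```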
The process by which the internal network server 103 returns the response information has already been described above in the description of the intermediary 102 and is not repeated here.
The second embodiment of this application provides a method for securely accessing an internal network; please refer to FIG. 4 for this embodiment. FIG. 4 is a flowchart of the method for securely accessing an internal network.
The method provided in this embodiment has the same technical content as the system provided in the first embodiment above; it is mainly described with the intermediary of that embodiment as the executing entity. For the technical details of this embodiment, please refer to the relevant content of the first embodiment, which is not repeated here.
As shown in FIG. 4, the method for securely accessing an internal network includes the following steps:
S101: hijack a network access request issued by an application with network access capability; the network access request is called the first request message.
The purpose of this step is to receive the original access request information. The original access request information is the first request message, which is sent by a network access requester such as an app or a browser, using the http or https protocol, to the destination server of the network access.
Hijacking a network access request issued by an application with network access capability means monitoring and hijacking the network access request originally sent to the destination server so as to receive the network access request first. In this embodiment, the hijacking is done by injecting a hook function into the http access process or the https access process by global DLL injection.
When hijacking the first request message, if the first request message is sent with the http protocol, an http handshake with the sender of the first request message is required before the first request message is received; only after the handshake succeeds can the sender send the first request message. If the first request message is sent with the https protocol, a CA pseudo-certificate must be imported before the first request message is hijacked, and before the first request message is received SSL handshakes must be performed with the sender of the first request message and with the subsequent destination server respectively; only after this series of SSL handshakes succeeds can the sender send the first request message.
S102: add authentication information to the first request message to form a second request message.
The preceding step hijacks the first request message; this step adds authentication information to the first request message to form the second request message, which is used to prove that the network access requester issuing the first request message is authorised to access the destination server. The authentication information may consist of: unique identification information of the terminal device on which the network access requester is located; user identity authentication information. These two kinds may be used separately or together. The authentication information is encrypted with an asymmetric encryption algorithm and then added to the header information of the first request message.
S103: forward the second request message to the destination server of the network access request, namely the internal network server.
The purpose of this step is to forward the second request message formed in the preceding step to the destination server of the network access; in this application the destination server is the internal network server.
Before forwarding the second request message to the internal network server, a connection with the internal network server must first be established. Specifically, if the http protocol is used, an http handshake is performed with the internal network server; if the https protocol is used, the SSL handshakes with the sender of the first request message and with the internal network server have already been completed in step S101, as follows: during the connection process before the first request message is received, an SSL handshake is performed with the network access requester, and then an SSL handshake is performed with the internal network server according to the server_name field supplied in that SSL handshake.
The second request message includes the authentication information and the first request message. The internal network server extracts the authentication information from the second request message, decrypts it with the decryption method corresponding to the asymmetric encryption algorithm, and determines from it whether the network access request has access rights; if so, it returns a response message.
S104: receive the response information returned by the internal network server.
When the preceding step determines that the network access request has access rights and the internal network server returns response information, this step receives the returned response information.
S105: forward the response information to the application that issued the network access request.
This step forwards the received response information to the application that issued the network access request. This requires parsing the response information to learn which network application's network access request the response answers, and then sending the response message to that network application.
The third embodiment of this application provides a method for a server to receive access; please refer to FIG. 5 for this embodiment. FIG. 5 is a flowchart of the method for a server to receive access.
The method provided in this embodiment has the same technical content as the system provided in the first embodiment above; it is mainly described with the internal network server of that embodiment as the executing entity, and it corresponds to the method embodiment of the second embodiment above. For the technical details of this embodiment, please refer to the relevant content of the first and second embodiments, which is not repeated here.
As shown in FIG. 5, the method for a server to receive access includes the following steps:
S201: obtain an access request containing authentication information; this access request is called the second request message.
The purpose of this step is to receive the access request.
The access request containing authentication information refers to the second request message forwarded in step S103 of the second embodiment above.
S202: extract the authentication information.
The purpose of this step is to extract the authentication information from the second request message; the authentication information makes it possible to determine whether the user or terminal issuing the access request has access rights.
S203: determine, according to the authentication information, whether the access request is legitimate.
This step decrypts the authentication information and uses it to verify the legitimacy of the access request.
The authentication information is encrypted with an asymmetric encryption algorithm, so this embodiment decrypts it with the decryption method corresponding to that asymmetric encryption algorithm. The decrypted authentication information includes at least one of: unique identification information of the terminal device; user identity authentication information. Correspondingly, the legitimacy of the access request is verified in at least one of the following ways: comparing the terminal device's unique identification information contained in the decrypted authentication information with the list of permitted terminal devices stored by the server itself, to determine whether the terminal device issuing the access request is in that list; comparing the decrypted user identity authentication information with the list of permitted users stored by the server itself, to determine whether the user issuing the access request is in that list.
S204: if so, return a response message.
This step responds according to the result of the preceding step: if that result shows that the access request is legitimate, the corresponding response information is returned according to the access request.
The fourth embodiment of this application provides a data processing method; please refer to FIG. 6 for this embodiment. FIG. 6 is a flowchart of the method for the server to receive access.
As shown in FIG. 6, the data processing method includes the following steps:
S301: intercept a first network access request, where the first network access request includes a source address and a target address.
S302: add authentication information to the first network access request to obtain a second network access request.
The authentication information includes at least one of: unique identification information of the computing device corresponding to the source address; user identity authentication information.
S303: send the second network access request to the computing device corresponding to the target address.
S304: receive the response information returned by the computing device corresponding to the target address.
S305: send the response information to the computing device corresponding to the source address.
The data processing method provided in this embodiment is in substance the same technical content as the system provided in the first embodiment and the method for securely accessing an internal network provided in the second embodiment, differing only in wording. The executing entity of this embodiment is the intermediary of the first embodiment; the computing device corresponding to the source address in this embodiment represents the network access requester of the first embodiment, and the computing device corresponding to the target address represents the internal network server of the first embodiment; the first network access request represents the first request message of the second embodiment, and the second network access request represents the second request message of the second embodiment. For the related content, please refer to the first and second embodiments of this application, which are not repeated here.
The fifth embodiment of this application provides a data response method; please refer to FIG. 7 for this embodiment. FIG. 7 is a flowchart of the data response method.
As shown in FIG. 7, the data response method includes the following steps:
S401: obtain a network access request containing authentication information.
S402: extract the authentication information from the network access request.
S403: determine, according to the authentication information, whether the network access request is legitimate.
S404: if so, return response information.
The data response method provided in this embodiment is in substance the same technical content as the system provided in the first embodiment and the method for a server to receive access provided in the third embodiment, differing only in wording. The executing entity of this embodiment is the internal network server of the first embodiment. For the related content, please refer to the first and third embodiments of this application, which are not repeated here.
The sixth embodiment of this application provides an apparatus for securely accessing an internal network. Refer to FIG. 8 for an understanding of this embodiment; FIG. 8 is a schematic diagram of the apparatus for securely accessing an internal network provided by this embodiment.
As shown in FIG. 8, the apparatus for securely accessing an internal network includes:
a first request message hijacking unit 201, configured to hijack a network access request issued by an application with network access capability, the network access request being referred to as the first request message;
an authentication information adding unit 202, configured to add authentication information to the first request message to form a second request message;
a second request message forwarding unit 203, configured to forward the second request message to the destination server of the network access request, that is, the internal network server;
a response information receiving unit 204, configured to receive the response information returned by the internal network server;
a response information forwarding unit 205, configured to forward the response information to the application that issued the network access request.
Optionally, in the step of hijacking the network access request issued by an application with network access capability, the network access request is hijacked by a hook function; the hook function is injected in advance into the process that issues the network access request by means of DLL injection.
Optionally, where the first request message uses HTTP, an HTTP handshake is performed with the application that issues the network access request before the first request message is received, and an HTTP handshake is performed with the internal network server before the second request message is sent.
Optionally, where the network access request uses HTTPS, an SSL handshake is performed with the network access requester before the first request message is received; then, according to the server_name field provided by that SSL handshake, an SSL handshake is performed with the internal network server; after the handshake success message returned by the internal network server is received, a handshake success message is sent to the application that issued the network access request.
Optionally, a CA pseudo certificate is imported before the network access request issued by the application with network access capability is hijacked.
Optionally, the authentication information includes at least one of the following: unique identification information of the terminal device; user identity authentication information.
Optionally, the authentication information is encrypted with an asymmetric encryption algorithm.
The seventh embodiment of this application provides an apparatus by which a server receives access. Refer to FIG. 9 for an understanding of this embodiment; FIG. 9 is a schematic diagram of the apparatus by which a server receives access provided by this embodiment.
As shown in FIG. 9, the apparatus by which the server receives access includes:
an access request acquiring unit 301, configured to acquire an access request that includes authentication information, the access request being referred to as the second request message;
an authentication information extracting unit 302, configured to extract the authentication information;
an access request legality determining unit 303, configured to determine, according to the authentication information, whether the access request is legal;
a response message returning unit 304, configured to return a response message when the determination result of the above unit is yes.
Optionally, the authentication information is encrypted with an asymmetric encryption algorithm, and determining, according to the authentication information, whether the access request is legal includes:
decrypting the authentication information, where the authentication information includes at least one of the following: unique identification information of the terminal device; user identity authentication information;
verifying the legality of the access request according to the decrypted authentication information.
Optionally, verifying the legality of the access request according to the decrypted authentication information includes at least one of the following:
comparing the unique identification information of the terminal device contained in the decrypted authentication information with the list of terminal devices allowed to access that the server itself stores, to determine whether the terminal device that issued the access request is in that list;
comparing the decrypted user identity authentication information with the list of users allowed to access that the server itself stores, to determine whether the user who issued the access request is in that list.
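The two halves of the exchange, the intermediary of the sixth embodiment adding asymmetrically encrypted authentication information to the first request message and the server of the seventh embodiment decrypting it and checking the device and user allowlists, as one added example in Go that is not code from the patent. The header name, the JSON layout of the authentication information, RSA-OAEP as the asymmetric algorithm and the requirement that both lists match are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// AuthInfo is the authentication information added to the first request message. The patent
// names only these two fields; the JSON layout and the header name are assumptions of this example.
type AuthInfo struct {
	DeviceID string `json:"device_id"` // unique identification of the terminal device
	UserID   string `json:"user_id"`   // user identity authentication information
}

const authHeader = "X-Internal-Auth" // hypothetical header carrying the encrypted AuthInfo
var ErrIllegal = errors.New("access request is not legal") // the server's verdict on a bad request

// GenerateServerKey creates the internal server's RSA key pair; the intermediary only holds the public half.
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AddAuthInfo plays the intermediary: it clones the intercepted first request message into the
// second request message, which carries the authentication information encrypted under the
// server's public key (RSA-OAEP with SHA-256). The first request message itself is left untouched.
func AddAuthInfo(first *http.Request, info AuthInfo, pub *rsa.PublicKey) (*http.Request, error) {
	plain, err := json.Marshal(info)
	if err != nil {
		return nil, err
	}
	// OAEP under a 2048-bit key holds at most 190 bytes of plaintext, enough for these fields.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil {
		return nil, err
	}
	second := first.Clone(first.Context())
	second.Header.Set(authHeader, base64.StdEncoding.EncodeToString(ct))
	return second, nil
}

// Server is the internal network server: its private key plus the allowlists of devices and users.
type Server struct {
	priv           *rsa.PrivateKey
	allowedDevices map[string]bool
	allowedUsers   map[string]bool
}

// NewServer builds a Server from its key and its two allowlists.
func NewServer(priv *rsa.PrivateKey, devices, users []string) *Server {
	s := &Server{priv: priv, allowedDevices: map[string]bool{}, allowedUsers: map[string]bool{}}
	for _, d := range devices {
		s.allowedDevices[d] = true
	}
	for _, u := range users {
		s.allowedUsers[u] = true
	}
	return s
}

// Authorize extracts and decrypts the authentication information from the second request message
// and compares device and user against the lists. Here both must match; the patent allows either alone.
func (s *Server) Authorize(r *http.Request) (AuthInfo, error) {
	var info AuthInfo
	b64 := r.Header.Get(authHeader)
	if b64 == "" {
		return info, ErrIllegal // no authentication information at all
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return info, ErrIllegal
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, ct, nil)
	if err != nil {
		return info, ErrIllegal // tampered, or encrypted under some other key
	}
	if err := json.Unmarshal(plain, &info); err != nil {
		return info, ErrIllegal
	}
	if !s.allowedDevices[info.DeviceID] || !s.allowedUsers[info.UserID] {
		return info, ErrIllegal
	}
	return info, nil
}

func main() {
	priv, _ := GenerateServerKey()
	srv := NewServer(priv, []string{"dev-001"}, []string{"alice"})
	first, _ := http.NewRequest("GET", "http://intranet.example/app", nil) // constructed request
	second, _ := AddAuthInfo(first, AuthInfo{DeviceID: "dev-001", UserID: "alice"}, &priv.PublicKey)
	_, errSecond := srv.Authorize(second)
	_, errFirst := srv.Authorize(first)
	fmt.Println("second accepted:", errSecond == nil, "bare first accepted:", errFirst == nil) // true false
}
```

A request whose authentication information was encrypted for a different server, or altered in transit, fails at decryption and is rejected before any list is consulted.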
The eighth embodiment of this application provides a data processing apparatus. Refer to FIG. 10 for an understanding of this embodiment; FIG. 10 is a schematic diagram of the data processing apparatus provided by this embodiment.
As shown in FIG. 10, the data processing apparatus includes:
a first network access request intercepting unit 401, configured to intercept a first network access request, where the first network access request includes a source address and a target address;
an authentication information adding unit 402, configured to add authentication information to the first network access request to obtain a second network access request;
a second network access request sending unit 403, configured to send the second network access request to the computing device corresponding to the target address;
a response information receiving unit 404, configured to receive the response information returned by the computing device corresponding to the target address;
a response information sending unit 405, configured to send the response information to the computing device corresponding to the source address.
Preferably, the authentication information includes at least one of the following: unique identification information of the computing device corresponding to the source address; user identity authentication information.
The ninth embodiment of this application provides a data response apparatus. Refer to FIG. 11 for an understanding of this embodiment; FIG. 11 is a schematic diagram of the data response apparatus provided by this embodiment.
As shown in FIG. 11, the data response apparatus includes:
a network access request acquiring unit 501, configured to acquire a network access request that includes authentication information;
an authentication information extracting unit 502, configured to extract the authentication information from the network access request;
a network access request legality determining unit 503, configured to determine, according to the authentication information, whether the network access request is legal;
a response information returning unit 504, configured to return a response message when the determination result of the above unit is yes.
The tenth embodiment of this application provides an electronic device; refer to FIG. 12, which is a schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant points, refer to the corresponding description of the method embodiment. The device embodiment described below is merely illustrative.
The electronic device includes a processor 601 and a memory 602. The memory 602 is configured to store a program for securely accessing an internal network; after the device is powered on and the program for securely accessing an internal network is run by the processor 601, the following steps are performed:
hijacking a network access request issued by an application with network access capability, the network access request being referred to as the first request message; adding authentication information to the first request message to form a second request message; forwarding the second request message to the destination server of the network access request, that is, the internal network server; receiving the response information returned by the internal network server; and forwarding the response information to the application that issued the network access request.
The eleventh embodiment of this application provides an electronic device; refer to FIG. 13, which is a schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant points, refer to the corresponding description of the method embodiment. The device embodiment described below is merely illustrative.
The electronic device includes a processor 701 and a memory 702. The memory 702 is configured to store a program by which a server receives access; after the device is powered on and the program by which a server receives access is run by the processor 701, the following steps are performed:
acquiring an access request that includes authentication information, the access request being referred to as the second request message; extracting the authentication information; determining, according to the authentication information, whether the access request is legal; and if so, returning a response message.
The twelfth embodiment of this application provides an electronic device; refer to FIG. 14, which is a schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant points, refer to the corresponding description of the method embodiment. The device embodiment described below is merely illustrative.
The electronic device includes a processor 801 and a memory 802. The memory 802 is configured to store a data processing program; after the device is powered on and the data processing program is run by the processor 801, the following steps are performed:
intercepting a first network access request, where the first network access request includes a source address and a target address; adding authentication information to the first network access request to obtain a second network access request; sending the second network access request to the computing device corresponding to the target address; receiving the response information returned by the computing device corresponding to the target address; and sending the response information to the computing device corresponding to the source address.
The thirteenth embodiment of this application provides an electronic device; refer to FIG. 15, which is a schematic diagram of this device embodiment. Since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant points, refer to the corresponding description of the method embodiment. The device embodiment described below is merely illustrative.
The electronic device includes a processor 901 and a memory 902. The memory 902 is configured to store a data response program; after the device is powered on and the data response program is run by the processor 901, the following steps are performed:
acquiring a network access request that includes authentication information; extracting the authentication information from the network access request; determining, according to the authentication information, whether the network access request is legal; and if so, returning response information.
Although the present invention is disclosed above by way of preferred embodiments, they are not intended to limit the present invention. Any person skilled in the art may make possible changes and modifications without departing from the spirit and scope of the present invention; therefore, the scope of protection of the present invention shall be as defined by the claims of the present invention.
Although this application is disclosed above by way of preferred embodiments, they are not intended to limit this application. Any person skilled in the art may make possible changes and modifications without departing from the spirit and scope of this application; therefore, the scope of protection of this application shall be as defined by the claims of this application.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of computer-readable media such as non-persistent memory, random access memory (RAM) and/or non-volatile memory, for example read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
1. Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
2. Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) that contain computer-usable program code.
Claims (25)
- A system for securely accessing an internal network, comprising a network access requester, an intermediary, and an internal network server; the network access requester being configured to send a first request message for making a network access request and to receive a response message; the intermediary being configured to listen for and hijack the first request message of the network access requester, parse the first request message and add authentication information to it to obtain a second request message, then send the second request message to the target network address of the first request message, and receive the response message to the second request message and forward that response message to the client; and the internal network server being configured to receive the second request message, extract the authentication information from it, determine whether the network access request has access permission, and if so, return the response message.
- The system according to claim 1, wherein the intermediary and the network access requester are arranged in the same mobile device.
- The system according to claim 1, wherein, if the network access request issued by the network access requester uses the HTTP protocol, the intermediary performs an HTTP handshake with the network access requester before receiving the first request message, and performs an HTTP handshake with the internal network server before sending the second request message.
- The system according to claim 1, wherein, if the network access request issued by the network access requester uses HTTPS, the intermediary performs an SSL handshake with the network access requester before receiving the first request message; then the intermediary initiates an SSL handshake with the internal network server according to the server_name field provided by that SSL handshake; and after receiving the handshake success message returned by the internal network server, the intermediary sends a handshake success message to the network access requester.
- The system according to claim 4, wherein a CA pseudo certificate is imported into the network access requester and the intermediary before the network access request is made.
- The system according to claim 1, wherein the authentication information includes at least one of the following: unique identification information of the terminal device on which the network access requester is located; user identity authentication information.
- The system according to claim 1, wherein the authentication information is encrypted with an asymmetric algorithm.
- The system according to claim 1, wherein a global traffic hijacking process is injected, by means of DLL injection, into the network access request initiated by the network access requester, so as to hijack the first request message.
- A method for securely accessing an internal network, comprising: hijacking a network access request issued by an application with network access capability, the network access request being referred to as the first request message; adding authentication information to the first request message to form a second request message; forwarding the second request message to the destination server of the network access request, that is, the internal network server; receiving the response information returned by the internal network server; and forwarding the response information to the application that issued the network access request.
- The method for securely accessing an internal network according to claim 9, wherein, in the step of hijacking the network access request issued by an application with network access capability, the network access request is hijacked by a hook function, the hook function being injected in advance into the process that issues the network access request by means of DLL injection.
- The method for securely accessing an internal network according to claim 9, wherein, where the first request message uses HTTP, an HTTP handshake is performed with the application that issues the network access request before the first request message is received, and an HTTP handshake is performed with the internal network server before the second request message is sent.
- The method for securely accessing an internal network according to claim 9, wherein, where the network access request uses HTTPS, an SSL handshake is performed with the network access requester before the first request message is received; then an SSL handshake is performed with the internal network server according to the server_name field provided by that SSL handshake; and after the handshake success message returned by the internal network server is received, a handshake success message is sent to the application that issued the network access request.
- The method for securely accessing an internal network according to claim 12, wherein a CA pseudo certificate is imported before the network access request issued by the application with network access capability is hijacked.
- The method for securely accessing an internal network according to claim 9, wherein the authentication information includes at least one of the following: unique identification information of the terminal device; user identity authentication information.
- The method for securely accessing an internal network according to claim 9, wherein the authentication information is encrypted with an asymmetric encryption algorithm.
- A method by which a server receives access, comprising: acquiring an access request that includes authentication information, the access request being referred to as the second request message; extracting the authentication information; determining, according to the authentication information, whether the access request is legal; and if so, returning a response message.
- The method according to claim 16, wherein the authentication information is encrypted with an asymmetric encryption algorithm, and determining, according to the authentication information, whether the access request is legal comprises: decrypting the authentication information, the authentication information including at least one of the following: unique identification information of the terminal device; user identity authentication information; and verifying the legality of the access request according to the decrypted authentication information.
- The method according to claim 17, wherein verifying the legality of the access request according to the decrypted authentication information comprises at least one of the following: comparing the unique identification information of the terminal device contained in the decrypted authentication information with the list of terminal devices allowed to access that the server itself stores, to determine whether the terminal device that issued the access request is in that list; and comparing the decrypted user identity authentication information with the list of users allowed to access that the server itself stores, to determine whether the user who issued the access request is in that list.
- A data processing method, comprising: intercepting a first network access request, where the first network access request includes a source address and a target address; adding authentication information to the first network access request to obtain a second network access request; sending the second network access request to the computing device corresponding to the target address; receiving the response information returned by the computing device corresponding to the target address; and sending the response information to the computing device corresponding to the source address.
- The method according to claim 19, wherein the authentication information includes at least one of the following: unique identification information of the computing device corresponding to the source address; user identity authentication information.
- A data response method, comprising: acquiring a network access request that includes authentication information; extracting the authentication information from the network access request; determining, according to the authentication information, whether the network access request is legal; and if so, returning response information.
- An electronic device, comprising: a processor; and a memory configured to store a program for securely accessing an internal network, where, after the device is powered on and the program for securely accessing an internal network is run by the processor, the following steps are performed: hijacking a network access request issued by an application with network access capability, the network access request being referred to as the first request message; adding authentication information to the first request message to form a second request message; forwarding the second request message to the destination server of the network access request, that is, the internal network server; receiving the response information returned by the internal network server; and forwarding the response information to the application that issued the network access request.
- An electronic device, comprising: a processor; and a memory configured to store a program by which a server receives access, where, after the device is powered on and the program by which a server receives access is run by the processor, the following steps are performed: acquiring an access request that includes authentication information, the access request being referred to as the second request message; extracting the authentication information; determining, according to the authentication information, whether the access request is legal; and if so, returning a response message.
- An electronic device, comprising: a processor; and a memory configured to store a data processing program, where, after the device is powered on and the data processing program is run by the processor, the following steps are performed: intercepting a first network access request, where the first network access request includes a source address and a target address; adding authentication information to the first network access request to obtain a second network access request; sending the second network access request to the computing device corresponding to the target address; receiving the response information returned by the computing device corresponding to the target address; and sending the response information to the computing device corresponding to the source address.
- An electronic device, comprising: a processor; and a memory configured to store a data response program, where, after the device is powered on and the data response program is run by the processor, the following steps are performed: acquiring a network access request that includes authentication information; extracting the authentication information from the network access request; determining, according to the authentication information, whether the network access request is legal; and if so, returning response information.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710905297.X | 2017-09-29 | | |
CN201710905297.XA CN109587097A (en) | 2017-09-29 | 2017-09-29 | A kind of system, method and apparatus for realizing secure access internal network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019062666A1 true WO2019062666A1 (en) | 2019-04-04 |
Family ID: 65900652
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/106976 WO2019062666A1 (en) | 2017-09-29 | 2018-09-21 | System, method, and apparatus for securely accessing internal network |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN109587097A (en) |
TW (1) | TW201916628A (en) |
WO (1) | WO2019062666A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112104605A (en) * | 2020-08-10 | 2020-12-18 | 深信服科技股份有限公司 | Network management method, device and storage medium |
CN114157475A (en) * | 2021-11-30 | 2022-03-08 | 迈普通信技术股份有限公司 | Equipment access method, device, authentication equipment and access equipment |
CN114363031A (en) * | 2021-12-29 | 2022-04-15 | 中国电信股份有限公司 | Network access method and device |
CN115766059A (en) * | 2022-09-22 | 2023-03-07 | 网易(杭州)网络有限公司 | Cluster deployment method, access method, device and electronic equipment |
CN116796306A (en) * | 2023-08-15 | 2023-09-22 | 浩鲸云计算科技股份有限公司 | Method for controlling authority of notebook table under same tenant |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112260981A (en) * | 2019-07-22 | 2021-01-22 | 北京明华联盟科技有限公司 | Identity authentication method, device, system and storage medium |
CN112532561B (en) * | 2019-08-28 | 2023-04-07 | 斑马智行网络(香港)有限公司 | Method, device, system and storage medium for realizing access between devices |
CN112541136B (en) * | 2019-09-23 | 2024-02-13 | 北京国双科技有限公司 | Network address information acquisition method and device, storage medium and electronic equipment |
CN110807202B (en) * | 2019-10-31 | 2022-03-18 | 北京字节跳动网络技术有限公司 | Processing method and device of verification information, electronic equipment and computer readable medium |
CN110995422B (en) * | 2019-11-29 | 2023-02-03 | 深信服科技股份有限公司 | Data analysis method, system, equipment and computer readable storage medium |
CN111355720B (en) * | 2020-02-25 | 2022-08-05 | 深信服科技股份有限公司 | Method, system and equipment for accessing intranet by application and computer storage medium |
CN111814084A (en) * | 2020-06-18 | 2020-10-23 | 北京天空卫士网络安全技术有限公司 | Data access management method, device and system |
CN111737723B (en) * | 2020-08-25 | 2020-12-29 | 杭州海康威视数字技术股份有限公司 | Service processing method, device and equipment |
CN115065530B (en) * | 2022-06-13 | 2024-01-23 | 北京华信傲天网络技术有限公司 | Trusted data interaction method and system |
CN116633687A (en) * | 2023-07-20 | 2023-08-22 | 深圳市永达电子信息股份有限公司 | Terminal safety access method, system and controller |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012092269A1 (en) * | 2010-12-29 | 2012-07-05 | Citrix Systems, Inc. | Systems and methods for policy based integration to horizontally deployed wan optimization appliances |
CN102811225A (en) * | 2012-08-22 | 2012-12-05 | 神州数码网络(北京)有限公司 | Method and switch for security socket layer (SSL) intermediate agent to access web resource |
CN105915550A (en) * | 2015-11-25 | 2016-08-31 | 北京邮电大学 | SDN-based Portal/Radius authentication method |
CN106790194A (en) * | 2016-12-30 | 2017-05-31 | 中国银联股份有限公司 | A kind of access control method and device based on ssl protocol |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102171984B (en) * | 2008-10-06 | 2014-06-11 | 诺基亚西门子通信公司 | Service provider access |
CN102368768B (en) * | 2011-10-12 | 2014-04-02 | 北京星网锐捷网络技术有限公司 | Identification method, equipment and system as well as identification server |
CN104239577A (en) * | 2014-10-09 | 2014-12-24 | 北京奇虎科技有限公司 | Method and device for detecting authenticity of webpage data |
US10171457B2 (en) * | 2015-12-29 | 2019-01-01 | International Business Machines Corporation | Service provider initiated additional authentication in a federated system |
- 2017-09-29 CN CN201710905297.XA patent/CN109587097A/en active Pending
- 2018-06-13 TW TW107120280A patent/TW201916628A/en unknown
- 2018-09-21 WO PCT/CN2018/106976 patent/WO2019062666A1/en active Application Filing
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112104605A (en) * | 2020-08-10 | 2020-12-18 | 深信服科技股份有限公司 | Network management method, device and storage medium |
CN114157475A (en) * | 2021-11-30 | 2022-03-08 | 迈普通信技术股份有限公司 | Equipment access method, device, authentication equipment and access equipment |
CN114157475B (en) * | 2021-11-30 | 2023-09-19 | 迈普通信技术股份有限公司 | Equipment access method and device, authentication equipment and access equipment |
CN114363031A (en) * | 2021-12-29 | 2022-04-15 | 中国电信股份有限公司 | Network access method and device |
CN115766059A (en) * | 2022-09-22 | 2023-03-07 | 网易(杭州)网络有限公司 | Cluster deployment method, access method, device and electronic equipment |
CN115766059B (en) * | 2022-09-22 | 2024-05-17 | 网易(杭州)网络有限公司 | Cluster deployment method, access method, device and electronic equipment |
CN116796306A (en) * | 2023-08-15 | 2023-09-22 | 浩鲸云计算科技股份有限公司 | Method for controlling authority of notebook table under same tenant |
CN116796306B (en) * | 2023-08-15 | 2023-11-14 | 浩鲸云计算科技股份有限公司 | Method for controlling authority of notebook table under same tenant |
Also Published As
Publication number | Publication date |
---|---|
TW201916628A (en) | 2019-04-16 |
CN109587097A (en) | 2019-04-05 |
Similar Documents
Publication | Title |
---|---|
WO2019062666A1 (en) | System, method, and apparatus for securely accessing internal network |
TWI756439B (en) | Network access authentication method, device and system |
US10554420B2 (en) | Wireless connections to a wireless access point |
CN107666383B (en) | Message processing method and device based on HTTPS (hypertext transfer protocol secure protocol) |
US11196561B2 (en) | Authorized data sharing using smart contracts |
US10650119B2 (en) | Multimedia data processing method, apparatus, system, and storage medium |
US11829502B2 (en) | Data sharing via distributed ledgers |
WO2016015436A1 (en) | Platform authorization method, platform server, application client, system, and storage medium |
US11303431B2 (en) | Method and system for performing SSL handshake |
US10257171B2 (en) | Server public key pinning by URL |
WO2018205997A1 (en) | Method and device for connecting wireless access point |
US10262146B2 (en) | Application-to-application messaging over an insecure application programming interface |
CN110933078B (en) | H5 unregistered user session tracking method |
US20180375648A1 (en) | Systems and methods for data encryption for cloud services |
US11451517B2 (en) | Secure and auditable proxy technology using trusted execution environments |
CN105208041A (en) | HOOK-based cloud storage application encryption data packet cracking method |
EP4351086A1 (en) | Access control method, access control system and related device |
US20220353081A1 (en) | User authentication techniques across applications on a user device |
WO2018099407A1 (en) | Account authentication login method and device |
CN115499177A (en) | Cloud desktop access method, zero-trust gateway, cloud desktop client and server |
US10356112B2 (en) | Method of mitigating cookie-injection and cookie-replaying attacks |
WO2017024588A1 (en) | Service processing method and apparatus |
US11610011B2 (en) | Secure transfer of data between programs executing on the same end-user device |
GB2590520A (en) | Data sharing via distributed ledgers |
TW202326492A (en) | Device, method and system of handling access control |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18862673; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 18862673; Country of ref document: EP; Kind code of ref document: A1 |