WO2019062666A1 - Method and apparatus for securely accessing an internal network - Google Patents

Info

Publication number
WO2019062666A1
Authority
WO
WIPO (PCT)
Prior art keywords
network access
access request
authentication information
request
network
Prior art date
Application number
PCT/CN2018/106976
Other languages
English (en)
Chinese (zh)
Inventor
李齐
Original Assignee
阿里巴巴集团控股有限公司 (Alibaba Group Holding Limited)
Priority date
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司
Publication of WO2019062666A1

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/0281 Proxies (under H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L 63/0823 Authentication of entities using certificates (under H04L 63/08 Authentication of entities)
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L 63/08)
    • H04L 63/102 Entity profiles (under H04L 63/10 Controlling access to devices or network resources)
    • H04L 63/0442 Confidential data exchange in which the payload is protected by asymmetric encryption, i.e. different keys for encryption and decryption (under H04L 63/0428 Payload protected by encrypting or encapsulating, within H04L 63/04 Confidential data exchange among entities communicating through data packet networks)
    • H04L 63/168 Security features implemented above the transport layer (under H04L 63/16 Implementing security features at a particular protocol layer)
    • All of the above sit under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication; the H04L 63/… codes under H04L 63/00 Network architectures or network communication protocols for network security, H04L 9/40 under H04L 9/00.

Definitions

  • The present application relates to the field of network access, and in particular to a system for implementing secure access to an internal network.
  • The present application also relates to a method and apparatus for securely accessing an internal network, a method and apparatus for a server to receive access, a method and apparatus for processing data, and a method and apparatus for responding to data.
  • VPN solution: to let employees working off-site reach intranet resources, existing practice generally uses a VPN. A VPN server is set up inside the internal network; staff working away from the office connect to the Internet, connect to the VPN server across the Internet, and enter the intranet through that server.
  • To keep the data secure, the communication between the VPN server and the client is encrypted.
  • With the data encrypted, it can be regarded as travelling over a dedicated data link, as if a private network had been built.
  • Because a VPN runs over public links on the Internet it is called a virtual private network; in essence, encryption is used to encapsulate a data communication tunnel over the public network.
  • With VPN technology users can reach intranet resources whether they are on a business trip or at home, which is why VPNs are widely used in enterprises.
  • The present invention provides a system for securely accessing a network, to solve the problem that the server cannot reliably determine which client originated an http/https request.
  • The present invention further provides a method and apparatus for securely accessing an internal network, and a method and apparatus for a server to receive access.
  • The invention also provides a data processing method and device, and a data response method and device.
  • The present invention provides a system for implementing secure access to an internal network, including a network access requesting end, a mediation end (mediator), and an internal network server;
  • the network access requesting end is configured to send a first request message that carries a network access request, and to receive a response message;
  • the mediation end is configured to listen for and hijack the first request message of the network access requesting end; parse the first request message and add authentication information to it to obtain a second request message; send the second request message to the target network address of the first request message; receive the response message to the second request message; and forward that response message to the requesting end;
  • the internal network server is configured to receive the second request message, extract the authentication information from it, and determine whether the network access request has access rights; if so, it returns a response message.
  • The mediator is disposed in the same mobile device as the network access requesting end.
  • The network access request sent by the network access requesting end uses the http protocol.
  • The intermediate end performs an http handshake with the network access requesting end before receiving the first request message, and performs an http handshake with the internal network server before issuing the second request message. (HTTP itself has no handshake; the patent uses the term for setting up the connection, in practice the TCP connection, over which request and response are then exchanged.)
  • Alternatively, the network access request is sent over https: the intermediate end performs an SSL handshake with the network access requesting end before receiving the first request message, then performs an SSL handshake with the internal network server selected according to the server_name field (SNI) provided in that first handshake; after receiving the handshake success message returned by the internal network server, the intermediary sends a handshake success message to the network access requester.
  • The CA pseudo certificate is imported to the network access requesting end and to the mediation end.
  • The authentication information includes at least one of the following: unique identification information of the terminal device on which the network access requesting end is located; user identity authentication information.
  • The authentication information is encrypted with an asymmetric algorithm.
  • A global traffic hijacking process is injected into the network access request process started by the network access requesting end, in order to hijack the first request message.
  • The present invention also provides a method for securely accessing an internal network, comprising:
  • hijacking a network access request issued by an application having a network access function, the network access request being referred to as a first request message;
  • the response information is forwarded to the application that issued the network access request.
  • The network access request is hijacked by a hook function, the hook function having been injected in advance into the process that issues the network access request by DLL injection.
  • When the first request message uses http, the method includes performing an http handshake with the application that sends the network access request before receiving the first request message, and performing an http handshake with the internal network server before sending the second request message.
  • When the network access request uses https, the method includes performing an SSL handshake with the network access requesting end before receiving the first request message, then performing an SSL handshake with the internal network server according to the server_name field provided in that first SSL handshake; after receiving the handshake success message returned by the internal network server, a handshake success message is sent to the application that issued the network access request.
  • The CA pseudo certificate is imported before the network access request sent by the application with a network access function is hijacked.
  • The authentication information includes at least one of the following: unique identification information of the terminal device; user identity authentication information.
  • The authentication information is encrypted using an asymmetric encryption algorithm.
  • The present invention also provides a method for a server to receive access, including:
  • the authentication information is encrypted using an asymmetric encryption algorithm, and determining, according to the authentication information, whether the access request is legitimate includes:
  • the authentication information includes at least one of the following: unique identification information of the terminal device; user identity authentication information;
  • verifying the legitimacy of the access request according to the decrypted authentication information includes at least one of the following manners:
  • The invention also provides a data processing method, comprising:
  • the authentication information includes at least one of the following: unique identification information of the computing device corresponding to the source address; user identity authentication information.
  • The invention also provides a data response method, comprising:
  • The present invention also provides an apparatus for securely accessing an internal network, comprising:
  • a first request message hijacking unit, configured to hijack a network access request issued by an application having a network access function, the network access request being referred to as a first request message;
  • an authentication information adding unit, configured to add authentication information to the first request message to form a second request message;
  • a second request message forwarding unit, configured to forward the second request message to the destination server of the network access request, that is, the internal network server;
  • a response information receiving unit, configured to receive the response information returned by the internal network server;
  • a response information forwarding unit, configured to forward the response information to the application that issued the network access request.
  • The present invention also provides an apparatus for a server to receive access, including:
  • an access request obtaining unit, configured to acquire an access request that includes authentication information, the access request being referred to as a second request message;
  • an authentication information extracting unit, configured to extract the authentication information;
  • an access request legality determining unit, configured to determine, according to the authentication information, whether the access request is legitimate;
  • a response message returning unit, configured to return a response message when the result of the preceding unit is YES.
  • The invention also provides an apparatus for data processing, comprising:
  • a first network access request intercepting unit, configured to intercept a first network access request, where the first network access request includes a source address and a target address;
  • an authentication information adding unit, configured to add authentication information to the first network access request to obtain a second network access request;
  • a second network access request sending unit, configured to send the second network access request to the computing device corresponding to the target address;
  • a response information receiving unit, configured to receive the response information returned by the computing device corresponding to the target address;
  • a response information sending unit, configured to send the response information to the computing device corresponding to the source address.
  • The invention also provides a data response device, comprising:
  • a network access request obtaining unit, configured to acquire a network access request that includes the authentication information;
  • an authentication information extracting unit, configured to extract the authentication information from the network access request;
  • a network access request legality determining unit, configured to determine, according to the authentication information, whether the network access request is legitimate;
  • a response information returning unit, configured to return a response message when the judgment result of the preceding unit is YES.
  • The invention also provides an electronic device comprising:
  • a memory for storing a program for securely accessing an internal network;
  • after the device is powered on and runs the program for secure access to the internal network through the processor, it performs the following steps:
  • hijacking a network access request issued by an application having a network access function, the network access request being referred to as a first request message;
  • the response information is forwarded to the application that issued the network access request.
  • The invention also provides an electronic device comprising:
  • a memory for storing a program for receiving access at the server; after the device is powered on and runs that program through the processor, it performs the following steps:
  • The invention also provides an electronic device comprising:
  • a memory for storing a program for data processing; after the device is powered on and runs the data processing program through the processor, it performs the following steps:
  • The invention also provides an electronic device comprising:
  • a memory for storing a program for data response; after the device is powered on and runs the data response program through the processor, it performs the following steps:
  • In the system for securely accessing the internal network and the corresponding methods and devices provided by the application, the client initiates an access request and the request message is hijacked to the intermediary; the intermediary parses the plaintext information, adds the encrypted information, and then sends the request message to the server.
  • Advantages include:
  • by extracting the encrypted information, the server accurately obtains the source of the client that initiated the http/https request, so that the server can accurately know whether the client has the right to access the intranet and reject unauthorized access requests.
  • The technical solution provided by the present application has the further advantage that, since no VPN service is needed, the manual connect and disconnect operations are eliminated and no password needs to be entered for verification, giving a better user experience.
  • The technical solution provided by the present application has the further advantage that the intranet server can be reached directly, so access speed is improved.
  • FIG. 1 is a schematic diagram of a system for implementing secure access to an internal network according to a first embodiment of the present application
  • FIG. 2 is a schematic diagram of a request for accessing a network using the http protocol provided by the first embodiment of the present application
  • FIG. 3 is a schematic diagram of a request for accessing a network using the https protocol provided by the first embodiment of the present application;
  • FIG. 4 is a flowchart of a method for securely accessing an internal network according to a second embodiment of the present application
  • FIG. 5 is a flowchart of a method for receiving an access by a server according to a third embodiment of the present application.
  • FIG. 6 is a flowchart of a data processing method according to a fourth embodiment of the present application.
  • FIG. 7 is a flowchart of a data response method according to a fifth embodiment of the present application.
  • FIG. 8 is a schematic diagram of an apparatus for securely accessing an internal network according to a sixth embodiment of the present application.
  • FIG. 9 is a schematic diagram of an apparatus for receiving access by a server according to a seventh embodiment of the present application.
  • FIG. 10 is a schematic diagram of an apparatus for data processing according to an eighth embodiment of the present application.
  • FIG. 11 is a schematic diagram of an apparatus for data response provided by a ninth embodiment of the present application.
  • FIG. 12 is a schematic diagram of an electronic device according to a tenth embodiment of the present application.
  • FIG. 13 is a schematic diagram of an electronic device according to an eleventh embodiment of the present application.
  • FIG. 14 is a schematic diagram of an electronic device according to a twelfth embodiment of the present application.
  • FIG. 15 is a schematic diagram of an electronic device according to a thirteenth embodiment of the present application.
  • the present application provides a system for secure access to an internal network, a method for secure access to an internal network, and a method for a server to receive access.
  • the following provides an embodiment for a detailed description of the system and method.
  • the system and method are mainly designed to access the intranet resources of the company, but the system and method can be used in all network systems having the same requirements, and are not specifically limited herein.
  • The network access requesting end in the present application specifically refers to application software capable of issuing a network access request, such as a browser or an app; the application software is installed on the software platform of a hardware device such as a computer or a mobile phone.
  • The intermediary (mediator) in the present application specifically refers to an application software module that, once started, listens for the access requests issued by the network access requester (referred to as first request messages in the present application), hijacks those directed at a predetermined network address, adds authentication information to them, and then issues the resulting access request (referred to as the second request message in the present application) to that predetermined network address.
  • The application software module is generally disposed on the same terminal device as the network access requesting end, but it is not excluded that the main body is set on another terminal device, in which case only the program that monitors and hijacks the first request message has to be placed on the requesting end's device.
  • An internal network server refers to a server that is capable of receiving network access requests over a network and acts as an entry point into a particular internal network.
  • FIG. 1 is a schematic diagram of a system for securely accessing an internal network according to a first embodiment of the present application.
  • the system for secure access to the internal network is described in detail below with reference to FIG.
  • the embodiments described in the following description are intended to explain the principles of the system and are not intended to be limiting.
  • a system for securely accessing an internal network comprising: a network access requester 101, a mediator 102, and an internal network server 103.
  • the network access requesting end 101 is configured to issue a first request message for implementing a network access request, and receive a response message.
  • The network access requesting end 101 is a software program disposed on a specific terminal device, and may take the form of an app or a browser; the network access requesting end 101 can issue a network access request, which mainly uses the http protocol or the https protocol.
  • The network access request sent by the network access requesting end 101 is referred to as the first request message.
  • The http protocol and the https protocol are currently the two main application layer protocols for network access; the latter is built on the former and adds SSL (today TLS) to keep the access confidential.
  • For https, a CA pseudo-certificate must be imported at the network access requesting end 101 and at the intermediary 102: the requesting end 101 trusts it as a certificate authority, while the mediator 102 uses it to act as the server toward the requesting end, presenting certificates issued under that pseudo CA. Any party holding the pseudo CA's private key can present a valid-looking certificate for any name to that requesting end, so the key has to be protected as carefully as the access it grants.
  • A DLL injection method is also needed to inject a global traffic hijacking process into the network access request process started by the network access requesting end 101, in order to monitor and hijack the first request message.
  • The process that implements the hijacking can be considered part of the mediator 102; it is merely deployed inside the network access request process of the network access requesting end 101.
  • The specific implementation can use a hook function.
  • A so-called hook function replaces the behaviour of a system application programming interface (API): the hook is attached at the entry point of the API function to be modified, so that the entry point's address now points to the new custom function.
  • The global DLL injection method is used to inject the hook function into the http access process or the https access process. DLL injection means placing a DLL file into the address space of a process so that it becomes part of that process; many applications are not a single complete executable but are split into relatively independent dynamic link libraries (DLL files) placed in the system.
  • The hook function is thus placed into each http access process or https access process started by the network access requesting end 101 by global DLL injection.
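The https preparation described above, in which a CA pseudo-certificate is imported into the requesting end and the mediator completes the client-side handshake under it, choosing which server to stand in for from the server_name the client sends, as an added worked example in Go. This is example code written for this page, not code from the patent or from the applicant. It assumes that the mediator limits itself to names under a predetermined intranet suffix (.intranet.example, a constructed name), which follows the patent's "predetermined network address" but is not spelled out for https, and it stops at the client-side handshake: the mediator's own handshake with the real internal network server, using the server_name it saw, is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PseudoCA is the mediator's own CA: its certificate is imported into the requester's trust store, its key stays with the mediator.
type PseudoCA struct {
	cert  *x509.Certificate
	key   *rsa.PrivateKey
	scope string // added assumption: only names ending in this suffix (the predetermined intranet addresses) are impersonated
}

func NewPseudoCA(scope string) (*PseudoCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Mediator pseudo CA (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &PseudoCA{cert, key, scope}, err
}

// LeafFor is the tls.Config.GetCertificate callback: it mints a server certificate for the name the client
// sent in its server_name (SNI) extension, so the mediator can finish the client-side handshake as that server.
func (ca *PseudoCA) LeafFor(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if hello.ServerName == "" || !strings.HasSuffix(hello.ServerName, ca.scope) {
		return nil, fmt.Errorf("refusing to stand in for %q", hello.ServerName)
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{hello.ServerName},
		Subject: pkix.Name{CommonName: hello.ServerName}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS handshake between a client trusting roots and the mediator listening with on-the-fly
// certificates; it returns the server_name the mediator saw (the name it would use toward the real intranet server).
func handshake(ca *PseudoCA, roots *x509.CertPool, serverName string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: ca.LeafFor})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	seen := make(chan string, 1)
	go func() {
		name := ""
		if c, err := ln.Accept(); err == nil {
			if c.(*tls.Conn).Handshake() == nil {
				name = c.(*tls.Conn).ConnectionState().ServerName
			}
			c.Close()
		}
		seen <- name
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return "", err
	}
	conn.Close()
	return <-seen, nil
}

// run covers three constructed cases: pseudo CA imported and an intranet name; pseudo CA not imported; a name outside the scope.
func run() (seenName string, trustedErr, untrustedErr, outOfScopeErr error) {
	ca, err := NewPseudoCA(".intranet.example")
	if err != nil {
		return "", err, err, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.cert) // the "import the CA pseudo certificate" step on the terminal
	seenName, trustedErr = handshake(ca, trusted, "wiki.intranet.example")
	_, untrustedErr = handshake(ca, x509.NewCertPool(), "wiki.intranet.example")
	_, outOfScopeErr = handshake(ca, trusted, "bank.example")
	return seenName, trustedErr, untrustedErr, outOfScopeErr
}

func main() { fmt.Println(run()) }
```

The second case is what the patent's import step buys: without the pseudo CA in its trust store the requesting application rejects the mediator's certificate outright. The third case is the one to keep in mind when deploying such a mediator: once the pseudo CA is trusted, whoever holds its private key can mint a certificate for any name the scope check allows, so the scope and the protection of that key are what bound the damage from a compromised mediator.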
  • The mediation end 102 is configured to listen for and hijack the first request message of the network access requesting end, parse the first request message and add authentication information to it to obtain a second request message; transmit the second request message to the target network address of the first request message; receive the response message to the second request message; and forward the response message to the network access requesting end 101.
  • The mediator 102, as the unit that performs the intermediate forwarding of a network access request in the technical solution of the present application, is generally a software program and is generally disposed on the terminal device on which the app or browser of the network access requesting end 101 is located; of course, it is not excluded that in some cases it is arranged on a dedicated device or on a remote server, in which case a program for monitoring and hijacking still has to be arranged on the network access requesting end 101.
  • The mediation terminal 102 implements the following functions:
  • the mediator 102 acts as the server toward the network access requesting end: any network access request (referred to as the first request message in this embodiment) sent by the network access requesting end 101 is obtained by hijacking;
  • the mediator 102, acting as the server, responds to the first request message; inevitably, to implement this, the network access requesting end 101 and the mediation end 102 first need to complete a handshake;
  • the intermediary 102 obtains the second request message after adding the authentication information to the first request message and sends it, now acting as the requesting party, to the internal network server 103 as the target server; after receiving the response message of the internal network server 103, it forwards the response message to the network access requesting end 101; inevitably, to implement this, the intermediate end 102 and the internal network server 103 also first need to complete a handshake.
  • The premise for the mediation terminal 102 implementing the above functions is monitoring and hijacking of the network access requests sent by the network access requesting end 101.
  • The specific way of intercepting and hijacking the first request message of the network access requesting end may vary; one of the most likely ways is to inject a hook function into the network access request process by global DLL injection as described above.
  • The network access request sent by the network access requesting end 101, that is, the first request message, is monitored and hijacked by the hook function.
  • The hook function arranged in advance, by global DLL injection, in the http process and the https process of the network access requesting end to realise the above-mentioned listening and hijacking should be regarded as part of the mediation end 102.
  • The process by which the hook function implements the monitoring and hijacking is a technical means commonly used in the technical field and will not be described in detail herein.
  • After hijacking, the network access request (that is, the first request message) cannot directly reach the server of its target URL; instead the first request message is obtained by the intermediary 102, which adds the authentication information to it to obtain the second request message.
  • The authentication information is used to prove that the user or the terminal that issued the access request has the access authority of the internal network server 103 to be accessed.
  • The authentication information may adopt the following information: unique identification information of the terminal device on which the network access requesting end is located; user identity authentication information.
  • The unique identification information of the terminal device and the user identity authentication information may be used separately or together.
  • The authentication information needs to be encrypted with an asymmetric encryption algorithm. Encrypting it with the internal network server's public key keeps it confidential in transit; it does not by itself bind the information to a particular request or stop a captured second request message from being replayed, so the server-side check has to address freshness separately.
  • The unique identification information of the terminal device on which the access requesting end 101 is located refers to identification information of the terminal device (a laptop computer, mobile phone, tablet computer, etc.) on which the access requesting end 101 is arranged, such as the hardware serial number of the device, the IMEI, or another unique identifier corresponding to the terminal device. Since mobile terminal devices are currently mainstream and are directly associated with a personal identity, access rights to the intranet can be associated directly with a device; for example, a particular mobile phone or iPad can be granted access to the internal network. Therefore the unique identification information of the terminal device, whether the hardware serial number or the IMEI, can be used to determine whether the access request has access rights. A serial number or IMEI is readable by any software on the device and can be reported falsely by a compromised or emulated device, so it identifies the device only to the extent that the mediator reading it cannot be tampered with.
  • Once this information is added to the network access request, the internal network server can determine whether the network access request has access authority. Since the mediator 102 is generally located in the same hardware device as the network access requesting end 101, the hardware serial number or the IMEI of that hardware device can be read directly by the mediator 102; how it is read depends on the hardware environment and the system environment of the specific device, and those skilled in the art can readily obtain the related technical means. If the mediator 102 is not disposed on the same hardware device as the network access requesting end 101, the hardware serial number or IMEI of the hardware device on which the network access requesting end 101 is disposed may be read externally, or the identifier corresponding to the network access requesting end 101 is recorded in the mediation terminal 102 in advance, in which case the recorded unique identification information of the terminal device of the requesting end 101 can be used directly as the authentication information.
  • The user identity authentication information is authentication information that corresponds directly to a specific visitor, for example an identity ID issued to a certain visitor for accessing the internal network; this information is managed and issued by the internal network server 103.
  • The intermediary 102 stores the user identity authentication information directly related to the identity of the visitor and adds it to the first request message, so that the internal network server 103 has a basis for determining whether the party that issued the network request has access rights to the internal network it manages.
  • The authentication information may be added to the first request message in a number of possible manners.
  • A method that may mainly be used is to add the authentication information to the header information of the first request message: parse the first request message to obtain its original header information; add the authentication information to the header information in a preset format, obtaining processed header information that carries the authentication information; and use the processed header information as new header information, replacing the original header information in the first request message, to obtain the second request message.
  • the second request message may be used as a network request sent to a target network address of the first request message; naturally, the target network address of the second request message is directed to the internal network server 103.
  • After the mediator 102 sends the second request message to the internal network server 103, if the authentication is passed, it receives the response message returned by the internal network server 103; the mediator 102 needs to parse the response message to determine which network access requester's request it answers, and then sends the response message to the corresponding network access requester.
  • The intermediary 102 first acts in place of the server, establishing http or https communication with the network access requesting end 101, and then acts in place of the client, establishing http or https communication with the internal network server 103.
  • In the above process, http or https communication must be established according to the communication rules of the corresponding protocol, including the handshake at the start of the communication; the specific implementation of the above two steps differs between the network protocols and is explained separately below.
  • For the manner of implementing the foregoing process using the http protocol, reference may be made to FIG. 2, which is described below.
  • When receiving the first request message, the intermediary 102 first receives connection request 1, and the intermediary 102 and the network access requesting end perform handshake 2 to establish a TCP connection; when http request 3 (the specific request in the execution of the http protocol) carrying the first request message is received, the intermediary 102 initiates a DNS lookup according to the host field carried in it.
  • The second request message 6, obtained by adding the authentication information to the first request message received in the http request 3 step, may then be forwarded to the internal network server 103.
  • The manner of implementing the foregoing process using the https protocol is described below in conjunction with FIG. 3.
  • During the connection process before receiving the first request message, the intermediate end 102 performs an SSL handshake with the network access requesting end. Then, the mediator performs an SSL handshake with the internal network server according to the server_name field provided by SSL handshake 2'; the server_name field carries the server name: because the same IP address may point to different servers, each of which needs its own CA certificate, the server_name field is needed to determine which CA certificate to use.
  • After the mediator 102 receives handshake success 3', it sends handshake success 4' to the network access requester 101; thereafter, the network access requester 101 can initiate an https request to the mediation end 102, that is, first request message 5'. After the intermediary 102 adds the authentication information to form the second request message, it sends second request message 6' to the internal network server 103; after the internal network server 103 verifies it and returns response message 7', the intermediary 102 forwards it as response message 8' to the network access requesting end 101, and the subsequent https request messages and response messages on this connection are still forwarded by the intermediary 102.
  • That is, the intermediary 102 is used as a relay server: it handshakes and connects with the network access requester 101 and the internal network server 103 respectively, adds the authentication information to the first request message, and after the authentication succeeds continues to forward each party's messages to the other.
  • the internal network server 103 is configured to receive the second request message, extract authentication information therefrom, and determine whether the network access request has access rights; if yes, return a response message.
  • the internal network server 103 refers to a server capable of receiving a network access request through a network and serving as an entrance to a specific internal network.
  • the internal network server 103 is the target network address of the network access requesting end 101 and the mediation end 102, and the purpose thereof is to receive network access request information and provide response information according to the network access request information.
  • The internal network server 103 receives the second request message including the authentication information, analyzes it, and determines its legality, that is, whether it is an access request with access rights.
  • the process of determining the validity of the second request message may be implemented by analyzing the header information of the second request message.
  • The header information of the second request message is the processed header information to which the authentication information was added; the encrypted authentication information is extracted from the header information and decrypted using the decryption method corresponding to the asymmetric encryption algorithm, yielding the authentication information, which is at least one of the unique identification information of the terminal device and the user identity authentication information, since the authentication information is preset by the internal network server 103.
  • The internal network server 103 pre-stores a list of terminal devices and a list of users for which access is permitted; therefore, determining whether the network access request has access rights is essentially identifying and matching the authentication information.
  • The specific matching process includes at least one of the following: comparing the decrypted unique identification information of the terminal device with the list of terminal devices permitted to access, stored by the server itself, and determining whether the terminal device that issued the access request is in the list; comparing the decrypted user identity authentication information with the list of users permitted to access, stored by the server itself, and determining whether the user who issued the access request is in the list. If the match succeeds, the access request has access rights, and the internal network server 103 generates the corresponding response information according to the message content (the first request message) of the second request message and transmits it to the mediation end 102.
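  • The header-adding step of the mediator and the decrypt-and-match check of the internal network server described above, as an added example in Go (not code from the patent): RSA-OAEP stands in for the unspecified asymmetric algorithm, and the header name X-Internal-Auth, the "device|user" layout of the authentication information, the sample request and the permitted-device and permitted-user lists are assumptions of the example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// AuthHeader is the preset header field carrying the authentication information
// (the patent does not name it; this name and the "device|user" layout are assumptions).
const AuthHeader = "X-Internal-Auth"

// AuthInfo is the patent's authentication information: terminal device unique ID
// and/or user identity ID issued by the internal network server; one may be empty.
type AuthInfo struct{ DeviceID, UserID string }

// AddAuthentication is the mediator side: parse the first request message, encrypt the
// authentication information with the internal server's public key (RSA-OAEP stands in
// for the unspecified asymmetric algorithm), add it to the header and re-serialise
// the result as the second request message.
func AddAuthentication(first []byte, pub *rsa.PublicKey, info AuthInfo) ([]byte, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(first)))
	if err != nil {
		return nil, err
	}
	plain := []byte(info.DeviceID + "|" + info.UserID)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte(AuthHeader))
	if err != nil {
		return nil, err
	}
	req.Header.Set(AuthHeader, base64.StdEncoding.EncodeToString(ct))
	var second bytes.Buffer
	if err := req.Write(&second); err != nil {
		return nil, err
	}
	return second.Bytes(), nil
}

// AccessPolicy is the server's pre-stored lists of permitted devices and users.
type AccessPolicy struct{ Devices, Users map[string]bool }

// VerifyAuthentication is the internal network server side: extract the encrypted
// authentication information from the header, decrypt it with the private key and
// match it against the lists. ok is false when the header is missing, the value does
// not decrypt under this server's key, or an identifier that is present is not listed.
func VerifyAuthentication(second []byte, priv *rsa.PrivateKey, p AccessPolicy) (AuthInfo, bool, error) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(second)))
	if err != nil {
		return AuthInfo{}, false, fmt.Errorf("unparseable request: %w", err)
	}
	enc := req.Header.Get(AuthHeader)
	if enc == "" {
		return AuthInfo{}, false, nil // no authentication information at all
	}
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return AuthInfo{}, false, nil
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(AuthHeader))
	if err != nil {
		return AuthInfo{}, false, nil // not encrypted for this server: reject
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return AuthInfo{}, false, nil
	}
	info := AuthInfo{DeviceID: parts[0], UserID: parts[1]}
	// Every identifier that is present must be listed, and at least one must be present.
	ok := (info.DeviceID != "" || info.UserID != "") &&
		(info.DeviceID == "" || p.Devices[info.DeviceID]) &&
		(info.UserID == "" || p.Users[info.UserID])
	return info, ok, nil
}

// Constructed first request message, as the application would send it to the mediator.
const sampleFirstRequest = "GET /api/data HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: sample-app\r\n\r\n"

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	policy := AccessPolicy{Devices: map[string]bool{"SN-0001": true}, Users: map[string]bool{"alice": true}}
	second, _ := AddAuthentication([]byte(sampleFirstRequest), &priv.PublicKey, AuthInfo{DeviceID: "SN-0001", UserID: "alice"})
	info, ok, _ := VerifyAuthentication(second, priv, policy)
	fmt.Printf("listed device and user: %+v allowed=%v\n", info, ok)
	_, ok, _ = VerifyAuthentication([]byte(sampleFirstRequest), priv, policy)
	fmt.Printf("request without authentication information: allowed=%v\n", ok)
}
```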
  • FIG. 4 is a flowchart of the method for securely accessing an internal network.
  • The method provided in this embodiment has the same technical content as the system provided in the foregoing first embodiment, with the mediation end of that embodiment serving as the main implementation body of the method; for the technical details of this embodiment, refer to the related content of the foregoing first embodiment, which is not repeated here.
  • the method for securely accessing an internal network includes the following steps:
  • the purpose of this step is to receive the original access request information.
  • the original access request information is the first request message, and is sent by the network application requesting end such as the APP application or the browser to the destination server accessed by the network by using the http protocol or the https protocol.
  • Hijacking the network access request issued by an application having a network access function refers to monitoring and hijacking the network access request originally sent to the destination server, so as to receive the network access request first.
  • the hijacking process is: injecting a hook function into an http access process or an https access process by using a global DLL injection method.
  • When the first request message is hijacked, if it is sent using the http protocol, an http handshake with the sender of the first request message needs to be performed before receiving the first request message, and after the handshake succeeds the sender may send the first request message; if the first request message is sent using the https protocol, the CA pseudo certificate needs to be imported before the first request message is hijacked, and before receiving the first request message an SSL handshake is performed with the sender of the first request message and then with the destination server; after this series of SSL handshakes succeeds, the sender of the first request message can send the first request message.
  • The foregoing step hijacks the first request message; this step adds authentication information to the first request message to form a second request message, which is used to prove that the requesting end that sent the first request message has access rights to the destination server to be accessed.
  • the authentication information may adopt the following information: the unique identification information of the terminal device where the network access request end is located; the user identity authentication information, and the two types of the authentication information may be adopted separately or simultaneously.
  • After the authentication information is encrypted by the asymmetric encryption algorithm, it is added in the header information of the first request message.
  • the purpose of this step is to forward the second request message formed by the above steps to the destination server accessed by the network.
  • the destination server in the present application is an internal network server.
  • The process is: during the connection process before receiving the first request message, perform an SSL handshake with the network access requesting end, and then perform an SSL handshake with the internal network server according to the server_name field provided by the SSL handshake.
  • The second request message includes the authentication information and the first request message; the internal network server extracts the authentication information from the second request message, decrypts it with the decryption method corresponding to the asymmetric encryption algorithm, and determines according to the authentication information whether the network access request has access authority; if yes, a response message is returned.
  • This step receives the returned response information.
  • This step is for forwarding the received response information to the application that issues the network access request.
  • the process needs to parse the response information, obtain a response to the network access request of the network application, and then send the response message to the corresponding network application.
  • FIG. 5 is a flowchart of a method for the server to receive an access.
  • The method provided in this embodiment has the same technical content as the system provided in the first embodiment, with the internal network server of that embodiment serving as the main implementation body of the method; for the technical details of this embodiment, refer to the related content of the first embodiment and the second embodiment, which is not repeated here.
  • the method for receiving access by the server includes the following steps:
  • the purpose of this step is to receive an access request.
  • the access request including the authentication information refers to the second request message forwarded in step S103 in the second embodiment.
  • the function of this step is to extract the authentication information in the second request message, and determine whether the user or the terminal that sent the access request has the access right by using the authentication information.
  • S203 Determine, according to the authentication information, whether the access request is legal.
  • This step is used to decrypt the authentication information, and thereby verify the validity of the access request.
  • the authentication information is encrypted by using an asymmetric encryption algorithm. Therefore, in this embodiment, the authentication information is decrypted by using a decryption method corresponding to the asymmetric encryption algorithm, and the decrypted authentication information includes at least one of the following information:
  • Verifying the validity of the access request according to the decrypted authentication information includes at least one of the following: comparing the decrypted unique identification information of the terminal device with the list of terminal devices permitted to access, stored by the server itself, and determining whether the terminal device that issued the access request is in the list; comparing the decrypted user identity authentication information with the list of users permitted to access, stored by the server itself, and determining whether the user who issued the access request is in the list.
  • This step is used to respond accordingly according to the judgment result of the above step. If the judgment result proves that the access request has legality, the corresponding response information is returned according to the access request.
  • FIG. 6 is a flowchart of a method for receiving access by the server.
  • the data processing method includes the following steps:
  • the first network access request is intercepted, where the first network access request includes a source address and a target address.
  • the authentication information includes at least one of the following information: unique identification information of the computing device corresponding to the source address; user identity authentication information.
  • The data processing method provided by this embodiment is substantially the same as the system for securely accessing an internal network provided by the first embodiment and the method provided by the second embodiment, and differs only in the wording of the description.
  • the implementation body of this embodiment is the mediation end in the first embodiment.
  • the computing device corresponding to the source address in this embodiment represents the network access requesting end in the first embodiment.
  • The computing device corresponding to the target address represents the internal network server in the first embodiment; the first network access request represents the first request message in the second embodiment, and the second network access request represents the second request message in the second embodiment; for related content, refer to the first embodiment and the second embodiment of the present application, which are not repeated here.
  • FIG. 7 is a flowchart of the data response method.
  • the method for data response includes the following steps:
  • S403. Determine, according to the authentication information, whether the network access request is legal.
  • a method for data response provided by this embodiment is substantially the same as the system provided by the first embodiment and the method for receiving access by the server provided by the third embodiment, and is only adjusted in the description.
  • the implementation body of this embodiment is the internal network server in the first embodiment.
  • FIG. 8 is a schematic diagram of an apparatus for securely accessing an internal network according to the embodiment.
  • the apparatus for securely accessing an internal network includes:
  • a first request message hijacking unit 201 configured to hijack a network access request issued by an application having a network access function; the network access request is referred to as a first request message;
  • the authentication information adding unit 202 is configured to add authentication information to the first request message to form a second request message.
  • a second request message forwarding unit 203 configured to forward the second request message to a destination server of the network access request, that is, an internal network server;
  • the response information receiving unit 204 is configured to receive response information returned by the internal network server
  • the response information forwarding unit 205 is configured to forward the response information to the application that sends the network access request.
  • the network access request is hijacked by using a hook function; and the hook function is injected into the network access request process in advance by using a DLL injection manner.
  • When the first request message is in http mode, before receiving the first request message an http handshake is performed with the application that sends the network access request, and before sending the second request message an http handshake is performed with the internal network server.
  • When the network access request is in https mode, before receiving the first request message an SSL handshake is performed with the network access requesting end, and then, according to the server_name field provided by the SSL handshake, an SSL handshake is performed with the internal network server; after receiving the handshake success message returned by the internal network server, a handshake success message is sent to the application that sends the network access request.
  • the CA pseudo certificate is imported before the network access request sent by the network access function application is hijacked.
  • the authentication information includes at least one of the following information: unique identification information of the terminal device; user identity authentication information.
  • the authentication information is encrypted using an asymmetric encryption algorithm.
  • FIG. 9 is a schematic diagram of a device for receiving access by a server according to the embodiment.
  • the apparatus for receiving access by the server includes:
  • the access request obtaining unit 301 is configured to acquire an access request that includes authentication information, and the access request is referred to as a second request message.
  • the authentication information extracting unit 302 is configured to extract the authentication information
  • the access request legality determining unit 303 is configured to determine, according to the authentication information, whether the access request is legal;
  • the response message returning unit 304 is configured to return a response message when the result of the above-mentioned unit is YES.
  • the authentication information is encrypted by using an asymmetric encryption algorithm, and determining, according to the authentication information, whether the access request is legal, including:
  • the authentication information includes at least one of the following information: unique identification information of the terminal device, user identity authentication information;
  • the verifying the validity of the access request according to the decrypted authentication information includes at least one of the following manners:
  • FIG. 10 is a schematic diagram of a device for data processing according to the embodiment.
  • the apparatus for data processing includes:
  • the first network access request intercepting unit 401 is configured to intercept the first network access request, where the first network access request includes a source address and a target address;
  • the authentication information adding unit 402 is configured to add the authentication information to the first network access request to obtain a second network access request.
  • a second network access request sending unit 403, configured to send the second network access request to a computing device corresponding to the target address
  • the response information receiving unit 404 is configured to receive response information returned by the computing device corresponding to the target address
  • the response information sending unit 405 is configured to send the response information to the computing device corresponding to the source address.
  • the authentication information includes at least one of the following information: unique identification information of the computing device corresponding to the source address; user identity authentication information.
  • FIG. 11 is a schematic diagram of a device for responding to data according to the embodiment.
  • the device for responding to the data includes:
  • the network access request obtaining unit 501 is configured to acquire a network access request that includes the authentication information.
  • the authentication information extracting unit 502 is configured to extract the authentication information from the network access request.
  • the network access request legality determining unit 503 is configured to determine, according to the authentication information, whether the network access request is legal;
  • the response information returning unit 504 is configured to return a response message when the determination result of the above unit is YES.
  • a tenth embodiment of the present application provides an electronic device.
  • FIG. 12 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively simple, and for the relevant parts reference can be made to the description of the method embodiment.
  • the device embodiments described below are merely illustrative.
  • the electronic device includes: a processor 601; a memory 602.
  • the memory 602 is configured to store a program for securely accessing an internal network. After the device is powered on and runs the program for securely accessing the internal network through the processor 601, the following steps are performed:
  • Hijacking a network access request issued by an application having a network access function, the network access request being referred to as a first request message; adding authentication information to the first request message to form a second request message; forwarding the second request message to the destination server of the network access request, that is, the internal network server; receiving response information returned by the internal network server; and forwarding the response information to the application that issued the network access request.
  • FIG. 13 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively simple, and for the relevant parts reference can be made to the description of the method embodiment.
  • the device embodiments described below are merely illustrative.
  • the electronic device includes: a processor 701; a memory 702.
  • The memory 702 is configured to store a program for the server to receive access. After the device is powered on and runs this program through the processor 701, the following steps are performed:
  • Acquiring an access request including authentication information, the access request being referred to as a second request message; extracting the authentication information; determining, according to the authentication information, whether the access request is legal; if yes, returning a response message.
  • FIG. 14 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
  • the device embodiments described below are merely illustrative.
  • the electronic device includes: a processor 801; a memory 802.
  • the memory 802 is configured to store a program for data processing. After the device is powered on and runs the program of the data processing by the processor 801, the following steps are performed:
  • Intercepting a first network access request, where the first network access request includes a source address and a target address; adding authentication information to the first network access request to obtain a second network access request; sending the second network access request to the computing device corresponding to the target address; receiving the response information returned by the computing device corresponding to the target address; and sending the response information to the computing device corresponding to the source address.
  • a thirteenth embodiment of the present application provides an electronic device.
  • FIG. 15 is a schematic diagram of an embodiment of the device. Since the device embodiment is basically similar to the method embodiment, the description is relatively simple, and for the relevant parts reference can be made to the description of the method embodiment.
  • the device embodiments described below are merely illustrative.
  • the electronic device includes: a processor 901; a memory 902.
  • the memory 902 is configured to store a program for data response. After the device is powered on and runs the program of the data response by the processor 901, the following steps are performed:
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the memory may include non-persistent memory, random access memory (RAM), and/or non-volatile memory in a computer readable medium, such as read only memory (ROM) or flash memory.
  • Memory is an example of a computer readable medium.
  • Computer readable media including both permanent and non-persistent, removable and non-removable media may be implemented by any method or technology.
  • the information can be computer readable instructions, data structures, modules of programs, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic tape cartridges, magnetic tape storage or other magnetic storage devices, or any other non-transportable media that can be used to store information that can be accessed by a computing device.
  • computer readable media does not include non-transitory computer readable media, such as modulated data signals and carrier waves.
  • embodiments of the present application can be provided as a method, system, or computer program product.
  • the present application can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment in combination of software and hardware.
  • the application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a system, method and apparatus for securely accessing an internal network, the system comprising: a network access requesting end, an intermediary end and an internal network server. The network access requesting end is used to issue a first request message requesting network access and to receive a response message; the intermediary end is used to monitor and hijack the first request message of the network access requesting end, parse the first request message and add authentication information to it to obtain a second request message, send the second request message to the destination network address of the first request message, and receive a response message for the second request message and forward it to the client; the internal network server is used to receive the second request message, extract the authentication information from it, and determine whether the network access request has access authorization; if so, return the response message. By means of the technical solution provided by the present invention, it can be determined precisely whether a client has permission to access an internal network, preventing unprivileged access requests.
PCT/CN2018/106976 2017-09-29 2018-09-21 Method and apparatus for securely accessing an internal network WO2019062666A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710905297.XA CN109587097A (zh) 2017-09-29 2017-09-29 System, method and apparatus for implementing secure access to an internal network
CN201710905297.X 2017-09-29

Publications (1)

Publication Number Publication Date
WO2019062666A1 true WO2019062666A1 (fr) 2019-04-04

Family

ID=65900652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/106976 WO2019062666A1 (fr) 2017-09-29 2018-09-21 Method and apparatus for securely accessing an internal network

Country Status (3)

Country Link
CN (1) CN109587097A (fr)
TW (1) TW201916628A (fr)
WO (1) WO2019062666A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104605A (zh) * 2020-08-10 2020-12-18 深信服科技股份有限公司 Network management method, device and storage medium
CN114157475A (zh) * 2021-11-30 2022-03-08 迈普通信技术股份有限公司 Device access method and apparatus, authentication device and access device
CN114363031A (zh) * 2021-12-29 2022-04-15 中国电信股份有限公司 Network access method and apparatus
CN115766059A (zh) * 2022-09-22 2023-03-07 网易(杭州)网络有限公司 Cluster deployment method, access method, apparatus and electronic device
CN116796306A (zh) * 2023-08-15 2023-09-22 浩鲸云计算科技股份有限公司 Method for controlling notebook table permissions under the same tenant

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112260981A (zh) * 2019-07-22 2021-01-22 北京明华联盟科技有限公司 Identity authentication method, apparatus, system and storage medium
CN112532561B (zh) * 2019-08-28 2023-04-07 斑马智行网络(香港)有限公司 Method, apparatus, system and storage medium for implementing access between devices
CN112541136B (zh) * 2019-09-23 2024-02-13 北京国双科技有限公司 Method and apparatus for acquiring network address information, storage medium and electronic device
CN110807202B (zh) * 2019-10-31 2022-03-18 北京字节跳动网络技术有限公司 Verification information processing method and apparatus, electronic device and computer readable medium
CN110995422B (zh) * 2019-11-29 2023-02-03 深信服科技股份有限公司 Data analysis method, system, device and computer readable storage medium
CN111355720B (zh) * 2020-02-25 2022-08-05 深信服科技股份有限公司 Method, system and device for an application to access an intranet, and computer storage medium
CN111814084A (zh) * 2020-06-18 2020-10-23 北京天空卫士网络安全技术有限公司 Data access management method, apparatus and system
CN111737723B (zh) * 2020-08-25 2020-12-29 杭州海康威视数字技术股份有限公司 Service processing method, apparatus and device
CN115065530B (zh) * 2022-06-13 2024-01-23 北京华信傲天网络技术有限公司 Trusted data interaction method and system
CN116633687A (zh) * 2023-07-20 2023-08-22 深圳市永达电子信息股份有限公司 Terminal secure access method, system and controller

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012092269A1 (fr) * 2010-12-29 2012-07-05 Citrix Systems, Inc. Systems and methods for policy-based integration of horizontally deployed WAN optimization appliances
CN102811225A (zh) * 2012-08-22 2012-12-05 神州数码网络(北京)有限公司 Method for accessing web resources through an SSL intermediate proxy, and switch
CN105915550A (zh) * 2015-11-25 2016-08-31 北京邮电大学 SDN-based Portal/Radius authentication method
CN106790194A (zh) * 2016-12-30 2017-05-31 中国银联股份有限公司 SSL protocol-based access control method and apparatus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8881248B2 (en) * 2008-10-06 2014-11-04 Nokia Solutions And Networks Oy Service provider access
CN102368768B (zh) * 2011-10-12 2014-04-02 北京星网锐捷网络技术有限公司 Authentication method, device, system and authentication server
CN104239577A (zh) * 2014-10-09 2014-12-24 北京奇虎科技有限公司 Method and apparatus for detecting the authenticity of web page data
US10171457B2 (en) * 2015-12-29 2019-01-01 International Business Machines Corporation Service provider initiated additional authentication in a federated system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104605A (zh) * 2020-08-10 2020-12-18 深信服科技股份有限公司 Network management method, device and storage medium
CN114157475A (zh) * 2021-11-30 2022-03-08 迈普通信技术股份有限公司 Device access method and apparatus, authentication device and access device
CN114157475B (zh) * 2021-11-30 2023-09-19 迈普通信技术股份有限公司 Device access method and apparatus, authentication device and access device
CN114363031A (zh) * 2021-12-29 2022-04-15 中国电信股份有限公司 Network access method and apparatus
CN115766059A (zh) * 2022-09-22 2023-03-07 网易(杭州)网络有限公司 Cluster deployment method, access method, apparatus and electronic device
CN115766059B (zh) * 2022-09-22 2024-05-17 网易(杭州)网络有限公司 Cluster deployment method, access method, apparatus and electronic device
CN116796306A (zh) * 2023-08-15 2023-09-22 浩鲸云计算科技股份有限公司 Method for controlling notebook table permissions within a single tenant
CN116796306B (zh) * 2023-08-15 2023-11-14 浩鲸云计算科技股份有限公司 Method for controlling notebook table permissions within a single tenant

Also Published As

Publication number Publication date
TW201916628A (zh) 2019-04-16
CN109587097A (zh) 2019-04-05

Similar Documents

Publication Publication Date Title
WO2019062666A1 (fr) Method and apparatus for securely accessing an internal network
TWI756439B (zh) Network access authentication method, apparatus and system
US10554420B2 (en) Wireless connections to a wireless access point
CN107666383B (zh) HTTPS protocol-based message processing method and apparatus
US10650119B2 (en) Multimedia data processing method, apparatus, system, and storage medium
US11196561B2 (en) Authorized data sharing using smart contracts
US11829502B2 (en) Data sharing via distributed ledgers
WO2016015436A1 (fr) Platform authorization method, platform server, application client, system and storage medium
US11303431B2 (en) Method and system for performing SSL handshake
WO2018205997A1 (fr) Wireless access point connection method and device
US10257171B2 (en) Server public key pinning by URL
US10262146B2 (en) Application-to-application messaging over an insecure application programming interface
CN110933078B (zh) Session tracking method for H5 users who are not logged in
US20180375648A1 (en) Systems and methods for data encryption for cloud services
US11451517B2 (en) Secure and auditable proxy technology using trusted execution environments
CN105208041A (zh) Hook-based method for cracking encrypted data packets of cloud storage applications
EP4351086A1 (fr) Access control method, access control system and related device
WO2018099407A1 (fr) Account-authentication-based login method and device
US10356112B2 (en) Method of mitigating cookie-injection and cookie-replaying attacks
US20220353081A1 (en) User authentication techniques across applications on a user device
CN115499177A (zh) Cloud desktop access method, zero-trust gateway, cloud desktop client and server
WO2017024588A1 (fr) Service processing method and apparatus
US11610011B2 (en) Secure transfer of data between programs executing on the same end-user device
GB2590520A (en) Data sharing via distributed ledgers
TW202326492A (zh) Apparatus, method and system for handling access control

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18862673

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18862673

Country of ref document: EP

Kind code of ref document: A1