WO2020011332A1 - System and method for creating a secure connection - Google Patents


Info

Publication number
WO2020011332A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
processing unit
service
network connection
service provider
Prior art date
Application number
PCT/EP2018/068518
Other languages
English (en)
Inventor
Igor SHAFRAN
Irena BEREZOVSKY
Itamar OFEK
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to PCT/EP2018/068518 (WO2020011332A1)
Priority to CN201880095428.5A (CN112385192B)
Publication of WO2020011332A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention in some embodiments thereof, relates to a system for providing a computerized service and, more specifically, but not exclusively, to a system for creating a secure connection between a client and a provider of a computerized service.
  • secure channel means a way of transferring data that is resistant to overhearing and tampering.
  • One possible method to establish a secure channel between a client and a provider of a computerized service is to use a secure point to point network protocol.
  • Some examples of a secure point to point network protocol are Internet Protocol Security (IPSec), Hypertext Transfer Protocol Secure (HTTPS), and Secure Shell (SSH).
  • Another possible method is to create a Virtual Private Network (VPN) for network communication between the client and the provider of the computerized service.
  • Some methods require exchanging one or more encryption keys between the client and the provider of the computerized service.
  • Some systems that use encryption key exchange use the Internet Key Exchange (IKE) protocol.
  • a system for creating a secure connection between a client and a provider of a computerized service comprises a management processing unit adapted to: receive from a client processing unit a service identifier and a plurality of client credentials; deduce from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; send to the client processing unit the plurality of client side network connection values to be used by the client processing unit when establishing a direct network connection; and send to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
  • Using a management processing unit may eliminate a necessity for the service provider processing unit to listen on a public port.
  • a method for creating a secure connection between a client and a provider of a computerized service comprises receiving from a client processing unit a service identifier and a plurality of client credentials; deducing from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; sending to the client processing unit the plurality of client side network connection values to be used by the client when establishing a direct network connection; and sending to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection.
  • a system for creating a secure connection between a client and a provider of a computerized service comprises a client processing unit adapted to: send a service identifier and a plurality of client credentials to a management processing unit; receive from the management processing unit a plurality of client side network connection values; and establish a direct network connection with a service provider processing unit using the plurality of client side network connection values for the purpose of receiving the computerized service from the service provider processing unit.
  • the plurality of client side network connection values are selected from a group of network connection values comprising: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a private secret value, a public secret value, and a hint value describing a preferred protocol.
  • the plurality of server side network connection values are selected from the group of network connection values.
  • the plurality of client side network connection values comprises a network address value of the service provider processing unit and a network port number value of the service provider processing unit.
  • the plurality of server side network connection values comprises a network address value of the client.
  • the service type identifier value identifies a service selected from a group consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), Internet Protocol Security (IPSec), Transport Layer Security (TLS), and Secure Sockets Layer (SSL).
  • Sending the client processing unit a network address and port number of the service provider processing unit may eliminate a necessity for the service provider processing unit to listen on a public port, and sending the service provider processing unit a network address of the client processing unit may facilitate the service provider processing unit authenticating the client processing unit when the client processing unit attempts to establish a connection with the service provider processing unit.
  • the plurality of server side network connection values comprises some or all of the plurality of client credentials. Some or all of the plurality of client credentials may facilitate the service provider processing unit authenticating the client and thus reduce a risk of unauthorized access to the service provider.
  • the management processing unit is further adapted to instruct the service provider processing unit to execute a service software object or a plurality of service software objects for the purpose of providing the computerized service to the client processing unit.
  • the service software object or plurality of service software objects comprise a compute instance executed by the service provider processing unit for the purpose of providing the computerized service to the client processing unit.
  • the management processing unit is further adapted to configure at least one network device to direct a digital message or a plurality of digital messages from the client processing unit to the service provider processing unit. Configuring the at least one network device only when the computerized service is required by the client processing unit may reduce risk of unauthorized access to the computerized service as access is not permitted before there is demand from a client.
  • the system further comprises an authentication processing unit adapted to execute a hash-based message authentication code (HMAC) One-time Password (HOTP) server.
  • the client processing unit uses some or all of the client side values to generate a one-time password token for use in the direct network connection, and the service provider processing unit communicates with the HOTP server to authenticate the one-time password token.
  • the authentication processing unit is the management processing unit or the service provider processing unit. Using a one-time password may facilitate supporting computerized services that require a one-time password.
  • the client credentials comprise an International Telecommunications Union's Standardization sector X.509 certificate (X.509 certificate) comprising an Enhanced Key Usage field, and a value of the Enhanced Key Usage field is the service identifier.
  • the management processing unit executes at least one Authentication, Authorization and Accounting (AAA) software object.
  • Login-TCP-Port attribute and a Login-Service attribute, and the at least one AAA software object communicates with the at least one IKE software object using the plurality of Remote Authentication Dial-In User Service (RADIUS) data attributes.
  • a value of the Login-IP-Host attribute sent from the at least one IKE software object to the client processing unit is a network address value of the service provider processing unit.
  • a value of the Login-TCP-Port attribute sent from the at least one IKE software object to the client processing unit is a network port number value of the service provider processing unit.
  • a value of the Login-Service attribute sent from the at least one IKE software object to the client processing unit is a service type identifier value.
  • a value of the Filter-Id attribute sent from the at least one AAA software object to the at least one IKE software object or the client processing unit is a shared secret value for creation of a one-time password.
  • Using some RADIUS attributes may facilitate reduced costs of implementation and operation by using existing RADIUS supporting components.
  • the client processing unit sends the service identifier and the plurality of client credentials to the management processing unit using the Internet Key Exchange (IKE) protocol.
  • the client processing unit establishes the direct network connection using a protocol selected from a group of secure protocols consisting of: Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and Internet Protocol Security (IPSec).
  • FIG. 1 is a schematic block diagram of an exemplary system, according to some embodiments of the present invention.
  • FIG. 2 is a sequence diagram of an optional flow of operations, according to some embodiments of the present invention.
  • FIG. 3 is a sequence diagram of an optional flow of operations to deduce the plurality of client and server side network connection values, according to some embodiments of the present invention.
  • FIG. 4 is a sequence diagram of an optional flow of operations using a one-time password, according to some embodiments of the present invention.
  • FIG. 5 is a sequence diagram of an optional flow of operations to establish an SSH connection, according to some embodiments of the present invention.
  • FIG. 6 is a sequence diagram of an optional flow of operations to establish an IPSec connection, according to some embodiments of the present invention.
  • the present invention in some embodiments thereof, relates to a system for providing a computerized service and, more specifically, but not exclusively, to a system for creating a secure connection between a client and a provider of a computerized service.
  • a client communicates with a provider of the computerized service using a digital communication network.
  • the digital communication network may be a Local Area Network (LAN), for example an Ethernet network or a wireless network such as a Wireless Fidelity (WiFi) network.
  • the digital communication network may be a Wide Area Network (WAN), for example the Internet.
  • the digital communication network may comprise a LAN and a WAN.
  • the provider of the computerized service may be one or more hardware processors adapted to execute one or more software objects for providing the computerized service.
  • the term “server” is used to mean a provider of a computerized service and the term “network” is used to mean a digital communication network.
  • the client sends the server a service request.
  • the server must listen continuously to a known network port for the service request from the client.
  • the server is located within a controlled access network (private network), such that other computers may access the server only via one or more network devices configured to filter network traffic into and out of the private network. Examples of a network device are a router, a switch, and a firewall.
  • a network device may be a dedicated device.
  • a network device may be a device, for example a computer, configured to implement a networking service such as routing, switching or a firewall, as well as other computerized services.
  • the term “gateway” refers to one or more network devices configured to filter network traffic into and out of a private network.
  • the gateway is configured to allow delivering the service request to the server inside the private network.
  • the gateway may be configured to deliver network traffic between the client and the server only using the secure network protocol. Allowing a service request from any client to be delivered to the server could expose the server to malicious exploitation via the known network port.
  • Configuring the gateway to allow only traffic from a group of known clients requires advance knowledge of which clients may require the computerized service, or manual ad hoc configuration of the gateway as a new client requires the computerized service.
  • when more than one server is located on one private network, there is a need to configure the gateway with access rules per client, per computerized service.
  • Additional configuration of the gateway may be needed when a new secure protocol is introduced, in addition to one or more secure protocols the gateway is already configured to deliver.
  • Some systems create a VPN for network access by the client to the private network; however using a VPN may expose the entire private network to the client, which may not be necessary or desirable as this exposure could expose the topology of the private network and additionally or alternately expose other computers connected to the private network to a malicious exploitation from the client.
  • a secure point to point network protocol is used for communication between the client and the server.
  • a VPN solution requires double encryption - one for a secure channel between the client and the server and one for the VPN. This requires more than one encryption key exchange.
  • the present invention proposes using a mediation service for a single encryption key exchange to enable access to a computerized service on a private network using one of a plurality of secure point to point network protocols.
  • a secure connection interface (endpoint) is exposed by the server according to a client’s identity and security credentials, upon receiving by the mediation service a service request from the client.
  • the present invention proposes dynamically provisioning a service instance only when a client requires the service instance.
  • the present invention proposes dynamically configuring one or more network devices (the gateway) to enable establishment of a secure channel between the client and the server.
  • Dynamically configuring a secure point to point network protocol may allow eliminating pre-configuration of the gateway, reducing the ability of an unauthorized entity to access the server. Dynamically provisioning the service instance may further reduce the ability of an unauthorized entity to access the server as a service instance’s endpoint in the server exists for a reduced period of time.
  • refraining from using a VPN may prevent an unauthorized entity from accessing other devices connected to the private network other than the server.
  • refraining from using a VPN may facilitate reducing costs of operation as VPN expertise, which may be expensive, is not required.
  • the exchanged information comprises client credentials.
  • examples of client credentials are a client’s identity, a preferred point to point network protocol identifier, a security certificate, and a permission to use a service.
  • using the IKE protocol with one or more Extensible Authentication Protocol (EAP) based protocols may facilitate using existing network devices and network software solutions already adapted to support IKE and EAP based protocols, and thus may facilitate lower implementation costs when implementing the present invention compared to implementing a solution requiring specially adapted network devices and network software solutions.
  • the present invention may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
  • the computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.
  • the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures.
  • two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • system 100 comprises a management processing unit 101 for the purpose of provisioning a secure channel between a client processing unit 104 and a service provider processing unit 106 in order to provide client processing unit 104 with at least one computerized service by service provider processing unit 106.
  • a processing unit may be any kind of programmable or non-programmable circuitry that is configured to carry out the operations described herein.
  • the processing unit may comprise hardware as well as software.
  • a processing unit may comprise one or more processors and a transitory or non-transitory memory that carries a program which causes the processing unit to perform the respective operations when the program is executed by the one or more processors.
  • client processing unit (client) 104 is connected to management processing unit (management) 101 via at least one digital communication network.
  • Client 104 is optionally connected to service provider processing unit (service provider) 106 via at least one other digital communication network.
  • service provider 106 is connected to a private network and client 104 is connected to service provider 106 via at least one network device 110, optionally configured to control access to the private network. Examples of a network device are a router, a switch, a residential gateway, and a firewall.
  • system 100 comprises authentication processing unit 114, for the purpose of executing a hash-based message authentication code (HMAC) One-time Password (HOTP) server used to authenticate client 104 when establishing a secure connection with service provider 106.
  • authentication processing unit 114 is management 101.
  • authentication processing unit 114 is service provider 106.
  • system 100 implements the following optional method.
  • client 104 sends management 101 a service identifier, identifying a computerized service requested by client 104, and a plurality of client credentials.
  • examples of a computerized service include SSH, HTTPS, IPSec, Transport Layer Security (TLS), and Secure Sockets Layer (SSL).
  • the plurality of client credentials comprises an International Telecommunications Union’s Standardization sector X.509 certificate (X.509 certificate), used to prove client 104’s ownership of a public key.
  • the X.509 certificate comprises an Enhanced Key Usage field.
  • a value of the Enhanced Key Usage field is the service identifier.
  • after receiving in 201 the service identifier and the plurality of client credentials from client 104, in 210 management 101 optionally deduces from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values.
  • Examples of a network connection value are: a network address value, a network port number value, a service type identifier value, an algorithm identifier, a shared secret value, a public secret value, and a hint value describing a preferred protocol.
  • a network address value may identify service provider 106 or client 104.
  • a network port number value may identify an endpoint of a computerized service or be used by service provider 106 to authenticate a request from client 104.
  • a service type identifier may identify a computerized service that service provider 106 is allowed to provide to client 104.
  • An algorithm identifier may identify an encryption algorithm to be used in a secure connection between client 104 and service provider 106.
  • a public secret value may be generated by management 101 on behalf of service provider 106 or client 104 and sent to the respective other party.
  • a hint value may be used by client 104 and/or service provider 106 when more than one computerized service is possible.
  • the client side network connection values may comprise one or more of: a network address value of service provider 106, and a network port value of service provider 106 identifying an endpoint for the computerized service provided by service provider 106 to client 104.
  • the server side network connection values may comprise a network address value of client 104.
  • the plurality of server side network connection values comprise some or all of the plurality of client credentials.
  • the plurality of server side network connection values optionally comprises the X.509 certificate.
  • the plurality of server side network connection values optionally comprises another X.509 certificate, used to prove client 104’s ownership of another public key, for example a public key generated by management 101.
  • FIG. 3 is a sequence diagram of an optional flow of operations 300 to deduce the plurality of client and server side network connection values, according to some embodiments of the present invention.
  • client 104 sends the service identifier and the plurality of client credentials to management 101 using the IKE protocol.
  • management 101 executes at least one IKE software object (IKE service) 121, for communicating with client 104.
  • client 104 optionally establishes a secure connection with IKE service 121 using IKE phase 1 protocol.
  • management 101 executes at least one Authentication Authorization and Accounting software object (AAA extended service) 122, to generate the plurality of client side network connection values and plurality of server side network connection values.
  • An optional flow of operations to deduce the plurality of client side network connection values and plurality of server side network connection values in 210 comprises in 311 IKE service 121 opening a secure channel with AAA extended service 122, and in 312 IKE service 121 negotiating with AAA extended service 122 one or more security keys using a shared secret value from the plurality of client credentials received from client 104 in 201.
  • IKE service 121 sends the plurality of client credentials and the service identifier received from client 104 in 201 to AAA extended service 122.
  • AAA extended service 122 generates in 313 the plurality of client side network connection values and plurality of server side network connection values, optionally using the plurality of client credentials and the service identifier received from the client in 201.
  • management 101 executes one or more connection controller software objects (connection controller) 123, for the purpose of provisioning a secure connection between client 104 and service provider 106.
  • AAA extended service 122 optionally sends connection controller 123 in 314 the generated plurality of client side network connection values and plurality of server side network connection values.
  • client 104 uses a plurality of Remote Authentication Dial-In User Service (RADIUS) data attributes when communicating with IKE service 121 and optionally when communicating with AAA extended service 122.
  • AAA extended service 122 uses the plurality of RADIUS data attributes when communicating with IKE service 121.
  • a value of a RADIUS Login-IP-Host attribute sent from IKE service 121 to client 104 is a network address value of service provider 106.
  • a value of a RADIUS Login-TCP-Port attribute sent from IKE service 121 to client 104 is a network port number value of service provider 106.
  • a value of a RADIUS Login-Service attribute sent from IKE service 121 to client 104 is a service type identifier value.
  • a value of a RADIUS Filter-Id attribute sent from AAA extended service 122 to IKE service 121 or client 104 is a shared secret value for creation of a one-time password.
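The RADIUS reuse described above (in the system definitions and in steps 311 to 314) carries the client side values in standard attributes. The following is an added example, not code from the patent: it encodes the four values as RFC 2865 attributes and decodes them on the receiving side with length checks. The attribute numbers are the standard ones; the Login-Service codes for SSH, HTTPS and IPSec are a constructed assumption, because the standard value space does not define those services.

```python
"""Added example (not the patent's own code): client-side connection values
as RADIUS attributes (Login-IP-Host, Login-TCP-Port, Login-Service, Filter-Id)
and their decoding. Attribute types follow RFC 2865; the Login-Service codes
for the patent's service types are an assumption made for this example."""
import ipaddress
import struct

# RFC 2865 attribute types.
FILTER_ID, LOGIN_IP_HOST, LOGIN_SERVICE, LOGIN_TCP_PORT = 11, 14, 15, 16
# Assumed (non-standard) Login-Service codes for the service types named on the page.
SERVICE_CODES = {"SSH": 100, "HTTPS": 101, "IPSec": 102}
CODE_TO_SERVICE = {v: k for k, v in SERVICE_CODES.items()}


def _attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type (1 octet), Length (1 octet, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_client_values(host: str, port: int, service_type: str,
                         shared_secret: str) -> bytes:
    """Client side network connection values -> attribute list sent in step 240."""
    if not 0 < port <= 65535:
        raise ValueError("bad port")
    return b"".join([
        _attr(LOGIN_IP_HOST, ipaddress.IPv4Address(host).packed),
        _attr(LOGIN_TCP_PORT, struct.pack("!I", port)),
        _attr(LOGIN_SERVICE, struct.pack("!I", SERVICE_CODES[service_type])),
        # The description uses Filter-Id to carry the one-time password seed;
        # its confidentiality rests on the IKE-protected channel it travels in.
        _attr(FILTER_ID, shared_secret.encode()),
    ])


def decode_attributes(data: bytes) -> dict:
    """Walk the TLV list, refusing to read past a malformed length field."""
    out, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", data, i)
        if alen < 3 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype in (LOGIN_IP_HOST, LOGIN_TCP_PORT, LOGIN_SERVICE) and len(value) != 4:
            raise ValueError("fixed-size attribute with wrong length")
        if atype == LOGIN_IP_HOST:
            out["host"] = str(ipaddress.IPv4Address(value))
        elif atype == LOGIN_TCP_PORT:
            out["port"] = struct.unpack("!I", value)[0]
        elif atype == LOGIN_SERVICE:
            out["service_type"] = CODE_TO_SERVICE.get(struct.unpack("!I", value)[0])
        elif atype == FILTER_ID:
            out["shared_secret"] = value.decode()
        # Unknown attribute types are skipped, as RADIUS receivers are expected to do.
        i += alen
    return out
```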
  • management 101 optionally sends client 104 the plurality of client side network connection values and in 241 management 101 optionally sends service provider 106 the plurality of server side network connection values.
  • management 101 optionally configures network device 110 to direct a digital message of a plurality of digital messages from client 104 to service provider 106, for example by configuring a port forwarding rule.
  • management 101 instructs service provider 106 to execute one or more service software objects for the purpose of providing the computerized service to client 104.
  • the one or more service software objects comprise a compute instance executed by service provider 106 for the purpose of providing the computerized service to client 104.
  • Examples of a compute instance are a virtual machine and an operating- system-level virtualization software object, also known as a container or a virtualization container, running one or more software programs or applications in isolation from other software programs.
  • Some examples of a service software object are a SSH service, an IPSec service and an HTTPS service.
  • client 104 optionally establishes a direct secure network connection with service provider 106 using the plurality of client side network connection values received from management 101 in 240, for the purpose of receiving the computerized service from service provider 106.
  • Service provider 106 optionally uses the plurality of server side network connection values when establishing the direct secure network connection with client 104.
  • client 104 establishes the direct secure network connection with service provider 106 using a secure point-to-point network protocol, for example SSH, HTTPS or IPSec.
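The mediated set-up summarised in the system definitions and detailed in steps 201, 210, 240 and 241 above, as an added simulation that is not part of the patent: management deduces the two value sets from the client's credentials, opens a gateway rule only for that client, and tells the service provider which source address and certificate to expect. The service catalogue, permissions, addresses and certificate strings are all constructed for this example.

```python
"""Added example (not the patent's own code): a minimal model of FIG. 2.
Management 101 deduces client side and server side connection values, pushes a
port-forwarding rule to network device 110 only on demand, and announces the
client to service provider 106, which accepts only that client. Every address,
port, identity and certificate value here is constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed catalogue: service identifier -> private endpoint and protocol.
SERVICE_CATALOGUE = {
    "ssh-admin": {"host": "10.0.0.5", "port": 2222, "service_type": "SSH"},
    "https-api": {"host": "10.0.0.6", "port": 8443, "service_type": "HTTPS"},
}
# Constructed permissions: which client identity may request which service.
PERMISSIONS = {"client-a": {"ssh-admin"}, "client-b": {"https-api"}}


@dataclass
class Gateway:
    """Network device 110: no path into the private network exists until added."""
    rules: list = field(default_factory=list)   # (client_ip, host, port)

    def allow(self, client_ip: str, host: str, port: int) -> None:
        self.rules.append((client_ip, host, port))

    def permits(self, client_ip: str, host: str, port: int) -> bool:
        return (client_ip, host, port) in self.rules


@dataclass
class ServiceProvider:
    """Service provider 106: authenticates by the address and credentials from step 241."""
    expected: dict = field(default_factory=dict)

    def accept(self, client_ip: str, client_cert: str) -> bool:
        return (client_ip == self.expected.get("client_ip")
                and client_cert == self.expected.get("client_cert"))


class Management:
    """Management 101: step 210 (deduce) followed by steps 240 and 241 (distribute)."""

    def __init__(self, gateway: Gateway, providers: Dict[str, ServiceProvider]):
        self.gateway = gateway
        self.providers = providers          # private host -> provider

    def request(self, client_ip: str, credentials: dict) -> Optional[dict]:
        # Step 201: the service identifier is read from the certificate's
        # Enhanced Key Usage field, as the description proposes.
        service_id = credentials["eku"]
        if service_id not in PERMISSIONS.get(credentials["identity"], set()):
            return None                     # not authorised: nothing is opened
        entry = SERVICE_CATALOGUE[service_id]
        shared_secret = secrets.token_hex(16)   # seed for a later one-time password
        client_values = {"host": entry["host"], "port": entry["port"],
                         "service_type": entry["service_type"],
                         "shared_secret": shared_secret}
        server_values = {"client_ip": client_ip, "client_cert": credentials["cert"],
                         "shared_secret": shared_secret}
        self.providers[entry["host"]].expected = server_values       # step 241
        self.gateway.allow(client_ip, entry["host"], entry["port"])  # on demand only
        return client_values                                         # step 240


def connect(gateway: Gateway, providers: Dict[str, ServiceProvider],
            client_ip: str, cert: str, values: dict) -> bool:
    """Direct connection attempt by the client with its client side values."""
    if not gateway.permits(client_ip, values["host"], values["port"]):
        return False                        # dropped at network device 110
    return providers[values["host"]].accept(client_ip, cert)


def demo() -> Tuple[bool, bool, bool]:
    gw = Gateway()
    providers = {"10.0.0.5": ServiceProvider(), "10.0.0.6": ServiceProvider()}
    mgmt = Management(gw, providers)
    creds = {"identity": "client-a", "eku": "ssh-admin", "cert": "CERT-A"}
    guess = {"host": "10.0.0.5", "port": 2222}
    before = connect(gw, providers, "203.0.113.10", "CERT-A", guess)   # no rule yet
    values = mgmt.request("203.0.113.10", creds)
    after = connect(gw, providers, "203.0.113.10", "CERT-A", values)   # mediated
    # Another source address presenting the same values is stopped at the gateway.
    other = connect(gw, providers, "198.51.100.7", "CERT-A", values)
    return before, after, other
```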
  • authorization processing unit 114 executes one or more HOTP server software objects implementing a HOTP server.
  • 210 further comprises generating in 401 a one-time password token, optionally using a shared secret value from the plurality of client credentials received from client 104 in 201, sent by AAA extended service 122 to authorization processing unit 114.
  • the plurality of server side network connection values sent in 241 to service provider 106 comprises a network address value of authorization processing unit 114.
  • Some secure protocols that may use a one-time password include SSH and IPSec.
  • After receiving the plurality of client network connection values in 240, in 410 client 104 optionally initiates an SSH connection with service provider 106.
  • client 104 may execute one or more SSH client software objects, and service provider may execute one or more SSH server software objects.
  • client 104 optionally generates a one time password token in 420 and optionally sends the one-time password token to service provider 106 in 421.
  • service provider 106 optionally sends the one-time password token to authentication processing unit 114 to authenticate that the client 104 connecting to the SSH service provided by service provider 106 is the same client that connected in 301 and 210.
  • client 104 optionally executes one or more IPSec client software objects
  • service provider 106 optionally executes one or more IPSec server software objects.
  • After receiving the plurality of client network connection values in 240, in 601 client 104 optionally initiates an IPSec connection with service provider 106, for example using the IKE phase 2 protocol. Optionally, client 104 sends service provider 106 the generated one-time password token. In this flow as well, in 422 service provider 106 optionally sends the one-time password token to authentication processing unit 114 to authenticate that the client 104 connecting to the IPSec service provided by service provider 106 is the same client that connected in 301 and 210. After authenticating client 104 with authentication processing unit 114, service provider 106 optionally establishes in 605 an IPSec connection with client 104, for example a VPN connection.
  • composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
  • a compound or “at least one compound” may include a plurality of compounds, including mixtures thereof.
  • range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the invention. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6 etc., as well as individual numbers within that range, for example, 1, 2, 3, 4, 5, and 6. This applies regardless of the breadth of the range.
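The bullets above (steps 210, 240/241, 401, 410/420/421/422 and 601/605) describe one flow: management 101 derives client-side and server-side connection values from the service identifier and the client credentials, the shared secret from those credentials is handed to the HOTP server on authorization processing unit 114, the client presents a one-time password when it opens the SSH or IPSec connection, and the service provider forwards that token to the authorization unit before accepting the client. The following is an added, offline simulation of that exchange written for this page; it is not code from the patent or from Huawei. The HOTP computation follows RFC 4226 (checked against its published test vectors), while the class names, the shape of the connection-value dictionaries, the port derivation and the look-ahead window size are assumptions chosen for illustration, since the description does not specify them.

```python
"""Simulated HOTP-gated connection setup (added example; not the patent's code).
Assumed names: ManagementUnit ~ management 101, AuthorizationUnit ~ unit 114,
ServiceProvider ~ provider 106, Client ~ client 104."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthorizationUnit:
    """HOTP server: holds each client's shared secret and its next expected counter.
    A token is accepted only inside a small look-ahead window (RFC 4226 section 7.2),
    and the counter then moves past it, so the same token can never be replayed."""

    def __init__(self, window: int = 3):  # window size is an assumption
        self.window = window
        self.clients = {}  # client_id -> {"secret": bytes, "counter": int}

    def register(self, client_id: str, secret: bytes) -> None:
        self.clients[client_id] = {"secret": secret, "counter": 0}

    def verify(self, client_id: str, token: str) -> bool:
        entry = self.clients.get(client_id)
        if entry is None:
            return False
        for c in range(entry["counter"], entry["counter"] + self.window):
            if hmac.compare_digest(hotp(entry["secret"], c), token):
                entry["counter"] = c + 1  # burn this counter and every earlier one
                return True
        return False


class ManagementUnit:
    """Derives both sides' connection values (steps 240/241) and passes the
    client's shared secret to the HOTP server (step 401)."""

    def __init__(self, auth: AuthorizationUnit):
        self.auth = auth

    def request_service(self, client_id: str, service_id: str, credentials: dict):
        self.auth.register(client_id, credentials["shared_secret"])
        # Assumed derivation: a per-service port from a hash of the service identifier.
        digest = hashlib.sha256(service_id.encode()).digest()
        port = 20000 + int.from_bytes(digest[:2], "big") % 10000
        client_values = {"host": "203.0.113.10", "port": port, "protocol": "ssh"}
        server_values = {"listen_port": port, "client_id": client_id,
                         "auth_unit": "auth.internal.example"}  # address of unit 114
        return client_values, server_values


class ServiceProvider:
    """Accepts a connection only after the authorization unit confirms the token
    (steps 421/422), and only from the client it was configured for."""

    def __init__(self, auth: AuthorizationUnit):
        self.auth = auth
        self.server_values = None

    def configure(self, server_values: dict) -> None:
        self.server_values = server_values

    def accept(self, client_id: str, token: str) -> bool:
        if self.server_values is None or self.server_values["client_id"] != client_id:
            return False
        return self.auth.verify(client_id, token)


class Client:
    """Generates HOTP tokens from the shared secret it registered with (step 420)."""

    def __init__(self, client_id: str, secret: bytes):
        self.client_id, self.secret, self.counter = client_id, secret, 0

    def next_token(self) -> str:
        token = hotp(self.secret, self.counter)
        self.counter += 1
        return token


def run_flow() -> dict:
    """Full exchange plus two failure cases: a replayed token and an unknown client."""
    auth = AuthorizationUnit()
    mgmt, provider = ManagementUnit(auth), ServiceProvider(auth)
    secret = b"12345678901234567890"  # constructed; the RFC 4226 test-vector secret
    client = Client("client-104", secret)
    client_values, server_values = mgmt.request_service(
        client.client_id, "ssh-service-7", {"shared_secret": secret})
    provider.configure(server_values)
    token = client.next_token()
    return {
        "client_values": client_values,
        "first": provider.accept(client.client_id, token),        # True
        "replay": provider.accept(client.client_id, token),       # False: counter burned
        "unknown": provider.accept("client-999", token),          # False: not configured
        "second": provider.accept(client.client_id, client.next_token()),  # True
    }


if __name__ == "__main__":
    print(run_flow())
```

The replay check is the property the description relies on when it says the token proves the connecting client "is the same client that connected in 301 and 210": because the authorization unit advances its counter past every accepted value, a token captured from one SSH or IPSec handshake is useless for a second one, and a token from a client the management unit never provisioned is rejected before any service software object is exposed.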

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention concerns a system for creating a secure connection between a client and a provider of a computerized service, comprising a management processing unit configured to: receive from a client processing unit a service identifier and a plurality of client credentials; derive from the service identifier and the plurality of client credentials a plurality of server side network connection values and a plurality of client side network connection values; send to the client processing unit the plurality of client side network connection values to be used by the client processing unit when establishing a direct network connection; and send to a service provider processing unit the plurality of server side network connection values to be used by the service provider processing unit when establishing the direct network connection. The service provider processing unit therefore no longer needs to listen on a public port.
PCT/EP2018/068518 2018-07-09 2018-07-09 Système et procédé de création d'une connexion sécurisée WO2020011332A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/EP2018/068518 WO2020011332A1 (fr) 2018-07-09 2018-07-09 Système et procédé de création d'une connexion sécurisée
CN201880095428.5A CN112385192B (zh) 2018-07-09 2018-07-09 用于创建安全连接的系统和方法

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2018/068518 WO2020011332A1 (fr) 2018-07-09 2018-07-09 Système et procédé de création d'une connexion sécurisée

Publications (1)

Publication Number Publication Date
WO2020011332A1 true WO2020011332A1 (fr) 2020-01-16

Family

ID=62904452

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/068518 WO2020011332A1 (fr) 2018-07-09 2018-07-09 Système et procédé de création d'une connexion sécurisée

Country Status (2)

Country Link
CN (1) CN112385192B (fr)
WO (1) WO2020011332A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040268152A1 (en) * 2003-06-27 2004-12-30 Wrq, Inc. Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys
US20060080545A1 (en) * 2004-10-12 2006-04-13 Bagley Brian B Single-use password authentication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102012989B (zh) * 2010-12-07 2013-11-27 江苏风云网络服务有限公司 软件即服务中基于门限与密钥的授权方法
US9717003B2 (en) * 2015-03-06 2017-07-25 Qualcomm Incorporated Sponsored connectivity to cellular networks using existing credentials

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040268152A1 (en) * 2003-06-27 2004-12-30 Wrq, Inc. Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys
US20060080545A1 (en) * 2004-10-12 2006-04-13 Bagley Brian B Single-use password authentication

Also Published As

Publication number Publication date
CN112385192A (zh) 2021-02-19
CN112385192B (zh) 2022-04-22

Similar Documents

Publication Publication Date Title
US8201233B2 (en) Secure extended authentication bypass
US10298581B2 (en) Zero-touch IoT device provisioning
EP3272094B1 (fr) Authentification de bout en bout au niveau d'une couche de service à l'aide de mécanismes de chargement de clé publique
US8607301B2 (en) Deploying group VPNS and security groups over an end-to-end enterprise network
JP4829554B2 (ja) 装置のグループをプロテクトするファイヤウォール、システムに参加する装置及びシステム内のファイヤウォール・ルールを更新する方法
US11621945B2 (en) Method and system for secure communications
US7536548B1 (en) System and methodology providing multi-tier-security for network data exchange with industrial control components
US9059977B2 (en) Distribution of secure or cryptographic material
US8555344B1 (en) Methods and systems for fallback modes of operation within wireless computer networks
ES2376143T3 (es) Marco de distribución de clave simétrica para internet.
US9596077B2 (en) Community of interest-based secured communications over IPsec
US20150288679A1 (en) Interposer with Security Assistant Key Escrow
EP2951948B1 (fr) Clés macsec fournies par contrôleur de réseau
US20130227669A1 (en) Method and system for traffic engineering in secured networks
US11425098B2 (en) Streamlined authentication and authorization for virtual private network tunnel establishment
CN108809907B (zh) 一种证书请求消息发送方法、接收方法和装置
US9516065B2 (en) Secure communication device and method
CN110830351B (zh) 基于SaaS服务模式的租户管理及服务提供方法、装置
US20140282999A1 (en) Secure access to applications behind firewall
US20150249639A1 (en) Method and devices for registering a client to a server
Gunleifsen et al. Dynamic setup of IPsec VPNs in service function chaining
NO338710B1 (no) Fremgangsmåte for å tilveiebringe en autentisering/autorisering av en ekstern klientterminal, et kommunikasjonsnettverk og en terminal for et kommunikasjonsnettverk
EP3288235B1 (fr) Système et appareil pour garantir le respect d'un accord de niveau de service (sla) dans un environnement cloud via l'utilisation de signature électronique
CN103780389A (zh) 基于端口认证的方法及网络设备
CN112385192B (zh) 用于创建安全连接的系统和方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18740171

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18740171

Country of ref document: EP

Kind code of ref document: A1