WO2020224341A1 - Method and apparatus for identifying tls encrypted traffic - Google Patents

Method and apparatus for identifying tls encrypted traffic Download PDF

Info

Publication number
WO2020224341A1
WO2020224341A1 PCT/CN2020/080236 CN2020080236W WO2020224341A1 WO 2020224341 A1 WO2020224341 A1 WO 2020224341A1 CN 2020080236 W CN2020080236 W CN 2020080236W WO 2020224341 A1 WO2020224341 A1 WO 2020224341A1
Authority
WO
WIPO (PCT)
Prior art keywords
app
server
dpi
information
tls
Prior art date
Application number
PCT/CN2020/080236
Other languages
French (fr)
Chinese (zh)
Inventor
宋科
李华光
刘西亮
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2020224341A1 publication Critical patent/WO2020224341A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer

Definitions

  • the present disclosure relates to the field of mobile communication, and in particular to a method and device for identifying TLS encrypted traffic.
  • TLS Transport Layer Security
  • MEC Mobile Edge Computing
  • edge computing provides 5G terminals with a reliable mobile wireless network with high bandwidth and low latency.
  • a possible typical operation mode is that when the network load is close to saturation, MEC equipment will provide services for different applications Different QoS guarantees, especially high-priority QoS guarantees for application services paid by SP (Service Provider) with cooperative relations. Therefore, it is particularly important to accurately identify the application service traffic based on TLS encryption of the cooperative SP through DPI technology.
  • this disclosure proposes a method for identifying traffic based on TLS encryption, including: DPI SERVER receives from registered websites App registration request information, and assign APP feature identification information to the target app, and send it back to the registration website; DPI SERVER exchanges the APP feature verification information of the APP with the APP SERVER based on the TLS connection with mutual verification, and both parties have the same APP after the exchange Characteristic identification information and APP characteristic verification information; DPI SERVER sends the APP characteristic identification information and APP characteristic verification information of the APP to the DPI network element based on the TLS connection of mutual verification; the DPI network element verifies the user according to the APP characteristic verification information The legality of the APP feature identification information in the TLS traffic, and the TLS traffic generated by the APP is identified according to the APP feature identification information.
  • the present disclosure also provides a TLS encrypted traffic characteristic information management device, including: an APP registration management module placed in DPI SERVER, which is used to receive APP registration request information from a registration website and allocate APP characteristic identification information to the target APP. And send it back to the registration website; the APP SERVER update management module placed in the DPI SERVER, which is based on the two-way verification TLS connection, exchanges the APP feature verification information of the APP with the APP SERVER, and both parties have the same APP feature identification information and APP Feature verification information:
  • the DPI feature update management module placed in the DPI SERVER sends the APP feature identification information and APP feature verification information of the APP to the DPI network element based on the TLS connection of mutual verification.
  • the present disclosure also provides a server, including: a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and the processor implements the TLS described in any one of the above claims when the processor executes the program Encrypted traffic identification method.
  • FIG. 1 is a flow chart of the TLS encrypted traffic identification method provided by the present disclosure
  • FIG. 2 is a structural diagram of a TLS encrypted traffic characteristic information management device provided by the present disclosure
  • FIG. 3 is a structural diagram of a server provided by the present disclosure.
  • FIG. 4 is a timing interaction diagram of the TLS encrypted traffic identification method provided by the present disclosure.
  • the DPI network elements described in the present disclosure may refer to DPI independent network element devices on the one hand, and may also refer to network element devices with built-in DPI functions such as PGW gateways, MEC servers, switches, routers, and firewalls.
  • This disclosure introduces DPI SERVER to allocate APP TOKEN and other information for APP.
  • APP service traffic carries information such as APP TOKEN through the custom TLS extension of the SERVER HELLO message, so that the DPI network element can accurately identify the TLS-encrypted APP service traffic of the cooperative SP, so that the DPI network element can be prevented by a series of measures proposed in this disclosure Traffic fraud: verify the integrity of related data through MAC (Message Authentication Code), prevent replay attacks through multi-interval counter check, verify APP identity through public key cryptographic signature, and check APP SERVER public network IP address Strengthen the accuracy of feature recognition.
  • MAC Message Authentication Code
  • an embodiment of the present disclosure provides a method for identifying TLS encrypted traffic.
  • DPI SERVER receives and processes the APP registration request message sent by the APP developer through the registration website.
  • DPI SERVER returns the corresponding APP registration response message to the registration website to provide APP registration information for APP developers.
  • the APP registration request message includes: APP name, SP name, APP SERVER name, APP SERVER certificate CN/SAN and other information used in the APP SERVER update phase.
  • the APP registration response message includes information such as a dedicated TLS extension type ID, APP TOKEN, and the date and time when the APP TOKEN is successfully allocated.
  • DPI SERVER uses "SP name + APP name" as a unique identifier, and assigns a globally unique APP TOKEN to the APP of the SP.
  • APP TOKEN can be a large integer of 128 bits (that is, 16 bytes).
  • DPI SERVER For the allocation of a dedicated TLS extension type ID, DPI SERVER first ensures that the selected extension type ID cannot be a well-known extension type ID that has been assigned by IANA (Internet Assigned Numbers Authority).
  • IANA Internet Assigned Numbers Authority
  • the official IANA (www.iana.org) document "Transport Layer Security (TLS) Extensions” records the latest well-known extension type ID, such as 0 for SERVER_NAME, 1 for MAX_FRAGMENT_LENGTH, 16 for APPLICATION_LAYER_PROTOCOL_NEGOTIATION (ALPN), 35 for SESSION_TICKET, 41 for PRE_SHARED_KEY (PSK), 43 is SUPPORTED_VERSIONS, wait for dozens, these well-known extension type IDs cannot be selected.
  • DPI SERVER can select the extended type ID from the current more than 65,000 "UNASSIGNED” numbers, or select the extended type ID from the current more than 200 "RESERVED FOR PRIVATE USE” numbers.
  • DPI SERVER may support that the APP registration request message includes one or more value ranges of the TLS extension type ID that needs to be excluded.
  • APP may add other custom extension type IDs unrelated to the present disclosure in TLS, so the dedicated TLS extension type ID allocated by DPI SERVER cannot conflict with other custom extension type IDs of APP.
  • the DPI SERVER after excluding the well-known TLS extension type ID of IANA and other extension type IDs specified by the APP, the DPI SERVER allocates a dedicated TLS extension type ID for DPI identification to the APP.
  • DPI SERVER can give different SPs (ie "SP names") after excluding the well-known IANA TLS extension type ID and excluding other extension type IDs specified by APP.
  • SPs ie "SP names”
  • the same or different dedicated TLS extension type IDs are allocated; alternatively, the same or different dedicated TLS extension type IDs can also be allocated to different APPs (ie, "SP name+APP name").
  • the APP developer deploys information such as the dedicated TLS extension type ID, APP TOKEN, and the date and time when the APP TOKEN is successfully allocated through the registration website to the APP SERVER.
  • the APP developer deploys the special TLS extension type ID and other information obtained through the registration website to the APP CLIENT.
  • a dedicated TLS extension type ID is deployed in the APP SERVER, so that the APP SERVER carries the extension type ID and the corresponding extended content when replying to the SERVER HELLO response to the CLIENT HELLO containing the extension type ID.
  • TLS 1.0 protocol For the TLS 1.0 protocol, TLS 1.1 protocol, and TLS 1.2 protocol, CLIENT HELLO is not encrypted, and SERVER HELLO is not encrypted.
  • the dedicated TLS extension introduced at this stage can be added to CLIENT HELLO and SERVER HELLO normally.
  • TLS 1.3 protocol For the TLS 1.3 protocol, CLIENT HELLO is not encrypted, and SERVER HELLO is not encrypted.
  • the dedicated TLS extension introduced at this stage can be normally added to CLIENT HELLO and SERVER HELLO.
  • the TLS1.3 protocol introduces the ENCRYPTED EXTENSIONS message to encrypt extensions that do not require clear text transmission, it is necessary to ensure that the dedicated TLS extension introduced at this stage should be added to the SERVER HELLO instead of ENCRYPTED EXTENSIONS when implementing this disclosure in.
  • the DPI SERVER receives the TLS connection establishment request initiated by the APP SERVER, and uses the mutual certificate verification mechanism to establish the TLS connection.
  • the DPI SERVER receives the APP SERVER update request message and processes the DPI identification and verification information periodically updated by the APP SERVER.
  • the DPI SERVER also sends the new DPI identification and verification information to the APP SERVER through the APP SERVER update response message.
  • the APP SERVER update request message includes: APP TOKEN, the date and time when the APP TOKEN is successfully allocated, the APP SERVER public network IP address (optional), and the APP SERVER public key information used for DPI identification.
  • the APP SERVER update response message contains information such as the legal range of the multi-interval counter, MAC key, and MAC algorithm.
  • the TLS connection between APP SERVER and DPI SERVER adopts a two-way certificate verification mechanism, which increases the difficulty and cost of traffic fraud.
  • APP SERVER sends its own certificate to DPI SERVER through an uplink CERTIFICATE message
  • DPI SERVER as a TLS server sends its own certificate to APP SERVER through a downlink CERTIFICATE message.
  • the respective certificates of APP SERVER and DPI SERVER must be issued by a third-party legal CA (Certificate Authority) to ensure that both parties can verify the legal identity of each other through each other's certificate.
  • DPI SERVER obtains the "APP SERVER certificate CN/SAN used in the APP SERVER update phase" through the first step of APP registration, and verifies the CN and SAN sent by the APP SERVER through the uplink CERTIFICATE to verify the legality of the APP SERVER Identity.
  • APP SERVER periodically sends APP SERVER update request message to DPI SERVER through the TLS connection with DPI SERVER, adding APP SERVER public network IP address (optional), APP SERVER public key used for DPI identification
  • the information is sent to the DPI SERVER; at the same time, the APP TOKEN and the date and time of the successful allocation of the APP TOKEN are carried in the message, so that the DPI SERVER can be associated with the relevant information of the APP formed in the first step of APP registration.
  • the APP SERVER update request message includes APP SERVER public key information used for DPI identification.
  • APP SERVER can periodically regenerate the public key and its paired private key, and send the newly generated public key to DPI SERVER through this message.
  • the public key is used in the subsequent DPI feature identification phase of the fourth step, and the DPI network element verifies the signature of the APP SERVER to the relevant part of the APP TOKEN extension.
  • these IP addresses can be described in the form of "include” and “exclude from inclusion” through multiple groups/pairs. For example, taking IPv4 as an example, it can be described as including X1.X2. IP addresses in the range from X3.X4 to Y1.Y2.Y3.Y4, and exclude IP addresses in the range from M1.M2.M3.M4 to N1.N2.N3.N4, and include or exclude the description
  • the content can be one or more address ranges.
  • the APP SERVER update response message includes the legal range of the multi-interval counter allocated by the DPI SERVER.
  • the value range of the multi-interval counter can be a positive integer (denoted as MAX64) starting from 1 to a maximum of 64 bits (8 bytes).
  • the legal range of the multi-interval counter can be one or more ranges from 1 to MAX64.
  • the APP SERVER update response message contains MAC key and MAC algorithm information.
  • the MAC algorithm can use the HMAC algorithm (RFC 2104), and the algorithm description format in this message can be "HMAC-MD5", "HMAC-SHA1", “HMAC-SHA224”, “HMAC-SHA256” , “HMAC-SHA384", "HMAC-SHA512", etc.
  • the DPI SERVER receives the TLS connection establishment request initiated by the DPI network element, and uses the mutual certificate verification mechanism to establish the TLS connection.
  • the DPI SERVER receives and processes the DPI feature update request initiated by the DPI network element, and provides the DPI network element with the latest DPI feature information of the APP through the corresponding DPI feature update response.
  • the DPI feature update response message includes: APP name, SP name, APP SERVER name, dedicated TLS extension type ID, APP TOKEN, date and time of successful APP TOKEN allocation, APP SERVER public network IP address (optional) , App SERVER public key used for DPI identification, legal range of multi-interval counter, MAC key, MAC algorithm and other information.
  • the TLS connection between the DPI network element and the DPI SERVER adopts a two-way certificate verification mechanism, which increases the difficulty and cost of traffic fraud.
  • the DPI network element sends its own certificate to the DPI SERVER through an uplink CERTIFICATE message
  • the DPI SERVER as a TLS server sends its own certificate to the DPI network element through a downlink CERTIFICATE message.
  • the DPI SERVER certificate must be issued by a third-party legal CA to ensure that the DPI network element can verify the legal identity of the DPI SERVER through the certificate.
  • the certificate of the DPI network element can be issued by the DPI SERVER as a private CA for the DPI network element, and is preset in the DPI network element as the legal identity certificate of the DPI network element.
  • the DPI network element periodically sends a DPI feature update request message to the DPI SERVER through a TLS connection with the DPI SERVER to obtain the latest identification feature information of each APP in the DPI SERVER.
  • the DPI SERVER sends the identification feature information of each APP whose relevant information has been updated after the last DPI network element request, to the DPI network element through a DPI feature update response message.
  • the DPI SERVER puts each APP TOKEN or "SP name + APP name" that has not been updated since the last DPI network element request into a message and sends it to the DPI network element.
  • one or more APP TOKEN or "SP name + APP name" may be specified or excluded.
  • the DPI feature update response message sent by the DPI SERVER only carries the latest identification feature information of the corresponding APP.
  • the DPI network element detects the specified extension type and content in the CLIENT HELLO and SERVER HELLO messages in the APP Internet traffic, matches the APP TOKEN and verifies the APP SERVER signature and MAC to confirm the authenticity of the APP traffic , So as to accurately identify APP business traffic.
  • the CLIENT HELLO message sent by the APP CLIENT in the APP service traffic includes: the previously allocated dedicated TLS extension type ID and the content is empty.
  • the SERVER HELLO message sent by the APP SERVER in the APP business traffic contains: the previously allocated special TLS extension type ID, the extension content includes the APP TOKEN, the date and time of the successful allocation of the APP TOKEN, and a multi-section within the legal range of the multi-section counter Counter value, signature of the extended content of the previous part, signature algorithm, MAC value of the extended content of the previous part, MAC algorithm and other information.
  • the CLIENT HELLO message sent by the APP CLIENT includes a custom TLS extension whose extension type ID is the special TLS extension type ID allocated during the first step of APP registration, and its extension content is empty.
  • the SERVER HELLO message sent by APP SERVER contains a custom TLS extension whose extension type ID is the special TLS extension type ID allocated during the first step of APP registration.
  • the extension content is as follows:
  • the extended content 1 APP TOKEN.
  • the APP TOKEN comes from the first stage of APP registration.
  • the extended content 2 the date and time when the APP TOKEN is successfully allocated.
  • the date and time information comes from the first step of APP registration.
  • the extended content 3 a multi-interval counter value within the legal range of the multi-interval counter.
  • the legal range of the multi-interval counter comes from the second step of APP SERVER update phase.
  • the APP SERVER is within the legal range of the multi-interval counter, and the value is from small to large.
  • extended content 4 a signature for the entire extended content 1 to extended content 3.
  • APP SERVERr uses the signature algorithm of the extended content 5 to sign the entire extended content 1 to the extended content 3.
  • the content is first hashed to obtain a fixed-length hash result, and then the hash result is used for the APP SERVER public key generated in the second step of the APP SERVER update phase for DPI identification.
  • the private key is encrypted, and the result of the encryption is the signature.
  • extended content 5 signature algorithm.
  • the signature algorithm is determined by APP SERVER, including hash algorithm and public key encryption algorithm.
  • APP SERVER including hash algorithm and public key encryption algorithm.
  • MD5-RSA SHA1-RSA
  • SHA224-RSA SHA256-RSA
  • One of "SHA384-RSA SHA512-RSA
  • extended content 6 the MAC value of the entire extended content 1 to extended content 5.
  • APP SERVER adopts the MAC algorithm of extended content 7, and uses the MAC key obtained from DPI SERVER in the second step of APP SERVER update stage to generate a MAC value for the entire extended content 1 to 5.
  • extended content 7 MAC algorithm.
  • the MAC algorithm is determined by the APP SERVER, and one of the multiple MAC algorithms allocated by the DPI SERVER in the second step of the APP SERVER update phase is selected for use.
  • the DPI network element detects whether the CLIENT HELLO message in the TLS traffic contains the relevant dedicated TLS extension type ID. If it does, it needs to continue the SERVER HELLO for the TLS-TCP (Transmission Control Protocol) flow The message is further checked; if it is not included, there is no need to continue to check the SERVER HELLO message of the TLS-TCP stream.
  • TLS-TCP Transmission Control Protocol
  • the DPI network element detects whether the SERVER HELLO message in the TLS traffic contains the relevant dedicated TLS extension type ID, and if it does, it will continue to check and verify the extension content; if it does not, it does not need to continue to do so. The extended content is further tested and verified.
  • the method for detecting and verifying the extended content by the DPI network element is as follows:
  • the DPI network element extracts extended content 1 as the APP TOKEN. If the subsequent verification is passed, the APP TOKEN is identified as the corresponding APP, that is, the current TLS traffic is accurately identified as the corresponding APP service.
  • the DPI network element extracts the extended content 2 as the date and time for successfully assigning the APP TOKEN. On the one hand, it can be used to verify the uniqueness of the APP TOKEN, and on the other hand, it can be used to describe the APP TOKEN version information.
  • the DPI network element extracts the extended content 3 as the multi-interval counter value.
  • the DPI network element detects whether the multi-interval counter value is within the legal range of the multi-interval counter. If it is within the legal range, check the multiple intervals of SERVER HELLO messages for different TLS flows of the same APP CLIENT user (distinguated by the user side IP address) under the same APP SERVER (distinguished by the network side IP address + network side PORT) Whether the counter value is incremented or reaches the maximum value and rewinds, if it is incremented or reaches the maximum rewind, the multi-interval counter value is deemed to pass the check, otherwise it is deemed to fail the check. If it is not within the legal scope, it is also deemed to have failed the inspection.
  • the legal value check of the multi-range counter is used to prevent traffic fraud based on replay attacks.
  • the DPI network element extracts the extended content 4 as the APP SERVER's signature for the entire extended content 1 to the extended content 3; the DPI network element uses the extended content 1 to the extended content 3 as a whole, using the extracted content from the extended content 5.
  • the signature algorithm extracted from the extended content 5 includes a hash algorithm and a public key encryption algorithm.
  • the hash algorithm is used to hash the entire extended content 1 to 3 to obtain the hash result;
  • the key encryption algorithm uses the APP SERVER public key for DPI identification obtained in the third step of the DPI feature update stage to decrypt the extended content 4 to obtain the decryption result; if the hash result is consistent with the decryption result, it is considered passed Signature verification; otherwise, it is considered that the signature verification has not passed.
  • the extended signature verification is used to verify the legitimacy of the APP SERVER's identity to reduce or prevent traffic fraud.
  • the DPI network element extracts the extended content 5 as a signature algorithm for verifying the extended content 4.
  • the DPI network element extracts the extended content 6 as the MAC value of the APP SERVER for the entire extended content 1 to the extended content 5; the DPI network element uses the extended content 1 to the extended content 5 as a whole to extract from the extended content 7 to
  • the MAC algorithm and the MAC key obtained from the DPI feature update phase in the third step are calculated to generate the MAC value; if the generated MAC value is consistent with the extracted MAC value, the MAC check is considered passed, otherwise the MAC check is not considered by.
  • the extended MAC check is used to ensure the integrity of the extended content and reduce the possibility of traffic fraud.
  • the DPI network element extracts the extended content 7 as a MAC algorithm for verifying the extended content 6.
  • the DPI network element can identify the APP TOKEN that has passed the multi-interval counter check, signature verification, and MAC verification as the corresponding APP, that is, accurately identify the current TLS traffic as the corresponding APP service.
  • the DPI network element in the case of accurately identifying APP services described above, if the DPI network element obtains the APP SERVER public network IP address from the DPI feature update stage in the third step, it can check the network side of the current TLS-TCP flow Whether the IP address is within the range of the APP SERVER public network IP address, if it is, the accuracy of the identification result can be enhanced.
  • an embodiment of the present disclosure also provides a TLS encrypted traffic characteristic information management device, including: an APP registration management module 201 set in the DPI SERVER 200.
  • the APP registration management module receives APP registration request information from the registration website, assigns APP characteristic identification information to the target APP, and sends it back to the registration website.
  • the APP SERVER installed in the DPI SERVER 200 updates the management module 202.
  • the APP SERVER update management module exchanges the APP feature verification information of the APP with the APP SERVER based on a two-way verification TLS connection. After the exchange, both parties have the same APP feature identification information and APP feature verification information.
  • the DPI feature update management module 203 set in the DPI SERVER 200.
  • the DPI feature update management module sends the APP feature identification information and APP feature verification information of the APP to the DPI network element based on the TLS connection of mutual verification.
  • an embodiment of the present disclosure also provides a server 300, which includes a memory 301, a processor 302, a bus interface 303, a user interface 304, and an output interface 305.
  • the processor 302 executes the TLS encrypted traffic identification method.
  • the present disclosure can realize the precise and detailed DPI identification for anti-fraud of the application service TLS encrypted traffic of the telecommunications operator's cooperative SP, thereby reducing or preventing the occurrence of traffic fraud.
  • Such software may be distributed on a computer-readable medium
  • the computer-readable medium may include a computer storage medium (or non-transitory medium) and a communication medium (or transitory medium).
  • the term computer storage medium includes volatile and non-volatile memory implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
  • Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassette, tape, magnetic disk storage or other magnetic storage device, or Any other medium used to store desired information and that can be accessed by a computer.
  • communication media usually contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as carrier waves or other transmission mechanisms, and may include any information delivery media .

Abstract

Provided is a method for identifying TLS encrypted traffic. The method comprises: a DPI SERVER receiving application registration request information from a registration website, assigning application feature identification information to a target application, and sending same back to the registration website; the DPI SERVER exchanging application feature verification information of the application with an APP SERVER on the basis of a bidirectional verification TLS connection, wherein both parties have the same application feature identification information and application feature verification information after the exchange; the DPI SERVER sending the application feature identification information and the application feature verification information of the application to a DPI network element on the basis of the bidirectional verification TLS connection; and the DPI network element verifying, according to the application feature verification information, the legitimacy of the application feature identification information in the TLS traffic of a user, and identifying, according to the application feature identification information, the TLS traffic generated by the application.

Description

一种TLS加密流量识别方法及装置Method and device for identifying TLS encrypted flow
本公开要求享有2019年05月09日提交的名称为“一种TLS加密流量识别方法及装置”的中国专利申请CN201910396042.4的优先权,其全部内容通过引用并入本文中。This disclosure claims the priority of the Chinese patent application CN201910396042.4 entitled "A method and device for identifying TLS encrypted traffic" filed on May 9, 2019, the entire content of which is incorporated herein by reference.
技术领域Technical field
本公开涉及移动通信领域,尤其涉及一种TLS加密流量识别方法及装置。The present disclosure relates to the field of mobile communication, and in particular to a method and device for identifying TLS encrypted traffic.
背景技术Background technique
随着移动宽带和智能终端的不断发展,以及用户信息安全隐私保护的加强,越来越多的iOS及ANDROID应用程序的网络连接采用基于TLS(Transport Layer Security,传输层安全)承载,致使TLS加密流量占比越来越大。电信运营商对用户TLS加密流量进行精确识别的需求场景也越来越多。在电信运营商移动网络中,不管是在P-GW(Packet Data Network Gateway)网元、MEC(Mobile Edge Computing,移动边缘计算)服务器,或者其它相关交换机、路由器、防火墙、流量分析器等设备中,都可能会需要基于DPI(Deep Packet Inspection,深度报文检测)技术对TLS加密流量进行精确识别。With the continuous development of mobile broadband and smart terminals, as well as the strengthening of user information security and privacy protection, more and more network connections of iOS and Android applications are carried based on TLS (Transport Layer Security), resulting in TLS encryption The proportion of traffic is increasing. There are more and more demand scenarios for telecom operators to accurately identify users' TLS encrypted traffic. In the mobile network of telecom operators, whether in P-GW (Packet Data Network Gateway) network elements, MEC (Mobile Edge Computing) servers, or other related switches, routers, firewalls, traffic analyzers and other equipment , It may be necessary to accurately identify TLS encrypted traffic based on DPI (Deep Packet Inspection, deep packet inspection) technology.
以5G MEC为例,边缘计算为5G终端提供了高带宽、低时延的可靠的移动无线网络,一种可能的典型运营模式是,当网络负荷接近饱和时,MEC设备将为不同应用业务提供不同的QoS保障,尤其是对有合作关系的SP(Service Provider,业务供应商)付费的应用业务提供高优先级QoS保障。所以,通过DPI技术准确识别出合作SP的基于TLS加密的应用业务流量尤为重要。Taking 5G MEC as an example, edge computing provides 5G terminals with a reliable mobile wireless network with high bandwidth and low latency. A possible typical operation mode is that when the network load is close to saturation, MEC equipment will provide services for different applications Different QoS guarantees, especially high-priority QoS guarantees for application services paid by SP (Service Provider) with cooperative relations. Therefore, it is particularly important to accurately identify the application service traffic based on TLS encryption of the cooperative SP through DPI technology.
然而,常规DPI技术,通常根据TLS CLIENT HELLO消息中SNI(Server Name Indication,服务器名称指示)或TLS Certificate消息中服务器证书CN(Common Name)及SAN(Subject Alternative Name,主题备用名称)或DNS(Domain Name System,域名系统)请求/响应消息中服务器DNS域名,对合作SP的应用业务TLS加密流量进行识别。这类识别方法通常存在缺陷,比如:有些VPN(Virtual Private Network,虚拟专用网)软件利用这类SNI、CN、SAN、DNS等特征,将其VPN流量伪装成电信运营商的合作SP的应用业务流量,从而达到获取高优先级QoS或者逃避计费等目的。However, conventional DPI technology usually follows the SNI (Server Name Indication) in the TLS CLIENT HELLO message or the server certificate CN (Common Name) and SAN (Subject Alternative Name) or DNS (Domain Name) in the TLS Certificate message. Name System) The DNS domain name of the server in the request/response message identifies the TLS encrypted traffic of the application service of the cooperative SP. This type of identification method usually has defects. For example, some VPN (Virtual Private Network) software uses such features as SNI, CN, SAN, DNS, etc., to disguise its VPN traffic as the application service of the cooperative SP of a telecom operator Traffic, so as to achieve the purpose of obtaining high priority QoS or avoiding billing.
目前,一种常见的解决方法是,电信运营商提前获取合作SP的服务器公网IP地址,针对这些指定IP地址的TLS加密流量进行DPI识别。但是,这种方法过于粗放,无法精确识别合作SP的细化业务。At present, a common solution is that telecom operators obtain the public network IP address of the server of the cooperative SP in advance, and perform DPI identification for the TLS encrypted traffic of these designated IP addresses. However, this method is too extensive to accurately identify the refined business of the cooperative SP.
目前,另一种常见解决方法是,电信运营商通过合作SP的服务器公网IP地址和一个或多个SNI/CN/SAN/DNS的组合信息对TLS加密流量进行DPI识别。这种方法可以一定程度细化合作SP的应用业务,但是细化程度通常不够理想。而且,IETF(Internet Engineering Task Force,互联网工程任务组)在TLS 1.3(RFC 8446)协议中已经对Certificate消息进行加密,导致CN/SAN特征失效;以及在DoT(RFC 7858)和DoH(RFC8484)协议中已经对DNS消息加密,导致DNS特征失效;以及加密SNI的草案已拟定发布讨论,将导致未来SNI特征也会失效。At present, another common solution is that telecom operators perform DPI identification on TLS encrypted traffic through the public network IP address of the cooperative SP server and one or more SNI/CN/SAN/DNS combination information. This method can refine the application business of the cooperative SP to a certain extent, but the degree of refinement is usually not ideal. Moreover, the IETF (Internet Engineering Task Force) has encrypted the Certificate message in the TLS 1.3 (RFC 8446) protocol, causing the CN/SAN feature to become invalid; and in the DoT (RFC 7858) and DoH (RFC8484) protocols DNS messages have been encrypted in China, resulting in the invalidation of DNS features; and the draft of encrypted SNI has been drafted and released for discussion, which will cause future SNI features to become invalid.
目前需要一种针对电信运营商合作SP的应用业务TLS加密流量的防欺诈的精确细化的可行的DPI识别方法。通过使用本公开的方法,可实现针对电信运营商合作SP的应用业务TLS加密流量的防欺诈的精确细化的DPI识别,减少或防止流量欺诈现象的发生。At present, there is a need for a precise and detailed and feasible DPI identification method for anti-fraud of the application service TLS encrypted traffic of the telecom operator's cooperative SP. By using the method of the present disclosure, precise and detailed DPI identification for anti-fraud of the application service TLS encrypted traffic of the application service of the telecom operator's cooperative SP can be realized, and the occurrence of traffic fraud can be reduced or prevented.
发明内容Summary of the invention
以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics detailed in this article. This summary is not intended to limit the scope of protection of the claims.
为了使电信运营商精细化识别其合作SP基于TLS加密的应用业务流量,且减少或防止流量欺诈现象的发生,本公开提出一种基于TLS加密流量识别的方法,包括:DPI SERVER接收来自注册网站的APP注册请求信息,并为目标APP分配APP特征标识信息,且发送回注册网站;DPI SERVER基于双向验证的TLS连接,与APP SERVER交换该APP的APP特征验证信息,交换后双方具有相同的APP特征标识信息以及APP特征验证信息;DPI SERVER基于双向验证的TLS连接,将该APP的APP特征标识信息以及APP特征验证信息,发送给DPI网元;DPI网元根据所述APP特征验证信息验证用户TLS流量中所述APP特征标识信息的合法性,并根据所述APP特征标识信息识别由该APP产生的TLS流量。In order to allow telecom operators to finely identify the application service traffic of their cooperative SP based on TLS encryption, and to reduce or prevent the occurrence of traffic fraud, this disclosure proposes a method for identifying traffic based on TLS encryption, including: DPI SERVER receives from registered websites App registration request information, and assign APP feature identification information to the target app, and send it back to the registration website; DPI SERVER exchanges the APP feature verification information of the APP with the APP SERVER based on the TLS connection with mutual verification, and both parties have the same APP after the exchange Characteristic identification information and APP characteristic verification information; DPI SERVER sends the APP characteristic identification information and APP characteristic verification information of the APP to the DPI network element based on the TLS connection of mutual verification; the DPI network element verifies the user according to the APP characteristic verification information The legality of the APP feature identification information in the TLS traffic, and the TLS traffic generated by the APP is identified according to the APP feature identification information.
本公开还提供一种TLS加密流量特征信息管理装置,包括:置于DPI SERVER中的APP注册管理模块,其用于接收来自注册网站的APP注册请求信息,并为目标APP分配APP特征标识信息,且发送回注册网站;置于DPI SERVER中的APP SERVER更新管理 模块,其基于双向验证的TLS连接,与APP SERVER交换该APP的APP特征验证信息,交换后双方具有相同的APP特征标识信息以及APP特征验证信息;置于DPI SERVER中的DPI特征更新管理模块,其基于双向验证的TLS连接,将该APP的APP特征标识信息以及APP特征验证信息,发送给DPI网元。The present disclosure also provides a TLS encrypted traffic characteristic information management device, including: an APP registration management module placed in DPI SERVER, which is used to receive APP registration request information from a registration website and allocate APP characteristic identification information to the target APP. And send it back to the registration website; the APP SERVER update management module placed in the DPI SERVER, which is based on the two-way verification TLS connection, exchanges the APP feature verification information of the APP with the APP SERVER, and both parties have the same APP feature identification information and APP Feature verification information: The DPI feature update management module placed in the DPI SERVER sends the APP feature identification information and APP feature verification information of the APP to the DPI network element based on the TLS connection of mutual verification.
本公开还提供一种服务器,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现如权利要求上述任意一项所述TLS加密流量识别的方法。The present disclosure also provides a server, including: a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and the processor implements the TLS described in any one of the above claims when the processor executes the program Encrypted traffic identification method.
附图说明Description of the drawings
图1是本公开提供的TLS加密流量识别方法的流程图;Figure 1 is a flow chart of the TLS encrypted traffic identification method provided by the present disclosure;
图2是本公开提供的TLS加密流量特征信息管理装置结构图;Figure 2 is a structural diagram of a TLS encrypted traffic characteristic information management device provided by the present disclosure;
图3是本公开提供的一种服务器的结构图;Figure 3 is a structural diagram of a server provided by the present disclosure;
图4是本公开提供的TLS加密流量识别方法的时序交互图。Figure 4 is a timing interaction diagram of the TLS encrypted traffic identification method provided by the present disclosure.
具体实施方式Detailed ways
下文中将结合附图对本公开的实施例进行详细说明。Hereinafter, the embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.
在附图的流程图示出的步骤可以在诸如一组计算机可执行指令的计算机系统中执行。并且,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。The steps shown in the flowchart of the drawings may be executed in a computer system such as a set of computer-executable instructions. And, although a logical sequence is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than here.
本公开所述的DPI网元,一方面可以指DPI独立网元设备,另一方面也可以指PGW网关、MEC服务器、交换机、路由器、防火墙等内置DPI功能的网元设备。The DPI network elements described in the present disclosure may refer to DPI independent network element devices on the one hand, and may also refer to network element devices with built-in DPI functions such as PGW gateways, MEC servers, switches, routers, and firewalls.
本公开引入DPI SERVER,为APP分配APP TOKEN等信息。APP业务流量通过SERVER HELLO消息的自定义TLS扩展携带APP TOKEN等信息,以供DPI网元准确识别合作SP的基于TLS加密的APP业务流量,使得DPI网元可以通过本公开提出的一系列手段防范流量欺诈情况:通过MAC(Message Authentication Code,消息鉴权码)验证相关数据的完整性,通过多区间计数器检查防止重放攻击,通过公钥密码签名验证APP身份,通过APP SERVER公网IP地址检查加强特征识别的准确性。This disclosure introduces DPI SERVER to allocate APP TOKEN and other information for APP. APP service traffic carries information such as APP TOKEN through the custom TLS extension of the SERVER HELLO message, so that the DPI network element can accurately identify the TLS-encrypted APP service traffic of the cooperative SP, so that the DPI network element can be prevented by a series of measures proposed in this disclosure Traffic fraud: verify the integrity of related data through MAC (Message Authentication Code), prevent replay attacks through multi-interval counter check, verify APP identity through public key cryptographic signature, and check APP SERVER public network IP address Strengthen the accuracy of feature recognition.
如图1所示,本公开实施例提供一种TLS加密流量识别方法。As shown in FIG. 1, an embodiment of the present disclosure provides a method for identifying TLS encrypted traffic.
S101,APP注册阶段。如图1所示第一步,DPI SERVER接收到APP开发者通过注册网站发来的APP注册请求消息并处理。DPI SERVER通过相应的APP注册响应消息返回给注册网站为APP开发者提供APP注册信息。S101, APP registration stage. As shown in the first step in Figure 1, DPI SERVER receives and processes the APP registration request message sent by the APP developer through the registration website. DPI SERVER returns the corresponding APP registration response message to the registration website to provide APP registration information for APP developers.
在一实施方式中,APP注册请求消息中包含:APP名称、SP名称、APP SERVER名称、用于APP SERVER更新阶段的APP SERVER证书CN/SAN等信息。在一实施方式中,APP注册响应消息中包括:专用TLS扩展类型ID、APP TOKEN、成功分配APP TOKEN的日期时间等信息。In one embodiment, the APP registration request message includes: APP name, SP name, APP SERVER name, APP SERVER certificate CN/SAN and other information used in the APP SERVER update phase. In one embodiment, the APP registration response message includes information such as a dedicated TLS extension type ID, APP TOKEN, and the date and time when the APP TOKEN is successfully allocated.
例如,DPI SERVER以“SP名称+APP名称”为唯一标识,为该SP的该APP分配全局唯一的APP TOKEN。APP TOKEN可以为128位(即16字节)大整数。For example, DPI SERVER uses "SP name + APP name" as a unique identifier, and assigns a globally unique APP TOKEN to the APP of the SP. APP TOKEN can be a large integer of 128 bits (that is, 16 bytes).
对于专用TLS扩展类型ID的分配,DPI SERVER首先确保所选的扩展类型ID不能是IANA(Internet Assigned Numbers Authority,互联网编号管理局)已分配的知名扩展类型ID。IANA(www.iana.org)正式文件《Transport Layer Security(TLS)Extensions》记录着最新的知名扩展类型ID,如0为SERVER_NAME,1为MAX_FRAGMENT_LENGTH,16为APPLICATION_LAYER_PROTOCOL_NEGOTIATION(ALPN),35为SESSION_TICKET,41为PRE_SHARED_KEY(PSK),43为SUPPORTED_VERSIONS,等数十个,这些知名扩展类型ID不能被选取。DPI SERVER可以从目前65000多个“UNASSIGNED”数字中选取扩展类型ID,或者从目前200多个“RESERVED FOR PRIVATE USE”数字中选取扩展类型ID。For the allocation of a dedicated TLS extension type ID, DPI SERVER first ensures that the selected extension type ID cannot be a well-known extension type ID that has been assigned by IANA (Internet Assigned Numbers Authority). The official IANA (www.iana.org) document "Transport Layer Security (TLS) Extensions" records the latest well-known extension type ID, such as 0 for SERVER_NAME, 1 for MAX_FRAGMENT_LENGTH, 16 for APPLICATION_LAYER_PROTOCOL_NEGOTIATION (ALPN), 35 for SESSION_TICKET, 41 for PRE_SHARED_KEY (PSK), 43 is SUPPORTED_VERSIONS, wait for dozens, these well-known extension type IDs cannot be selected. DPI SERVER can select the extended type ID from the current more than 65,000 "UNASSIGNED" numbers, or select the extended type ID from the current more than 200 "RESERVED FOR PRIVATE USE" numbers.
在一实施方式中,DPI SERVER可以支持,APP注册请求消息中包含需要排除的TLS扩展类型ID的一个或多个取值范围。APP可能会在TLS中加入其它与本公开无关的自定义扩展类型ID,所以DPI SERVER分配的专用TLS扩展类型ID不能与APP的其它自定义扩展类型ID相冲突。在一实施方式中,DPI SERVER在排除IANA知名TLS扩展类型ID,并排除APP指定的其它扩展类型ID之后,再为该APP分配用于DPI识别的专用TLS扩展类型ID。In one embodiment, DPI SERVER may support that the APP registration request message includes one or more value ranges of the TLS extension type ID that needs to be excluded. APP may add other custom extension type IDs unrelated to the present disclosure in TLS, so the dedicated TLS extension type ID allocated by DPI SERVER cannot conflict with other custom extension type IDs of APP. In one embodiment, after excluding the well-known TLS extension type ID of IANA and other extension type IDs specified by the APP, the DPI SERVER allocates a dedicated TLS extension type ID for DPI identification to the APP.
在一实施方式中,为了给流量欺诈行为增加难度和成本,DPI SERVER在排除IANA知名TLS扩展类型ID后,并且排除APP指定的其它扩展类型ID后,可以给不同SP(即“SP名称”)分配相同或不同的专用TLS扩展类型ID;或者,也可以给不同APP(即“SP名称+APP名称”)分配相同或不同的专用TLS扩展类型ID。In one embodiment, in order to increase the difficulty and cost of traffic fraud, DPI SERVER can give different SPs (ie "SP names") after excluding the well-known IANA TLS extension type ID and excluding other extension type IDs specified by APP. The same or different dedicated TLS extension type IDs are allocated; alternatively, the same or different dedicated TLS extension type IDs can also be allocated to different APPs (ie, "SP name+APP name").
在一实施方式中,APP开发者将通过注册网站获得的专用TLS扩展类型ID、APP  TOKEN、成功分配APP TOKEN的日期时间等信息部署到APP SERVER。APP开发者将通过注册网站获得的专用TLS扩展类型ID等信息部署到APP CLIENT。In one embodiment, the APP developer deploys information such as the dedicated TLS extension type ID, APP TOKEN, and the date and time when the APP TOKEN is successfully allocated through the registration website to the APP SERVER. The APP developer deploys the special TLS extension type ID and other information obtained through the registration website to the APP CLIENT.
在APP CLIENT中部署专用TLS扩展类型ID,使得APP CLIENT产生TLS流量的CLIENT HELLO消息时,携带专用TLS扩展类型ID。Deploy a dedicated TLS extension type ID in the APP CLIENT, so that the APP CLIENT generates a CLIENT HELLO message for TLS traffic to carry the dedicated TLS extension type ID.
在APP SERVER中部署专用TLS扩展类型ID,使得APP SERVER在对含有该扩展类型ID的CLIENT HELLO回复SERVER HELLO响应时,携带该扩展类型ID,以及相应的扩展内容。A dedicated TLS extension type ID is deployed in the APP SERVER, so that the APP SERVER carries the extension type ID and the corresponding extended content when replying to the SERVER HELLO response to the CLIENT HELLO containing the extension type ID.
对于TLS 1.0协议、TLS 1.1协议、TLS 1.2协议,CLIENT HELLO不加密、SERVER HELLO不加密,本阶段引入的专用TLS扩展可以正常加入CLIENT HELLO、SERVER HELLO中。For the TLS 1.0 protocol, TLS 1.1 protocol, and TLS 1.2 protocol, CLIENT HELLO is not encrypted, and SERVER HELLO is not encrypted. The dedicated TLS extension introduced at this stage can be added to CLIENT HELLO and SERVER HELLO normally.
对于TLS 1.3协议,CLIENT HELLO不加密、SERVER HELLO不加密,本阶段引入的专用TLS扩展可以正常加入CLIENT HELLO、SERVER HELLO中。但是,因为TLS1.3协议引入了ENCRYPTED EXTENSIONS消息用于加密不需要明文传输的扩展,所以在本公开实施时需要确保本阶段引入的专用TLS扩展应加入到SERVER HELLO中,而不是加入到ENCRYPTED EXTENSIONS中。在一实施方式中,以OpenSSL-1.1.1库为例,通过OPEN SSL API函数SSL_CTX_add_custom_ext()设置自定义扩展时,通过将该函数的相关参数设置为包含“SSL_EXT_TLS1_3_SERVER_HELLO”而不是包含“SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS”,从而使得本阶段引入的专用TLS扩展可以正常加入SERVER HELLO中。For the TLS 1.3 protocol, CLIENT HELLO is not encrypted, and SERVER HELLO is not encrypted. The dedicated TLS extension introduced at this stage can be normally added to CLIENT HELLO and SERVER HELLO. However, because the TLS1.3 protocol introduces the ENCRYPTED EXTENSIONS message to encrypt extensions that do not require clear text transmission, it is necessary to ensure that the dedicated TLS extension introduced at this stage should be added to the SERVER HELLO instead of ENCRYPTED EXTENSIONS when implementing this disclosure in. In one embodiment, taking the OpenSSL-1.1.1 library as an example, when setting a custom extension through the OPENSSL API function SSL_CTX_add_custom_ext(), by setting the relevant parameters of the function to include "SSL_EXT_TLS1_3_SERVER_HELLO" instead of "SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS" So that the dedicated TLS extension introduced at this stage can be added to SERVER HELLO normally.
S102,APP SERVER更新阶段。如图1所示第二步,DPI SERVER接收APP SERVER发起的TLS连接建立请求,并采用双向证书验证机制建立TLS连接。DPI SERVER接收APP SERVER更新请求消息,并处理APP SERVER周期性更新的DPI识别及验证信息,同时DPI SERVER也通过APP SERVER更新响应消息,将新的DPI识别及验证信息发送给APP SERVER。S102, APP SERVER update stage. As shown in the second step in Figure 1, the DPI SERVER receives the TLS connection establishment request initiated by the APP SERVER, and uses the mutual certificate verification mechanism to establish the TLS connection. The DPI SERVER receives the APP SERVER update request message and processes the DPI identification and verification information periodically updated by the APP SERVER. At the same time, the DPI SERVER also sends the new DPI identification and verification information to the APP SERVER through the APP SERVER update response message.
在一实施方式中,APP SERVER更新请求消息包含:APP TOKEN、成功分配APP TOKEN的日期时间、APP SERVER公网IP地址(可选)、用于DPI识别的APP SERVER公钥信息。APP SERVER更新响应消息包含:多区间计数器合法范围、MAC密钥、MAC算法等信息。In one embodiment, the APP SERVER update request message includes: APP TOKEN, the date and time when the APP TOKEN is successfully allocated, the APP SERVER public network IP address (optional), and the APP SERVER public key information used for DPI identification. The APP SERVER update response message contains information such as the legal range of the multi-interval counter, MAC key, and MAC algorithm.
在一实施方式中,APP SERVER与DPI SERVER之间的TLS连接采用双向证书验证 机制,给流量欺诈行为增加难度和成本。APP SERVER作为TLS客户端将自己的证书通过上行CERTIFICATE消息发送给DPI SERVER,DPI SERVER作为TLS服务端将自己的证书通过下行CERTIFICATE消息发送给APP SERVER。APP SERVER和DPI SERVER各自的证书,均须由第三方合法CA(Certificate Authority,证书颁发机构)签发,以保证双方能通过对方的证书验证对方的合法身份。其中,DPI SERVER通过第一步APP注册阶段获得的“用于APP SERVER更新阶段的APP SERVER证书CN/SAN”,对APP SERVER通过上行CERTIFICATE发送的CN及SAN进行校验,以验证APP SERVER的合法身份。In one embodiment, the TLS connection between APP SERVER and DPI SERVER adopts a two-way certificate verification mechanism, which increases the difficulty and cost of traffic fraud. As a TLS client, APP SERVER sends its own certificate to DPI SERVER through an uplink CERTIFICATE message, and DPI SERVER as a TLS server sends its own certificate to APP SERVER through a downlink CERTIFICATE message. The respective certificates of APP SERVER and DPI SERVER must be issued by a third-party legal CA (Certificate Authority) to ensure that both parties can verify the legal identity of each other through each other's certificate. Among them, DPI SERVER obtains the "APP SERVER certificate CN/SAN used in the APP SERVER update phase" through the first step of APP registration, and verifies the CN and SAN sent by the APP SERVER through the uplink CERTIFICATE to verify the legality of the APP SERVER Identity.
在一实施方式中,APP SERVER通过与DPI SERVER的TLS连接,周期性地发送APP SERVER更新请求消息给DPI SERVER,将APP SERVER公网IP地址(可选)、用于DPI识别的APP SERVER公钥信息发送给DPI SERVER;同时,在该消息中携带APP TOKEN、成功分配APP TOKEN的日期时间,以便于DPI SERVER关联到第一步APP注册阶段所形成的该APP的相关信息。In one embodiment, APP SERVER periodically sends APP SERVER update request message to DPI SERVER through the TLS connection with DPI SERVER, adding APP SERVER public network IP address (optional), APP SERVER public key used for DPI identification The information is sent to the DPI SERVER; at the same time, the APP TOKEN and the date and time of the successful allocation of the APP TOKEN are carried in the message, so that the DPI SERVER can be associated with the relevant information of the APP formed in the first step of APP registration.
例如,在APP SERVER更新请求消息中,包含用于DPI识别的APP SERVER公钥信息。在一实施方式中,APP SERVER可以周期性地重新生成该公钥及其配对的私钥,并将最新生成的公钥通过此消息发送给DPI SERVER。该公钥用于后续第四步DPI特征识别阶段中,DPI网元验证APP SERVER对APP TOKEN扩展内容相关部分的签名。For example, the APP SERVER update request message includes APP SERVER public key information used for DPI identification. In one embodiment, APP SERVER can periodically regenerate the public key and its paired private key, and send the newly generated public key to DPI SERVER through this message. The public key is used in the subsequent DPI feature identification phase of the fourth step, and the DPI network element verifies the signature of the APP SERVER to the relevant part of the APP TOKEN extension.
在一实施方式中,在APP SERVER更新请求消息中,APP SERVER如果能获取其对APP CLIENT所提供服务的APP SERVER公网IP地址,则应将这些IP地址上报给DPI SERVER,以便后续第四步DPI特征识别阶段中,DPI网元加强特征识别精确性。在一实施方式中,对于这些IP地址,可以通过多组/多对以“包含”和“对包含进行排除”的方式来描述,比如,以IPv4为例可描述为,包含从X1.X2.X3.X4到Y1.Y2.Y3.Y4范围内的IP地址,并排除该范围内从M1.M2.M3.M4到N1.N2.N3.N4范围内的IP地址,而且包含或排除所描述的内容可以是一个或多个地址范围。In one embodiment, in the APP SERVER update request message, if the APP SERVER can obtain the APP SERVER public network IP address for the service provided by the APP CLIENT, it should report these IP addresses to the DPI SERVER for the subsequent fourth step In the DPI feature recognition stage, DPI network elements strengthen the accuracy of feature recognition. In one embodiment, these IP addresses can be described in the form of "include" and "exclude from inclusion" through multiple groups/pairs. For example, taking IPv4 as an example, it can be described as including X1.X2. IP addresses in the range from X3.X4 to Y1.Y2.Y3.Y4, and exclude IP addresses in the range from M1.M2.M3.M4 to N1.N2.N3.N4, and include or exclude the description The content can be one or more address ranges.
在一实施方式中,在APP SERVER更新响应消息中,包含DPI SERVER分配的多区间计数器合法范围。在一实施方式中,多区间计数器取值范围可以是从1开始到最大值64位(8字节)的正整数(记为MAX64)。多区间计数器合法范围可以是从1到MAX64之间的一个或多个范围段。In one embodiment, the APP SERVER update response message includes the legal range of the multi-interval counter allocated by the DPI SERVER. In an embodiment, the value range of the multi-interval counter can be a positive integer (denoted as MAX64) starting from 1 to a maximum of 64 bits (8 bytes). The legal range of the multi-interval counter can be one or more ranges from 1 to MAX64.
例如,在APP SERVER更新响应消息中,包含MAC密钥和MAC算法信息。在一实施方式中,MAC算法可以采用HMAC算法(RFC 2104),在本消息中的算法描述格式 可以为“HMAC-MD5”、“HMAC-SHA1”、“HMAC-SHA224”、“HMAC-SHA256”、“HMAC-SHA384”、“HMAC-SHA512”等。For example, the APP SERVER update response message contains MAC key and MAC algorithm information. In one embodiment, the MAC algorithm can use the HMAC algorithm (RFC 2104), and the algorithm description format in this message can be "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224", "HMAC-SHA256" , "HMAC-SHA384", "HMAC-SHA512", etc.
S103,DPI特征更新阶段。如图1所示第三步,DPI SERVER接收DPI网元发起的TLS连接建立请求,并采用双向证书验证机制建立TLS连接。DPI SERVER接收DPI网元发起的DPI特征更新请求并处理,以及通过相应的DPI特征更新响应为DPI网元提供APP的最新DPI特征信息。S103, the DPI feature update stage. As shown in the third step in Figure 1, the DPI SERVER receives the TLS connection establishment request initiated by the DPI network element, and uses the mutual certificate verification mechanism to establish the TLS connection. The DPI SERVER receives and processes the DPI feature update request initiated by the DPI network element, and provides the DPI network element with the latest DPI feature information of the APP through the corresponding DPI feature update response.
在一实施方式中,DPI特征更新响应消息包含:APP名称、SP名称、APP SERVER名称、专用TLS扩展类型ID、APP TOKEN、成功分配APP TOKEN的日期时间、APP SERVER公网IP地址(可选)、用于DPI识别的APP SERVER公钥、多区间计数器合法范围、MAC密钥、MAC算法等信息。In one embodiment, the DPI feature update response message includes: APP name, SP name, APP SERVER name, dedicated TLS extension type ID, APP TOKEN, date and time of successful APP TOKEN allocation, APP SERVER public network IP address (optional) , App SERVER public key used for DPI identification, legal range of multi-interval counter, MAC key, MAC algorithm and other information.
在一实施方式中,DPI网元与DPI SERVER之间的TLS连接采用双向证书验证机制,给流量欺诈行为增加难度和成本。DPI网元作为TLS客户端将自己的证书通过上行CERTIFICATE消息发送给DPI SERVER,DPI SERVER作为TLS服务端将自己的证书通过下行CERTIFICATE消息发送给DPI网元。DPI SERVER的证书,须由第三方合法CA签发,以保证DPI网元能通过该证书验证DPI SERVER的合法身份。DPI网元的证书,可由DPI SERVER作为私有CA为DPI网元签发,预置于DPI网元中,作为DPI网元的合法身份证明。In one embodiment, the TLS connection between the DPI network element and the DPI SERVER adopts a two-way certificate verification mechanism, which increases the difficulty and cost of traffic fraud. As a TLS client, the DPI network element sends its own certificate to the DPI SERVER through an uplink CERTIFICATE message, and the DPI SERVER as a TLS server sends its own certificate to the DPI network element through a downlink CERTIFICATE message. The DPI SERVER certificate must be issued by a third-party legal CA to ensure that the DPI network element can verify the legal identity of the DPI SERVER through the certificate. The certificate of the DPI network element can be issued by the DPI SERVER as a private CA for the DPI network element, and is preset in the DPI network element as the legal identity certificate of the DPI network element.
在一实施方式中,DPI网元通过与DPI SERVER的TLS连接,周期性地向DPI SERVER发送DPI特征更新请求消息,以获取DPI SERVER中各个APP最新的识别特征信息。In one embodiment, the DPI network element periodically sends a DPI feature update request message to the DPI SERVER through a TLS connection with the DPI SERVER to obtain the latest identification feature information of each APP in the DPI SERVER.
在一实施方式中,DPI SERVER将上次DPI网元请求之后发生过相关信息更新的各APP识别特征信息,通过DPI特征更新响应消息发送给DPI网元。在一实施方式中,DPI SERVER将上次DPI网元请求之后未发生过相关信息更新的各APP TOKEN或“SP名称+APP名称”置于消息中发送给DPI网元。In one embodiment, the DPI SERVER sends the identification feature information of each APP whose relevant information has been updated after the last DPI network element request, to the DPI network element through a DPI feature update response message. In one embodiment, the DPI SERVER puts each APP TOKEN or "SP name + APP name" that has not been updated since the last DPI network element request into a message and sends it to the DPI network element.
在一实施方式中,DPI网元发送的DPI特征更新请求消息中,可以指定或排除一个或多个APP TOKEN或“SP名称+APP名称”。对应地,DPI SERVER在发送的DPI特征更新响应消息中,只携带相应的APP的最新的识别特征信息。In one embodiment, in the DPI feature update request message sent by the DPI network element, one or more APP TOKEN or "SP name + APP name" may be specified or excluded. Correspondingly, the DPI feature update response message sent by the DPI SERVER only carries the latest identification feature information of the corresponding APP.
S104,DPI特征识别阶段。如图1所示第四步,DPI网元检测APP上网流量中的CLIENT HELLO、SERVER HELLO消息中的指定扩展类型及其内容,匹配APP TOKEN并验证APP SERVER签名及MAC,确认APP流量的真实性,从而准确识别APP业务流量。S104, DPI feature recognition stage. As shown in the fourth step in Figure 1, the DPI network element detects the specified extension type and content in the CLIENT HELLO and SERVER HELLO messages in the APP Internet traffic, matches the APP TOKEN and verifies the APP SERVER signature and MAC to confirm the authenticity of the APP traffic , So as to accurately identify APP business traffic.
在一实施方式中,该APP业务流量中APP CLIENT发出的CLIENT HELLO消息内包含:之前分配的专用TLS扩展类型ID且内容为空。该APP业务流量中APP SERVER发出的SERVER HELLO消息内包含:之前分配的专用TLS扩展类型ID、该扩展内容包含有APP TOKEN、成功分配APP TOKEN的日期时间、多区间计数器合法范围内的一个多区间计数器值、对前部分扩展内容的签名、签名算法、对前部分扩展内容的MAC值、MAC算法等信息。In one embodiment, the CLIENT HELLO message sent by the APP CLIENT in the APP service traffic includes: the previously allocated dedicated TLS extension type ID and the content is empty. The SERVER HELLO message sent by the APP SERVER in the APP business traffic contains: the previously allocated special TLS extension type ID, the extension content includes the APP TOKEN, the date and time of the successful allocation of the APP TOKEN, and a multi-section within the legal range of the multi-section counter Counter value, signature of the extended content of the previous part, signature algorithm, MAC value of the extended content of the previous part, MAC algorithm and other information.
在一实施方式中,APP CLIENT发出的CLIENT HELLO消息中,包含一个自定义TLS扩展,其扩展类型ID为第一步APP注册阶段分配的专用TLS扩展类型ID,其扩展内容为空。In one embodiment, the CLIENT HELLO message sent by the APP CLIENT includes a custom TLS extension whose extension type ID is the special TLS extension type ID allocated during the first step of APP registration, and its extension content is empty.
在一实施方式中,APP SERVER发出的SERVER HELLO消息中,包含一个自定义TLS扩展,其扩展类型ID为第一步APP注册阶段分配的专用TLS扩展类型ID,其扩展内容如下:In one embodiment, the SERVER HELLO message sent by APP SERVER contains a custom TLS extension whose extension type ID is the special TLS extension type ID allocated during the first step of APP registration. The extension content is as follows:
在一实施方式中,扩展内容1:APP TOKEN。该APP TOKEN来自于第一步APP注册阶段。In one embodiment, the extended content 1: APP TOKEN. The APP TOKEN comes from the first stage of APP registration.
在一实施方式中,扩展内容2:成功分配APP TOKEN的日期时间。该日期时间信息来自于第一步APP注册阶段。In one embodiment, the extended content 2: the date and time when the APP TOKEN is successfully allocated. The date and time information comes from the first step of APP registration.
在一实施方式中,扩展内容3:多区间计数器合法范围内的一个多区间计数器值。该多区间计数器合法范围来自于第二步APP SERVER更新阶段。在一实施方式中,对于同一个APP CLIENT用户(以IP地址区分),APP SERVER在该多区间计数器合法范围内,从小到大取值,对于每个TLS连接的SERVER HELLO消息,其多区间计数器值加1,达到该多区间计数器取值范围的最大值后,再回绕到最小值重新开始。In one embodiment, the extended content 3: a multi-interval counter value within the legal range of the multi-interval counter. The legal range of the multi-interval counter comes from the second step of APP SERVER update phase. In one embodiment, for the same APP CLIENT user (identified by IP address), the APP SERVER is within the legal range of the multi-interval counter, and the value is from small to large. For each TLS connection SERVER HELLO message, its multi-interval counter The value is increased by 1, and after reaching the maximum value of the multi-interval counter, it will wrap around to the minimum value and start again.
在一实施方式中,扩展内容4:对扩展内容1~扩展内容3整体的签名。APP SERVERr采用扩展内容5的签名算法对扩展内容1~扩展内容3整体进行签名。在一实施方式中,首先对该内容进行哈希以获取固定长度的哈希结果,然后对哈希结果使用第二步APP SERVER更新阶段所生成的用于DPI识别的APP SERVER公钥所对应的私钥进行加密,加密结果即为签名。In one embodiment, extended content 4: a signature for the entire extended content 1 to extended content 3. APP SERVERr uses the signature algorithm of the extended content 5 to sign the entire extended content 1 to the extended content 3. In one embodiment, the content is first hashed to obtain a fixed-length hash result, and then the hash result is used for the APP SERVER public key generated in the second step of the APP SERVER update phase for DPI identification. The private key is encrypted, and the result of the encryption is the signature.
在一实施方式中,扩展内容5:签名算法。该签名算法由APP SERVER决定,包含哈希算法和公钥加密算法,在一实施方式中,如“MD5-RSA”、“SHA1-RSA”、“SHA224-RSA”、“SHA256-RSA”、“SHA384-RSA”、“SHA512-RSA”等之一。In one embodiment, extended content 5: signature algorithm. The signature algorithm is determined by APP SERVER, including hash algorithm and public key encryption algorithm. In one implementation, such as "MD5-RSA", "SHA1-RSA", "SHA224-RSA", "SHA256-RSA", " One of "SHA384-RSA", "SHA512-RSA", etc.
在一实施方式中,扩展内容6:对扩展内容1~扩展内容5整体的MAC值。APP SERVER采用扩展内容7的MAC算法,使用第二步APP SERVER更新阶段从DPI SERVER获取的MAC密钥,对扩展内容1~扩展内容5整体生成MAC值。In one embodiment, extended content 6: the MAC value of the entire extended content 1 to extended content 5. APP SERVER adopts the MAC algorithm of extended content 7, and uses the MAC key obtained from DPI SERVER in the second step of APP SERVER update stage to generate a MAC value for the entire extended content 1 to 5.
在一实施方式中,扩展内容7:MAC算法。该MAC算法由APP SERVER决定,从由第二步APP SERVER更新阶段由DPI SERVER分配的多个MAC算法中,选择其中一个以使用。In one embodiment, extended content 7: MAC algorithm. The MAC algorithm is determined by the APP SERVER, and one of the multiple MAC algorithms allocated by the DPI SERVER in the second step of the APP SERVER update phase is selected for use.
在一实施方式中,DPI网元检测TLS流量中CLIENT HELLO消息是否包含相关的专用TLS扩展类型ID,如果包含,则需要继续对该TLS-TCP(Transmission Control Protocol,传输控制协议)流的SERVER HELLO消息进一步检测;如果不包含,则不需要继续对该TLS-TCP流的SERVER HELLO消息进一步检测。In one embodiment, the DPI network element detects whether the CLIENT HELLO message in the TLS traffic contains the relevant dedicated TLS extension type ID. If it does, it needs to continue the SERVER HELLO for the TLS-TCP (Transmission Control Protocol) flow The message is further checked; if it is not included, there is no need to continue to check the SERVER HELLO message of the TLS-TCP stream.
在一实施方式中,DPI网元检测TLS流量中SERVER HELLO消息是否包含相关的专用TLS扩展类型ID,如果包含,则继续对该扩展内容进一步检测并验证;如果不包含,则不需要继续对该扩展内容进一步检测并验证。在一实施方式中,DPI网元对该扩展内容的检测及验证方法如下:In one embodiment, the DPI network element detects whether the SERVER HELLO message in the TLS traffic contains the relevant dedicated TLS extension type ID, and if it does, it will continue to check and verify the extension content; if it does not, it does not need to continue to do so. The extended content is further tested and verified. In one embodiment, the method for detecting and verifying the extended content by the DPI network element is as follows:
在一实施方式中,DPI网元提取扩展内容1,作为APP TOKEN。如果后续验证通过,则将该APP TOKEN识别为相应APP,即将当前TLS流量准确识别为相应APP业务。In one embodiment, the DPI network element extracts extended content 1 as the APP TOKEN. If the subsequent verification is passed, the APP TOKEN is identified as the corresponding APP, that is, the current TLS traffic is accurately identified as the corresponding APP service.
在一实施方式中,DPI网元提取扩展内容2,作为成功分配APP TOKEN的日期时间,一方面可以用于对APP TOKEN唯一性的验证,另一方面可以用于对APP TOKEN版本信息的描述。In one embodiment, the DPI network element extracts the extended content 2 as the date and time for successfully assigning the APP TOKEN. On the one hand, it can be used to verify the uniqueness of the APP TOKEN, and on the other hand, it can be used to describe the APP TOKEN version information.
在一实施方式中,DPI网元提取扩展内容3,作为多区间计数器值。DPI网元检测该多区间计数器值是否在多区间计数器合法范围内。如果在合法范围内,则检查对于同一个APP SERVER(以网络侧IP地址+网络侧PORT区分)下的同一个APP CLIENT用户(以用户侧IP地址区分)的不同TLS流的SERVER HELLO消息多区间计数器值是否递增或达最大值回绕,如果是递增或达最大值回绕,则认为该多区间计数器值通过检查,否则认为不通过检查。如果不在合法范围内,则也认为不通过检查。对多区间计数器的合法取值检查,用于防止基于重放攻击的流量欺诈情况。In an embodiment, the DPI network element extracts the extended content 3 as the multi-interval counter value. The DPI network element detects whether the multi-interval counter value is within the legal range of the multi-interval counter. If it is within the legal range, check the multiple intervals of SERVER HELLO messages for different TLS flows of the same APP CLIENT user (distinguated by the user side IP address) under the same APP SERVER (distinguished by the network side IP address + network side PORT) Whether the counter value is incremented or reaches the maximum value and rewinds, if it is incremented or reaches the maximum rewind, the multi-interval counter value is deemed to pass the check, otherwise it is deemed to fail the check. If it is not within the legal scope, it is also deemed to have failed the inspection. The legal value check of the multi-range counter is used to prevent traffic fraud based on replay attacks.
在一实施方式中,DPI网元提取扩展内容4,作为APP SERVER对扩展内容1~扩展 内容3整体的签名;DPI网元对扩展内容1~扩展内容3整体,使用从扩展内容5提取到的签名算法,以及从第三步DPI特征更新阶段中获取的用于DPI识别的APP SERVER公钥,验证签名。在一实施方式中,从扩展内容5提取到的签名算法包括哈希算法和公钥加密算法,采用该哈希算法对扩展内容1~扩展内容3整体进行哈希获取哈希结果;采用该公钥加密算法,使用从第三步DPI特征更新阶段中获取的用于DPI识别的APP SERVER公钥,对扩展内容4进行解密获取解密结果;如果该哈希结果与该解密结果一致,则认为通过签名验证;否则认为未通过签名验证。对扩展的签名验证用于认证APP SERVER的身份合法性,以减少或防止流量欺诈情况。In one embodiment, the DPI network element extracts the extended content 4 as the APP SERVER's signature for the entire extended content 1 to the extended content 3; the DPI network element uses the extended content 1 to the extended content 3 as a whole, using the extracted content from the extended content 5. The signature algorithm, and the APP SERVER public key for DPI identification obtained in the DPI feature update phase of the third step, verify the signature. In one embodiment, the signature algorithm extracted from the extended content 5 includes a hash algorithm and a public key encryption algorithm. The hash algorithm is used to hash the entire extended content 1 to 3 to obtain the hash result; The key encryption algorithm uses the APP SERVER public key for DPI identification obtained in the third step of the DPI feature update stage to decrypt the extended content 4 to obtain the decryption result; if the hash result is consistent with the decryption result, it is considered passed Signature verification; otherwise, it is considered that the signature verification has not passed. The extended signature verification is used to verify the legitimacy of the APP SERVER's identity to reduce or prevent traffic fraud.
在一实施方式中,DPI网元提取扩展内容5,作为验证扩展内容4的签名算法。In one embodiment, the DPI network element extracts the extended content 5 as a signature algorithm for verifying the extended content 4.
在一实施方式中,DPI网元提取扩展内容6,作为APP SERVER对扩展内容1~扩展内容5整体的MAC值;DPI网元对扩展内容1~扩展内容5整体,使用从扩展内容7提取到的MAC算法,以及从第三步DPI特征更新阶段中获取的MAC密钥,计算生成MAC值;如果生成的MAC值与提取到MAC值一致,则认为MAC校验通过,否则认为MAC校验未通过。对扩展的MAC校验用于确保扩展内容的完整性,降低流量欺诈发生的可能性。In one embodiment, the DPI network element extracts the extended content 6 as the MAC value of the APP SERVER for the entire extended content 1 to the extended content 5; the DPI network element uses the extended content 1 to the extended content 5 as a whole to extract from the extended content 7 to The MAC algorithm and the MAC key obtained from the DPI feature update phase in the third step are calculated to generate the MAC value; if the generated MAC value is consistent with the extracted MAC value, the MAC check is considered passed, otherwise the MAC check is not considered by. The extended MAC check is used to ensure the integrity of the extended content and reduce the possibility of traffic fraud.
在一实施方式中,DPI网元提取扩展内容7,作为验证扩展内容6的MAC算法。In an embodiment, the DPI network element extracts the extended content 7 as a MAC algorithm for verifying the extended content 6.
在一实施方式中,DPI网元对于通过多区间计数器检查、签名验证、MAC校验的APP TOKEN,则可将该APP TOKEN识别为相应APP,即将当前TLS流量准确识别为相应APP业务。In an embodiment, the DPI network element can identify the APP TOKEN that has passed the multi-interval counter check, signature verification, and MAC verification as the corresponding APP, that is, accurately identify the current TLS traffic as the corresponding APP service.
在一实施方式中,在上述准确识别APP业务的情况下,DPI网元如果从第三步DPI特征更新阶段中,获取到APP SERVER公网IP地址,则可检查当前TLS-TCP流的网络侧IP地址是否在该APP SERVER公网IP地址范围内,如果是,则更可加强识别结果的准确性。In one embodiment, in the case of accurately identifying APP services described above, if the DPI network element obtains the APP SERVER public network IP address from the DPI feature update stage in the third step, it can check the network side of the current TLS-TCP flow Whether the IP address is within the range of the APP SERVER public network IP address, if it is, the accuracy of the identification result can be enhanced.
如图2所示,本公开实施例还提供一种TLS加密流量特征信息管理装置,包括:设置于DPI SERVER 200中的APP注册管理模块201。APP注册管理模块接收来自注册网站的APP注册请求信息,并为目标APP分配APP特征标识信息,且发送回注册网站。设置于DPI SERVER 200中的APP SERVER更新管理模块202。APP SERVER更新管理模块基于双向验证的TLS连接,与APP SERVER交换该APP的APP特征验证信息,交换后双方具有相同的APP特征标识信息以及APP特征验证信息。设置于DPI SERVER 200 中的DPI特征更新管理模块203。DPI特征更新管理模块基于双向验证的TLS连接,将该APP的APP特征标识信息以及APP特征验证信息,发送给DPI网元。As shown in FIG. 2, an embodiment of the present disclosure also provides a TLS encrypted traffic characteristic information management device, including: an APP registration management module 201 set in the DPI SERVER 200. The APP registration management module receives APP registration request information from the registration website, assigns APP characteristic identification information to the target APP, and sends it back to the registration website. The APP SERVER installed in the DPI SERVER 200 updates the management module 202. The APP SERVER update management module exchanges the APP feature verification information of the APP with the APP SERVER based on a two-way verification TLS connection. After the exchange, both parties have the same APP feature identification information and APP feature verification information. The DPI feature update management module 203 set in the DPI SERVER 200. The DPI feature update management module sends the APP feature identification information and APP feature verification information of the APP to the DPI network element based on the TLS connection of mutual verification.
如图3所示,本公开实施例还提供一种服务器300,包括:存储器301、处理器302、总线接口303、用户接口304、输出接口305,所述处理器302执行所述TLS加密流量识别方法。As shown in FIG. 3, an embodiment of the present disclosure also provides a server 300, which includes a memory 301, a processor 302, a bus interface 303, a user interface 304, and an output interface 305. The processor 302 executes the TLS encrypted traffic identification method.
本公开可实现针对电信运营商合作SP的应用业务TLS加密流量的防欺诈的精确细化的DPI识别,从而减少或防止流量欺诈现象的发生。The present disclosure can realize the precise and detailed DPI identification for anti-fraud of the application service TLS encrypted traffic of the telecommunications operator's cooperative SP, thereby reducing or preventing the occurrence of traffic fraud.
本公开不仅仅限于以上实施例,凡依本公开权利要求范围所做的等效变更,皆属于本公开权利要求涵盖范围。The present disclosure is not limited to the above embodiments, and all equivalent changes made in accordance with the scope of the claims of the present disclosure fall within the scope of the claims of the present disclosure.
本领域普通技术人员可以理解,上文中所公开方法中的全部或某些步骤、系统、装置中的功能模块/单元可以被实施为软件、固件、硬件及其适当的组合。在硬件实施方式中,在以上描述中提及的功能模块/单元之间的划分不一定对应于物理组件的划分;例如,一个物理组件可以具有多个功能,或者一个功能或步骤可以由若干物理组件合作执行。某些组件或所有组件可以被实施为由处理器,如数字信号处理器或微处理器执行的软件,或者被实施为硬件,或者被实施为集成电路,如专用集成电路。这样的软件可以分布在计算机可读介质上,计算机可读介质可以包括计算机存储介质(或非暂时性介质)和通信介质(或暂时性介质)。如本领域普通技术人员公知的,术语计算机存储介质包括在用于存储信息(诸如计算机可读指令、数据结构、程序模块或其他数据)的任何方法或技术中实施的易失性和非易失性、可移除和不可移除介质。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字多功能盘(DVD)或其他光盘存储、磁盒、磁带、磁盘存储或其他磁存储装置、或者可以用于存储期望的信息并且可以被计算机访问的任何其他的介质。此外,本领域普通技术人员公知的是,通信介质通常包含计算机可读指令、数据结构、程序模块或者诸如载波或其他传输机制之类的调制数据信号中的其他数据,并且可包括任何信息递送介质。A person of ordinary skill in the art can understand that all or some of the steps, functional modules/units in the system, and apparatus in the methods disclosed above can be implemented as software, firmware, hardware, and appropriate combinations thereof. In hardware implementations, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may consist of several physical components. The components are executed cooperatively. Some or all components may be implemented as software executed by a processor, such as a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on a computer-readable medium, and the computer-readable medium may include a computer storage medium (or non-transitory medium) and a communication medium (or transitory medium). As is well known to those of ordinary skill in the art, the term computer storage medium includes volatile and non-volatile memory implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data). Flexible, removable and non-removable media. Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassette, tape, magnetic disk storage or other magnetic storage device, or Any other medium used to store desired information and that can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media usually contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as carrier waves or other transmission mechanisms, and may include any information delivery media .

Claims (9)

  1. 一种TLS加密流量识别方法,包括:A method for identifying TLS encrypted traffic, including:
    DPI SERVER接收来自注册网站的APP注册请求信息,并为目标APP分配APP特征标识信息,且发送回注册网站;DPI SERVER receives APP registration request information from the registration website, assigns APP feature identification information to the target APP, and sends it back to the registration website;
    DPI SERVER基于双向验证的TLS连接,与APP SERVER交换目标APP的APP特征验证信息,交换后双方具有相同的APP特征标识信息以及APP特征验证信息;DPI SERVER exchanges the APP feature verification information of the target APP with the APP SERVER based on a two-way verification TLS connection. After the exchange, both parties have the same APP feature identification information and APP feature verification information;
    DPI SERVER基于双向验证的TLS连接,将目标APP的APP特征标识信息以及APP特征验证信息,发送给DPI网元;DPI SERVER sends the APP feature identification information and APP feature verification information of the target APP to the DPI network element based on the TLS connection with mutual verification;
    DPI网元根据所述APP特征验证信息验证用户TLS流量中所述APP特征标识信息的合法性,并根据所述APP特征标识信息识别由目标APP产生的TLS流量。The DPI network element verifies the validity of the APP characteristic identification information in the user's TLS traffic according to the APP characteristic verification information, and identifies the TLS traffic generated by the target APP according to the APP characteristic identification information.
  2. 如权利要求1所述的方法,其中,所述APP特征验证信息,包含用于DPI识别的APP公钥信息、MAC密钥及MAC算法信息、多区间计数器合法范围信息。8. The method of claim 1, wherein the APP feature verification information includes APP public key information, MAC key and MAC algorithm information used for DPI identification, and legal range information of a multi-interval counter.
  3. 如权利要求2所述的方法,其中,DPI SERVER与APP SERVER建立的所述TLS连接中,所述APP SERVER的证书与DPI SERVER的证书,均由合法的第三方证书颁发机构签发。The method according to claim 2, wherein, in the TLS connection established between the DPI SERVER and the APP SERVER, the certificate of the APP SERVER and the certificate of the DPI SERVER are both issued by a legal third-party certification authority.
  4. 如权利要求3所述的方法,其中,所述DPI网元匹配用户APP流量信息中的SERVER HELLO消息中的APP特征标识信息,识别对应APP的流量信息。The method according to claim 3, wherein the DPI network element matches the APP feature identification information in the SERVER HELLO message in the user APP flow information to identify the flow information of the corresponding APP.
  5. 如权利要求4所述的方法,其中,所述DPI网元根据用户APP流量信息中的SERVER HELLO消息中的APP特征验证信息,验证对应APP特征标识信息的合法性。The method according to claim 4, wherein the DPI network element verifies the validity of the corresponding APP characteristic identification information according to the APP characteristic verification information in the SERVER HELLO message in the user APP flow information.
  6. 一种TLS加密流量特征信息管理装置,包括:A TLS encrypted flow characteristic information management device, including:
    置于DPI SERVER中的APP注册管理模块,其用于接收来自注册网站的APP注册请求信息,并为目标APP分配APP特征标识信息,且发送回注册网站;The APP registration management module placed in DPI SERVER is used to receive APP registration request information from the registration website, and assign APP characteristic identification information to the target APP, and send it back to the registration website;
    置于DPI SERVER中的APP SERVER更新管理模块,其基于双向验证的TLS连接, 与APP SERVER交换目标APP的APP特征验证信息,交换后双方具有相同的APP特征标识信息以及APP特征验证信息;The APP SERVER update management module placed in the DPI SERVER exchanges the APP feature verification information of the target APP with the APP SERVER based on the TLS connection of mutual verification. After the exchange, both parties have the same APP feature identification information and APP feature verification information;
    置于DPI SERVER中的DPI特征更新管理模块,其基于双向验证的TLS连接,将目标APP的APP特征标识信息以及APP特征验证信息,发送给DPI网元。The DPI feature update management module placed in the DPI SERVER sends the APP feature identification information and APP feature verification information of the target APP to the DPI network element based on the TLS connection with mutual verification.
  7. 如权利要求6所述的装置,其中,所述APP特征验证信息,包含用于DPI识别的APP公钥信息、MAC密钥及MAC算法信息、多区间计数器合法范围信息。7. The device of claim 6, wherein the APP feature verification information includes APP public key information, MAC key and MAC algorithm information used for DPI identification, and legal range information of a multi-interval counter.
  8. 如权利要求7所述的装置,其中,APP SERVER更新管理模块与APP SERVER建立的所述TLS连接中,所述APP SERVER的证书与DPI SERVER的证书,均由合法的第三方证书颁发机构签发。The device according to claim 7, wherein in the TLS connection established between the APP SERVER update management module and the APP SERVER, the certificate of the APP SERVER and the certificate of the DPI SERVER are both issued by a legal third-party certification authority.
  9. 一种服务器,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如权利要求1~8中任意一项所述TLS加密流量识别的方法。A server, comprising: a memory, a processor, and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program as described in any one of claims 1-8 TLS encrypted traffic identification method.
PCT/CN2020/080236 2019-05-09 2020-03-19 Method and apparatus for identifying tls encrypted traffic WO2020224341A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910396042.4A CN111917694B (en) 2019-05-09 2019-05-09 TLS encrypted traffic identification method and device
CN201910396042.4 2019-05-09

Publications (1)

Publication Number Publication Date
WO2020224341A1 true WO2020224341A1 (en) 2020-11-12

Family

ID=73051379

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/080236 WO2020224341A1 (en) 2019-05-09 2020-03-19 Method and apparatus for identifying tls encrypted traffic

Country Status (2)

Country Link
CN (1) CN111917694B (en)
WO (1) WO2020224341A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113518080A (en) * 2021-06-23 2021-10-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491910B (en) * 2020-12-01 2023-09-05 三六零数字安全科技集团有限公司 DOT protocol-based flow identification method, DOT protocol-based flow identification device, DOT protocol-based flow identification equipment and storage medium
CN112491909B (en) * 2020-12-01 2023-09-01 三六零数字安全科技集团有限公司 DOH protocol-based traffic identification method, device, equipment and storage medium
CN114449064B (en) * 2022-01-26 2023-12-29 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107135190A (en) * 2016-02-29 2017-09-05 阿里巴巴集团控股有限公司 The data traffic ownership recognition methods connected based on Transport Layer Security and device
CN107707508A (en) * 2016-08-09 2018-02-16 中兴通讯股份有限公司 Applied business recognition methods and device
US20180103056A1 (en) * 2016-10-06 2018-04-12 Cisco Technology, Inc. Analyzing encrypted traffic behavior using contextual traffic data
CN109309907A (en) * 2017-07-27 2019-02-05 中兴通讯股份有限公司 Method, apparatus and its relevant device for charge on traffic

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340289B (en) * 2008-08-19 2011-11-09 北京飞天诚信科技有限公司 Replay attack preventing method and system thereof
US10673869B2 (en) * 2014-02-28 2020-06-02 British Telecommunications Public Limited Company Profiling for malicious encrypted network traffic identification
CN105099802B (en) * 2014-05-15 2019-01-08 中国移动通信集团公司 A kind of method for recognizing flux, terminal and network element device
US9473979B2 (en) * 2014-06-30 2016-10-18 Motorola Solutions, Inc. Method and system for data transmission
US9628455B2 (en) * 2014-12-09 2017-04-18 Akamai Technologies, Inc. Filtering TLS connection requests using TLS extension and federated TLS tickets
CN106533689B (en) * 2015-09-15 2019-07-30 阿里巴巴集团控股有限公司 A kind of method and apparatus of the load digital certificates in SSL/TLS communication
CN109547400A (en) * 2017-09-22 2019-03-29 三星电子株式会社 The server registration method of communication means, integrity verification method and client
CN109617904A (en) * 2018-12-29 2019-04-12 江苏天创科技有限公司 A kind of HTTPS application and identification method in IPv6 network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107135190A (en) * 2016-02-29 2017-09-05 阿里巴巴集团控股有限公司 The data traffic ownership recognition methods connected based on Transport Layer Security and device
CN107707508A (en) * 2016-08-09 2018-02-16 中兴通讯股份有限公司 Applied business recognition methods and device
US20180103056A1 (en) * 2016-10-06 2018-04-12 Cisco Technology, Inc. Analyzing encrypted traffic behavior using contextual traffic data
CN109309907A (en) * 2017-07-27 2019-02-05 中兴通讯股份有限公司 Method, apparatus and its relevant device for charge on traffic

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113518080A (en) * 2021-06-23 2021-10-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment
CN113518080B (en) * 2021-06-23 2021-11-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment

Also Published As

Publication number Publication date
CN111917694A (en) 2020-11-10
CN111917694B (en) 2023-02-28

Similar Documents

Publication Publication Date Title
WO2020224341A1 (en) Method and apparatus for identifying tls encrypted traffic
CN110800331B (en) Network verification method, related equipment and system
KR100651715B1 (en) Method for generating and accepting address automatically in IPv6-based Internet and data structure thereof
US11388594B2 (en) Mutual authentication between wireless access devices
US8239549B2 (en) Dynamic host configuration protocol
US8806565B2 (en) Secure network location awareness
US8418242B2 (en) Method, system, and device for negotiating SA on IPv6 network
JP2018508146A (en) Efficient policy enforcement using network tokens for service-user plane approach
JP2015537471A (en) Restricted certificate enrollment for unknown devices in hotspot networks
US10397047B2 (en) Apparatus, system, and method for secure remote configuration of network devices
WO2013013481A1 (en) Access authentication method, device, server and system
KR20100126783A (en) Ip address delegation
US8955088B2 (en) Firewall control for public access networks
WO2018205148A1 (en) Data packet checking method and device
CN105721496A (en) Security authentication method for automatic distribution protocol of lightweight address
US20220174085A1 (en) Data Processing Method and Apparatus
CN111314269B (en) Address automatic allocation protocol security authentication method and equipment
US8275987B2 (en) Method for transmission of DHCP messages
EP3932044A1 (en) Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp)
Shete et al. DHCP protocol using OTP based two-factor authentication
WO2014201783A1 (en) Encryption and authentication method, system and terminal for ad hoc network
US20140331303A1 (en) Apparatus and method for authenticating access of a mobile station in a wireless communication system
Su et al. Secure DHCPv6 that uses RSA authentication integrated with self-certified address
WO2019076025A1 (en) Method for identifying encrypted data stream, device, storage medium, and system
US20230336535A1 (en) Method, device, and system for authentication and authorization with edge data network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20801827

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20801827

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 13/05/2022)