WO2023163514A1 - Système de commande d'accès au réseau basé sur un dispositif de commande et procédé associé - Google Patents

Système de commande d'accès au réseau basé sur un dispositif de commande et procédé associé Download PDF

Info

Publication number
WO2023163514A1
WO2023163514A1 PCT/KR2023/002558 KR2023002558W WO2023163514A1 WO 2023163514 A1 WO2023163514 A1 WO 2023163514A1 KR 2023002558 W KR2023002558 W KR 2023002558W WO 2023163514 A1 WO2023163514 A1 WO 2023163514A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
data flow
service
node
information
Prior art date
Application number
PCT/KR2023/002558
Other languages
English (en)
Korean (ko)
Inventor
김영랑
Original Assignee
프라이빗테크놀로지 주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 프라이빗테크놀로지 주식회사 filed Critical 프라이빗테크놀로지 주식회사
Publication of WO2023163514A1 publication Critical patent/WO2023163514A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • Embodiments disclosed in this document relate to a system and method for controlling a controller-based network connection.
  • Multiple devices may communicate data over a network.
  • the terminal may transmit or receive data with a server through the Internet.
  • the network may include a private network such as an intranet as well as a public network such as the Internet.
  • the terminal performs communication with the server by utilizing IP (Internet Protocol)-based TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), and controls the connection between the source IP and destination IP authorized in TCP or UDP technology.
  • IP Internet Protocol
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • Firewall technology may be used.
  • IP communication since data packets are transmitted in plain text, there is a problem in that a third party can easily view important information of the data packet using sniffing technology such as tapping equipment or rouge WiFi.
  • VPN Virtual Private Network
  • tunneling technology for encrypting data packets between the terminal and the server are used.
  • MFA Multi Factor Authentication
  • the service since the service is always connected to the Internet, that is, it is already sending and receiving data packets at the stage of general authentication (based on user ID and password input) or MFA, it prevents the attack itself by substituting a random password. There is no way to do it. That is, if a continuous attack on a specific ID occurs, it may be inconvenient from the user's point of view because only functions requiring authentication may be provided through additional authentication.
  • the above problems can be applied not only to Internet-connected services but also to unit systems used by companies.
  • the unit system can be accessed, and authentication in the unit system can be more vulnerable to security because even the weaker security authentication system and minimum authentication standards are not observed than the above popular services.
  • a node includes communication circuitry, a processor operatively connected to the communication circuitry, and a memory operatively connected to the processor and storing a connection control application and a target application;
  • the node receives a first service authentication request of the target application through the access control application, and the first service authentication request identifies a service server to which the target application wants to access.
  • the access control application checks whether a data flow authorized from an external server exists, and if the data flow exists , Performs a second service authentication request to the external server based on the data flow identification information of the data flow or the identification information of the target application and the identification information of the service server, and in response to the second service authentication request Instructions for receiving a data flow with updated authentication information from an external server and delivering a result of the first service authentication request to the target application may be stored.
  • a server includes communication circuitry, a memory including a database, and a processor operatively connected to the communication circuitry and the memory, wherein the processor provides services from a node's access control application.
  • Receiving an authentication request wherein the service authentication request includes identification information of a target application of the node and identification information of a service server, and whether a data flow corresponding to the identification information of the target application and the identification information of the service server exists and if the data flow exists, it is determined whether authentication with the service server is possible based on the database, and if the authentication is possible, authentication information is generated based on the database, and the authentication information It may be configured to update the data flow based on and transmit the updated data flow to the access control application.
  • a service server includes communication circuitry, a memory including a database, and a processor operatively connected to the communication circuitry and the memory, wherein the processor provides services from a target application of a node.
  • Receive an authentication request the service authentication request includes data flow authentication information, request authentication information check from an external server based on the data flow authentication information, and receive a result of the authentication information check from the external server and transmit a response to the authentication process request to the target application based on a result of checking the authentication information.
  • a method of operating an access control application installed in a node includes receiving a first service authentication request of a target application, the first service authentication request of a service server to which the target application wants to access. including identification information, corresponding to the identification information of the target application and the identification information of the service server, and confirming whether or not there is a data flow authorized from an external server; if the data flow exists, the data flow Performing a second service authentication request to the external server based on data flow identification information or identification information of the target application and identification information of the service server, authentication from the external server in response to the second service authentication request
  • the method may include receiving a data flow having updated information and transmitting a result of the first service authentication request to the target application.
  • a method of operating a server includes receiving a service authentication request from an access control application of a node, the service authentication request including identification information of a target application of the node and identification information of a service server. and checking whether a data flow corresponding to the identification information of the target application and the identification information of the service server exists, and if the data flow exists, checking whether authentication with the service server is possible based on the database If the authentication is possible, generating authentication information based on the database, updating the data flow based on the authentication information, and transmitting the updated data flow to the access control application can include
  • a method of operating a service server includes receiving a service authentication request from a target application of a node, the service authentication request including data flow authentication information, and based on the data flow authentication information Requesting an authentication information check from an external server, receiving a result of the authentication information check from the external server, and transmitting a response to the authentication process request to the target application based on the result of the authentication information check. steps may be included.
  • a service request including an unnecessary service request transmitted from an unauthorized target or an attacking behavior is provided.
  • DDoS Distributed Denial of Service Attack
  • service requests passing through the gateway service requests including service attack behavior information may be filtered in advance, and it is possible to check whether a target has performed the corresponding attack behavior, At the same time, continuous DDoS attack behavior can be blocked by isolating the network access of the attacker.
  • session information that is not valid because it is not possible to know when the network connection of the terminal is terminated if the network connection to the terminal is not always maintained. and can prevent vulnerabilities from Session Hijacking attacks using this session information.
  • the service server can remove invalid session information by releasing the data flow at the time of network connection termination, and by blocking service requests using invalid session information, A more secure network service may be provided.
  • a unified service access and authentication structure can be provided without the need to apply a separate strong authentication method to each service.
  • a target requiring authentication identifies a service request of an unauthenticated target by providing a network access control method in which only an authenticated target can access a service server through an access control application. and the service request processing result corresponding to the security level of the non-authenticated object can be provided.
  • each service can provide a unified service access and authentication structure without the need to apply a separate strong authentication method.
  • FIG. 1 shows an environment including a plurality of networks.
  • FIG. 2 illustrates an architecture within a network environment according to various embodiments.
  • FIG. 3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
  • FIG. 4 shows a functional block diagram of a node in accordance with various embodiments.
  • 5 and 6 describe an operation of controlling transmission of a data packet according to various embodiments.
  • FIG. 7 shows a signal flow diagram for controller connection according to various embodiments.
  • FIG. 8 shows a signal flow diagram for user authentication according to various embodiments.
  • FIG 9 illustrates a signal flow diagram for network access according to various embodiments.
  • FIG. 10 illustrates a signal flow diagram for processing a service authentication request according to various embodiments.
  • FIG. 11 illustrates an operational flow diagram for processing a service authentication processing request according to various embodiments.
  • FIG. 12 illustrates a signal flow diagram for processing a data flow authentication request and a service processing request according to various embodiments.
  • FIG. 13 shows a signal flow diagram for updating data flow according to various embodiments.
  • FIG. 14 illustrates a signal flow diagram for control flow update according to various embodiments.
  • 15 illustrates a signal flow diagram for disconnection according to various embodiments.
  • 16 illustrates a signal flow diagram for termination of application execution according to various embodiments.
  • FIG. 17 shows a flowchart of a method of operating a node according to various embodiments.
  • FIG. 18 is a flowchart of a method of operating a server according to various embodiments.
  • 19 is a flowchart illustrating a method of operating a service server according to various embodiments.
  • a (e.g., first) component is said to be “coupled” or “connected” to another (e.g., second) component, with or without the terms “functionally” or “communicatively.”
  • the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.
  • Each component (eg, module or program) of the components described in this document may include singular or plural entities. According to various embodiments, one or more components or operations among the corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.
  • module used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit, for example.
  • a module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions.
  • the module may be implemented in the form of an application-specific integrated circuit (ASIC).
  • ASIC application-specific integrated circuit
  • Various embodiments of this document may be implemented as software (eg, a program or application) including one or more instructions stored in a storage medium (eg, memory) readable by a machine.
  • the processor of the device may call at least one command among one or more commands stored from a storage medium and execute it. This enables the device to be operated to perform at least one function according to the at least one command invoked.
  • the one or more instructions may include code generated by a compiler or code executable by an interpreter.
  • the device-readable storage medium may be provided in the form of a non-transitory storage medium.
  • 'non-temporary' only means that the storage medium is a tangible device and does not contain a signal (e.g. electromagnetic wave), and this term refers to the case where data is stored semi-permanently in the storage medium. It does not discriminate when it is temporarily stored.
  • Computer program products may be traded between sellers and buyers as commodities.
  • a computer program product is distributed in the form of a device-readable storage medium (eg compact disc read only memory (CD-ROM)), or through an application store or between two user devices (eg smartphones). It can be distributed (e.g., downloaded or uploaded) directly or online.
  • a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.
  • FIG. 1 shows an environment including a plurality of networks.
  • the first network 10 and the second network 20 may be different networks.
  • the first network 10 may be a public network such as the Internet
  • the second network 20 may be a private network such as an intranet or VPN.
  • the first network 10 may include a source node 101 .
  • the 'source node' may be various types of devices capable of performing data communication.
  • the source node 101 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, or a virtual reality (VR) device. , or home appliances, but is not limited to the aforementioned devices.
  • source node 101 may include a server or gateway capable of transmitting data packets through an application.
  • the source node 101 may also be referred to as 'electronic device' or 'terminal'.
  • the destination node 102 may include the same or similar device as the above-described source node 101 .
  • the destination node 102 can be substantially the same as the destination network.
  • the source node 101 may attempt access to the second network 20 and transmit data to the destination node 102 included in the second network 20 .
  • the source node 101 may transmit data to the destination node 102 via the gateway 103 .
  • the starting node 101 If access to the first network 10 of the starting node 101 is approved, since the starting node 101 can communicate with all servers included in the first network 10, the starting node 101 is malicious. ) can be exposed from program attacks. For example, the origin node 101 may be infected with malicious code 110c, as well as trusted and/or secure applications such as Internet web browser 110a and business application 110b. ) may receive data of an untrusted or unsecured application such as the business application 110d.
  • the starting node 101 infected by the malicious program may attempt access to the second network 20 and/or data transmission.
  • the second network 20 is formed based on IP, such as VPN, it may be difficult to individually monitor a plurality of devices included in the second network 20, and application in the OSI layer Security at the layer or transport layer may be vulnerable.
  • the source node 101 includes a malicious application after the channel has already been created, the data of the malicious application will be delivered to another electronic device (eg, the destination node 102) within the second network 20.
  • FIG. 2 illustrates an architecture within a network environment according to various embodiments.
  • nodes 201 , 204 , and 206 may be various types of devices capable of performing data communication.
  • nodes 201 , 204 , and 206 may include authenticating nodes 201 , 204 and non-certifying nodes 206 .
  • the nodes 201, 204, and 206 may be a portable device such as a smartphone or tablet, a computer device such as a desktop or laptop, a multimedia device, a medical device, a camera, a wearable device, a VR ( virtual reality) devices, or home appliances, but is not limited to the aforementioned devices.
  • nodes 201, 204, and 206 may include servers or gateways capable of transmitting data packets through applications.
  • the nodes 201, 204, and 206 may also be referred to as 'electronic devices' or 'terminals'.
  • the authentication node 201 may store a first target application 212 , a second target application 213 and a first access control application 211 .
  • the first target application 212 and the second target application 213 are controlled by the first connection control application 211, and transmit data packets to the service server 205 through the gateway 203 or vice versa.
  • can receive Some of the first target applications 212 or second target applications 213 may be trusted and/or secured applications, such as web browsers or business applications, while others may be untrusted or unsecured malicious programs.
  • the network access system may block access to the service server 205 of an unauthorized program (application) through network access control of the first access control application 211 and isolate the corresponding program. .
  • the first access control application 211 connects from the controller 202 before the first target application 212 or the second target application 213 according to embodiments communicates with the service server 205. You can check if it is possible. When authentication is completed, the first access control application 211 may control data packet transmission of the first target application 212 or the second target application 213 . That is, in order for the first target application 212 or the second target application 213 to access the network, it must go through the first access control application 211, and the first access control application 211 receives an application from the controller 202.
  • the first access control application 211 may receive information about authentication from the controller 202, and the first access control application 211 may use the first target application 212 or the second target application 213 ) can be transmitted based on information about authentication.
  • the first target application 212 or the second target application may transmit/receive data with the gateway 203 through a channel (or tunnel) or may transmit/receive data without creating a channel.
  • Another authentication node 204 may store a third target application 222 and a second connection control application 221 .
  • the third target application 222 is under the control of the second connection control application 221 and directly transmits a data packet to the service server 205 without going through the gateway 203 or, conversely, may receive the data packet. That is, the authentication node 204 may create and access a service session independently of the service server 205 .
  • the unauthenticated node 206 may store the fourth target application 216 .
  • the unauthenticated node 206 may be a node that does not have an access control application installed.
  • the fourth target application 216 may access the service server 205 in a state in which safety is not guaranteed.
  • the service server 205 may provide only functions suitable for the corresponding security level to the fourth target application 216 .
  • the controller 202 may be, for example, a server (or cloud server).
  • the controller 202 can ensure reliable data transmission within a network environment by managing data transmission between the authentication nodes 201 and 204, the gateway 203, and the service server 205.
  • the controller 202 may allow network access of the authorized authentication nodes 201 and 204 (or access control applications 211 and 221) through policy information or blacklist information.
  • the controller 202 may generate authentication-related information for authenticating the data packet based on the authentication policy, and transmits the generated authentication-related information to the access control applications 211 and 221 or the gateway 203. By doing so, it is possible to prevent data packets from being transmitted without authentication.
  • the network access of the first target application 212 in the service processing request may be blocked by the first access control application 211 , the controller 202 or the gateway 203 .
  • the controller 202 is used to perform various operations associated with network access of the authentication nodes 201 and 204 or access control applications 211 and 221 (eg, registration, authorization, authentication, renewal, termination). For this purpose, it is possible to transmit and receive control data packets with the access control applications 211 and 204 .
  • a flow through which the control data packet is transmitted (eg, 220) may be referred to as a 'control flow'.
  • the controller 202 immediately retrieves the tunneling and session according to the security event received from the interworking system (eg, the authentication nodes 201 and 204, the gateway 203, or the service server 205), thereby providing a secure system at all times. network status can be maintained.
  • the interworking system eg, the authentication nodes 201 and 204, the gateway 203, or the service server 205
  • the gateway 203 may be located at the boundary of the network to which the authentication node 201 belongs or the boundary of the network to which the service server 205 belongs. According to one embodiment, the gateway 203 may be connected to the controller 202 based on a cloud.
  • a flow in which data packets are transmitted between the first access control application 211 and the gateway 203 may be referred to as 'data flow'. Data flows can be created in granular units (eg applications) as well as nodes or IP units.
  • the gateway 203 relays data packets received through a channel such as authorized tunneling or session to the service server 205 so that the service server 205 can process the service request received from the authenticated target.
  • structure can be provided.
  • the service server 205 provides a separated network structure that can process service requests for the non-authenticated node 206 instead of the gateway 203, so that the service server 205 must use the gateway 203 to provide service. can solve the problem of inline structure that needs to be processed.
  • the authentication node 201 may include a connection control application 211 and a network driver (not shown) for managing the network connection of the first target application 212 stored in the authentication node 201 .
  • a connection control application 211 allows the first target application 212 to access. can decide whether If the first target application 212 is accessible, the first target application 212 may transmit a data packet including authentication information to the gateway 203 .
  • the access control application 211 may control transmission of data packets through a kernel including an operating system and a network driver within the authentication node 201 .
  • FIG. 3 is a functional block diagram illustrating a database stored in a controller according to various embodiments.
  • the controller includes a communication circuit for communicating with an external electronic device (eg, the communication circuit 430 of FIG. 4) and a processor for controlling the overall operation of the controller (eg, FIG. Four processors 410) may be further included.
  • node 201 may include authentication node 201 of FIG. 2 .
  • the unauthenticated node 206 of FIG. 2 may not have network access controlled by the controller 202 because the access control application is not installed.
  • the access policy database 311 may include information about networks and/or services to which the identified networks, nodes, or applications may access.
  • the controller 202 when requesting network access from the access control application 211, identifies a network based on a policy of the access policy database 311 (eg, a network to which the node 201 belongs), a node, A user (eg, a user of the node 201) and/or an application (eg, a target application 212 included in the node 201) may determine whether access to the service server 205 is possible.
  • the controller 202 may create a whitelist of target applications 212 accessible to a specific service (eg, IP and port) based on the access policy database 311 .
  • the channel policy database 312 is a gateway (eg, gateway 203 of FIG. 2) and a proxy existing between service servers (eg, service server 205 of FIG. 2) on a connection path according to policies. information may be included.
  • the blacklist policy database 313 is a target (e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID) may indicate a blacklist registration policy for blocking access.
  • a target e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID
  • a target e.g., a node ID (eg, node ID ( identifier), an IP address, a media access control (MAC) address, or a user ID
  • MAC media access control
  • the blacklist database 314 may include a list of objects blocked by the blacklist policy database 313 .
  • the controller 202 may isolate the node 201 by rejecting the network access request when identification information of the node 201 requesting network access is included in the blacklist database 314 .
  • the control flow table 315 is an example of a session table for managing a flow (eg, control flow) of control data packets generated between the node 201 and the controller 202 .
  • control flow information may be generated by the controller 202 .
  • the control flow information may include at least one of control flow identification information, an IP address identified during access to and authentication of a controller, a node ID, and a user ID.
  • the controller 202 may search for control flow information through control flow identification information received from the node 201, and the searched control flow Whether the node 201 can access the service server 205 by mapping at least one of the IP address, node ID, or user ID included in the information to the access policy database 311, data flow for data packet transmission It can be judged (determined) whether it is created or not.
  • a control flow may have an expiration time.
  • the node 201 needs to update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed.
  • the controller 202 may remove the control flow according to the connection termination request of the node 201 .
  • the connection of the node 201 may be blocked because the previously generated data flow is also removed.
  • the data flow table 316 is a table for managing a flow (eg, data flow) in which detailed data packets are transmitted between the node 201 and the gateway 203 and the service server 205 .
  • Data flows can be created in TCP sessions, applications, or more granular units.
  • the data flow table 316 may include data flow information for tunneling and session management of the application (eg, the first target application 212) of the node 201, the gateway 230, and the service server 205. there is.
  • the data flow table 316 may include an application ID, destination IP address, and/or service port for identifying whether a data packet transmitted from a source is an authorized data packet.
  • the data flow table 316 may be managed based on control flow IDs.
  • the data flow table 316 may include state information including whether or not the data flow is valid and authorized destination information for determining whether data packets are forwarded based on source IP, destination IP, and port information of the data packet. can According to an embodiment, the data flow table 316 may further include information indicating whether tunneling or a session is created between the application and the gateway 203 . According to the embodiment, the data flow table 316 includes information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and algorithm information for authentication information when the target application transmits authentication information when transmitting a data packet to the service server. It may include authentication information including a series of information included in (e.g., information such as Secret Key when generating HMAC OTP).
  • the data flow table 316 may be equally stored in the nodes 201 and 204, the gateway 203, or the service server 205.
  • the authentication policy database 317 determines whether or not the gateway 203 existing between the network boundaries of the service server 205 on a connection path authenticates a service request according to a policy and, if the authentication is performed, an authentication method and information.
  • a set of related policies can be set.
  • the authentication policy database 317 transmits authentication information when a target application transmits a data packet to a service server, information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and algorithm information. It may include information for generating authentication information including a series of included information (eg, information such as Secret Key when generating HMAC OTP).
  • authentication information generated based on the authentication policy database 317 may be transmitted to the nodes 201 and 204, the gateway 203, or the service server 205.
  • the target applications 212 , 213 , and 222 may perform a service processing request to the service server 205 based on authentication information received from the controller 202 .
  • the service server 205 may determine whether the service processing request has been received from the authenticated subject based on the authentication information.
  • FIG. 4 shows a functional block diagram of a node in accordance with various embodiments.
  • a node may include a processor 410 , a memory 420 , and a communication circuit 430 .
  • the node may further include a display 440 to interface with a user.
  • the nodes may include the authenticated nodes 201 and 204 and the non-authenticated node 206 of FIG. 2 .
  • the processor 410 may control the overall operation of the node.
  • the processor 410 may include a single processor core or may include a plurality of processor cores.
  • the processor 410 may include multi-cores such as dual-core, quad-core, and hexa-core.
  • the processor 410 may further include an internal or external cache memory.
  • the processor 410 may be configured with one or more processors.
  • the processor 410 may include at least one of an application processor, a communication processor, or a graphical processing unit (GPU).
  • GPU graphical processing unit
  • processor 410 is electrically or operatively coupled to other components within the node (e.g., memory 420, communication circuitry 430, or display 440). (coupled with) or connected to.
  • the processor 410 may receive commands from other components of the node, interpret the received commands, and perform calculations or process data according to the interpreted commands.
  • the processor 410 may interpret and process messages, data, commands, or signals received from the memory 420 , the communication circuit 430 , or the display 440 .
  • the processor 410 may generate a new message, data, command, or signal based on the received message, data, command, or signal.
  • Processor 410 may provide processed or generated messages, data, instructions, or signals to memory 420 , communication circuitry 430 , or display 440 .
  • the processor 410 may process data or signals generated or generated by a program. For example, the processor 410 may request instructions, data, or signals from the memory 420 to execute or control a program. The processor 410 may record (or store) or update instructions, data, or signals in the memory 420 to execute or control a program.
  • the memory 420 may store commands for controlling nodes, control command codes, control data, or user data.
  • the memory 420 may include at least one of an application program, an operating system (OS), middleware, or a device driver.
  • OS operating system
  • middleware middleware
  • device driver a device driver
  • the memory 420 may include one or more of volatile memory and non-volatile memory.
  • Volatile memory includes dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), and ferroelectric RAM (FeRAM).
  • DRAM dynamic random access memory
  • SRAM static RAM
  • SDRAM synchronous DRAM
  • PRAM phase-change RAM
  • MRAM magnetic RAM
  • RRAM resistive RAM
  • FeRAM ferroelectric RAM
  • the nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, and the like.
  • the memory 420 uses a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS). can include more.
  • a nonvolatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS).
  • HDD hard disk drive
  • SSD solid state disk
  • eMMC embedded multi media card
  • UFS universal flash storage
  • the memory 420 may store the first target application 212 , the second target application 213 , and the first connection control application 211 of FIG. 2 . Also, the memory 420 may store the third target application 222 , the second connection control application 221 , and the fourth target application 216 of FIG. 2 .
  • the access control applications 211 and 221 may perform control flow creation and update functions with the controller 202 . To this end, the access control applications 211 and 221 may include one or more security modules.
  • the memory 420 may store some of the information included in the memory of the controller (eg, the memory 330 of FIG. 3 ).
  • the memory 420 may store the data flow table 316 described in FIG. 3 .
  • the communication circuit 430 establishes a wired or wireless communication connection between the node and an external electronic device (eg, the controller 202, gateway 203 or service server 205 of FIG. 2) and performs communication through the established connection.
  • an external electronic device eg, the controller 202, gateway 203 or service server 205 of FIG. 2
  • the communication circuit 430 may be a wireless communication circuit (eg, cellular communication circuit, short-range wireless communication circuit, or global navigation satellite system (GNSS) communication circuit) or a wired communication circuit (eg, a local area network (LAN)).
  • GNSS global navigation satellite system
  • LAN local area network
  • communication circuit or power line communication circuit
  • a short-distance communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association) or a cellular network
  • IrDA infrared data association
  • long-distance communication such as the Internet
  • computer network It may communicate with an external electronic device through a network.
  • the various types of communication circuits 430 described above may be implemented as a single chip or may be implemented as separate chips.
  • the display 440 may output content, data, or signals.
  • the display 440 may display image data processed by the processor 410 .
  • the display 440 may be configured as an integral touch screen by being combined with a plurality of touch sensors (not shown) capable of receiving a touch input.
  • a plurality of touch sensors may be disposed above the display 440 or below the display 440 .
  • a server may include a processor 410 , a memory 420 , and a communication circuit 430 .
  • the processor 410, memory 420, and communication circuit 430 included in the server may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.
  • a gateway (eg, the gateway 203 of FIG. 2 ) according to an embodiment may include a processor 410 , a memory 420 , and a communication circuit 430 .
  • the processor 410, memory 420, and communication circuit 430 included in the gateway may be substantially the same as the processor 410, memory 420, and communication circuit 430 described above.
  • 5 and 6 describe an operation of controlling transmission of a data packet according to various embodiments.
  • the first access control application 211 detects a request for network access to the service server 205 from the first target application 212 included in the authentication node 201, and the authentication node 201 Alternatively, it may be determined whether the first connection control application 211 is connected to the controller 202 . When the authentication node 201 or the first access control application 211 is not connected to the controller 202, the first access control application 211 sends data packets from a kernel including an operating system or a network driver. transmission can be blocked. Through the first access control application 211, the authentication node 201 may block access of malicious applications in advance in the application layer of the OSI layer.
  • the data packet transmitted from the first access control application 211 is blocked by the gateway 203 and the first access control application 211 can only request access to the controller 202 .
  • the gateway 203 existing at the boundary of the network blocks data packets for which the corresponding channel does not exist, the data packets transmitted from the authentication node 201 (eg, data packets for TCP session creation) are sent to the service server. (205) may not be reached. In other words, the authentication node 201 can be isolated from the service server 205.
  • the service server 205 may request authentication of the data flow from the controller 202 when a service request is received (or when a data packet is received), and if the data flow authentication fails, the service request or block data packets.
  • a fourth target application 216 may provide a structure capable of always accessing the service server 205 through an existing network path.
  • the service server 205 provides a separate network structure capable of processing a service request for an unauthorized node 206 rather than the gateway 203 so that the service server 205 must pass through the gateway 203. It can solve the problem of the inline structure incurring cost because the service must be processed.
  • FIG. 7 shows a signal flow diagram for controller connection according to various embodiments.
  • node 201 Since the node 201 needs to be authorized by the controller 202 to access or receive the network, the access control application 211 of the node 201 requests the controller 202 to create a control flow, thereby 201) can try to connect to the controller.
  • node 201 and access control application 211 may be substantially the same as authentication node 201 and first connection control application 211 of FIG. 2 .
  • node 201 may detect a controller connection event. For example, when the connection control application 211 is installed and executed within the node 201, the node 201 may detect that a connection to the controller 202 is requested.
  • node 201 may request controller connection from controller 202 .
  • the access control application 211 may transmit identification information of the access control application 211 to the controller 202 .
  • the access control application 211 may include identification information of the node 201 (eg, terminal ID, IP address, MAC address), type, location, environment, identification information of the network to which the node 201 belongs, and/or network Arbitrary identification information generated by the system itself may be further transmitted.
  • the controller 202 may identify whether or not the controller connection request (eg, the access control application 211 or the node 201) is accessible. According to one embodiment, the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.
  • the controller connection request eg, the access control application 211 or the node 201
  • the controller 202 determines whether information received from the node 201 is included in the access policy database 311, the node 201, the network to which the node 201 belongs, and/or the connection. Based on at least one of whether the identification information of the control application 211 is included in the blacklist database 314 , it is possible to check whether the controller connection requesting object is accessible.
  • the controller 202 may create a control flow between the node 201 (or the connection control application 211 ) and the controller 202 .
  • the controller 202 generates control flow identification information in the form of random numbers, and converts identification information of at least one of the node 201, the network to which the node 201 belongs, or the access control application 211 into a control flow table ( 315) can be stored.
  • Information stored in the control flow table 315 may be used for user authentication of the node 201 , information update of the node 201 , policy check for network access of the node 201 , and/or validation.
  • the controller 202 connects from the access policy database 311 and the channel policy database 312 corresponding to the identified information (eg, the node 201 and source network information to which the node 201 belongs).
  • the identified information eg, the node 201 and source network information to which the node 201 belongs.
  • Whitelist information of possible applications can be created.
  • the controller 202 may send the application white list to the connection control application 211 at operation 725 .
  • the controller 202 may transmit control flow identification information to the node 201 in response to the controller connection request. Depending on the embodiment, if the object requesting controller access is unavailable or is included in the blacklist, the controller 202 may transmit access unavailability information in operation 725 without generating a control flow. In one embodiment, the controller 202 may transmit the application white list generated through the execution of operation 720 to the connection control application 211 .
  • the access control application 211 may perform a check on the application.
  • the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 .
  • the access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.
  • the access control application 211 may send the application check result to the controller 202 .
  • the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .
  • the controller 202 may check whether the application is valid based on the received application information. If it is a valid application, the controller 202 selects the gateway 203 where the node 201 is located in the access policy database 311 and the authentication policy database 317 to allow access of the node 201 connected to the network. You can check. In addition, the controller 202 may generate a data flow based on source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. According to the embodiment, the data flow includes information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series included in the algorithm when the target application transmits authentication information when transmitting data packets to the service server. It may include authentication information including information (eg, information such as Secret Key when generating HMAC OTP).
  • information eg, information such as Secret Key when generating HMAC OTP.
  • the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 745 and 750).
  • the access control application 211 may process the resulting value according to the received response.
  • the connection control application 211 may store the received control flow identification information and display a user interface screen indicating completion of the controller connection to the user.
  • the request for network connection of the node 201 to the destination network may be controlled by the controller 202 .
  • controller 202 may determine that node 201 is unreachable. For example, if identification information of the node 201 and/or a network to which the node 201 belongs is included in a blacklist database, the controller 202 may determine that the node 201 is inaccessible. In this case, the controller 202 may transmit a response indicating that access to the controller is impossible in operation 725 without generating a control flow in operation 715 . Also, in this case, operations 730 to 750 may not be performed. Depending on the embodiment, if a controller connection needs to be retried, the connection control application 211 may perform operation 705 again.
  • the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed. Afterwards, when a data packet transmission request is detected, the access control application 211 may process the data packet to be transmitted based on authentication information included in the received data flow.
  • operations 730 to 750 may not be performed.
  • FIG. 8 shows a signal flow diagram for user authentication according to various embodiments.
  • the access control application 211 of the node 201 may authenticate the user of the node 201 from the controller 202 .
  • node 201 may be substantially the same as authentication node 201 of FIG. 2 in which access control application 211 is installed.
  • node 201 may receive an input for user authentication.
  • An input for user authentication may be, for example, a user input for inputting a user ID and password.
  • the input for user authentication may be a user input (eg, biometric information) for stronger authentication.
  • the access control application 211 of the node 201 may request user authentication from the controller 202 in operation 805 . If the control flow between the node 201 and the controller 202 has already been created, the access control application 211 may transmit input information for user authentication together with control flow identification information.
  • controller 202 may authenticate the user based on the information received from node 201 .
  • the controller 202 may use the user ID, password, and/or enhanced authentication information included in the received information and a database included in the memory of the controller 202 (e.g., the access policy database of FIG. 3). 311 or the blacklist database 314), it is possible to determine whether the user can access according to the access policy and whether the user is included in the blacklist.
  • the controller 202 may add user identification information (eg, user ID) to identification information of the control flow.
  • user identification information eg, user ID
  • the added user identification information can be used for the authenticated user's controller access or network access.
  • the controller 202 may generate accessible application information based on the access policy database 311 or the channel policy database 312 in operation 820 .
  • the accessible application information may be an application whitelist generated based on an access policy.
  • the controller 202 may transmit information indicating that the user is authenticated to the node 201 in response to the user authentication request. In addition, the controller 202 may transmit accessible application information to the access control application 211 .
  • the access control application 211 may perform a check on the application.
  • the access control application 211 can perform a check for applications based on the white list of accessible applications received from the controller 202 .
  • the access control application 211 may check whether the application exists (installed) in the node 201 based on the accessible application information, and in the case of the existing application, integrity and stability are checked according to the validation policy ( Above the application, tampering inspection, code signing inspection, fingerprint inspection) can be performed.
  • the access control application 211 may transmit the application check result to the controller 202 .
  • the access control application 211 may transmit information about existing applications and results of validation to the controller 202 .
  • the controller 202 may check whether the application is valid based on the received application information. If it is a valid application, the controller 202 selects the gateway 203 where the node 201 is located in the access policy database 311 and the authentication policy database 317 to allow access of the node 201 connected to the network. You can check. In addition, the controller 202 may generate a data flow based on source IP, destination IP, and port information so that the node 201 can transmit data packets without a network access request procedure. According to the embodiment, the data flow includes information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series included in the algorithm when the target application transmits authentication information when transmitting data packets to the service server. It may include authentication information including information (eg, information such as Secret Key when generating HMAC OTP).
  • information eg, information such as Secret Key when generating HMAC OTP.
  • the controller 202 may transmit the generated data flow to the gateway 203 and the access control application 211 (operations 845 and 850).
  • the access control application 211 may process the resulting value according to the received response. For example, the access control application 211 may store the received control flow identification information and display a user interface screen indicating completion of user authentication to the user. When user authentication is complete, the request for network access of the node 201 to the destination network may be controlled by the controller 202 .
  • controller 202 may determine that user authentication of node 201 is not possible. For example, if identification information of the node 201 and/or the network to which the node 201 belongs is included in the blacklist database, the controller 202 may determine that the node 201 is inaccessible and user authentication is not possible. . In this case, the controller 202 may not reflect user identification information in operation 815 and may transmit a response indicating that access to the controller is impossible in operation 825 . Also, in this case, operations 830 to 850 may not be performed.
  • the access control application 211 updates the data flow of the node 201 when the data flow received from the controller 202 exists, and transmits the data packet based on the data flow allowed in advance when accessing the network. data flow can be managed.
  • operations 830 to 850 may not be performed when the application test is not required.
  • FIG 9 illustrates a signal flow diagram for network access according to various embodiments.
  • node 201 After node 201 is authorized by controller 202, node 201 controls the network access of other applications stored in node 201 through node 201's access control application 211 to provide trusted data. delivery can be guaranteed. According to an embodiment, node 201 may be substantially the same as authentication node 201 of FIG. 2 in which access control application 211 is installed.
  • connection control application 211 may detect a network connection event of another application stored in the node 201 (eg, the first target application 212 of FIG. 2 ).
  • the access control application 211 may check the existence of a data flow corresponding to identification information of the application requesting network access, destination network identification information, and port information. Depending on the embodiment, if a data flow exists but is not valid, the access control application 211 may drop the data packet. According to another embodiment, if a data flow exists, the access control application 211 may transmit a data packet based on the data flow. According to the embodiment, the access control application 211 of the node 201 may perform a network access request in operation 915 without performing operation 910 .
  • the access control application 211 may request the controller 202 to access the network.
  • the network access request may include control flow identification information, destination network identification information, and port information.
  • the controller 202 determines the access requested identification information (eg, destination network identification information) in the access policy corresponding to the identified information (eg, node, user, source network identification information) based on the control flow identification information. and port information) and whether the destination network is accessible can be checked. According to an embodiment, the controller 202 may check whether the target application can access the gateway 203 or the service server 205 . Depending on the embodiment, the controller 202 may transmit a connection failure result to the connection control application 211 of the node 201 when network access is impossible (operation 935).
  • the access requested identification information eg, destination network identification information
  • the identified information eg, node, user, source network identification information
  • the controller 202 may check whether a channel between the node 201 and the gateway 203 can be created, whether data packet authentication is required, and an authentication method based on the channel policy and the authentication policy.
  • the controller 202 may check whether a channel such as tunneling or session to be created between the node 201 and the gateway 203 can be created in order to access the corresponding network. For example, if a channel can be created, but accessible channel information or valid data flow information does not exist in the data flow table, the channel A data flow including creation information may be created. According to an embodiment, when channel creation is not required, the controller 202 may not generate a data flow including channel creation information.
  • the controller 202 may check whether a valid data flow corresponding to the identification information and port information of the destination network exists in the data flow table. According to the embodiment, if a valid data flow exists in the data flow table, the controller 202 may transmit the corresponding data flow to the gateway 203 and the access control application (operations 930 and 935). According to another embodiment, if a valid data flow does not exist, the controller 202 may create a data flow based on a transport protocol, source IP, destination IP, port information, authentication policy, and service filtering policy. In this case, the controller 202 may transmit the generated data flow to the gateway 203 and the access control application (operations 930 and 935).
  • the data flow includes information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and a series included in the algorithm when the target application transmits authentication information when transmitting data packets to the service server. It may include authentication information including information (eg, information such as Secret Key when generating HMAC OTP).
  • the controller 202 may transmit a network connection failure result to the access control application in operation 935 .
  • the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 . For example, when the connection control application 211 receives a network connection failure result from the controller 202, it may drop a data packet to be transmitted by the target application. For another example, when a data flow is received from the controller 202 and channel creation is not required, the access control application 211 may transmit a data packet based on the received data flow.
  • the access control application 211 may receive a data flow including channel creation information and create a channel with the gateway 203 if channel creation is necessary (operation 945). For example, when channel creation is complete, the access control application 211 may transmit a data packet based on the created channel. For another example, if channel creation fails, the access control application 211 may drop the data packet.
  • the access control application 211 may perform validation on the access application according to the validation policy. For example, the access control application 211 may further perform an integrity and stability test of the access application (forgery or tampering test, code signing test, fingerprint test, etc.). The access control application 211 may perform operation 915 when the validation result is successful.
  • Node 201, target application 212 and access control application 211 of FIG. 10 are substantially similar to authentication node 201, first target application 212 and first connection control application 211 of FIG. 2, respectively. can be the same
  • the target application 212 may perform a service authentication request (first service authentication request) to the access control application 211.
  • the target application 212 accessing the service server (eg, the service server 205 of FIG. 2 ) through the access control application 211 based on the operations shown in FIG. 9 corresponds to the corresponding service request result.
  • a request for authenticating a major transaction of a service may be performed through an application programming interface (API) of the access control application 211 .
  • the service authentication request may include service server identification information (eg, IP and port information) for identifying the service server.
  • the network access control system is used for the purpose of confirming that the authenticated node 201 is connected between the target application 212 and the service server through a service authentication request and a specific transaction within the service (eg, transaction authentication, user Login, etc.) authentication, authentication based on authentication information between the target application 212 and the controller 202, not the service server's own authentication process, for the authenticated node and user. can provide a way to do it.
  • a service authentication request eg, transaction authentication, user Login, etc.
  • the access control application 211 may check the data flow in response to the service authentication request. For example, the access control application 211 may check existence of a data flow corresponding to the identification information of the service server included in the service authentication request and the identification information of the target application 212 requesting authentication. Depending on the embodiment, if the data flow does not exist, the access control application 211 may determine that the authentication request is for an abnormal application or a disallowed service server, and may transmit service authentication request failure information (operation 1045 ).
  • the access control application 211 may request additional confirmation of the service authentication request from the user (operation 1015). In this case, if there is a rejection of the user's authentication request, the access control application 211 may transmit service authentication request failure information to the target application 212 (operation 1045). According to other embodiments, operation 1015 may not be performed.
  • the access control application 211 requests a service authentication (second service authentication request).
  • the controller 202 may check whether a data flow corresponding to the service authentication request received from the access control application 211 exists. Depending on the embodiment, if the data flow does not exist, the controller 202 may transmit service authentication request failure information to the access control application 211 (operation 1040).
  • the controller 202 may check the access policy and authentication policy. For example, the controller 202 can check whether the service authentication request is valid in the access policy and authentication policy. Depending on the embodiment, when an identified object such as a node 201, a user, or a target application 212 cannot authenticate with a service server, or when a risk factor due to a periodic service authentication request is detected, service authentication is performed. If unsuccessful, the controller 202 may transmit service authentication request failure information to the access control application 211 (operation 1040).
  • the controller 202 uses information for encrypting or decrypting authentication information, algorithm information for generating and verifying authentication information, and algorithm for authentication of data flow between the target application 212 and the service server in the authentication policy. It is possible to generate authentication information including a series of information included in (e.g., information such as Secret Key when generating HMAC OTP). In addition, the controller 202 may update information for validating the service authentication required state of the data flow and the authentication information.
  • the controller 202 may transmit a service authentication request result to the access control application 211.
  • the controller 202 may transmit authentication information, service authentication request success information, and updated data flow to the access control application 211 .
  • the access control application 211 may transfer the service authentication request result received from the controller 202 to the target application 212 .
  • the access control application 211 may transfer authentication information received from the controller 202 to the target application 212 when the service authentication request result is successful.
  • the access control application 211 may transmit a service authentication request failure result to the target application 212 .
  • the target application 212 may process service authentication based on the service authentication request result. For example, when the result of the service authentication request is failure, the target application 212 may not perform the service authentication process request. For another example, if the service authentication request is successful, the target application 212 may perform a service authentication processing request. According to embodiments, the service authentication process request may be performed through operations shown in FIG. 11 .
  • FIG. 11 illustrates an operational flow diagram for processing a service authentication processing request according to various embodiments.
  • the target application 212 may request a service authentication process to the service server 205.
  • the target application 212 may perform a service authentication process request to the service server based on data flow authentication information including data flow identification information received in response to a service authentication request of the access control application 211 there is.
  • the service server 205 may receive a service authentication processing request from the target application 212 and check whether the service authentication processing request is received from an authorized subject. According to embodiments, the service server 205 may directly perform operation 1115 without performing operation 1110 .
  • the service server 205 may perform an authentication information check request to the controller 202 based on the data flow authentication information included in the received service authentication processing request.
  • the controller 202 may check whether a data flow corresponding to the data flow identification information included in the received data flow authentication information exists. For example, the controller 202 may check whether a corresponding data flow exists in a data flow table included in a database. Depending on the embodiment, if the data flow does not exist, the controller 202 may transmit the authentication information check failure result to the service server 205 (operation 1125).
  • the controller 202 may decrypt the authentication information based on the authentication information decryption algorithm and the decryption key included in the authentication information of the data flow to perform the data flow authentication information check. Depending on the embodiment, if the authentication information decryption fails, the controller 202 may transmit the authentication information check failure result to the service server 205 (operation 1125).
  • the controller 202 may check whether the decrypted authentication information is valid based on an authentication information check algorithm or additional information included in the authentication information of the data flow. Depending on the embodiment, if the authentication information is not valid, the controller 202 may transmit an authentication information check failure result to the service server 205 (operation 1125).
  • the controller 202 authenticates the service request target in the service server 205 based on the authentication policy, and additional information required for authentication (authenticated node, user, application identification information and access method, Information including access location, etc.) and data flow authentication success information may be transmitted to the service server 205 (operation 1125).
  • the service server 205 may perform a service authentication process based on the authentication information check result received from the controller 202. For example, if the authentication information check request fails, the service server 205 may transmit a service authentication processing request failure result to the target application 212 (operation 1135). For another example, if the authentication information check request is successful, the service server 205 based on the received data flow and authentication information (information including the authenticated node, user, application identification information, access method, access location, etc.) It can be matched with user identification information stored in the service server 205, service authentication or transaction authentication processing can be performed, and a service authentication processing request result can be transmitted to the target application 212 (operation 1135).
  • authentication information check request information including the authenticated node, user, application identification information, access method, access location, etc.
  • the service server 205 may store the received data flow.
  • the service server 205 may store a data flow in order to periodically check whether a user is connected through periodic data flow synchronization with the controller 202 .
  • the service server 205 may store the data flow received from the controller 202 in order to examine the data flow by itself thereafter.
  • FIG. 12 illustrates a signal flow diagram for processing a data flow authentication request and a service processing request according to various embodiments.
  • the target application 212 performs a data flow authentication and a service processing request so that whether the service server 205 is an authenticated node is authenticated with respect to the service server 205 and the created service unit or application unit session.
  • the service authentication process request operation performs authentication between the target application 212 and the service server 205 through the controller 202 at every authentication, a strong authentication factor is provided, and a certain authentication is performed at every authentication.
  • a specific transaction e.g., specific transaction authentication, user login authentication, etc.
  • the network access system may provide a simplified authentication factor for authenticating a session between a service server and application units in which service requests and processing frequently occur.
  • the target application 212 may perform a data flow authentication request to the access control application 211 .
  • a data flow authentication request may be performed.
  • the data flow authentication request may include data flow identification information or data flow authentication information.
  • the access control application 211 may check the data flow based on the received data flow identification information or data flow authentication information. For example, the access control application 211 may check whether a data flow corresponding to data flow identification information or data flow authentication information exists.
  • the access control application 211 may return a data flow authentication result.
  • the access control application 211 may transmit a data flow authentication failure result when the data flow does not exist.
  • the access control application 211 may transmit a data flow authentication success result when a data flow exists and is authenticated.
  • operations 1205 to 1215 may not be performed.
  • the target application 212 may perform a service processing request to the service server 205 without performing a data flow authentication request to the access control application 211 .
  • the target application 212 may perform a service processing request to the service server 205.
  • the target application 212 accessing the service server 205 through the access control application 211 based on the operations shown in FIG. 9 sends a request for authenticating the session according to the service request result to the access control application. It can be performed through API (Application Programming Interface) of (211).
  • the service processing request may include identification information (eg, IP and port information) of the service server 205 for the service server 205 .
  • the service server 205 may check whether data flow authentication information is included in the service processing request information. Depending on the embodiment, when data flow authentication information is not included in service processing request information, the service server 205 may transmit service processing request processing and results corresponding to the data flow non-authenticated state to the target application 212. Yes (act 1250).
  • the service server 205 may perform operations 1230 to 1240. For example, in operation 1230, the service server 205 may request a data flow from the controller 202 to authenticate data flow identification information included in service processing request information. In operation 1235, the controller 202 may check the presence of a valid data flow corresponding to the data flow identification information received from the service server 205. If the data flow exists, the controller 202 may transmit a valid data flow including data flow authentication information to the service server 205 in operation 1240 .
  • the controller 202 may transmit data flow request failure information to the service server 205 (operation 1240).
  • the service server 205 may transmit a service processing request failure result to the target application 212 (operation 1250).
  • operations 1230 to 1240 may not be performed when a data flow exists in the service server 205 . That is, after receiving the data flow from the controller 202, it may be unnecessary for the service server 205 to request a data flow from the controller 202 any more. It is possible to provide a network structure that does not require inquiry to (202).
  • the service server 205 determines the data included in the data flow authentication information. Based on the flow identification information, it may be checked whether a valid data flow exists in the data flow table stored in the service server 205 .
  • the service server 205 may decrypt the authentication information based on an authentication information decryption algorithm and a decryption key included in the authentication information of the data flow. Depending on the embodiment, if authentication information decryption fails, the service server 205 may transmit a service processing request failure result indicating a data flow authentication failure state to the target application 212 (operation 1250).
  • the service server 205 may check whether the decrypted authentication information is valid based on an authentication information checking algorithm or additional information included in the authentication information of the data flow. Depending on the embodiment, when the authentication information is invalid, the service server 205 may transmit a service processing request failure result indicating a data flow authentication failure state to the target application 212 (operation 1250).
  • the service server 205 may transmit a service processing request process and result corresponding to the data flow authentication success state to the target application 212 (operation 1250). For example, the service server 205 stores the user stored in the service server 205 based on the received data flow and authentication information (information including authenticated node, user, application identification information, access method, access location, etc.) Identification information may be matched, service authentication or transaction authentication processing may be performed, and a service authentication processing request result may be transmitted to the target application 212 (operation 1250).
  • authentication information information including authenticated node, user, application identification information, access method, access location, etc.
  • FIG. 13 shows a signal flow diagram for updating data flow according to various embodiments.
  • the service server 205 synchronizes the data flow with the controller 202 periodically. It may periodically check whether a user corresponding to the corresponding data flow is accessing.
  • the service server 205 may request a data flow update to the controller 202 .
  • the service server 205 may transmit a data flow identification information list to the controller 202 based on the data flow received from the controller 202 .
  • the controller 202 may update the data flow. For example, the controller 202 may check whether a data flow corresponding to the received data flow identification information exists. Depending on the embodiment, if the data flow does not exist, since the node or user corresponding to the corresponding data flow has terminated the network connection, the controller 202 can no longer use the authentication information of the corresponding data flow in the service server 205. Invalid data flow information may be transmitted to the service server 205 so that the network cannot be accessed (operation 1315).
  • the controller 202 may transmit information indicating that the data flow exists to the service server 205. That is, in operation 1315 , the controller 202 may transmit the data flow update result to the service server 205 .
  • the service server 205 may process the resulting value based on the data flow update result received from the controller 202. For example, the service server 205 may delete an invalid data flow based on the received data flow information, and delete session information managed by the service server 205 itself with the deleted data flow. and the subject authenticated with the deleted session can be processed so that it can no longer access.
  • FIG. 14 illustrates a signal flow diagram for control flow update according to various embodiments.
  • the access control application 211 may detect a control flow update event.
  • the access control application 211 may request a control flow update from the controller 202 based on the control flow identification information.
  • the controller 202 may check whether a control flow exists in a control flow table (eg, the control flow table 315 of FIG. 3) based on the received control flow identification information.
  • a control flow table eg, the control flow table 315 of FIG. 3
  • the controller 202 determines that the connection of the node 201 is valid. Therefore, a connection failure result may be transmitted to the connection control application 211 (operation 1420).
  • the controller 202 may update the update time when a control flow exists in the control flow table (eg, the control flow table 315 of FIG. 3 ). In this case, the controller 202 may transmit identification information of the updated control flow to the connection control application 211 (operation 1420).
  • the controller 202 is required to perform re-authentication among data flows subordinate to the identified control flow, or if there is a data flow to which access is no longer possible, the controller 202 transmits information about the corresponding data flow to an access control application ( 211) (operation 1420).
  • the connection control application 211 of the node 201 may process the resulting value of the response received from the controller 202 .
  • the access control application 211 may block all network accesses of applications when the control flow update result is impossible.
  • the access control application 211 may update the data flow when the control flow update result is normal and updated data flow information exists.
  • 15 illustrates a signal flow diagram for disconnection according to various embodiments.
  • node 201 terminates node 201, terminates access control application 211, terminates target application, no longer uses the network connection, and information identified from the interworking system. At least one of connection termination requests may be detected based on . In this case, at operation 1510, node 201 or access control application 211 may request controller 202 to remove the control flow.
  • the controller 202 may remove the identified control flow based on the received control flow identification information.
  • the controller 202 may remove all data flows dependent on the removed control flow. Thus, node 201 can no longer connect to the destination network based on the removed data flow.
  • the controller 202 may request the gateway 203 to remove all data flows dependent on the removed control flow.
  • the gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.
  • 16 illustrates a signal flow diagram for termination of application execution according to various embodiments.
  • the access control application 211 of the node 201 may check in real time whether or not the running application is terminated, and may detect an application execution end event.
  • the access control application 211 may check whether a data flow corresponding to terminated application identification information and PID (Process ID and Child Process ID Tree) information exists.
  • PID Process ID and Child Process ID Tree
  • the connection control application 211 may perform a data flow removal request to the controller 202 .
  • the access control application 211 may transmit identification information of a terminated application or data flow identification information of a data flow corresponding to the terminated application to the controller 202 and may perform a data flow removal request.
  • the controller 202 may delete the data flow requested to be removed.
  • the controller 202 may perform a removal request for the removed data flow to the gateway 203 (operation 1620).
  • the gateway 203 may remove the data flow, and thus data packets corresponding to source network, destination network, and port information included in the removed data flow may no longer be transmitted.
  • FIG. 17 shows a flowchart of a method of operating a node according to various embodiments. Depending on the embodiment, the operations shown in FIG. 17 may be performed through the first access control application 211 of the authentication node 201 of FIG. 2 .
  • the access control application 211 may receive a first service authentication request of the target application.
  • the access control application 211 may correspond to the identification information of the target application and the identification information of the service server, and may check whether a data flow authorized from an external server exists.
  • the access control application 211 may perform a second service authentication request to the external server based on the data flow identification information or the identification information of the target application and the identification information of the service server. .
  • the access control application 211 may receive a data flow with updated authentication information from an external server in response to the second service authentication request.
  • the access control application 211 may deliver a result of the first service authentication request to the target application.
  • FIG. 18 is a flowchart of a method of operating a server according to various embodiments. Depending on the embodiment, the operations shown in FIG. 18 may be performed through the controller 202 of FIG. 2 .
  • the server (eg, controller 202 of FIG. 2 ) may receive a service authentication request from the node's access control application.
  • the server may check whether a data flow corresponding to the identification information of the target application and the identification information of the service server exists.
  • the server may check whether authentication with the service server is possible based on the database.
  • the server may generate authentication information based on the database and update the data flow based on the authentication information.
  • the server may send the updated data flow to the connection control application.
  • FIG. 19 is a flowchart illustrating a method of operating a service server according to various embodiments. Depending on the embodiment, the operations shown in FIG. 19 may be performed through the service server 205 of FIG. 2 .
  • the service server 205 may receive a service authentication request from the node's target application.
  • the service server 205 may request an external server to check authentication information based on the data flow authentication information.
  • the service server 205 may receive a result of checking authentication information from an external server.
  • the service server 205 may transmit a response to the authentication process request to the target application based on a result of checking authentication information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Un nœud selon un mode de réalisation divulgué dans le présent document peut : recevoir, par l'intermédiaire d'une application de commande d'accès, une première demande d'authentification de service d'une application cible, la première demande d'authentification de service comprenant des informations d'identification d'un serveur de service auquel l'application cible doit accéder ; identifier l'existence ou non d'un flux de données appliqué à partir d'un serveur externe, le flux de données correspondant à des informations d'identification de l'application cible et aux informations d'identification du serveur de service ; lorsque le flux de données existe, transmettre une seconde demande d'authentification de service au serveur externe sur la base d'informations d'identification de flux de données du flux de données, ou des informations d'identification de l'application cible et des informations d'identification du serveur de service ; en réponse à la seconde demande d'authentification de service, recevoir un flux de données contenant des informations d'authentification mises à jour en provenance du serveur externe ; et fournir, à l'application cible, un résultat de la première demande d'authentification de service.
PCT/KR2023/002558 2022-02-24 2023-02-22 Système de commande d'accès au réseau basé sur un dispositif de commande et procédé associé WO2023163514A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020220024309A KR102460695B1 (ko) 2022-02-24 2022-02-24 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR10-2022-0024309 2022-02-24

Publications (1)

Publication Number Publication Date
WO2023163514A1 true WO2023163514A1 (fr) 2023-08-31

Family

ID=83803077

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/002558 WO2023163514A1 (fr) 2022-02-24 2023-02-22 Système de commande d'accès au réseau basé sur un dispositif de commande et procédé associé

Country Status (2)

Country Link
KR (1) KR102460695B1 (fr)
WO (1) WO2023163514A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102460695B1 (ko) * 2022-02-24 2022-10-31 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102564417B1 (ko) * 2022-12-21 2023-08-08 프라이빗테크놀로지 주식회사 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160269286A1 (en) * 2014-01-08 2016-09-15 Tencent Technology (Shenzhen) Company Limited Method and apparatus for transmitting data in network system
KR101662614B1 (ko) * 2012-10-19 2016-10-14 인텔 코포레이션 네트워크 환경에서 암호화된 데이터 검사
KR102204705B1 (ko) * 2019-09-24 2021-01-19 프라이빗테크놀로지 주식회사 네트워크 접속 제어 시스템 및 그 방법
KR102460695B1 (ko) * 2022-02-24 2022-10-31 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101662614B1 (ko) * 2012-10-19 2016-10-14 인텔 코포레이션 네트워크 환경에서 암호화된 데이터 검사
US20160269286A1 (en) * 2014-01-08 2016-09-15 Tencent Technology (Shenzhen) Company Limited Method and apparatus for transmitting data in network system
KR102204705B1 (ko) * 2019-09-24 2021-01-19 프라이빗테크놀로지 주식회사 네트워크 접속 제어 시스템 및 그 방법
KR102223827B1 (ko) * 2019-09-24 2021-03-08 프라이빗테크놀로지 주식회사 단말의 네트워크 접속을 인증 및 제어하기 위한 시스템 및 그에 관한 방법
KR20210045917A (ko) * 2019-09-24 2021-04-27 프라이빗테크놀로지 주식회사 터널 및 데이터 플로우에 기반하여 노드의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법
KR102460695B1 (ko) * 2022-02-24 2022-10-31 프라이빗테크놀로지 주식회사 컨트롤러 기반의 네트워크 접속을 제어하기 위한 시스템 및 그에 관한 방법

Also Published As

Publication number Publication date
KR102460695B1 (ko) 2022-10-31

Similar Documents

Publication Publication Date Title
WO2023163509A1 (fr) Système de commande de connexion de réseau reposant sur un dispositif de commande et procédé associé
WO2021060856A1 (fr) Système et procédé pour un accès au réseau sécurisé d'un terminal
WO2022231306A1 (fr) Système de commande de connexion réseau basée sur un contrôleur et procédé correspondant
WO2023038387A1 (fr) Système de commande d'accès réseau d'application sur la base d'un flux de données, et procédé associé
WO2023033586A1 (fr) Système de commande d'accès réseau d'une application d'après une commande de session tcp, et procédé associé
WO2023146308A1 (fr) Système de commande d'accès au réseau sur la base d'un contrôleur, et procédé associé
WO2023163514A1 (fr) Système de commande d'accès au réseau basé sur un dispositif de commande et procédé associé
WO2023211124A1 (fr) Système de commande de connexion de réseau basée sur un contrôleur et procédé associé
WO2023085793A1 (fr) Système de commande d'accès au réseau sur la base d'un dispositif de commande, et procédé associé
WO2023177238A1 (fr) Système de commande de connexion au réseau basé sur un contrôleur, et son procédé
WO2023136658A1 (fr) Système et procédé reposant sur un dispositif de commande de commande d'accès réseau
WO2023211104A1 (fr) Système permettant de contrôler un accès au réseau basé sur un dispositif de commande, et procédé associé
WO2013085281A1 (fr) Procédé et dispositif de sécurité dans un service informatique en nuage
WO2023085791A1 (fr) Système de contrôle de l'accès au réseau basé sur un contrôleur et procédé associé
WO2023211122A1 (fr) Système de commande de transmission et de réception de fichier d'une application sur la base d'un mandataire et procédé associé
WO2017188610A1 (fr) Procédé et système d'authentification
WO2023090755A1 (fr) Système de contrôle d'accès au réseau d'instance de virtualisation, et procédé associé
WO2023146304A1 (fr) Système de commande de transmission et de réception d'un fichier d'une application et procédé associé
WO2022231304A1 (fr) Système de contrôle d'accès à un réseau basé sur un contrôleur et procédé associé
WO2020050424A1 (fr) SYSTÈME ET PROCÉDÉ BASÉS SUR UNE CHAÎNE DE BLOCS POUR UNE AUTHENTIFICATION DE SÉCURITÉ MULTIPLE ENTRE UN TERMINAL MOBILE ET UN DISPOSITIF D'IdO
WO2023033588A1 (fr) Système de commande de flux de données dans un terminal de virtualisation, et procédé associé
WO2021261728A1 (fr) Dispositif de communication sécurisée pour une fournir une fonction sécurisée multifonctions, et procédé de fonctionnement associé
WO2019027139A1 (fr) Procédé d'authentification d'utilisateur à auto-vérification basé sur une chaîne de blocs dépendant du temps
WO2021060859A1 (fr) Système d'authentification et de contrôle d'accès au réseau d'un terminal, et procédé associé
WO2023211121A1 (fr) Système de commande d'émission et de réception de fichier d'application sur la base d'un proxy, et procédé associé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23760388

Country of ref document: EP

Kind code of ref document: A1