WO2023174143A1 - Data transmission method, device, medium and product - Google Patents


Info

Publication number: WO2023174143A1
Authority: WO (WIPO, PCT)
Prior art keywords: client, destination, authentication, data packet, server
Application number: PCT/CN2023/080407
Other languages: French (fr), Chinese (zh)
Inventor: 聂百川
Original Assignee: 阿里巴巴(中国)有限公司
Application filed by 阿里巴巴(中国)有限公司


Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Verification of identity or authority using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3297 Verification of identity or authority involving time stamps, e.g. generation of time stamps
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for controlling access to devices or network resources
    • H04L63/16 Implementing security features at a particular protocol layer

Definitions

  • the embodiments of the present disclosure relate to the field of communication technology, and specifically relate to a data transmission method, device, medium and product.
  • the service provider of the cloud platform will deploy physical servers and other physical networks into the user's computer room, and deploy cloud products to these physical servers.
  • the underlying (underlay) network of the cloud platform will be exposed beyond the boundaries of the service provider's network isolation and security operation and maintenance, and will rely heavily on the user's own management and protection methods.
  • the risk of attacking the cloud platform through the underlying network will rise sharply.
  • the east-west and north-south communications of the cloud platform are exposed on the underlying network and can be subject to network attacks such as network sniffing, packet hijacking/tampering, listening-port scanning and port attacks. Therefore, how to reduce the security risk of exposing the underlying network in the delivered data center, and so protect the cloud platform, has become an urgent technical problem to be solved.
  • Embodiments of the present disclosure provide a data transmission method, device, medium and product.
  • an embodiment of the present disclosure provides a data transmission method.
  • the data transmission method includes:
  • the destination unreachable message carries a random value
  • the method further includes:
  • the information to be encrypted includes the client identification, or may also include the current timestamp;
  • Generate and return authentication data packets including:
  • generating and returning an authentication data packet includes:
  • the client's transport layer or socket layer responds to the destination unreachable message and generates and returns an authentication data packet.
  • the socket layer is located between the transport layer and the application layer in the protocol stack.
  • the method further includes:
  • using the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain an authentication code includes:
  • the number of authentication times includes the number of times the client is instructed by the destination server to initiate authentication.
  • an embodiment of the present disclosure provides a data transmission method.
  • the data transmission method includes:
  • the first data packet resent by the client is received through the destination port.
  • the destination unreachable message carries a random value
  • the authentication information includes information to be encrypted and an authentication code
  • the information to be encrypted includes a client identifier, or also includes a current timestamp
  • the shared key and access rights of the client are obtained, and the access rights are used to limit the accessible ports of the client on the destination server;
  • when the ports of the destination server that the client may access include the destination port which the first data packet is to reach, it is determined that the client has permission to access the destination port.
  • the method further includes:
  • using the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain a verification code includes:
  • the number of verification times includes the number of times the destination server verifies whether the client has permission to access the destination port.
  • an embodiment of the present disclosure provides a data transmission method.
  • the data transmission method includes:
  • the client executes the method described in the first aspect
  • the destination server executes the method described in the second aspect.
  • an embodiment of the present disclosure provides a data transmission device.
  • the data transmission device includes:
  • the first sending module is configured to send the first data packet to the destination port of the destination server for the first time
  • the first receiving module is configured to receive a destination unreachable message sent by the destination server, where the destination unreachable message is used to instruct the client to initiate authentication;
  • a response module configured to generate and return an authentication data packet in response to receiving the destination unreachable message, where the authentication data packet carries authentication information
  • the second sending module is configured to resend the first data packet to the destination port of the destination server.
  • the destination unreachable message carries a random value
  • the device further includes:
  • a first acquisition module configured to acquire the shared key of the client
  • the first calculation module is configured to use the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain an authentication code, where the information to be encrypted includes a client identification or a current timestamp;
  • the part of the response module that generates and returns authentication data packets is configured as:
  • the part of the response module that generates and returns an authentication data packet in response to receiving the destination unreachable message is configured as:
  • the client's transport layer or socket layer responds to the destination unreachable message and generates and returns an authentication data packet.
  • the socket layer is located between the transport layer and the application layer in the protocol stack.
  • the device further includes:
  • the second receiving module is configured to regularly receive destination unreachable messages sent by the destination server.
  • the first computing module is configured as:
  • the number of authentication times includes the number of times the client is instructed by the destination server to initiate authentication.
  • an embodiment of the present disclosure provides a data transmission device.
  • the data transmission device includes:
  • a discarding module configured to discard the first data packet sent by the client for the first time when receiving the first data packet
  • the third sending module is configured to return a destination unreachable message to the client, where the destination unreachable message is used to instruct the client to initiate authentication;
  • the third receiving module is configured to receive the authentication data packet sent by the client, where the authentication data packet carries authentication information;
  • An opening module configured to allow access to the destination port for the client when it is determined based on the authentication information that the client has the authority to access the destination port;
  • the fourth receiving module is configured to receive the first data packet resent by the client through the destination port.
  • the destination unreachable message carries a random value
  • the authentication information includes information to be encrypted and an authentication code
  • the information to be encrypted includes a client identifier, or also includes a current timestamp
  • the part of the opening module that determines that the client has the permission to access the destination port based on the authentication information is configured as:
  • the shared key and access rights of the client are obtained, and the access rights are used to limit the accessible ports of the client on the destination server;
  • when the ports of the destination server that the client may access include the destination port which the first data packet is to reach, it is determined that the client has permission to access the destination port.
  • the device further includes:
  • the fourth sending module is configured to regularly send destination unreachable messages to the client.
  • using the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain a verification code includes:
  • the number of verification times includes the number of times the destination server verifies whether the client has permission to access the destination port.
  • an embodiment of the present disclosure provides a data transmission device.
  • the data transmission device includes:
  • a client configured to perform the method described in the first aspect
  • the destination server is configured to perform the method described in the second aspect.
  • embodiments of the present disclosure provide an electronic device, including a memory and a processor.
  • the memory is used to store one or more computer instructions that support the above device to perform the above method.
  • the processor is configured to execute the computer instructions stored in the memory.
  • embodiments of the present disclosure provide a computer-readable storage medium on which computer instructions are stored. When the computer instructions are executed by a processor, the method steps described in any of the above aspects are implemented.
  • embodiments of the present disclosure provide a computer program product, including a computer program/instruction, wherein when the computer program/instruction is executed by a processor, the method steps described in any of the above aspects are implemented.
  • with the above technical solution, when the client sends the first data packet to the destination port of the server for the first time, the server refuses to receive it and sends a destination unreachable message to the client, instructing the client to initiate authentication; in response to receiving the destination unreachable message, the client generates and returns an authentication data packet carrying authentication information. Only when the server determines, based on the authentication information, that the client has the authority to access the destination port will it open access to the destination port for the client. At this point the client can legally access the destination port of the server, and re-sends the first data packet to the destination port of the server for access.
  • Figure 1 shows a structural block diagram of a cloud platform according to an embodiment of the present disclosure.
  • FIG. 2 shows a flow chart of a data transmission method applied to a client according to an embodiment of the present disclosure.
  • FIG. 3 shows a flow chart of a data transmission method applied to a destination server according to an embodiment of the present disclosure.
  • FIG. 4 shows an overall flow chart of a data transmission method according to an embodiment of the present disclosure.
  • FIG. 5 shows a structural block diagram of a data transmission device applied to a client according to an embodiment of the present disclosure.
  • FIG. 6 shows a structural block diagram of a data transmission device applied to a destination server according to an embodiment of the present disclosure.
  • FIG. 7 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a computer system suitable for implementing the method according to an embodiment of the present disclosure.
  • the acquisition of user information or user data is an operation authorized, confirmed by the user, or actively selected by the user.
  • the service provider of the cloud platform will deploy physical servers and physical networks into the user's computer room, and deploy cloud products to these physical servers.
  • the underlying network of the cloud platform will be exposed outside the boundaries of the service provider's network isolation and security operation and maintenance, and will depend greatly on the user's own management and protection methods.
  • the risk of attacking the cloud platform through the underlying network has increased sharply.
  • the east-west and north-south communications of the cloud platform are exposed on the underlying network and can be subject to network attacks such as network sniffing, packet hijacking/tampering, listening-port scanning and port attacks. Therefore, how to reduce the security risk of exposing the underlying network in the delivered data center, and so protect the cloud platform, has become an urgent technical problem to be solved.
  • Figure 1 shows a structural block diagram of a cloud platform according to an embodiment of the present disclosure.
  • the service provider side provides various cloud products for enterprises on the enterprise user side. These cloud products will be deployed on the user-side servers on the enterprise user side.
  • the east-west traffic of the underlying network is switched on the local switching network on the enterprise user side.
  • the northbound traffic of the underlying network requires the service provider side to open the southbound port of the service provider server to the enterprise user side, and the southbound traffic of the underlying network requires the enterprise user side to open the northbound port of the user-side server to the service provider side.
  • the service provider side will configure network isolation and security operation and maintenance to protect the network on the service provider side, while the network on the enterprise user side relies heavily on the user's management and protection methods.
  • the present disclosure proposes a data transmission method.
  • when the client sends the first data packet to the destination port of the server for the first time, the server refuses to receive it and sends a destination unreachable message to the client, instructing the client to initiate authentication;
  • in response to receiving the destination unreachable message, the client generates and returns an authentication data packet carrying authentication information;
  • only when the server determines, based on the authentication information, that the client has the authority to access the destination port will it open access to the destination port for the client;
  • at this point the client can legally access the destination port of the server, and re-sends the first data packet to the destination port of the server for access.
  • the server port can only be accessed after authentication has passed, which reduces the security risk of exposing the underlying network in the delivered data center and protects the cloud platform.
  • FIG. 2 shows a flow chart of a data transmission method applied to a client according to an embodiment of the present disclosure.
  • the data transmission method includes the following steps S201-S204:
  • step S201 the first data packet is sent to the destination port of the destination server for the first time
  • step S202 receive a destination unreachable message sent by the destination server, where the destination unreachable message is used to instruct the client to initiate authentication;
  • step S203 in response to receiving the destination unreachable message, generate and return an authentication data packet, where the authentication data packet carries authentication information;
  • step S204 the first data packet is re-sent to the destination port of the destination server.
  • the data transmission method can be applied to data transmission within the underlying network in a delivery data center.
  • the data transmission in the underlying network is as shown in Figure 1, and includes access between the east-west ports of user-side servers on the enterprise user side, and access from a user-side server on the enterprise user side to the southbound port of the service provider side server.
  • Each server in the network is installed with multiple applications, and different applications can provide different services.
  • the application in the source server that initiates the access is called the client, and may also be called the IH (Initiating Host) process;
  • the application on the destination server that receives the access is called the server, and may also be called the AH (Accepting Host) process.
  • each client initiating access has its own IHIP and IHport (IH port), that is, source IP and source port.
  • the server receiving the access likewise has its own AHIP and AHport, that is, destination IP and destination port.
  • the data packet sent by the client to the server carries the source IP, source port, destination IP and destination port to indicate the source and destination of the packet.
  • when the client wants to initiate access to the server, it sends the first data packet to the destination port of the destination server where the server is located (that is, the port corresponding to the server).
  • the first data packet at this time is sent for the first time.
  • as the data sent by the client passes through each protocol layer, the protocol header and trailer of the corresponding layer are attached, that is, the data is protocol-encapsulated to identify the communication protocol used by that layer.
  • TCP/IP has two main transport layer protocols, namely TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Therefore, the first data packet sent by the client can be either a TCP packet or a UDP packet.
  • for TCP, the client needs to perform a three-way handshake with the server to establish a connection, so the first data packet sent by the client is a TCP SYN (Synchronize Sequence Numbers) packet;
  • the transport layer of the client protocol stack constructs the TCP SYN packet and passes it to the lower layers of the protocol stack for transmission.
  • for UDP, the transport layer of the client protocol stack directly encapsulates the UDP datagram and passes it to the lower layers of the protocol stack for transmission.
  • each server in the underlying network is configured with a firewall, such as an SDP (Software Defined Perimeter) firewall, and a client's access to any server on that server must pass through the firewall.
  • the firewall has a deny-all policy that denies access to all unverified clients, so each port of the server is invisible to the network. Therefore, when the destination server receives the first data packet sent by the client for the first time, it directly discards the first data packet and sends a destination unreachable message to the client, instructing the client to initiate authentication.
  • in one example, the destination unreachable message may be an ICMP (Internet Control Message Protocol) message, and the ICMP message carries an identifier that instructs the client to initiate authentication.
  • after receiving the destination unreachable message, the client immediately constructs an authentication data packet and sends it to the destination server for authentication.
  • the authentication data packet carries authentication information.
  • after the destination server receives the authentication data packet, it determines, based on the authentication information, whether the client has the authority to access its destination port. If it determines that the client has that authority, the client is a legal visitor to the destination port, and the destination server authorizes the client's IHIP and IHport to access the server's AHIP and AHport.
  • the IHIP refers to the IP of the server where the client is located (the source server);
  • the IHport refers to the port corresponding to the client on that server;
  • the AHIP refers to the IP of the destination server where the server is located;
  • the AHport refers to the destination port corresponding to the server on the destination server.
  • the data packet sent by the client carries the client's IHIP and IHport, together with the AHIP and AHport of the server to be accessed. After the destination server receives the packet, since the client's IHIP and IHport have been authorized to access the server's AHIP and AHport, the firewall of the destination server lets the packet with the carried source IP and source port through, and the server's AHport receives the data packet, so the server can provide the corresponding service to the client.
  • after the client sends the authentication data packet to the destination server, it directly starts the retransmission mechanism and resends the first data packet to the destination port of the destination server. If the destination server determines from the authentication information that the client has the authority to access its destination port, it receives the first data packet through the destination port. Conversely, if the destination server determines from the authentication information that the client does not have the authority to access the destination port, it discards the first data packet.
  • this implementation sets the server to reject all access from unverified clients and hides the server ports; only authorized ports can be accessed, and only after authentication has passed. This reduces the security risk of exposing the underlying network in the delivered data center and protects the cloud platform.
  • the authorization granularity of the access rights for each port is the client level, that is, policy control is refined down to the client (the IH process). Even after an illegal application (client) intrudes into the destination server, it still cannot access the destination port service of the destination server without authorization.
  • in addition, the authentication capability is provided by each server's own firewall, instead of by an independent authentication server, which avoids a single point of failure.
  • the destination unreachable message carries a random value
  • the method further includes:
  • the information to be encrypted includes the client identification, or may also include the current timestamp;
  • Generate and return authentication data packets including:
  • the destination unreachable message may be an ICMP destination unreachable message
  • the message format of the ICMP destination unreachable message may be as shown in Table 1 below:
  • the type field in the ICMP destination unreachable message has 8 bits, which is used to identify the type of this message as an ICMP error report message.
  • the code field has 8 bits, which is used to identify the error report message.
  • the type of error report message is destination unreachable, which can be identified by a predetermined code field.
  • the checksum field has 16 bits and is the checksum of the entire ICMP data packet including the data part.
  • the ICMP error report message conforms to the RFC (Request For Comments) 792 protocol.
  • in the existing technology, if the ICMP error report message is of the destination unreachable type, the data part is unused.
  • the ICMP destination unreachable message provided in this embodiment is different from the existing destination unreachable message. An identifier needs to be filled in the data part to indicate that the ICMP destination unreachable message instructs the client to initiate authentication.
  • the destination unreachable message carries a random value, which is a Nonce (number used once) value.
  • a Nonce is an arbitrary or non-repeating random value that is used only once. This random value is used for the subsequent authentication.
  • the random value can be filled in the corresponding field in the data part of the ICMP unreachable message.
  • the client after receiving the destination unreachable message, the client can take out the random value from the destination unreachable message, and then start building an authentication data packet.
  • the authentication data packet can be an SPA (Single Packet Authorization) packet; the authentication data packet includes information to be encrypted and an authentication code.
  • the information to be encrypted may include the client identification (ClientID), and may also include the current timestamp.
  • the ClientID is an identity assigned to the client. It indexes the client's shared key and port access permissions, that is, the destination ports the client is authorized to access.
  • the client's shared key is shared between the client and the port(s) it can access.
  • the authentication code can be an HMAC (Hash-based Message Authentication Code), which is used for identity authentication, message integrity protection and prevention of message replay attacks.
  • the client needs to encapsulate the information to be encrypted and the authentication code in a data packet, construct an authentication data packet, and then send the authentication data packet to the destination server.
  • the firewall of the destination server receives the authentication data packet and obtains the information to be encrypted and the authentication code from it.
  • the destination server queries the client's shared key and access rights based on the ClientID in the information to be encrypted, and uses the shared key to perform the encryption calculation on the random value (which the destination server knows, since it sent it to the client) and the information to be encrypted to obtain a verification code. If the verification code is the same as the authentication code, the client is a legitimate client.
  • the destination server then checks the client's access rights to determine whether the client has the authority to access the destination port. If it does, the destination server opens the destination port for the client, that is, it allows the client's IHIP and IHport to access the server's AHIP and AHport (the destination port). If the client does not have permission to access the destination port, the destination server does not open the destination port for the client and refuses to receive the data packets the client sends to the destination port. If the verification code differs from the authentication code, the client is not a legitimate client, and the destination server continues to reject the data packets sent by the client.
  • step S103 in the above data transmission method may include the following steps:
  • the client's transport layer or socket layer responds to the destination unreachable message and generates and returns an authentication data packet.
  • the socket layer is located between the transport layer and the application layer in the client protocol stack.
  • this implementation needs to modify the transport layer, or to add a socket layer between the transport layer and the application layer, in order to process the destination unreachable message and construct the authentication data packet.
  • ordinarily, when the client's protocol stack receives the destination unreachable message, it processes it layer by layer and finally passes it to the application layer for handling. This is not transparent to the application: the client application would have to explicitly send an authentication data packet and then resend the first data packet.
  • in this implementation, when the client's protocol stack receives the destination unreachable message it still processes it layer by layer, but once the message reaches the transport layer or socket layer, that layer directly responds to the destination unreachable message by generating and returning an authentication data packet.
  • the above data transmission method may also include the following steps:
  • once the destination server has authorized the client's IHIP and IHport to access the server's AHIP and AHport, an attacker who blocks the legitimate client's data packets and impersonates the client's IHIP and IHport could access the server's AHIP and AHport.
  • to counter this, a continuous authentication mechanism is introduced. The firewall in the destination server periodically sends destination unreachable messages requiring the client that sends the packets to authenticate again. If the client does not respond, or the returned authentication data packet is incorrect, the connection is disconnected and data packets from the client are refused.
  • the client will regularly receive the destination unreachable message sent by the destination server, and in response to receiving the destination unreachable message, generate and return an authentication data packet.
  • the authentication data packet carries authentication information; once the firewall in the destination server has verified it, the connection with the client is maintained and the server's destination port remains open for the client.
  • using the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain the authentication code may also include the following steps:
  • the shared key is used to perform an encryption calculation on the random value, the information to be encrypted, and the number of authentication times, obtaining the authentication code; the number of authentication times is the number of times the client has been instructed by the destination server to initiate authentication when accessing the port of the destination server.
  • when the destination server receives the authentication data packet, it uses the shared key it looked up to perform the encryption calculation on the random value (which it knows), the number of verifications (the number of times the destination server has verified whether the client has permission to access the destination port, which the destination server can record) and the information to be encrypted, obtaining a verification code. If the number of verifications matches the number of authentication times, the calculated verification code equals the authentication code, indicating that the client is a legitimate client.
  • Figure 3 shows a flow chart of a data transmission method applied to a destination server according to an embodiment of the present disclosure.
  • the data transmission method includes the following steps S301-S305:
  • step S301: when receiving the first data packet sent by the client for the first time, discard the first data packet;
  • step S302: return a destination unreachable message to the client, where the destination unreachable message is used to instruct the client to initiate authentication;
  • step S303: receive the authentication data packet sent by the client, where the authentication data packet carries authentication information;
  • step S304: when it is determined, based on the authentication information, that the client has the authority to access the destination port, grant the client access to the destination port;
  • step S305: receive, through the destination port, the first data packet resent by the client.
  • when the client wants to initiate access to the server, it sends the first data packet to the destination port of the destination server where the server is located (that is, the port corresponding to the server). At this point the first data packet is being sent for the first time.
  • each server in the underlying network is configured with a firewall, such as an SDP (Software Defined Perimeter) firewall. This firewall has a deny-all policy that denies access to all unverified clients, so the server's ports are not visible on the network. Therefore, when the destination server receives the first data packet sent by the client for the first time, it discards the packet directly and sends a destination unreachable message to the client, instructing the client to initiate authentication.
  • the destination unreachable message may be an ICMP (Internet Control Message Protocol) message; the ICMP message carries an identifier, and that identifier instructs the client to initiate authentication.
  • after receiving the destination unreachable message, the client immediately constructs an authentication data packet and sends it to the destination server for authentication.
  • the authentication data packet carries authentication information.
  • after the destination server receives the authentication data packet, it determines, based on the authentication information, whether the client has the authority to access its destination port. If so, the client is a legitimate visitor to the destination port, and the destination server authorizes the client's IHIP and IHport to access the server's AHIP and AHport.
  • the IHIP refers to the IP address of the server where the client is located;
  • the IHport refers to the port used by the client on that server;
  • the AHIP refers to the IP address of the destination server where the server is located;
  • the AHport refers to the destination port corresponding to the server on the destination server.
  • the data packet sent by the client carries the client's IHIP and IHport and the AHIP and AHport of the server being accessed.
  • after the destination server receives the packet, since the client's IHIP and IHport have already been authorized to access the server's AHIP and AHport, the firewall of the destination server lets the packet with that source IP and source port through.
  • the server's AHport then receives the data packet, so the server can provide the corresponding service to the client.
  • after the client sends the authentication data packet to the destination server, it directly starts the retransmission mechanism and resends the first data packet to the destination port of the destination server. If the destination server determines, based on the authentication information, that the client has the authority to access its destination port, it receives the first data packet through the destination port. If the destination server determines that the client does not have that authority, it discards the first data packet.
  • this implementation configures the server to reject all access from unverified clients and hides the server's ports; only authorized ports can be accessed, and only after authentication passes. This reduces the security risk from the exposed surface of the underlying network in a delivery-type data center and protects the cloud platform.
  • the destination unreachable message carries a random value
  • the authentication information includes information to be encrypted and an authentication code
  • the information to be encrypted includes a client identifier, or also includes a current timestamp
  • the shared key and access rights of the client are obtained, and the access rights are used to limit the ports of the server that the client may access;
  • when the verification code and the authentication code are the same, and the ports the client may access include the destination port that the first data packet is to reach, it is determined that the client has the authority to access the destination port.
  • the destination unreachable message carries a random value, which is a Nonce (number used once) value.
  • Nonce is an arbitrary or non-repeating random value that is used only once. This random value is used for subsequent authentication.
  • the random value can be filled in the corresponding field in the data part of the ICMP unreachable message.
  • the client can take out the random value from the destination unreachable message, and then start building an authentication data packet.
  • the authentication data packet includes the information to be encrypted and the authentication code.
  • the information to be encrypted may include the client identification (ClientID), or may also include the current timestamp.
  • the ClientID is an identity assigned to the client, which can index the client's shared secret key and port access rights, that is, the destination port that the client is authorized to access.
  • the authentication code is calculated by encrypting the random value and the information to be encrypted using the client's shared key.
  • the authentication code can be an HMAC.
  • the authentication code is used for identity authentication, message integrity protection and prevention of message replay attacks.
  • the client needs to encapsulate the information to be encrypted and the authentication code in a data packet, construct an authentication data packet, and then send the authentication data packet to the destination server.
  • the firewall of the destination server receives the authentication data packet.
  • the information to be encrypted and the authentication code in the data packet can be obtained.
  • the destination server can query the client's shared key and access rights based on the ClientID in the information to be encrypted, and then use the shared key.
  • the key performs an encryption calculation on the random value (which the destination server itself sent to the client, so it knows the value) and the information to be encrypted to obtain a verification code. If the verification code is the same as the authentication code, the client is a legitimate client.
  • the destination server then queries the client's access rights to determine whether the client has the authority to access the destination port. If it does, the destination server opens the destination port for the client, that is, it allows the client's IHIP and IHport to access the server's AHIP and AHport (the destination port). If the client does not have permission to access the destination port, the destination server does not open the destination port for the client and refuses to receive the data packets the client sends to that port. If the verification code differs from the authentication code, the client is not a legitimate client, and the destination server continues to reject the data packets sent by the client.
  • the method further includes:
  • once the destination server has authorized the client's IHIP and IHport to access the server's AHIP and AHport, an attacker who blocks the legitimate client's data packets and impersonates the client's IHIP and IHport could access the server's AHIP and AHport.
  • to counter this, a continuous authentication mechanism is introduced. The firewall in the destination server periodically sends destination unreachable messages requiring the client that sends the data packets to authenticate again. If the client does not respond, or the returned authentication data packet is incorrect, the connection is interrupted and the client's data packets are refused.
  • the client will regularly receive the destination unreachable message sent by the destination server, and in response to receiving the destination unreachable message, generate and return an authentication data packet.
  • the authentication data packet carries authentication information; after the firewall authentication in the destination server passes, the connection with the client will be maintained and the destination port of the server will continue to be opened for the client.
  • using the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain a verification code includes:
  • the number of verifications is the number of times the destination server has verified whether the client has permission to access the destination port.
  • on the client side, the shared key is used to perform an encryption calculation on the random value, the information to be encrypted, and the number of authentication times, obtaining the authentication code; the number of authentication times is the number of times the client has been instructed by the destination server to initiate authentication.
  • when the destination server receives the authentication data packet, it uses the shared key it looked up to perform the encryption calculation on the random value (which it knows), the number of verifications (which the destination server can record) and the information to be encrypted, obtaining a verification code. If the number of verifications matches the number of authentication times, the calculated verification code equals the authentication code, indicating that the client is a legitimate client.
  • Figure 4 shows an overall flow chart of a data transmission method according to an embodiment of the present disclosure. As shown in Figure 4, the data transmission method includes the following steps S401-S406:
  • step S401: the client sends the first data packet to the destination port of the destination server for the first time;
  • step S402: when receiving the first data packet sent by the client for the first time, the destination server discards the first data packet;
  • step S403: the destination server returns a destination unreachable message to the client, where the destination unreachable message is used to instruct the client to initiate authentication;
  • step S404: the client generates and returns an authentication data packet in response to receiving the destination unreachable message, and the authentication data packet carries authentication information;
  • step S405: when the destination server determines, based on the authentication information, that the client has the authority to access the destination port, it allows the client to access the destination port;
  • step S406: the client resends the first data packet to the destination port of the destination server, and the destination server receives the resent first data packet through the destination port.
  • the first data packet sent by the client to the destination port of the destination server for the first time is intercepted and discarded by the firewall on the destination server, which returns a destination unreachable message to the client instructing it to initiate authentication; in response to receiving the destination unreachable message, the client generates and returns an authentication data packet.
  • when the destination server determines, based on the authentication information, that the client has the authority to access the destination port, it allows the client to access the destination port; in this way, the first data packet that the client resends to the destination port of the destination server passes through the firewall, reaches the destination port and is received by the server.
  • the destination unreachable message carries a random value
  • the method further includes:
  • the client obtains the shared key of the client, uses the shared key to perform encryption calculations on the random value and the information to be encrypted, and obtains an authentication code.
  • the information to be encrypted includes the client identification, or also includes the current timestamp;
  • the client generates and returns authentication data packets, including:
  • the client encapsulates the information to be encrypted and the authentication code in a data packet, generates an authentication data packet, and sends the authentication data packet to the destination server.
  • the destination server determines that the client has the authority to access the destination port based on the authentication information, including:
  • the destination server queries to obtain the shared key and access rights of the client based on the client identification.
  • the access rights are used to limit the ports of the destination server that the client may access; the shared key is used to perform an encryption calculation on the random value and the information to be encrypted to obtain a verification code; when the verification code and the authentication code are the same, and the ports the client may access on the destination server include the destination port that the first data packet is to reach, it is determined that the client has permission to access the destination port.
  • in response to receiving the destination unreachable message, the client generates and returns an authentication data packet, including:
  • the client responds to the destination unreachable message through the client's transport layer or socket layer, which is located between the transport layer and the application layer in the protocol stack, and generates and returns an authentication data packet.
  • the method further includes:
  • the destination server periodically sends destination unreachable messages to the client.
  • the client uses the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain an authentication code, which includes:
  • the client uses the shared key to perform encrypted calculations on the random value, the information to be encrypted, and the number of authentication times to obtain an authentication code.
  • the number of authentication times includes the number of times the client is instructed by the destination server to initiate authentication;
  • the destination server uses the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain a verification code, which includes:
  • the destination server uses the shared key to perform encryption calculations on the random value, the information to be encrypted, and the number of verifications to obtain a verification code.
  • the number of verifications is the number of times the destination server has verified whether the client has permission to access the destination port.
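The exchange of steps S401-S406, together with the authentication count used for continuous authentication, as an added Python simulation that is not part of the patent; the class and field names, the packet layout, the HMAC input encoding and the timestamp freshness window are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def auth_code(key: bytes, nonce: bytes, client_id: str, ts: int, count: int) -> bytes:
    """HMAC-SHA256 over the nonce, the information to be encrypted (ClientID and
    timestamp) and the authentication count. The byte encoding is an assumption."""
    msg = nonce + len(client_id).to_bytes(1, "big") + client_id.encode()
    msg += ts.to_bytes(8, "big") + count.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    def __init__(self, client_id: str, key: bytes):
        self.client_id, self.key = client_id, key
        self.auth_count = 0  # times the destination server has told us to authenticate

    def on_unreachable(self, nonce: bytes) -> dict:
        """Build the authentication data packet: the information to be encrypted
        (sent in clear) plus the authentication code computed over it."""
        self.auth_count += 1
        ts = int(time.time())
        code = auth_code(self.key, nonce, self.client_id, ts, self.auth_count)
        return {"client_id": self.client_id, "ts": ts, "code": code}


class ServerFirewall:
    """Deny-all firewall in front of the destination server."""
    MAX_SKEW = 60  # seconds; the timestamp freshness window is an assumption

    def __init__(self, clients: dict):
        self.clients = clients   # ClientID -> (shared key, set of accessible ports)
        self.pending = {}        # (IHIP, IHport) -> nonce of an outstanding challenge
        self.verify_count = {}   # ClientID -> number of successful verifications
        self.opened = set()      # (IHIP, IHport, AHIP, AHport) tuples allowed through

    def challenge(self, src: tuple) -> tuple:
        """Destination-unreachable message carrying a fresh Nonce; used both for
        the first packet and for periodic (continuous) re-authentication."""
        nonce = secrets.token_bytes(16)
        self.pending[src] = nonce
        return ("UNREACHABLE", nonce)

    def receive(self, src: tuple, dst: tuple, payload: bytes) -> tuple:
        """Deliver only on an opened 4-tuple; otherwise drop and challenge."""
        if src + dst in self.opened:
            return ("DELIVERED", payload)
        return self.challenge(src)

    def authenticate(self, src: tuple, dst: tuple, pkt: dict, now: Optional[int] = None) -> bool:
        nonce = self.pending.pop(src, None)
        entry = self.clients.get(pkt["client_id"])
        if nonce is None or entry is None:
            return False                   # no outstanding challenge / unknown ClientID
        key, ports = entry
        now = int(time.time()) if now is None else now
        if abs(now - pkt["ts"]) > self.MAX_SKEW:
            return False                   # stale timestamp: treat as a replay
        count = self.verify_count.get(pkt["client_id"], 0) + 1
        expected = auth_code(key, nonce, pkt["client_id"], pkt["ts"], count)
        if not hmac.compare_digest(expected, pkt["code"]):
            self.opened.discard(src + dst)  # wrong code: disconnect and refuse packets
            return False
        self.verify_count[pkt["client_id"]] = count
        if dst[1] not in ports:
            return False                   # genuine client, but no right to this port
        self.opened.add(src + dst)
        return True


def run_exchange() -> dict:
    """Steps S401-S406, one re-authentication, one replayed packet and one
    client without rights to the port, on constructed addresses and keys."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    fw = ServerFirewall({"client-A": (key_a, {443}), "client-B": (key_b, {22})})
    client = Client("client-A", key_a)
    src, dst = ("10.0.0.5", 40000), ("10.0.0.9", 443)  # (IHIP, IHport), (AHIP, AHport)
    first = fw.receive(src, dst, b"GET /")            # S401/S402: dropped, challenged
    auth = client.on_unreachable(first[1])            # S403/S404
    granted = fw.authenticate(src, dst, auth)         # S405
    resent = fw.receive(src, dst, b"GET /")           # S406: now delivered
    _, nonce2 = fw.challenge(src)                     # continuous authentication
    reauth = fw.authenticate(src, dst, client.on_unreachable(nonce2))
    fw.challenge(src)
    replayed = fw.authenticate(src, dst, auth)        # old nonce and count: rejected
    other = Client("client-B", key_b)
    wrong_port = fw.authenticate(src, dst, other.on_unreachable(fw.receive(src, dst, b"")[1]))
    return {"first": first[0], "granted": granted, "resent": resent[0], "reauth": reauth,
            "replay_ok": replayed, "wrong_port": wrong_port, "still_open": src + dst in fw.opened}
```

Note that the client's authentication count and the server's verification count only stay equal if every challenge is answered and verified; the text does not say how the two sides resynchronise after a lost message, so a deployment has to decide that.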
  • Figure 5 shows a structural block diagram of a data transmission device applied to a client according to an embodiment of the present disclosure.
  • the device can be implemented as part or all of an electronic device through software, hardware, or a combination of both.
  • the data transmission device includes:
  • the first sending module 501 is configured to send the first data packet to the destination port of the destination server for the first time;
  • the first receiving module 502 is configured to receive a destination unreachable message sent by the destination server, where the destination unreachable message is used to instruct the client to initiate authentication;
  • the response module 503 is configured to generate and return an authentication data packet in response to receiving the destination unreachable message, where the authentication data packet carries authentication information;
  • the second sending module 504 is configured to re-send the first data packet to the destination port of the destination server.
  • the destination unreachable message carries a random value
  • the device further includes:
  • a first acquisition module configured to acquire the shared key of the client
  • the first calculation module is configured to use the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain an authentication code, where the information to be encrypted includes a client identification, or also includes a current timestamp;
  • the part of the response module that generates and returns authentication data packets is configured as:
  • the part of the response module that generates and returns an authentication data packet in response to receiving the destination unreachable message is configured as:
  • the client's transport layer or socket layer responds to the destination unreachable message and generates and returns an authentication data packet.
  • the socket layer is located between the transport layer and the application layer in the protocol stack.
  • the device further includes:
  • the second receiving module is configured to regularly receive destination unreachable messages sent by the destination server.
  • the first computing module is configured as:
  • the number of authentication times includes the number of times the client is instructed by the destination server to initiate authentication.
  • Figure 6 shows a structural block diagram of a data transmission device applied to a destination server according to an embodiment of the present disclosure.
  • the device can be implemented as part or all of an electronic device through software, hardware, or a combination of both.
  • the data transmission device includes:
  • the discarding module 601 is configured to discard the first data packet when receiving the first data packet sent by the client for the first time;
  • the third sending module 602 is configured to return a destination unreachable message to the client, where the destination unreachable message is used to instruct the client to initiate authentication;
  • the third receiving module 603 is configured to receive the authentication data packet sent by the client, where the authentication data packet carries authentication information;
  • the opening module 604 is configured to allow the client to access the destination port when it is determined based on the authentication information that the client has the authority to access the destination port;
  • the fourth receiving module 605 is configured to receive the first data packet resent by the client through the destination port.
  • the destination unreachable message carries a random value
  • the authentication information includes information to be encrypted and an authentication code
  • the information to be encrypted includes a client identifier, or also includes a current timestamp
  • the part of the opening module that determines, based on the authentication information, that the client has permission to access the destination port is configured as:
  • the shared key and access rights of the client are obtained, and the access rights are used to limit the accessible ports of the client on the destination server;
  • when the ports of the destination server that the client may access include the destination port that the first data packet is to reach, it is determined that the client has permission to access the destination port.
  • the device further includes:
  • the fourth sending module is configured to regularly send destination unreachable messages to the client.
  • using the shared key to perform encryption calculations on the random value and the information to be encrypted to obtain a verification code includes:
  • the number of verifications is the number of times the destination server has verified whether the client has permission to access the destination port.
  • FIG. 7 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.
  • the electronic device 700 includes a memory 701 and a processor 702; wherein,
  • the memory 701 is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor 702 to implement the above method steps.
  • FIG. 8 is a schematic structural diagram of a computer system suitable for implementing the method according to an embodiment of the present disclosure.
  • the computer system 800 includes a processing unit 801 that can perform the various processing of the above-described implementation according to a program stored in a read-only memory (ROM) 802 or loaded from a storage portion 808 into a random access memory (RAM) 803. The RAM 803 also stores various programs and data required for the operation of the system 800.
  • the processing unit 801, ROM 802 and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
  • the following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse, etc.; an output section 807 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., speakers, etc.; a storage section 808 including a hard disk, etc.; and a communication section 809 including a network interface card such as a LAN card, a modem, etc.
  • the communication section 809 performs communication processing via a network such as the Internet.
  • A drive 810 is also connected to the I/O interface 805 as needed.
  • Removable media 811 such as magnetic disks, optical disks, magneto-optical disks, semiconductor memories, etc.
  • the processing unit 801 can be implemented as a processing unit such as CPU, GPU, TPU, FPGA, NPU, etc.
  • the method described above may be implemented as a computer software program.
  • embodiments of the present disclosure include a computer program product including a computer program tangibly embodied on a readable medium thereof, the computer program containing program code for performing the method described above.
  • the computer program may be downloaded and installed from the network via the communication section 809 and/or installed from the removable media 811.
  • each block in the flowchart or block diagram may represent a module, segment, or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown one after another may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved.
  • each block of the block diagram and/or flowchart illustration, and combinations of blocks in the block diagram and/or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or operations, or by a combination of specialized hardware and computer instructions.
  • the units or modules described in the embodiments of the present disclosure may be implemented in software or hardware.
  • the described units or modules may also be provided in the processor, and the names of these units or modules do not constitute a limitation on the units or modules themselves under certain circumstances.
  • embodiments of the present disclosure also provide a computer-readable storage medium.
  • the computer-readable storage medium may be the computer-readable storage medium included in the device described in the above embodiments; it may also exist independently, as a computer-readable storage medium that is not installed in the device.
  • the computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the methods described in the embodiments of the present disclosure.

Abstract

Disclosed in embodiments of the present disclosure are a data transmission method, a device, a medium and a product. The method comprises: sending a first data packet to a destination port of a destination server for the first time; receiving a destination unreachable message sent by the destination server, the destination unreachable message being used for instructing a client to initiate authentication; in response to receiving the destination unreachable message, generating and returning an authentication data packet, the authentication data packet carrying authentication information; and re-sending the first data packet to the destination port of the destination server. According to the technical solution, the security risk of the exposed surface of the underlying network in the delivery type data center can be reduced, and the cloud platform is protected.

Description

数据传输方法、设备、介质及产品Data transmission methods, equipment, media and products
本申请要求于2022年03月18日提交中国专利局、申请号为202210273119.0、申请名称为“数据传输方法、设备、介质及产品”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to the Chinese patent application filed with the China Patent Office on March 18, 2022, with the application number 202210273119.0 and the application name "Data transmission method, equipment, media and products", the entire content of which is incorporated herein by reference. Applying.
技术领域Technical field
本公开实施例涉及通信技术领域,具体涉及一种数据传输方法、设备、介质及产品。The embodiments of the present disclosure relate to the field of communication technology, and specifically relate to a data transmission method, device, medium and product.
背景技术Background technique
在新型的交付型数据中心场景中,云平台的服务提供者会将物理服务器这些物理网络部署到用户的机房中,并将云产品部署到这些物理服务器上,如此,云平台的underlay(底层)网络会暴露于服务商的网络隔离和安全运维的边界之外,极大依赖于用户的管理和防护手段,通过底层网络攻击云平台的风险急剧上升。云平台东西向、南北向通信暴露在底层网络上,可以被实施网络嗅探、报文劫持/篡改、监听端口扫描和端口攻击等网络攻击,因此,如何消减交付型数据中心中底层网络暴露面的安全风险,保护云平台成为目前亟待解决的技术问题。In the new delivery data center scenario, the service provider of the cloud platform will deploy physical servers and other physical networks into the user's computer room, and deploy cloud products to these physical servers. In this way, the underlay of the cloud platform (bottom layer) The network will be exposed beyond the boundaries of the service provider's network isolation and security operation and maintenance, and it will rely heavily on the user's management and protection methods. The risk of attacking the cloud platform through the underlying network will rise sharply. The east-west and north-south communications of the cloud platform are exposed on the underlying network and can be subject to network attacks such as network sniffing, packet hijacking/tampering, listening port scanning and port attacks. Therefore, how to reduce the exposure of the underlying network in the delivery data center Security risks, protecting the cloud platform has become an urgent technical issue that needs to be solved.
Summary
Embodiments of the present disclosure provide a data transmission method, device, medium and product.
In a first aspect, an embodiment of the present disclosure provides a data transmission method.
Specifically, the data transmission method includes:
sending a first data packet to a destination port of a destination server for the first time;
receiving a destination unreachable message sent by the destination server, the destination unreachable message being used to instruct the client to initiate authentication;
in response to receiving the destination unreachable message, generating and returning an authentication data packet, the authentication data packet carrying authentication information;
resending the first data packet to the destination port of the destination server.
In a possible implementation, the destination unreachable message carries a random value, and the method further includes:
obtaining a shared key of the client;
performing a cryptographic computation with the shared key over the random value and information to be encrypted to obtain an authentication code, the information to be encrypted including a client identifier and optionally also a current timestamp;
where generating and returning the authentication data packet includes:
encapsulating the information to be encrypted and the authentication code in a data packet to generate the authentication data packet;
sending the authentication data packet to the destination server.
In a possible implementation, generating and returning an authentication data packet in response to receiving the destination unreachable message includes:
responding to the destination unreachable message, and generating and returning the authentication data packet, through the transport layer or the socket layer of the client, the socket layer being located between the transport layer and the application layer of the protocol stack.
In a possible implementation, the method further includes:
periodically receiving destination unreachable messages sent by the destination server.
In a possible implementation, performing the cryptographic computation with the shared key over the random value and the information to be encrypted to obtain the authentication code includes:
performing the cryptographic computation with the shared key over the random value, the information to be encrypted and an authentication count to obtain the authentication code, the authentication count being the number of times the client has been instructed by the destination server to initiate authentication.
In a second aspect, an embodiment of the present disclosure provides a data transmission method.
Specifically, the data transmission method includes:
upon receiving a first data packet sent by a client for the first time, discarding the first data packet;
returning a destination unreachable message to the client, the destination unreachable message being used to instruct the client to initiate authentication;
receiving an authentication data packet sent by the client, the authentication data packet carrying authentication information;
when it is determined based on the authentication information that the client has permission to access the destination port, opening access to the destination port for the client;
receiving, through the destination port, the first data packet resent by the client.
In a possible implementation, the destination unreachable message carries a random value, the authentication information includes information to be encrypted and an authentication code, and the information to be encrypted includes a client identifier and optionally also a current timestamp; determining based on the authentication information that the client has permission to access the destination port includes:
querying, based on the client identifier, the shared key and the access rights of the client, the access rights limiting which ports of the destination server the client may access;
performing a cryptographic computation with the shared key over the random value and the information to be encrypted to obtain a verification code;
when the verification code and the authentication code are identical, if the ports of the destination server that the client may access include the destination port to which the first data packet is addressed, determining that the client has permission to access the destination port.
In a possible implementation, after opening access to the destination port for the client, the method further includes:
periodically sending destination unreachable messages to the client.
In a possible implementation, performing the cryptographic computation with the shared key over the random value and the information to be encrypted to obtain the verification code includes:
performing the cryptographic computation with the shared key over the random value, the information to be encrypted and a verification count to obtain the verification code, the verification count being the number of times the destination server has verified whether the client has permission to access the destination port.
In a third aspect, an embodiment of the present disclosure provides a data transmission method.
Specifically, the data transmission method includes:
the client performing the method described in the first aspect, and the destination server performing the method described in the second aspect.
In a fourth aspect, an embodiment of the present disclosure provides a data transmission device.
Specifically, the data transmission device includes:
a first sending module configured to send a first data packet to a destination port of a destination server for the first time;
a first receiving module configured to receive a destination unreachable message sent by the destination server, the destination unreachable message being used to instruct the client to initiate authentication;
a response module configured to, in response to receiving the destination unreachable message, generate and return an authentication data packet, the authentication data packet carrying authentication information;
a second sending module configured to resend the first data packet to the destination port of the destination server.
In a possible implementation, the destination unreachable message carries a random value, and the device further includes:
a first obtaining module configured to obtain a shared key of the client;
a first computation module configured to perform a cryptographic computation with the shared key over the random value and information to be encrypted to obtain an authentication code, the information to be encrypted including a client identifier and optionally also a current timestamp;
where the part of the response module that generates and returns the authentication data packet is configured to:
encapsulate the information to be encrypted and the authentication code in a data packet to generate the authentication data packet;
send the authentication data packet to the destination server.
In a possible implementation, the part of the response module that generates and returns an authentication data packet in response to receiving the destination unreachable message is configured to:
respond to the destination unreachable message, and generate and return the authentication data packet, through the transport layer or the socket layer of the client, the socket layer being located between the transport layer and the application layer of the protocol stack.
In a possible implementation, the device further includes:
a second receiving module configured to periodically receive destination unreachable messages sent by the destination server.
In a possible implementation, the first computation module is configured to:
perform the cryptographic computation with the shared key over the random value, the information to be encrypted and an authentication count to obtain the authentication code, the authentication count being the number of times the client has been instructed by the destination server to initiate authentication.
In a fourth aspect, an embodiment of the present disclosure provides a data transmission device.
Specifically, the data transmission device includes:
a discarding module configured to, upon receiving a first data packet sent by a client for the first time, discard the first data packet;
a third sending module configured to return a destination unreachable message to the client, the destination unreachable message being used to instruct the client to initiate authentication;
a third receiving module configured to receive an authentication data packet sent by the client, the authentication data packet carrying authentication information;
an opening module configured to, when it is determined based on the authentication information that the client has permission to access the destination port, open access to the destination port for the client;
a fourth receiving module configured to receive, through the destination port, the first data packet resent by the client.
In a possible implementation, the destination unreachable message carries a random value, the authentication information includes information to be encrypted and an authentication code, and the information to be encrypted includes a client identifier and optionally also a current timestamp; the part of the opening module that determines based on the authentication information that the client has permission to access the destination port is configured to:
query, based on the client identifier, the shared key and the access rights of the client, the access rights limiting which ports of the destination server the client may access;
perform a cryptographic computation with the shared key over the random value and the information to be encrypted to obtain a verification code;
when the verification code and the authentication code are identical, if the ports of the destination server that the client may access include the destination port to which the first data packet is addressed, determine that the client has permission to access the destination port.
In a possible implementation, the device further includes:
a fourth sending module configured to periodically send destination unreachable messages to the client.
In a possible implementation, performing the cryptographic computation with the shared key over the random value and the information to be encrypted to obtain the verification code includes:
performing the cryptographic computation with the shared key over the random value, the information to be encrypted and a verification count to obtain the verification code, the verification count being the number of times the destination server has verified whether the client has permission to access the destination port.
In a sixth aspect, an embodiment of the present disclosure provides a data transmission device.
Specifically, the data transmission device includes:
a client configured to perform the method described in the first aspect;
a destination server configured to perform the method described in the second aspect.
In a seventh aspect, an embodiment of the present disclosure provides an electronic device including a memory and a processor, the memory being used to store one or more computer instructions that enable the above device to perform the above method, and the processor being configured to execute the computer instructions stored in the memory.
In an eighth aspect, an embodiment of the present disclosure provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method steps described in any of the above aspects.
In a ninth aspect, an embodiment of the present disclosure provides a computer program product including a computer program/instructions which, when executed by a processor, implement the method steps described in any of the above aspects.
The technical solutions provided by the embodiments of the present disclosure may have the following beneficial effects:
With the above technical solution, whenever a client sends a first data packet to a destination port of the server for the first time, the server refuses to accept it and sends the client a destination unreachable message instructing the client to initiate authentication; in response to receiving the destination unreachable message, the client generates and returns an authentication data packet carrying authentication information; only when the server determines from the authentication information that the client has permission to access the destination port does it open access to the destination port for that client, at which point the client may legitimately access the server's destination port and can resend the first data packet to the destination port. In this way, by configuring the server to refuse all access from unverified clients, the server's ports are hidden and can be accessed only after authentication, which reduces the security risk of the exposed underlay network in a delivery-type data center and protects the cloud platform.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the embodiments of the present disclosure.
Description of the drawings
Other features, objects and advantages of embodiments of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments taken in conjunction with the accompanying drawings. In the drawings:
Figure 1 shows a structural block diagram of a cloud platform according to an embodiment of the present disclosure.
Figure 2 shows a flow chart of a data transmission method applied to a client according to an embodiment of the present disclosure.
Figure 3 shows a flow chart of a data transmission method applied to a destination server according to an embodiment of the present disclosure.
Figure 4 shows an overall flow chart of a data transmission method according to an embodiment of the present disclosure.
Figure 5 shows a structural block diagram of a data transmission device applied to a client according to an embodiment of the present disclosure.
Figure 6 shows a structural block diagram of a data transmission device applied to a destination server according to an embodiment of the present disclosure.
Figure 7 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure.
Figure 8 is a schematic structural diagram of a computer system suitable for implementing the method according to an embodiment of the present disclosure.
Detailed description
Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can readily implement them. For clarity, parts not relevant to describing the exemplary embodiments are omitted from the drawings.
In the embodiments of the present disclosure, it should be understood that terms such as "comprising" or "having" are intended to indicate the presence of the features, numbers, steps, actions, components, parts or combinations thereof disclosed in this specification, and are not intended to exclude the possibility that one or more other features, numbers, steps, actions, components, parts or combinations thereof exist or are added.
It should also be noted that the embodiments of the present disclosure and the features in the embodiments may be combined with one another where no conflict arises. The embodiments of the present disclosure are described in detail below with reference to the accompanying drawings and in conjunction with embodiments.
In the present disclosure, any acquisition of user information or user data is an operation that has been authorized or confirmed by the user, or actively chosen by the user.
As stated above, in the new delivery-type data center scenario, the service provider of a cloud platform deploys physical servers and the physical network into the user's machine room and deploys cloud products onto those physical servers. As a result, the underlay network of the cloud platform is exposed outside the boundary of the provider's network isolation and security operations, depends heavily on the user's own management and protection measures, and the risk of attacking the cloud platform through the underlay network rises sharply. The east-west and north-south communication of the cloud platform is exposed on the underlay network and can be subjected to network attacks such as network sniffing, packet hijacking/tampering, listening-port scanning and port attacks. How to reduce the security risk of the exposed underlay network in a delivery-type data center and protect the cloud platform has therefore become a pressing technical problem.
Figure 1 shows a structural block diagram of a cloud platform according to an embodiment of the present disclosure.
As shown in Figure 1, the service provider side provides various cloud products to enterprises on the enterprise user side, and these cloud products are deployed on user-side servers on the enterprise user side. East-west traffic of the underlay network is completed on the local switching network of the enterprise user side; northbound traffic of the underlay network requires the service provider side to open the southbound ports of the service-provider-side servers to the enterprise user side; and southbound traffic of the underlay network requires the enterprise user side to open the northbound ports of the user-side servers to the service provider side. The service provider side configures network isolation and security operations to protect its own network, whereas the network on the enterprise user side depends heavily on the user's own management and protection measures. During port access from one server to another, because the east-west and southbound ports are all exposed to the enterprise user side, network attacks such as network sniffing, packet hijacking/tampering, listening-port scanning and port attacks can be carried out, so the risk of attacking the cloud platform through the underlay network rises sharply.
In view of the above problems, the present disclosure proposes a data transmission method in which, whenever a client sends a first data packet to a destination port of the server for the first time, the server refuses to accept it and sends the client a destination unreachable message instructing the client to initiate authentication; in response to receiving the destination unreachable message, the client generates and returns an authentication data packet carrying authentication information; only when the server determines from the authentication information that the client has permission to access the destination port does it open access to the destination port for that client, at which point the client may legitimately access the server's destination port and can resend the first data packet to the destination port. In this way, by configuring the server to refuse all access from unverified clients, the server's ports are hidden and can be accessed only after authentication, which reduces the security risk of the exposed underlay network in a delivery-type data center and protects the cloud platform.
Figure 2 shows a flow chart of a data transmission method applied to a client according to an embodiment of the present disclosure. As shown in Figure 2, the data transmission method includes the following steps S201-S204:
In step S201, a first data packet is sent to a destination port of a destination server for the first time;
In step S202, a destination unreachable message sent by the destination server is received, the destination unreachable message being used to instruct the client to initiate authentication;
In step S203, in response to receiving the destination unreachable message, an authentication data packet is generated and returned, the authentication data packet carrying authentication information;
In step S204, the first data packet is resent to the destination port of the destination server.
In an embodiment of the present disclosure, the data transmission method is applicable to data transmission within the underlay network of a delivery-type data center. As shown in Figure 1, data transmission in that underlay network includes access between the east-west ports of user-side servers on the enterprise user side, and access by user-side servers on the enterprise user side to the southbound ports of service-provider-side servers. Each server in the network has multiple applications installed, and different applications provide different services. In this embodiment, the application in the source server that initiates access is called the client, also referred to as the IH (Initiating Host) process, and the application in the destination server that accepts the access is called the server-side application, also referred to as the AH (Accepting Host) process. Each client that initiates access has its own IHIP and IHport (IH port), i.e. source IP and source port, and each server-side application that accepts access has its own AHIP and AHport, i.e. destination IP and destination port. A data packet sent by the client to the server-side application carries the source IP, source port, destination IP and destination port to indicate the packet's origin and destination.
In an embodiment of the present disclosure, when a client wants to initiate access to a server-side application, it sends a first data packet to the destination port of the destination server on which that application resides (i.e. the port corresponding to that server-side application); this first data packet is being sent for the first time. As the client passes through each protocol layer while sending data, it attaches that layer's protocol header and trailer, i.e. it performs protocol encapsulation of the data to identify the communication protocol used by that layer. In TCP/IP there are two main transport-layer protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), so the first data packet sent by the client may be either a TCP packet or a UDP packet. For example, if the data transmission protocol between the client and the server-side application is TCP, the client first needs to perform a three-way handshake with the server-side application to establish a connection, and the first data packet sent by the client is then a TCP SYN (Synchronize Sequence Numbers) packet: the transport layer of the client's protocol stack constructs the TCP SYN packet and hands it down to the lower layers of the stack for transmission. If the data transmission protocol between the client and the server-side application is UDP, the transport layer of the client's protocol stack directly encapsulates the UDP datagram and hands it to the lower layers of the stack for transmission.
在本公开一实施方式中,该底层网络中的各服务器中都配置有防火墙,比如说SDP(Software Defined Perimeter,软件定义边界)防火墙,客户端对服务器上各服务端的访问都需要经过该防火墙,该防火墙是deny all(全部拒绝)的策略即对所有未验证的客户端全部拒绝访问,因此服务器的各端口对网络是不可见的。因此目的服务器在接收到该客户端首次发送的首数据包时,会直接丢弃该首数据包,并向该客户端发送目的不可达消息,指示该客户端发起认证,示例的,该目的不可达消息可以是ICMP(网络控制报文协议,Internet Control Message Protocol)消息,该ICMP消息中携带有标识符,该标识符为指示该客户端发起认证的标识符。In an embodiment of the present disclosure, each server in the underlying network is configured with a firewall, such as an SDP (Software Defined Perimeter, Software Defined Perimeter) firewall, and the client's access to each server on the server needs to pass through the firewall. The firewall has a deny all policy that denies access to all unverified clients, so each port of the server is invisible to the network. Therefore, when the destination server receives the first data packet sent by the client for the first time, it will directly discard the first data packet and send a destination unreachable message to the client, instructing the client to initiate authentication. In the example, the destination is unreachable. The message may be an ICMP (Internet Control Message Protocol) message, and the ICMP message carries an identifier, which is an identifier that instructs the client to initiate authentication.
In an embodiment of the present disclosure, upon receiving the destination unreachable message the client immediately constructs an authentication data packet and sends it to the destination server for authentication. The authentication data packet carries authentication information. After receiving it, the destination server determines from the authentication information whether the client is permitted to access its destination port. If the client is determined to have that permission, the client is a legitimate visitor to the destination port, and the destination server authorizes the client's IHIP and IHport to access the service's AHIP and AHport. Here IHIP is the IP address of the destination server on which the client resides, IHport is the port corresponding to the client on that server, AHIP is the IP address of the destination server on which the service resides, and AHport is the destination port corresponding to the service on that server. The destination server thus opens access to the destination port for the client, and the client can send data packets to it. Each such packet carries the client's IHIP and IHport together with the AHIP and AHport of the service to be accessed. When the destination server receives the packet, since the client's IHIP and IHport have already been authorized to access the service's AHIP and AHport, the firewall of the destination server lets through packets whose source IP and source port are the client's IHIP and IHport and whose destination IP and destination port are the service's AHIP and AHport. The server's AHport, i.e. the destination port, can then receive the packet, and the service provides the corresponding service to the client.
In an embodiment of the present disclosure, after sending the authentication data packet to the destination server, the client directly starts a retransmission mechanism and sends the first data packet again to the destination port of the destination server. If the destination server determines from the authentication information that the client is permitted to access its destination port, the destination server can receive the first data packet through that port; of course, if the destination server determines from the authentication information that the client is not permitted to access its destination port, it discards the first data packet.
In this embodiment, servers are configured to reject all access from unverified clients, hiding the servers' ports, so that only the ports a client is authorized to access can be reached, and only after authentication has succeeded. This reduces the security risk of the exposed surface of the underlying network in a delivery-type data center and protects the cloud platform. In addition, access rights to each port are granted at the granularity of the client, so policy control is refined down to the client, i.e. the IH process: even after an illegitimate application client has compromised a destination server, it cannot reach the service on the destination port of that server without authorization. Furthermore, authentication capability is provided in each server's own firewall rather than in a separate authentication server, avoiding a single point of failure.
In a possible implementation of the above data transmission method, the destination unreachable message carries a random value, and the method further includes:
obtaining the shared key of the client;
using the shared key to perform an encryption computation over the random value and information to be encrypted to obtain an authentication code, where the information to be encrypted includes a client identifier and may further include a current timestamp;
and the generating and returning of an authentication data packet includes:
encapsulating the information to be encrypted and the authentication code in a data packet to generate the authentication data packet;
sending the authentication data packet to the destination server.
In this implementation, as an example, the destination unreachable message may be an ICMP destination unreachable message, whose message format may be as shown in Table 1 below:
Table 1
As shown in Table 1, the type field of the ICMP destination unreachable message is 8 bits and identifies the message as an ICMP error report message; the code field is 8 bits and identifies the kind of error report, which in this embodiment is destination unreachable and can be indicated by a predetermined code value; the checksum field is 16 bits and is the checksum of the entire ICMP packet including the data part. This ICMP error report message conforms to RFC (Request For Comments) 792. In the prior art, if the ICMP error report message is of the destination unreachable type, the data part is unused. The ICMP destination unreachable message provided in this embodiment differs from the existing destination unreachable message in that an identifier is filled into the data part to indicate that this ICMP destination unreachable message instructs the client to initiate authentication.
In this implementation, the destination unreachable message carries a random value, which is a nonce (number used once); in cryptography a nonce is an arbitrary or non-repeating random number that is used only once. The random value is used in the subsequent authentication; for example, it can be filled into the corresponding field in the data part of the ICMP unreachable message.
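The message of Table 1 with its data part filled as this implementation describes, as an added example that is not the patent's own code: the firewall builds an RFC 792 destination unreachable message whose data part carries the authentication identifier and the nonce, and the client's stack recognizes it and extracts the nonce, ignoring ordinary destination unreachable messages. The 4-byte identifier value, the 16-byte nonce length and the choice of code 3 are assumptions.

```python
"""ICMP destination unreachable message (type 8 bits, code 8 bits,
checksum 16 bits) whose otherwise unused data part carries an identifier
asking the client to authenticate, followed by a nonce.
Added example, not the patent's own code; identifier value, nonce length
and the code value are assumptions."""
import os
import struct
from typing import Optional

ICMP_TYPE_DEST_UNREACHABLE = 3          # RFC 792 type value
ICMP_CODE_PORT_UNREACHABLE = 3          # RFC 792 code value (assumed choice)
AUTH_REQUIRED_ID = b"SPA?"              # constructed identifier: "initiate authentication"
NONCE_LEN = 16                          # assumed nonce size
HEADER = struct.Struct("!BBH")          # type, code, checksum


def icmp_checksum(data: bytes) -> int:
    """Ones' complement checksum (RFC 1071) over the whole ICMP packet,
    computed with the checksum field set to zero. Run over a packet that
    already carries a correct checksum, it returns zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_auth_request(nonce: Optional[bytes] = None) -> bytes:
    """Firewall side: the destination unreachable message that replaces the
    plain RFC 792 reply and instructs the client to authenticate."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)   # fresh nonce for every message
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    data = AUTH_REQUIRED_ID + nonce
    unchecked = HEADER.pack(ICMP_TYPE_DEST_UNREACHABLE, ICMP_CODE_PORT_UNREACHABLE, 0) + data
    csum = icmp_checksum(unchecked)
    return HEADER.pack(ICMP_TYPE_DEST_UNREACHABLE, ICMP_CODE_PORT_UNREACHABLE, csum) + data


def parse_auth_request(msg: bytes) -> Optional[bytes]:
    """Client side (transport or socket layer): return the nonce if msg is a
    well-formed authentication request, otherwise None. An ordinary RFC 792
    destination unreachable (no identifier in the data part) and a corrupted
    message (checksum failure) are both ignored."""
    if len(msg) < HEADER.size + len(AUTH_REQUIRED_ID) + NONCE_LEN:
        return None
    icmp_type, _code, _csum = HEADER.unpack_from(msg)
    if icmp_type != ICMP_TYPE_DEST_UNREACHABLE:
        return None
    if icmp_checksum(msg) != 0:         # stored checksum included: a valid packet sums to zero
        return None
    data = msg[HEADER.size:]
    if not data.startswith(AUTH_REQUIRED_ID):
        return None
    return data[len(AUTH_REQUIRED_ID):len(AUTH_REQUIRED_ID) + NONCE_LEN]
```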
In this implementation, after receiving the destination unreachable message the client can extract the random value from it and then begin constructing the authentication data packet, which may be an SPA (Single Packet Authorization) packet. The authentication data packet includes the information to be encrypted and the authentication code; the information to be encrypted may include a client identifier (ClientID) and may further include the current timestamp. The ClientID is the identity assigned to the client and can be used to look up the client's shared key and port access rights, i.e. the destination ports the client is authorized to access. The client's shared key is known to both the client and the server hosting the destination ports it can access. The authentication code is computed by encrypting the random value and the information to be encrypted with the client's shared key; for example, the authentication code may be an HMAC (Hash-based Message Authentication Code). The authentication code serves identity authentication, message integrity protection and protection against message replay attacks.
In this implementation, the client encapsulates the information to be encrypted and the authentication code in a data packet to construct the authentication data packet, and then sends it to the destination server. When the firewall of the destination server receives the authentication data packet, it can take the information to be encrypted and the authentication code from the packet. The destination server can look up the client's shared key and access rights from the ClientID in the information to be encrypted, and use the shared key to perform the encryption computation over the random value (which the destination server itself sent to the client, so it knows the value) and the information to be encrypted, obtaining a verification code. If the verification code equals the authentication code, the client is a legitimate client; the destination server then consults the client's access rights to determine whether the client is permitted to access the destination port. If it is, the destination server opens the destination port to the client, i.e. it allows the client's IHIP and IHport to access the service's AHIP and AHport (the destination port). If the client is not permitted to access the destination port, the destination server does not open the destination port to the client and refuses the data packets the client sends to that port. If the verification code differs from the authentication code, the client is not a legitimate client, and the destination server continues to reject the data packets it sends.
In a possible implementation, step S103 of the above data transmission method may include the following step:
responding to the destination unreachable message at the client's transport layer or socket layer to generate and return the authentication data packet, where the socket layer is located between the transport layer and the application layer of the client's protocol stack.
In this implementation, to make the authentication process transparent to the client, the transport layer is modified, or a socket layer is added between the transport layer and the application layer, to handle the destination unreachable message and construct the authentication data packet.
In the prior art, when the client's protocol stack receives a destination unreachable message it processes it layer by layer and finally passes it up to the application layer, which is not transparent to the application: the client must explicitly send the authentication data packet and then resend the first data packet. In this embodiment, to achieve transparency to the client, when the client's protocol stack receives the destination unreachable message it processes it layer by layer, and when the message reaches the transport layer or socket layer, that layer directly responds to it by generating and returning the authentication data packet.
In a possible implementation, the above data transmission method may further include the following step:
periodically receiving destination unreachable messages sent by the destination server.
In this implementation, once the client has passed authentication, the destination server authorizes the client's IHIP and IHport to access the service's AHIP and AHport. At that point, if an attacker blocks the legitimate client's data packets and impersonates the client's IHIP and IHport, the attacker can reach the service's AHIP and AHport. To prevent such a man-in-the-middle attack, a continuous authentication mechanism is introduced: the firewall in the destination server periodically sends destination unreachable messages and requires the client that sent the data packets to keep authenticating. If the peer does not respond, or the authentication data packet it returns is incorrect, the connection is terminated and the client's data packets are refused.
In this implementation, if no attack occurs, the client periodically receives the destination unreachable messages sent by the destination server and, in response to each one, generates and returns an authentication data packet carrying authentication information. Once the firewall in the destination server has verified it, the connection with the client is maintained and the service's destination port remains open to the client.
In a possible implementation of the above data transmission method, the step of using the shared key to perform an encryption computation over the random value and the information to be encrypted to obtain an authentication code may further include:
using the shared key to perform an encryption computation over the random value, the information to be encrypted and an authentication count to obtain the authentication code, where the authentication count is the number of times the client has been instructed to initiate authentication when accessing the port of the destination server.
In this implementation, when the destination server periodically sends destination unreachable messages, the authentication can be made more secure and more accurate by using the shared key to perform the encryption computation over the random value, the information to be encrypted and the authentication count, where the authentication count is the number of times the client has been instructed by the destination server to initiate authentication. When the destination server receives the authentication data packet, it can use the shared key it looked up to perform the encryption computation over the random value (which it knows), the verification count (i.e. the number of times the destination server has verified whether the client is permitted to access the destination port, which the destination server can record) and the information to be encrypted, obtaining a verification code. If the verification count equals the authentication count, the computed verification code equals the authentication code, which shows that the client is a legitimate client.
Figure 3 shows a flow chart of a data transmission method applied to a destination server according to an embodiment of the present disclosure. As shown in Figure 3, the data transmission method includes the following steps S301 to S305:
In step S301, upon receiving the first data packet sent by a client for the first time, the first data packet is discarded;
In step S302, a destination unreachable message is returned to the client, the destination unreachable message instructing the client to initiate authentication;
In step S303, an authentication data packet sent by the client is received, the authentication data packet carrying authentication information;
In step S304, when it is determined from the authentication information that the client is permitted to access the destination port, access to the destination port is opened for the client;
In step S305, the first data packet resent by the client is received through the destination port.
In an embodiment of the present disclosure, when a client wants to access a service, it sends a first data packet to the destination port of the destination server on which the service resides (i.e. the port corresponding to the service); at this point the first data packet is being sent for the first time. Every server in the underlying network is configured with a firewall, for example an SDP (Software Defined Perimeter) firewall, which applies a deny-all policy, that is, it denies access to every client that has not been verified, so the server's ports are invisible to the network. Consequently, when the destination server receives the first data packet sent by the client for the first time, it discards that packet directly and sends a destination unreachable message to the client instructing it to initiate authentication. As an example, the destination unreachable message may be an ICMP (Internet Control Message Protocol) message that carries an identifier, the identifier indicating that the client is to initiate authentication.
In an embodiment of the present disclosure, upon receiving the destination unreachable message the client immediately constructs an authentication data packet and sends it to the destination server for authentication. The authentication data packet carries authentication information. After receiving it, the destination server determines from the authentication information whether the client is permitted to access its destination port. If the client is determined to have that permission, the client is a legitimate visitor to the destination port, and the destination server authorizes the client's IHIP and IHport to access the service's AHIP and AHport. Here IHIP is the IP address of the destination server on which the client resides, IHport is the port corresponding to the client on that server, AHIP is the IP address of the destination server on which the service resides, and AHport is the destination port corresponding to the service on that server. The destination server thus opens access to the destination port for the client, and the client can send data packets to it. Each such packet carries the client's IHIP and IHport together with the AHIP and AHport of the service to be accessed. When the destination server receives the packet, since the client's IHIP and IHport have already been authorized to access the service's AHIP and AHport, the firewall of the destination server lets through packets whose source IP and source port are the client's IHIP and IHport and whose destination IP and destination port are the service's AHIP and AHport. The server's AHport, i.e. the destination port, can then receive the packet, and the service provides the corresponding service to the client.
In an embodiment of the present disclosure, after sending the authentication data packet to the destination server, the client directly starts a retransmission mechanism and sends the first data packet again to the destination port of the destination server. If the destination server determines from the authentication information that the client is permitted to access its destination port, the destination server can receive the first data packet through that port; of course, if the destination server determines from the authentication information that the client is not permitted to access its destination port, it discards the first data packet.
It should be noted here that after the destination server has authenticated the client, its firewall returns to the Deny ALL state; the established connection is maintained by the Connection Tracking mechanism.
In this embodiment, servers are configured to reject all access from unverified clients, hiding the servers' ports, so that only the ports a client is authorized to access can be reached, and only after authentication has succeeded. This reduces the security risk of the exposed surface of the underlying network in a delivery-type data center and protects the cloud platform.
In a possible implementation, the destination unreachable message carries a random value; the authentication information includes information to be encrypted and an authentication code, where the information to be encrypted includes a client identifier and may further include a current timestamp; and determining from the authentication information that the client is permitted to access the destination port includes:
looking up the client's shared key and access rights by the client identifier, the access rights defining the ports of the server that the client may access;
using the shared key to perform an encryption computation over the random value and the information to be encrypted to obtain a verification code;
when the verification code equals the authentication code, if the ports of the server that the client may access include the destination port to which the first data packet is addressed, determining that the client is permitted to access the destination port.
In this implementation, the destination unreachable message carries a random value, which is a nonce (number used once); in cryptography a nonce is an arbitrary or non-repeating random number that is used only once. The random value is used in the subsequent authentication; for example, it can be filled into the corresponding field in the data part of the ICMP unreachable message.
In this implementation, after receiving the destination unreachable message the client can extract the random value from it and then begin constructing the authentication data packet, which includes the information to be encrypted and the authentication code; the information to be encrypted may include a client identifier (ClientID) and may further include the current timestamp. The ClientID is the identity assigned to the client and can be used to look up the client's shared key and port access rights, i.e. the destination ports the client is authorized to access. The authentication code is computed by encrypting the random value and the information to be encrypted with the client's shared key; for example, it may be an HMAC. The authentication code serves identity authentication, message integrity protection and protection against message replay attacks.
In this implementation, the client encapsulates the information to be encrypted and the authentication code in a data packet to construct the authentication data packet, and then sends it to the destination server. When the firewall of the destination server receives the authentication data packet, it can take the information to be encrypted and the authentication code from the packet. The destination server can look up the client's shared key and access rights from the ClientID in the information to be encrypted, and use the shared key to perform the encryption computation over the random value (which the destination server itself sent to the client, so it knows the value) and the information to be encrypted, obtaining a verification code. If the verification code equals the authentication code, the client is a legitimate client; the destination server then consults the client's access rights to determine whether the client is permitted to access the destination port. If it is, the destination server opens the destination port to the client, i.e. it allows the client's IHIP and IHport to access the service's AHIP and AHport (the destination port). If the client is not permitted to access the destination port, the destination server does not open the destination port to the client and refuses the data packets the client sends to that port. If the verification code differs from the authentication code, the client is not a legitimate client, and the destination server continues to reject the data packets it sends.
It should be noted here that when defining access rights, no information about the client is needed; it suffices to define the source IP and source port that are permitted to access a given destination IP and destination port. As long as the source IP in the IP layer of the authentication data packet and the source port in its sPort (source port) field are a source IP and source port holding that access right, the client is considered permitted to access the destination port.
In a possible implementation, after access to the destination port has been opened for the client, the method further includes:
periodically sending destination unreachable messages to the client.
In this implementation, once the client has passed authentication, the destination server authorizes the client's IHIP and IHport to access the service's AHIP and AHport. At that point, if an attacker blocks the legitimate client's data packets and impersonates the client's IHIP and IHport, the attacker can reach the service's AHIP and AHport. To prevent such a man-in-the-middle attack, a continuous authentication mechanism is introduced: the firewall in the destination server periodically sends destination unreachable messages and requires the client that sent the data packets to keep authenticating. If the peer does not respond, or the authentication data packet it returns is incorrect, the connection is terminated and the client's data packets are refused.
In this implementation, if no attack occurs, the client periodically receives the destination unreachable messages sent by the destination server and, in response to each one, generates and returns an authentication data packet carrying authentication information. Once the firewall in the destination server has verified it, the connection with the client is maintained and the service's destination port remains open to the client.
In a possible implementation, using the shared key to perform an encryption computation over the random value and the information to be encrypted to obtain a verification code includes:
using the shared key to perform an encryption computation over the random value, the information to be encrypted and a verification count to obtain the verification code, where the verification count is the number of times the server has verified whether the client is permitted to access the destination port.
In this implementation, when the destination server periodically sends destination unreachable messages, the authentication can be made more secure and more accurate by using the shared key to perform the encryption computation over the random value, the information to be encrypted and the authentication count, where the authentication count is the number of times the client has been instructed by the destination server to initiate authentication. When the destination server receives the authentication data packet, it can use the shared key it looked up to perform the encryption computation over the random value (which it knows), the verification count (i.e. the number of times the destination server has verified whether the client is permitted to access the destination port, which the destination server can record) and the information to be encrypted, obtaining a verification code. If the verification count equals the authentication count, the computed verification code equals the authentication code, which shows that the client is a legitimate client.
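The authentication exchange described in the client-side and server-side implementations above (authentication code from the nonce, ClientID, timestamp and authentication count; lookup of the shared key and access rights by ClientID; verification code recomputed with the server's own verification count; authorization of IHIP and IHport toward AHIP and AHport; periodic re-authentication with revocation on a wrong code), as an added example that is not the patent's own code. HMAC-SHA256 as the authentication code, the JSON packet layout, the 60-second timestamp window and the in-memory policy table are assumptions.

```python
"""Single packet authorization between a client and the destination server's
deny-all firewall. Added example, not the patent's own code; HMAC-SHA256,
the packet layout, the timestamp window and the policy table are assumptions."""
import hashlib
import hmac
import json
import os
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (IP, port)

# Constructed policy table: shared key and the (AHIP, AHport) pairs each ClientID may reach.
POLICY = {"client-42": {"key": b"constructed-shared-secret-42",
                        "ports": {("10.0.0.5", 443)}}}


def compute_code(key: bytes, nonce: bytes, client_id: str, ts: int, count: int) -> str:
    """Authentication (client) or verification (server) code: HMAC over a
    canonical encoding of nonce, ClientID, timestamp and authentication count."""
    msg = json.dumps({"nonce": nonce.hex(), "client_id": client_id, "ts": ts, "count": count},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Client:
    """Client side (transport or socket layer): answers every destination
    unreachable message with an authentication data packet."""

    def __init__(self, client_id: str, key: bytes):
        self.client_id, self.key = client_id, key
        self.auth_count = 0  # times this client has been instructed to authenticate

    def build_auth_packet(self, nonce: bytes, now: int) -> dict:
        self.auth_count += 1
        info = {"client_id": self.client_id, "ts": now}  # the information to be encrypted
        return {"info": info, "code": compute_code(self.key, nonce, self.client_id, now, self.auth_count)}


class FirewallVerifier:
    """Destination server firewall: everything is denied except 4-tuples authorized here."""

    def __init__(self, policy: Dict[str, dict], window: int = 60):
        self.policy, self.window = policy, window
        self.pending: Dict[Endpoint, bytes] = {}     # (IHIP, IHport) -> outstanding nonce
        self.verify_count: Dict[Endpoint, int] = {}  # (IHIP, IHport) -> verification count
        self.allowed: Set[Tuple[str, int, str, int]] = set()

    def issue_nonce(self, ihip: str, ihport: int) -> bytes:
        """Nonce carried in the destination unreachable message, on first contact
        and on every periodic re-authentication round."""
        src = (ihip, ihport)
        self.pending[src] = os.urandom(16)
        self.verify_count[src] = self.verify_count.get(src, 0) + 1
        return self.pending[src]

    def revoke(self, ihip: str, ihport: int) -> None:
        """Terminate the connection: drop every authorization held by this source."""
        self.allowed = {t for t in self.allowed if t[:2] != (ihip, ihport)}

    def verify(self, ihip: str, ihport: int, ahip: str, ahport: int, packet: dict, now: int) -> bool:
        src = (ihip, ihport)
        nonce = self.pending.pop(src, None)  # a nonce is accepted at most once
        if nonce is None:
            return False                      # nothing was requested from this source: ignore
        info = packet.get("info", {})
        entry = self.policy.get(info.get("client_id"))
        if entry is None or abs(now - int(info.get("ts", 0))) > self.window:
            self.revoke(ihip, ihport)
            return False
        expected = compute_code(entry["key"], nonce, info["client_id"], int(info["ts"]),
                                self.verify_count[src])
        if not hmac.compare_digest(expected, str(packet.get("code", ""))):
            self.revoke(ihip, ihport)         # wrong code (or count mismatch): not legitimate
            return False
        if (ahip, ahport) not in entry["ports"]:
            return False                      # legitimate client, but this port is not in its rights
        self.allowed.add((ihip, ihport, ahip, ahport))
        return True

    def permits(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Per-packet decision of the deny-all firewall after authentication."""
        return (src_ip, src_port, dst_ip, dst_port) in self.allowed


def first_contact_flow(now: int = 1_700_000_000) -> Tuple[bool, bool, bool, bool]:
    """Walk the exchange: first authentication, one periodic re-authentication,
    then a replayed first packet. Returns the three results and whether the
    source is still permitted afterwards."""
    fw = FirewallVerifier(POLICY)
    cl = Client("client-42", POLICY["client-42"]["key"])
    pkt1 = cl.build_auth_packet(fw.issue_nonce("10.0.0.9", 40000), now)
    first = fw.verify("10.0.0.9", 40000, "10.0.0.5", 443, pkt1, now)
    pkt2 = cl.build_auth_packet(fw.issue_nonce("10.0.0.9", 40000), now + 30)
    periodic = fw.verify("10.0.0.9", 40000, "10.0.0.5", 443, pkt2, now + 30)
    fw.issue_nonce("10.0.0.9", 40000)                                      # third round requested
    replay = fw.verify("10.0.0.9", 40000, "10.0.0.5", 443, pkt1, now + 60)  # answered with a replay
    return first, periodic, replay, fw.permits("10.0.0.9", 40000, "10.0.0.5", 443)
```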
Figure 4 shows the overall flowchart of a data transmission method according to an implementation of the present disclosure. As shown in Figure 4, the data transmission method includes the following steps S401 to S406:
In step S401, the client sends a first data packet to the destination port of the destination server for the first time;
In step S402, on receiving the first data packet sent by the client for the first time, the destination server discards the first data packet;
In step S403, the destination server returns a destination unreachable message to the client, the destination unreachable message instructing the client to initiate authentication;
In step S404, in response to receiving the destination unreachable message, the client generates and returns an authentication data packet, the authentication data packet carrying authentication information;
In step S405, when the destination server determines from the authentication information that the client has permission to access the destination port, it opens access to the destination port for the client;
In step S406, the client resends the first data packet to the destination port of the destination server, and the destination server receives the resent first data packet through the destination port.
In a possible implementation, as shown in Figure 4, the first data packet that the client sends for the first time to the destination port of the destination server is intercepted and discarded by the firewall on the destination server, and that firewall returns a destination unreachable message to the client instructing it to initiate authentication. In response to receiving the destination unreachable message, the client generates and returns an authentication data packet; when the destination server determines from the authentication information that the client has permission to access the destination port, it opens access to the destination port for the client. The first data packet that the client then resends to the destination port of the destination server therefore passes through the firewall to the destination port of the destination server and is received by the server side.
In a possible implementation, the destination unreachable message carries a random value, and the method further includes:
the client obtaining its shared key and using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain an authentication code, the information to be encrypted including the client identifier and optionally also the current timestamp;
the client generating and returning the authentication data packet includes:
the client encapsulating the information to be encrypted and the authentication code in a data packet to form the authentication data packet, and sending the authentication data packet to the destination server.
The destination server determining from the authentication information that the client has permission to access the destination port includes:
the destination server querying, by the client identifier, the client's shared key and access rights, the access rights defining which ports on the destination server the client may access; using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain a verification code; and, when the verification code equals the authentication code, determining that the client has permission to access the destination port if the ports the client may access on the destination server include the destination port that the first data packet is to reach.
In a possible implementation, the client generating and returning the authentication data packet in response to receiving the destination unreachable message includes:
the client responding to the destination unreachable message through its transport layer or its socket layer and generating and returning the authentication data packet, the socket layer lying between the transport layer and the application layer in the protocol stack.
In a possible implementation, the method further includes:
the destination server periodically sending destination unreachable messages to the client.
In a possible implementation, the client using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain the authentication code includes:
the client using the shared key to perform the keyed cryptographic computation over the random value, the information to be encrypted and an authentication count to obtain the authentication code, the authentication count being the number of times the client has been instructed by the destination server to initiate authentication;
the destination server using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain the verification code includes:
the destination server using the shared key to perform the keyed cryptographic computation over the random value, the information to be encrypted and a verification count to obtain the verification code, the verification count being the number of times the destination server has verified whether the client has permission to access the destination port.
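The exchange of steps S401 to S406, the server-side check against the client's access rights, and the counted variant in which the authentication count and verification count enter the keyed computation, written out as an added example. This is not code from the patent or from the applicant; the patent only says the shared key is used to "encrypt" the random value, the client identifier, the optional timestamp and the count, so HMAC-SHA256 is the concrete keyed computation chosen here, the client table, the 30-second timestamp window, the source address and the port numbers are constructed assumptions, and the message and packet classes stand in for the unspecified wire format.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed provisioning table on the destination server: for each client
# identifier, the shared key and the ports that client may access (the
# "access rights" of the text). The key bytes are a placeholder.
CLIENT_TABLE: Dict[str, dict] = {
    "client-A": {"key": b"\x11" * 32, "ports": {22, 443}},
}

# Freshness window (seconds) for the optional timestamp. The text fixes no
# window; 30 s is an assumption made here.
TS_WINDOW = 30


def auth_code(key: bytes, nonce: bytes, client_id: str, ts: int, count: int) -> bytes:
    """Keyed computation over the random value, client identifier, timestamp and
    authentication/verification count. HMAC-SHA256 is the choice made here;
    the text only says the shared key is used to 'encrypt' these inputs."""
    msg = nonce + client_id.encode() + ts.to_bytes(8, "big") + count.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Unreachable:
    """Destination unreachable message carrying the random value (S403)."""
    nonce: bytes


@dataclass
class AuthPacket:
    """Authentication data packet: information to be encrypted plus the code (S404)."""
    client_id: str
    ts: int
    code: bytes


@dataclass
class Client:
    client_id: str
    key: bytes
    auth_count: int = 0  # times the server has instructed this client to authenticate

    def respond(self, msg: Unreachable, now: int) -> AuthPacket:
        self.auth_count += 1
        code = auth_code(self.key, msg.nonce, self.client_id, now, self.auth_count)
        return AuthPacket(self.client_id, now, code)


@dataclass
class Server:
    table: Dict[str, dict]
    pending: Dict[str, bytes] = field(default_factory=dict)     # src -> outstanding nonce
    verify_count: Dict[str, int] = field(default_factory=dict)  # src -> verification count
    opened: Dict[str, Set[int]] = field(default_factory=dict)   # src -> ports opened

    def first_packet(self, src: str, port: int) -> Optional[Unreachable]:
        """S402/S403: a packet to a port not yet opened for this source is dropped
        and answered with an unreachable message; None means it was delivered (S406)."""
        if port in self.opened.get(src, set()):
            return None
        return self.request_auth(src)

    def request_auth(self, src: str) -> Unreachable:
        """Issue a fresh random value; also used for the periodic re-authentication."""
        nonce = os.urandom(16)
        self.pending[src] = nonce
        self.verify_count[src] = self.verify_count.get(src, 0) + 1
        return Unreachable(nonce)

    def verify(self, src: str, pkt: AuthPacket, port: int, now: int) -> bool:
        """S405: look up key and access rights, recompute the code, compare in
        constant time, then check the destination port against the rights."""
        nonce = self.pending.pop(src, None)   # single use: a replay finds no nonce
        entry = self.table.get(pkt.client_id)
        if nonce is None or entry is None:
            return False
        if abs(now - pkt.ts) > TS_WINDOW:     # timestamp freshness (check added here)
            return False
        expected = auth_code(entry["key"], nonce, pkt.client_id, pkt.ts,
                             self.verify_count[src])
        if not hmac.compare_digest(expected, pkt.code):
            return False
        if port not in entry["ports"]:        # access rights do not cover this port
            return False
        self.opened.setdefault(src, set()).add(port)
        return True


def run_exchange(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Walk through S401-S406, then a replay, a periodic re-authentication and a
    request for a port outside the client's access rights."""
    srv = Server(CLIENT_TABLE)
    cli = Client("client-A", CLIENT_TABLE["client-A"]["key"])
    src = "10.0.0.5"                                    # constructed source address
    msg = srv.first_packet(src, 22)                     # S401-S403: dropped, unreachable
    pkt = cli.respond(msg, now)                         # S404
    first_auth = srv.verify(src, pkt, 22, now)          # S405: port 22 opened
    delivered = srv.first_packet(src, 22) is None       # S406: the resend is accepted
    replay = srv.verify(src, pkt, 22, now)              # same packet again: no nonce left
    msg2 = srv.request_auth(src)                        # periodic unreachable, counts advance
    reauth = srv.verify(src, cli.respond(msg2, now + 5), 22, now + 5)
    msg3 = srv.first_packet(src, 8080)                  # code matches, port not permitted
    wrong_port = srv.verify(src, cli.respond(msg3, now + 9), 8080, now + 9)
    return {"first_auth": first_auth, "delivered": delivered, "replay": replay,
            "reauth": reauth, "wrong_port": wrong_port}


if __name__ == "__main__":
    print(run_exchange())
```

Two points a deployer should weigh that the text leaves open. The two counters only stay equal if every destination unreachable message reaches the client, so a lost or spoofed unreachable message (the message itself carries no authenticator) drives the counters apart and every later authentication fails until they are resynchronised; the nonce also has to be bound to the source and consumed on first use, as above, or a captured authentication packet can be replayed within the timestamp window.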
The technical terms and features involved in Figure 4 and the related implementations are the same as or similar to those mentioned in Figures 1 to 3 and the related implementations; for their explanation, refer to the description of Figures 1 to 3 and the related implementations above, which is not repeated here.
The following are device embodiments of the present disclosure, which may be used to carry out the method embodiments of the present disclosure.
Figure 5 shows a structural block diagram of a data transmission device applied at the client according to an implementation of the present disclosure; the device may be implemented in software, hardware or a combination of both as part or all of an electronic device. As shown in Figure 5, the data transmission device includes:
a first sending module 501, configured to send a first data packet to the destination port of the destination server for the first time;
a first receiving module 502, configured to receive a destination unreachable message sent by the destination server, the destination unreachable message instructing the client to initiate authentication;
a response module 503, configured to generate and return an authentication data packet in response to receiving the destination unreachable message, the authentication data packet carrying authentication information;
a second sending module 504, configured to resend the first data packet to the destination port of the destination server.
In a possible implementation, the destination unreachable message carries a random value, and the device further includes:
a first acquisition module, configured to obtain the client's shared key;
a first computation module, configured to use the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain an authentication code, the information to be encrypted including the client identifier and optionally also the current timestamp;
the part of the response module that generates and returns the authentication data packet is configured to:
encapsulate the information to be encrypted and the authentication code in a data packet to form the authentication data packet;
send the authentication data packet to the destination server.
In a possible implementation, the part of the response module that generates and returns the authentication data packet in response to receiving the destination unreachable message is configured to:
respond to the destination unreachable message through the client's transport layer or socket layer and generate and return the authentication data packet, the socket layer lying between the transport layer and the application layer in the protocol stack.
In a possible implementation, the device further includes:
a second receiving module, configured to periodically receive destination unreachable messages sent by the destination server.
In a possible implementation, the first computation module is configured to:
use the shared key to perform the keyed cryptographic computation over the random value, the information to be encrypted and an authentication count to obtain the authentication code, the authentication count being the number of times the client has been instructed by the destination server to initiate authentication.
The technical terms and features involved in Figure 5 and the related implementations are the same as or similar to those mentioned in Figures 1 to 3 and the related implementations; for their explanation, refer to the description of Figures 1 to 3 and the related implementations above, which is not repeated here.
Figure 6 shows a structural block diagram of a data transmission device applied at the destination server according to an implementation of the present disclosure; the device may be implemented in software, hardware or a combination of both as part or all of an electronic device. As shown in Figure 6, the data transmission device includes:
a discarding module 601, configured to discard the first data packet on receiving the first data packet sent by the client for the first time;
a third sending module 602, configured to return a destination unreachable message to the client, the destination unreachable message instructing the client to initiate authentication;
a third receiving module 603, configured to receive the authentication data packet sent by the client, the authentication data packet carrying authentication information;
an opening module 604, configured to open access to the destination port for the client when it is determined from the authentication information that the client has permission to access the destination port;
a fourth receiving module 605, configured to receive the first data packet resent by the client through the destination port.
The destination unreachable message carries a random value, the authentication information includes the information to be encrypted and an authentication code, and the information to be encrypted includes the client identifier and optionally also the current timestamp; the part of the opening module that determines from the authentication information that the client has permission to access the destination port is configured to:
query, by the client identifier, the client's shared key and access rights, the access rights defining which ports on the destination server the client may access;
use the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain a verification code;
when the verification code equals the authentication code, determine that the client has permission to access the destination port if the ports the client may access on the destination server include the destination port that the first data packet is to reach.
In a possible implementation, the device further includes:
a fourth sending module, configured to periodically send destination unreachable messages to the client.
In a possible implementation, using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain the verification code includes:
using the shared key to perform the keyed cryptographic computation over the random value, the information to be encrypted and a verification count to obtain the verification code, the verification count being the number of times the destination server has verified whether the client has permission to access the destination port.
The technical terms and features involved in Figure 6 and the related implementations are the same as or similar to those mentioned in Figures 1 to 3 and the related implementations; for their explanation, refer to the description of Figures 1 to 3 and the related implementations above, which is not repeated here.
The present disclosure also discloses an electronic device. Figure 7 shows a structural block diagram of an electronic device according to an implementation of the present disclosure. As shown in Figure 7, the electronic device 700 includes a memory 701 and a processor 702, wherein
the memory 701 stores one or more computer instructions, and the one or more computer instructions are executed by the processor 702 to implement the method steps described above.
Figure 8 is a schematic structural diagram of a computer system suitable for implementing the method according to an embodiment of the present disclosure.
As shown in Figure 8, the computer system 800 includes a processing unit 801 that can carry out the various processing of the implementations above according to a program stored in a read-only memory (ROM) 802 or a program loaded from a storage section 808 into a random access memory (RAM) 803. The RAM 803 also stores the various programs and data needed for the operation of the system 800. The processing unit 801, the ROM 802 and the RAM 803 are connected to one another through a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse and the like; an output section 807 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a loudspeaker and the like; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card or a modem. The communication section 809 performs communication processing over a network such as the Internet. A drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 810 as needed so that a computer program read from it can be installed into the storage section 808 as needed. The processing unit 801 may be implemented as a CPU, GPU, TPU, FPGA, NPU or another processing unit.
In particular, according to implementations of the present disclosure, the method described above may be implemented as a computer software program. For example, implementations of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for performing the method described above. In such an implementation, the computer program may be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various implementations of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code containing one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that shown in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a special-purpose hardware-based system that performs the specified function or operation, or by a combination of special-purpose hardware and computer instructions.
The units or modules described in the implementations of the present disclosure may be implemented in software or in hardware. The described units or modules may also be provided in a processor, and in some cases the names of these units or modules do not limit the units or modules themselves.
As a further aspect, embodiments of the present disclosure also provide a computer-readable storage medium, which may be the computer-readable storage medium included in the device of the implementations above or a stand-alone computer-readable storage medium not assembled into the device. The computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the method described in the embodiments of the present disclosure.
The above description is only of preferred embodiments of the present disclosure and of the technical principles applied. Persons skilled in the art should understand that the scope of the invention involved in the embodiments of the present disclosure is not limited to technical solutions formed by the specific combination of the technical features above, but also covers other technical solutions formed by any combination of the technical features above or their equivalents without departing from the inventive concept, for example technical solutions formed by interchanging the features above with technical features of similar function disclosed in (but not limited to) the embodiments of the present disclosure.

Claims (13)

  1. A data transmission method, comprising:
    sending a first data packet to a destination port of a destination server for the first time;
    receiving a destination unreachable message sent by the destination server, the destination unreachable message instructing the client to initiate authentication;
    in response to receiving the destination unreachable message, generating and returning an authentication data packet, the authentication data packet carrying authentication information;
    resending the first data packet to the destination port of the destination server.
  2. The method according to claim 1, wherein the destination unreachable message carries a random value, and the method further comprises:
    obtaining the shared key of the client;
    using the shared key to perform a keyed cryptographic computation over the random value and information to be encrypted to obtain an authentication code, the information to be encrypted including a client identifier and optionally also a current timestamp;
    wherein generating and returning the authentication data packet comprises:
    encapsulating the information to be encrypted and the authentication code in a data packet to form the authentication data packet;
    sending the authentication data packet to the destination server.
  3. The method according to claim 1, wherein generating and returning the authentication data packet in response to receiving the destination unreachable message comprises:
    responding to the destination unreachable message through a transport layer or a socket layer of the client and generating and returning the authentication data packet, the socket layer lying between the transport layer and the application layer in the protocol stack.
  4. The method according to claim 1 or 2, further comprising:
    periodically receiving destination unreachable messages sent by the destination server.
  5. The method according to claim 4, wherein using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain the authentication code comprises:
    using the shared key to perform the keyed cryptographic computation over the random value, the information to be encrypted and an authentication count to obtain the authentication code, the authentication count being the number of times the client has been instructed by the destination server to initiate authentication.
  6. A data transmission method, comprising:
    on receiving a first data packet sent by a client for the first time, discarding the first data packet;
    returning a destination unreachable message to the client, the destination unreachable message instructing the client to initiate authentication;
    receiving an authentication data packet sent by the client, the authentication data packet carrying authentication information;
    when it is determined from the authentication information that the client has permission to access the destination port, opening access to the destination port for the client;
    receiving, through the destination port, the first data packet resent by the client.
  7. The method according to claim 6, wherein the destination unreachable message carries a random value, the authentication information includes information to be encrypted and an authentication code, and the information to be encrypted includes a client identifier and optionally also a current timestamp; and determining from the authentication information that the client has permission to access the destination port comprises:
    querying, by the client identifier, the shared key and access rights of the client, the access rights defining which ports on the destination server the client may access;
    using the shared key to perform a keyed cryptographic computation over the random value and the information to be encrypted to obtain a verification code;
    when the verification code equals the authentication code, determining that the client has permission to access the destination port if the ports the client may access on the destination server include the destination port that the first data packet is to reach.
  8. The method according to claim 6 or 7, wherein after opening access to the destination port for the client, the method further comprises:
    periodically sending destination unreachable messages to the client.
  9. The method according to claim 8, wherein using the shared key to perform the keyed cryptographic computation over the random value and the information to be encrypted to obtain the verification code comprises:
    using the shared key to perform the keyed cryptographic computation over the random value, the information to be encrypted and a verification count to obtain the verification code, the verification count being the number of times the destination server has verified whether the client has permission to access the destination port.
  10. A data transmission method, comprising:
    a client performing the method according to any one of claims 1 to 5, and a destination server performing the method according to any one of claims 6 to 9.
  11. An electronic device comprising a memory and at least one processor, wherein the memory stores one or more computer instructions, and the one or more computer instructions are executed by the at least one processor to implement the method steps according to any one of claims 1 to 10.
  12. A computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method steps according to any one of claims 1 to 10.
  13. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the method steps according to any one of claims 1 to 10.
PCT/CN2023/080407 2022-03-18 2023-03-09 Data transmission method, device, medium and product WO2023174143A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210273119.0 2022-03-18
CN202210273119.0A CN114726513A (en) 2022-03-18 2022-03-18 Data transmission method, apparatus, medium, and product

Publications (1)

Publication Number Publication Date
WO2023174143A1 true WO2023174143A1 (en) 2023-09-21

Family

ID=82237291

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/080407 WO2023174143A1 (en) 2022-03-18 2023-03-09 Data transmission method, device, medium and product

Country Status (2)

Country Link
CN (1) CN114726513A (en)
WO (1) WO2023174143A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726513A (en) * 2022-03-18 2022-07-08 阿里巴巴(中国)有限公司 Data transmission method, apparatus, medium, and product
CN117201200B (en) * 2023-11-07 2024-01-02 湖南密码工程研究中心有限公司 Data safety transmission method based on protocol stack

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330948A (en) * 2016-09-09 2017-01-11 杭州华三通信技术有限公司 Message control method and message control device
CN110351298A (en) * 2019-07-24 2019-10-18 中国移动通信集团黑龙江有限公司 Access control method, device, equipment and storage medium
CN112261067A (en) * 2020-12-21 2021-01-22 江苏易安联网络技术有限公司 Method and system for multi-stage single-packet authorization
CN112839062A (en) * 2021-04-20 2021-05-25 北京天维信通科技有限公司 Port hiding method, device and equipment with mixed authentication signals
US20210185018A1 (en) * 2019-12-16 2021-06-17 Vmware, Inc. Concealing internal applications that are accessed over a network
CN114726513A (en) * 2022-03-18 2022-07-08 阿里巴巴(中国)有限公司 Data transmission method, apparatus, medium, and product

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105025027A (en) * 2015-07-27 2015-11-04 浪潮(北京)电子信息产业有限公司 RPC security authentication method of multi-control storage system
CN107948201B (en) * 2017-12-29 2020-11-13 平安科技(深圳)有限公司 Authority authentication method and system for Docker mirror warehouse
US10437745B2 (en) * 2018-01-05 2019-10-08 Denso International America, Inc. Mobile de-whitening
CN113766567A (en) * 2020-06-05 2021-12-07 华为技术有限公司 Communication method and device
CN112968907B (en) * 2021-03-25 2023-04-28 北京鼎事兴教育咨询有限公司 Data transmission method, data storage method, data query method, medium and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330948A (en) * 2016-09-09 2017-01-11 杭州华三通信技术有限公司 Message control method and message control device
CN110351298A (en) * 2019-07-24 2019-10-18 中国移动通信集团黑龙江有限公司 Access control method, device, equipment and storage medium
US20210185018A1 (en) * 2019-12-16 2021-06-17 Vmware, Inc. Concealing internal applications that are accessed over a network
CN112261067A (en) * 2020-12-21 2021-01-22 江苏易安联网络技术有限公司 Method and system for multi-stage single-packet authorization
CN112839062A (en) * 2021-04-20 2021-05-25 北京天维信通科技有限公司 Port hiding method, device and equipment with mixed authentication signals
CN114726513A (en) * 2022-03-18 2022-07-08 阿里巴巴(中国)有限公司 Data transmission method, apparatus, medium, and product

Also Published As

Publication number Publication date
CN114726513A (en) 2022-07-08

Similar Documents

Publication Publication Date Title
US7552323B2 (en) System, apparatuses, methods, and computer-readable media using identification data in packet communications
US9438592B1 (en) System and method for providing unified transport and security protocols
US10178181B2 (en) Interposer with security assistant key escrow
US8418242B2 (en) Method, system, and device for negotiating SA on IPv6 network
WO2023174143A1 (en) Data transmission method, device, medium and product
JP2023514736A (en) Method and system for secure communication
CA2506418C (en) Systems and apparatuses using identification data in network communication
US20150249639A1 (en) Method and devices for registering a client to a server
WO2020020007A1 (en) Network access method and device, terminal, base station, and readable storage medium
CN116346375A (en) Access control method, access control system, terminal and storage medium
CN115603932A (en) Access control method, access control system and related equipment
WO2023279782A1 (en) Access control method, access control system and related device
EP3459224A1 (en) Web server security
US11689517B2 (en) Method for distributed application segmentation through authorization
CN113645115B (en) Virtual private network access method and system
CN116633562A (en) Network zero trust security interaction method and system based on WireGuard
Stergiou et al. An alternative architectural framework to the OSI security model
Zhang et al. EDP: An eBPF-based Dynamic Perimeter for SDP in Data Center
WO2024001885A1 (en) Data transmission method, electronic device and computer storage medium
US20240146728A1 (en) Access control method, access control system, and related device
EP3907967A1 (en) Method for preventing sip device from being attacked, calling device, and called device
Budzko et al. Analysis of the level of security provided by advanced information and communication technologies

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23769649

Country of ref document: EP

Kind code of ref document: A1