
CN114448706A - Single packet authorization method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114448706A
Authority
CN (China)
Legal status
Granted
Application number
CN202210117616.1A
Other languages
Chinese (zh)
Other versions
CN114448706B (en)
Inventors
柴致海, 尚程, 高华, 黄晓青, 傅强, 梁彧, 蔡琳, 杨满智, 王杰, 田野, 金红, 陈晓光
Current assignee
Eversec Beijing Technology Co Ltd
Original assignee
Eversec Beijing Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose a single-packet authorization method and device, electronic equipment and a storage medium. The method comprises: acquiring traffic data to be authorized; generating single-packet authorization data for the traffic data to be authorized, where the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password; adding the single-packet authorization data to the traffic data to be authorized, to obtain authorized traffic data; and sending the authorized traffic data to a server so that the server performs single-packet authorization verification on it. The technical scheme of the embodiments can improve the security and reliability of single-packet authorization and thereby the security of network access.

Description

Single packet authorization method and device, electronic equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of communication, and in particular to a single-packet authorization method and device, electronic equipment and a storage medium.
Background
Single Packet Authorization (SPA) is a core function of a Software Defined Perimeter (SDP). Every packet that attempts to connect to the server is authenticated and authorized, and the server responds to the connection request only after authentication passes; the enterprise service is thereby hidden from the network and can be neither connected to nor scanned. SPA gives the servers it protects (the zero-trust control center and the security broker gateway) the following protections: (1) protecting the server: the server does not respond to any connection from any client until a valid SPA is presented; (2) mitigating denial-of-service attacks on TLS (Transport Layer Security): an Internet-facing server running HTTPS (HTTP over TLS) is very vulnerable to DoS (Denial of Service) attacks, and SPA mitigates them because it lets the server reject a TLS connection attempt before entering the TLS handshake.
When a user accesses a service system from the Internet, SPA single-packet authorization is required, and the server responds only after authentication passes. When an enterprise user accesses a service, the scenarios are: (1) the user logs in from the intranet; the server performs no SPA single-packet authorization check on the packets, and access proceeds normally; (2) the user needs to access the service from the Internet, so the user must install a client and be authorized by an administrator; after the user has successfully logged in to the intranet, the client obtains the SPA authorization code, which serves as the authentication "key" when accessing from the Internet environment; (3) when an illegitimate user tries to access from the Internet, no administrator-issued SPA authorization code exists, so the access fails.
In the course of implementing the invention, the inventors found the following defect in the prior art: in the existing SPA single-packet authorization mechanism, the SPA authorization code is generated in a simple way, its security and reliability are low, and it is easy to attack and crack. Single-packet authorization then fails, which creates great potential safety hazards for network access.
Disclosure of Invention
Embodiments of the invention provide a single-packet authorization method and device, electronic equipment and a storage medium, which can improve the security and reliability of single-packet authorization and thereby the security of network access.
According to one aspect of the invention, a single-packet authorization method applied to a client is provided, comprising:
acquiring traffic data to be authorized;
generating single-packet authorization data for the traffic data to be authorized, where the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password;
adding the single-packet authorization data to the traffic data to be authorized, to obtain authorized traffic data;
and sending the authorized traffic data to a server, so that the server performs single-packet authorization verification on it.
According to another aspect of the invention, a single-packet authorization method applied to a server is provided, comprising:
acquiring authorized traffic data sent by a client, where the authorized traffic data comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password;
and performing single-packet authorization verification on the authorized traffic data.
According to another aspect of the invention, a single-packet authorization apparatus configured at a client is provided, comprising:
a to-be-authorized traffic acquisition module, for acquiring traffic data to be authorized;
a single-packet authorization data generation module, for generating single-packet authorization data for the traffic data to be authorized, where the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password;
an authorized traffic acquisition module, for adding the single-packet authorization data to the traffic data to be authorized, to obtain authorized traffic data;
and an authorized traffic sending module, for sending the authorized traffic data to a server so that the server performs single-packet authorization verification on it.
According to another aspect of the invention, a single-packet authorization apparatus configured at a server is provided, comprising:
an authorized traffic receiving module, for receiving authorized traffic data sent by a client, where the authorized traffic data comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password;
and a single-packet authorization verification module, for performing single-packet authorization verification on the authorized traffic data.
According to another aspect of the invention, an electronic device is provided, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, where
the memory stores a computer program executable by the at least one processor, which when executed enables the at least one processor to perform the single-packet authorization method of any embodiment of the invention.
According to another aspect of the invention, a computer-readable storage medium is provided, storing computer instructions which, when executed, cause a processor to implement the single-packet authorization method of any embodiment of the invention.
In embodiments of the invention, the client generates single-packet authorization data comprising a confidence level value and/or a dynamic authorization password for the acquired traffic data to be authorized, adds it to that traffic to obtain authorized traffic data, and sends the authorized traffic data to the server, which performs single-packet authorization verification on it. This addresses the problem that existing single-packet authorization is easy to attack and crack, improves the security and reliability of single-packet authorization, and hence improves the security of network access.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
To illustrate the technical solutions in the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a single-packet authorization method according to a first embodiment of the invention;
Fig. 2 is a schematic flowchart of single-packet authorization between a client and a server according to an embodiment of the invention;
Fig. 3 is a flowchart of a single-packet authorization method according to a second embodiment of the invention;
Fig. 4 is a schematic diagram of a single-packet authorization apparatus according to a third embodiment of the invention;
Fig. 5 is a schematic diagram of a single-packet authorization apparatus according to a fourth embodiment of the invention;
Fig. 6 is a schematic structural diagram of an electronic device that may be used to implement embodiments of the invention.
Detailed Description
To make the technical solutions of the invention better understood, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
The terms "comprises", "comprising" and "having", and any variations of them, are intended to cover non-exclusive inclusion: a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements, but may include other steps or elements not expressly listed or inherent to it.
Example one
Fig. 1 is a flowchart of a single-packet authorization method according to a first embodiment of the invention. The embodiment applies to the case where a client performs single-packet authorization using a confidence level value and/or a dynamic authorization password as authorization data. The method may be executed by a single-packet authorization apparatus implemented in software and/or hardware and generally integrated in an electronic device; the electronic device may be a terminal device that cooperates with a server to complete single-packet authorization verification, and its specific type is not limited in the embodiment. As shown in Fig. 1, the method comprises the following operations:
S110, acquiring traffic data to be authorized.
The traffic data to be authorized is traffic destined for the server that requires SPA single-packet authorization.
When an enterprise service is reachable from the Internet, it faces Internet threats, for example an illegitimate person stealing an account and password to access the service system and steal commercial secrets, or launching a DoS attack on the service server so that the service is paralysed.
When employees in enterprise branch offices access the server remotely, the terminal environment is not controlled, so access security should be strengthened. SPA single-packet authorization is therefore performed on traffic destined for the server, to protect that traffic. After the SPA single-packet authorization mechanism is enabled, the administrator may set that SPA single-packet authorization is required whenever a user accesses the service system from the Internet or from the intranet, and that the server responds only after authentication passes. When an enterprise user accesses a service, then: (1) no employee of the enterprise can access the service without obtaining authorization through the client; (2) the administrator must issue the dedicated SPA security client, and the user can access the service only after installing it successfully.
Accordingly, after the server enables the SPA single-packet authorization mechanism, all traffic destined for the server can be directed through the client, and the client acquires that traffic as the traffic data to be authorized.
In an optional embodiment, acquiring the traffic data to be authorized may comprise: obtaining server access traffic resolved through a local Domain Name System (DNS), and directing the server access traffic to a virtual network card according to routing table data, to obtain the traffic data to be authorized.
Server access traffic is the traffic that initially accesses the server; for example, it may be user authentication traffic or access traffic of a Web application, and the embodiment does not limit its specific content. The routing table data is the route forwarding data between the client and the server.
Specifically, the client obtains server access traffic such as user authentication traffic or Web application access traffic through the private DNS and steers it to the virtual network card; optionally, the routing table data directs the server access traffic to the client's virtual network card. The client then treats the acquired server access traffic as the traffic data to be authorized.
S120, generating single-packet authorization data for the traffic data to be authorized, where the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password.
The single-packet authorization data is the data used to perform SPA single-packet authorization on the traffic data to be authorized. The confidence level value is generated by combining multi-dimensional associated data of the client and represents how trustworthy the client's security posture is. The dynamic authorization password is generated by a special password generation mode and is a dynamically changing password used for SPA authorization verification.
In the prior art, single-packet authorization data is generated only by a simple encryption algorithm and is easy to break. To improve the security and reliability of the single-packet authorization data, the embodiment combines the client's multi-dimensional associated data into a confidence level value that judges the client's security, and generates a dynamic authorization password by a special password generation mode. The client then uses the confidence level value and/or the dynamic authorization password as the single-packet authorization data for the traffic data to be authorized, and performs SPA single-packet authorization on that traffic with it.
In an optional embodiment, generating the confidence level value for the traffic data to be authorized may comprise: extracting confidence level evaluation data from the traffic data to be authorized, where the confidence level evaluation data comprises at least one of terminal environment detection data, user data and built-in variable data; and generating the confidence level value from the confidence level evaluation data.
The confidence level evaluation data is the data the client uses to generate the confidence level value. Terminal environment detection data is obtained by inspecting the terminal device on which the client runs. User data is data about the user logged in to the client. Built-in variable data is variable data computed by the client itself.
Specifically, the client generates the confidence level value with reference to the terminal environment detection data, user data and built-in variable data. Optionally, terminal environment detection data may include, but is not limited to: the client version, whether specific software is installed, whether antivirus software is at the latest version, whether the operating system firewall is turned on, whether any antivirus software is running, whether specific antivirus software is installed, whether a given process is running, whether a specific file exists, the patches installed on a Windows operating system, the terminal device name, the terminal operating system version, the domain the terminal has joined, the terminal's local IP list and its MAC (Media Access Control) address list. User data may include, but is not limited to: the time of this login, the country and city the user is accessing from this time, and the control center IP. Built-in variable data may include, but is not limited to: the network area being accessed, whether the login occurs in an abnormal time period, whether it occurs in a trusted domain environment, whether it occurs from a trusted terminal, whether it is a login from a different place, and whether a weak password is in use.
Accordingly, the client evaluates a flexible combination of the terminal environment detection data, user data and built-in variable data to obtain the confidence level value. The confidence level value may be a number, a character, a combination of these, or similar; the embodiment does not limit its type or content.
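To make the evaluation concrete, the following added Python example (not part of the patent and not Eversec's code) scores a client from the three kinds of data listed above. The rule set, the weights and the 0-100 scale are assumptions, chosen so that the result reads as a percentage, which is how the server's confidence condition is expressed later in this description; the two sample clients are constructed.

```python
"""Confidence level value from multi-dimensional client data.

Added example, not Eversec's algorithm: the patent lists the kinds of data
(terminal environment detection data, user data, built-in variable data) but
fixes no formula. The rules, weights and the 0-100 scale are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class TerminalEnvironment:
    """Terminal environment detection data (a subset of the items the patent lists)."""
    client_version: str
    antivirus_running: bool
    antivirus_up_to_date: bool
    firewall_enabled: bool
    os_patched: bool
    domain_joined: bool


@dataclass(frozen=True)
class UserData:
    """User data for this login."""
    login_hour: int         # local hour of this login, 0-23
    country: str            # country of this access
    previous_country: str   # country of the previous login (for the "different place" check)
    trusted_terminal: bool
    weak_password: bool


@dataclass(frozen=True)
class BuiltinVariables:
    """Built-in variables the client computes itself."""
    network_area: str                         # "intranet" or "internet"
    abnormal_hours: Tuple[int, int] = (0, 6)  # logins in [0, 6) count as abnormal time


Check = Callable[[TerminalEnvironment, UserData, BuiltinVariables], bool]

# (name, points awarded when the check passes, check). Points sum to 100 so the
# confidence level value reads as a percentage, matching the server's ">= a%" test.
RULES: List[Tuple[str, int, Check]] = [
    ("antivirus_running",    15, lambda e, u, b: e.antivirus_running),
    ("antivirus_up_to_date", 10, lambda e, u, b: e.antivirus_up_to_date),
    ("firewall_enabled",     10, lambda e, u, b: e.firewall_enabled),
    ("os_patched",           15, lambda e, u, b: e.os_patched),
    ("domain_joined",        10, lambda e, u, b: e.domain_joined),
    ("trusted_terminal",     10, lambda e, u, b: u.trusted_terminal),
    ("strong_password",      10, lambda e, u, b: not u.weak_password),
    ("same_place",           10, lambda e, u, b: u.country == u.previous_country),
    ("normal_hours",          5, lambda e, u, b: not (b.abnormal_hours[0] <= u.login_hour < b.abnormal_hours[1])),
    ("intranet_access",       5, lambda e, u, b: b.network_area == "intranet"),
]
assert sum(points for _, points, _ in RULES) == 100


def confidence_level(env: TerminalEnvironment, user: UserData,
                     builtin: BuiltinVariables) -> Tuple[int, Dict[str, bool]]:
    """Evaluate every rule and return (confidence level value, per-rule outcome)."""
    outcome = {name: bool(check(env, user, builtin)) for name, _, check in RULES}
    score = sum(points for name, points, _ in RULES if outcome[name])
    return score, outcome


def meets_confidence_condition(score: int, threshold_percent: int) -> bool:
    """Server-side confidence condition from the patent: value >= a%."""
    return score >= threshold_percent


# Constructed sample clients, not real telemetry.
MANAGED_LAPTOP = (
    TerminalEnvironment("3.2.1", True, True, True, True, True),
    UserData(login_hour=10, country="CN", previous_country="CN",
             trusted_terminal=True, weak_password=False),
    BuiltinVariables(network_area="internet"),
)
UNMANAGED_HOST = (
    TerminalEnvironment("3.0.0", False, False, True, False, False),
    UserData(login_hour=3, country="US", previous_country="CN",
             trusted_terminal=False, weak_password=True),
    BuiltinVariables(network_area="internet"),
)

if __name__ == "__main__":
    for label, client in (("managed", MANAGED_LAPTOP), ("unmanaged", UNMANAGED_HOST)):
        score, outcome = confidence_level(*client)
        failed = [name for name, ok in outcome.items() if not ok]
        print(f"{label}: {score}% passes(80%)={meets_confidence_condition(score, 80)} failed={failed}")
```

The per-rule outcome is returned alongside the score so that the server can log or prompt on the specific failed checks rather than on the bare number; the managed laptop scores 95 (it only loses the intranet bonus), the unmanaged host 10.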
In an optional embodiment, generating the dynamic authorization password for the traffic data to be authorized may comprise: generating a reference seed password according to a reference password generation algorithm; randomly generating a random time and a random salt value; and encrypting the reference seed password, the random time and the random salt value to obtain the dynamic authorization password, where the dynamic authorization password changes dynamically with a period.
The reference password generation algorithm may be any available algorithm for generating a password; the embodiment does not limit its type. The reference seed password is the password produced by that algorithm, and is further processed as a base password to obtain the dynamic authorization password.
In the embodiment, the client generates the dynamic authorization password in the form "seed + time + salt value". Specifically, the client generates a reference seed password with the reference password generation algorithm and randomly generates a random time and a random salt value; it then encrypts the reference seed password together with the random time and the random salt value using a specific encryption algorithm, obtaining the dynamic authorization password. A dynamic authorization password generated this way may be called an OTP (One-Time Password) dynamic password. Because it changes over time, the risk of being cracked that comes with a single fixed password is avoided, which further improves the security and reliability of the dynamic authorization password.
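The following added Python example (not the patent's code) realizes "seed + time + salt" with an HMAC so that both the client side (generation) and the server side (verification, which step S220 of the second embodiment describes as recomputing the password the same way the client did) can be exercised offline. HMAC-SHA256 as the "specific encryption algorithm", the 30-second period, a salt sent in clear next to the code, a one-period clock-skew window and a replay cache of accepted (period, salt) pairs are all assumptions; the patent fixes none of them.

```python
"""Dynamic authorization password (OTP) in the form "seed + time + salt".

Added example, not Eversec's implementation: the patent says only that a
reference seed password, a random time and a random salt value are encrypted
together and that the result rotates with a period. The concrete choices here
(HMAC-SHA256 as the "encryption", a 30 s period, a salt sent in clear next to
the code, a +/-1 period skew window, a replay cache) are assumptions.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Set, Tuple

PERIOD_SECONDS = 30   # rotation period of the dynamic password (assumed)
CODE_HEX_DIGITS = 8   # length of the transmitted code (assumed)


def reference_seed(master_secret: bytes, client_id: str) -> bytes:
    """Stand-in for the patent's unspecified reference password generation
    algorithm: derive a per-client seed from a secret shared with the server."""
    return hmac.new(master_secret, client_id.encode("utf-8"), hashlib.sha256).digest()


def _code(seed: bytes, step: int, salt: bytes) -> str:
    """seed + time + salt -> code. The time enters as a period counter, so the
    same seed and salt yield a different code in every period."""
    msg = struct.pack(">Q", step) + salt
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:CODE_HEX_DIGITS]


def generate(seed: bytes, now: int, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Client side. Returns (salt, code); both travel to the server, the seed never does."""
    if salt is None:
        salt = os.urandom(8)
    return salt, _code(seed, now // PERIOD_SECONDS, salt)


class SpaVerifier:
    """Server side: recompute the code the same way the client did and compare."""

    def __init__(self, seed: bytes, window: int = 1) -> None:
        self.seed = seed
        self.window = window                          # accepted clock skew, in periods
        self.seen: Set[Tuple[int, bytes]] = set()     # (period, salt) pairs already accepted

    def verify(self, salt: bytes, code: str, now: int) -> bool:
        step = now // PERIOD_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if hmac.compare_digest(_code(self.seed, candidate, salt), code):
                if (candidate, salt) in self.seen:
                    return False                      # replayed single packet
                self.seen.add((candidate, salt))
                # forget entries that have aged out of the window; they can no longer match
                self.seen = {e for e in self.seen if e[0] >= step - self.window}
                return True
        return False


# Constructed demo values, not real credentials.
DEMO_SEED = reference_seed(b"demo-master-secret", "client-42")
DEMO_NOW = 1_700_000_000

if __name__ == "__main__":
    salt, code = generate(DEMO_SEED, DEMO_NOW)
    server = SpaVerifier(DEMO_SEED)
    print("fresh  :", server.verify(salt, code, DEMO_NOW))                                   # True
    print("replay :", server.verify(salt, code, DEMO_NOW))                                   # False
    print("expired:", SpaVerifier(DEMO_SEED).verify(salt, code, DEMO_NOW + 2 * PERIOD_SECONDS))  # False
```

Because the salt is random per packet and the MAC is keyed with the seed, an observer who captures one authorized first packet learns nothing about the next one; the replay cache is what stops that captured packet from being re-sent inside the skew window, a check a time-based code alone does not give you.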
S130, adding the single-packet authorization data to the traffic data to be authorized, to obtain authorized traffic data.
The authorized traffic data is the traffic data, processed by the client's single-packet authorization, that carries the single-packet authorization data.
Once the client has generated the single-packet authorization data, it adds it to the traffic data to be authorized, obtaining the authorized traffic data.
In an optional embodiment, adding the single-packet authorization data to the traffic data to be authorized to obtain the authorized traffic data may comprise: acquiring application-layer handshake data generated during the application-layer handshake of the traffic data to be authorized; and adding the single-packet authorization data in a target extension field of the application-layer handshake data, to obtain the authorized traffic data.
The application-layer handshake data is the data the client and server generate during the application-layer handshake. The target extension field is the extension field in the application-layer handshake data into which the single-packet authorization data is placed.
After the client acquires the traffic data to be authorized, it can modify the packet to obtain the authorized traffic data. Fig. 2 is a schematic flowchart of single-packet authorization between a client and a server according to an embodiment of the invention. In the specific example of Fig. 2, the client connects to the server over HTTPS: the TCP (Transmission Control Protocol) three-way handshake at the transport layer is followed by the TLS handshake (four flights) at the application layer, which produces the application-layer handshake data, and communication is established once the handshakes succeed. Correspondingly, the client adds the single-packet authorization data it generated, such as the confidence level value and the dynamic authorization password, to an extension field of the TLS handshake packet, as a single-packet authorization check code for the communication between client and server. This check code acts as a dynamic token that realizes the single-packet authorization process.
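The following added Python example (not the patent's format or code) builds a minimal ClientHello whose extension vector carries the single-packet authorization data, and shows the server parsing it out of the first packet before any TLS processing, which is the point at which SPA is meant to decide. The extension type 0xFF5A from the TLS private-use range, the payload layout, the TLS 1.2-style ClientHello fields and the handling of absent or malformed data (the server stays silent, as SPA requires) are assumptions; the dynamic-password check is passed in as a callable so that this block stays independent of how the password is generated.

```python
"""Single-packet authorization data carried in a TLS ClientHello extension.

Added example, not Eversec's wire format: the patent puts the confidence level
value and the dynamic authorization password into an extension field of the
TLS handshake but defines no layout. Extension type 0xFF5A (TLS private-use
range), the payload layout and the TLS 1.2-style ClientHello fields are
assumptions; only the handshake body is built, no record layer.
"""
import struct
from typing import Callable, Dict

SPA_EXT_TYPE = 0xFF5A           # private-use extension type (assumed)
LEGACY_VERSION = b"\x03\x03"    # TLS 1.2 in legacy_version


def encode_spa_payload(confidence: int, salt: bytes, code: str) -> bytes:
    """uint8 confidence, uint8 salt_len, salt, uint8 code_len, ASCII code."""
    code_b = code.encode("ascii")
    return struct.pack("BB", confidence, len(salt)) + salt + struct.pack("B", len(code_b)) + code_b


def decode_spa_payload(data: bytes) -> Dict[str, object]:
    """Inverse of encode_spa_payload; every length is checked against the buffer."""
    confidence, salt_len = struct.unpack_from("BB", data, 0)
    salt = data[2:2 + salt_len]
    off = 2 + salt_len
    (code_len,) = struct.unpack_from("B", data, off)
    code = data[off + 1:off + 1 + code_len]
    if len(salt) != salt_len or len(code) != code_len or off + 1 + code_len != len(data):
        raise ValueError("malformed SPA payload")
    return {"confidence": confidence, "salt": salt, "code": code.decode("ascii")}


def build_client_hello(extensions: Dict[int, bytes], client_random: bytes) -> bytes:
    """Minimal ClientHello handshake message: type 1, 24-bit length, body."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    ext_blob = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in extensions.items())
    body = (LEGACY_VERSION + client_random
            + b"\x00"                                # empty legacy_session_id
            + struct.pack(">H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + struct.pack(">H", len(ext_blob)) + ext_blob)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_extensions(client_hello: bytes) -> Dict[int, bytes]:
    """Walk the fixed ClientHello fields and return {extension_type: extension_data}."""
    if not client_hello or client_hello[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    off = 2 + 32                                     # legacy_version + random
    off += 1 + body[off]                             # legacy_session_id
    (cs_len,) = struct.unpack_from(">H", body, off)
    off += 2 + cs_len                                # cipher_suites
    off += 1 + body[off]                             # compression_methods
    (total,) = struct.unpack_from(">H", body, off)
    off, end = off + 2, off + 2 + total
    if end != len(body):
        raise ValueError("extensions length mismatch")
    exts: Dict[int, bytes] = {}
    while off < end:
        ext_type, ext_len = struct.unpack_from(">HH", body, off)
        off += 4
        if off + ext_len > end:
            raise ValueError("truncated extension")
        exts[ext_type] = body[off:off + ext_len]
        off += ext_len
    return exts


def spa_check(client_hello: bytes, threshold: int,
              code_ok: Callable[[bytes, str], bool]) -> str:
    """Server decision on the first packet. 'drop': no usable SPA data, stay silent
    (the SPA property); 'reject': confidence or dynamic password failed; 'accept':
    both passed. code_ok(salt, code) is the dynamic-password verifier, kept separate."""
    try:
        exts = parse_extensions(client_hello)
        if SPA_EXT_TYPE not in exts:
            return "drop"
        spa = decode_spa_payload(exts[SPA_EXT_TYPE])
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return "drop"
    if spa["confidence"] < threshold or not code_ok(spa["salt"], spa["code"]):
        return "reject"
    return "accept"


# Constructed demo message, not a captured one.
DEMO_RANDOM = bytes(range(32))
DEMO_HELLO = build_client_hello(
    {43: b"\x02\x03\x03",                                          # supported_versions
     SPA_EXT_TYPE: encode_spa_payload(92, b"\x01" * 8, "deadbeef")},
    DEMO_RANDOM)
```

Parsing stops at the extension vector and never touches key exchange, so a server can apply `spa_check` to the first TCP payload and close or ignore the connection before committing any TLS state, which is the DoS-mitigation property the background section attributes to SPA. The patent leaves the choice between silently blocking, prompting the client and secondary verification open; the three-way result here keeps that choice with the caller.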
S140, sending the authorized traffic data to a server so that the server performs single-packet authorization verification on it.
Optionally, the client sends the authorized traffic data to the server through the local network card proxy, and the server performs single-packet authorization verification on the authorized traffic data it receives.
Correspondingly, as shown in Fig. 2, after the server completes single-packet authorization verification on the received authorized traffic data, it can return to the client a certificate chain that carries the verification result. The client then acknowledges receipt of the certificate chain to the server. At the same time, the client verifies the received certificate chain and, once that verification passes, begins to compute a key; the key may be the key for the user to log in to the client, which enables the user's subsequent secure access to the server.
In this embodiment, the client generates single-packet authorization data comprising a confidence level value and/or a dynamic authorization password for the acquired traffic data to be authorized, adds it to that traffic to obtain authorized traffic data, and sends the authorized traffic data to the server for single-packet authorization verification. This addresses the problem that existing single-packet authorization is easy to attack and crack, improves the security and reliability of single-packet authorization, and hence improves the security of network access.
Example two
Fig. 3 is a flowchart of a single-packet authorization method according to a second embodiment of the invention. The embodiment applies to the case where a server performs single-packet authorization verification based on a confidence level value and/or a dynamic authorization password. The method may be executed by a single-packet authorization apparatus implemented in software and/or hardware and generally integrated in an electronic device; the electronic device may be a server device that cooperates with a client performing single-packet authorization, and its specific type is not limited in the embodiment. As shown in Fig. 3, the method comprises the following operations:
S210, acquiring authorized traffic data sent by a client, where the authorized traffic data comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization password.
Which traffic the server subjects to authorization verification depends on how the single-packet authorization mechanism is configured. After the server enables the SPA function, the administrator configures the server access addresses that require SPA authentication (including the access addresses of the control center and the proxy gateway); packets entering the server through these addresses must pass SPA authentication. For example, to require SPA authentication for traffic from the Internet, the server's Internet-facing access address and port are entered. Since SPA authentication can be configured on both the control center and the proxy gateway, it works together with end-user login authentication, tunnel establishment and Web application access.
Correspondingly, the client acquires the server access traffic through the local DNS and directs it to the virtual network card according to the routing table data, obtaining the traffic data to be authorized.
The client then generates single-packet authorization data for the traffic data to be authorized, comprising a confidence level value and/or a dynamic authorization password, adds it to the traffic data to be authorized to obtain the authorized traffic data, and sends the authorized traffic data to the server.
Optionally, the client extracts confidence level evaluation data from the traffic data to be authorized, comprising at least one of terminal environment detection data, user data and built-in variable data, and generates the confidence level value from it.
Optionally, the client generates a reference seed password with a reference password generation algorithm, randomly generates a random time and a random salt value, and encrypts the reference seed password, the random time and the random salt value to obtain the dynamic authorization password, which changes dynamically with a period.
Optionally, the client acquires application-layer handshake data generated during the application-layer handshake of the traffic data to be authorized and adds the single-packet authorization data in a target extension field of that handshake data, obtaining the authorized traffic data.
S220, performing single-packet authorization verification on the traffic data to be authorized.
Correspondingly, after receiving the traffic data to be authorized, the server performs single-packet authorization verification on it. For example, assuming the single-packet authorization data includes both a confidence level value and a dynamic authorization code, when verifying the confidence level value the server may determine whether it satisfies a confidence condition, such as whether the value is greater than or equal to a%. The value of a may be set according to actual requirements, which is not limited in the embodiment of the present invention. If the server determines that the confidence level value satisfies the confidence condition, the confidence level value passes verification. When verifying the dynamic authorization code, the server may generate a dynamic authorization code to be matched in the same way the client generated its dynamic authorization code, compare it with the received dynamic authorization code, and, if they match, determine that the dynamic authorization code passes verification. When both the confidence level value and the dynamic authorization code pass verification, the server may respond to the client's data packet request. If the confidence level value and/or the dynamic authorization code fails verification, the server can block the traffic data to be authorized, that is, forbid it from accessing the server, or it can prompt the client or perform secondary verification on the traffic data to be authorized through a verification code.
In the single-packet authorization process, the client may send the data packet to the server using an in-band knock technique, so the gateway does not need to open an additional UDP (User Datagram Protocol) port. When a browser or a C/S (Client-Server) application initiates a TCP connection to an intranet resource of the server, for example a browser accessing an intranet OA (Office Automation) system, the client adds the single-packet authorization data to the first data packet. The server checks it: if the single-packet authorization data passes the check, the connection is established; if the check fails, the connection is denied. The single-packet authorization data may include a confidence level value and/or a dynamic authorization code, giving SPA authorization higher confidence and greater security.
Therefore, compared with existing single-packet authorization methods, the single-packet authorization method provided by the embodiment of the invention has the following main advantages. The existing SPA method uses conventional port knocking and must open an additional UDP port: before a connection is initiated the UDP port is knocked, and the TCP connection can only be made after knocking completes. This adds an extra RTT (Round-Trip Time) of packet interaction, and in a weak network environment the added delay is noticeably worse. Because UDP is connectionless, a lost packet causes a knock failure, and the cause of the failure cannot be located quickly. The embodiment of the invention completes the knock within the TLS handshake phase, so this problem does not arise. In addition, the existing SPA process uses iptables (a user-space command line tool) to add firewall allow rules; when there are many clients the rules become too numerous, are difficult to remove, degrade device performance, and cannot cope with complex network environments. That is, because the existing SPA method admits IP packets on the basis of a UDP knock, there is a risk of knock amplification in special network environments, for example: if there is an SNAT (Source Network Address Translation) device in front of the gateway, all source IPs are the same, so a rule opened for one knocking host also admits every other host behind that address.
In the embodiment of the invention, the client generates single-packet authorization data comprising a confidence level value and/or a dynamic authorization code for the acquired traffic data pending authorization processing, adds the single-packet authorization data to that traffic data to obtain the traffic data to be authorized, and then sends the traffic data to be authorized to the server, so that the server performs single-packet authorization verification on it.
It should be noted that any permutation and combination of the technical features in the above embodiments also falls within the scope of the present invention.
Example three
Fig. 4 is a schematic diagram of a single-packet authorization apparatus according to a third embodiment of the present invention. As shown in fig. 4, the apparatus includes a traffic data pending authorization processing acquisition module 310, a single-packet authorization data generation module 320, a traffic data to be authorized acquisition module 330, and a traffic data to be authorized sending module 340, where:
the traffic data pending authorization processing acquisition module 310 is configured to acquire traffic data pending authorization processing;
the single-packet authorization data generation module 320 is configured to generate single-packet authorization data for the traffic data pending authorization processing, where the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code;
the traffic data to be authorized acquisition module 330 is configured to add the single-packet authorization data to the traffic data pending authorization processing to obtain the traffic data to be authorized;
the traffic data to be authorized sending module 340 is configured to send the traffic data to be authorized to a server, so that the server performs single-packet authorization verification on the traffic data to be authorized.
In the embodiment of the invention, the client generates single-packet authorization data comprising a confidence level value and/or a dynamic authorization code for the acquired traffic data pending authorization processing, adds the single-packet authorization data to that traffic data to obtain the traffic data to be authorized, and then sends the traffic data to be authorized to the server so that the server performs single-packet authorization verification on it. This solves problems such as the existing single-packet authorization method being easy to attack and crack, improves the security and reliability of single-packet authorization, and improves the security of network access.
Optionally, the traffic data pending authorization processing acquisition module 310 is specifically configured to: obtain server access traffic data sent by the server through a local Domain Name System (DNS); and steer the server access traffic data to a virtual network card according to the routing table data to obtain the traffic data pending authorization processing.
Optionally, the single-packet authorization data generation module 320 is specifically configured to: extract confidence level evaluation associated data from the traffic data pending authorization processing, where the confidence level evaluation associated data comprises at least one of terminal environment detection data, user data and built-in variable data; and generate the confidence level value from the confidence level evaluation associated data.
Optionally, the single-packet authorization data generation module 320 is specifically configured to: generate a reference seed password according to a reference password generation algorithm; randomly generate a random time and a random salt value; and encrypt the reference seed password, the random time and the random salt value to obtain the dynamic authorization code, where the dynamic authorization code changes dynamically from one period to the next.
Optionally, the traffic data to be authorized acquisition module 330 is specifically configured to: acquire the application layer handshake data generated during the application layer handshake of the traffic data pending authorization processing; and add the single-packet authorization data in a target extension field of the application layer handshake data to obtain the traffic data to be authorized.
The single-packet authorization apparatus can execute the single-packet authorization method executed by the client provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, reference may be made to the single-packet authorization method executed by the client according to any embodiment of the present invention.
Example four
Fig. 5 is a schematic diagram of a single-packet authorization apparatus according to a fourth embodiment of the present invention. As shown in fig. 5, the apparatus includes a traffic data to be authorized receiving module 410 and a single-packet authorization verification module 420, where:
the traffic data to be authorized receiving module 410 is configured to receive traffic data to be authorized sent by a client, where the traffic data to be authorized comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code;
the single-packet authorization verification module 420 is configured to perform single-packet authorization verification on the traffic data to be authorized.
The single-packet authorization apparatus can execute the single-packet authorization method executed by the server provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, reference may be made to the single-packet authorization method executed by the server according to any embodiment of the present invention.
Example five
FIG. 6 illustrates a schematic structural diagram of an electronic device 10 that may be used to implement an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 6, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic device 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as the single packet authorization method.
In some embodiments, the single-packet authorization method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the single-packet authorization method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the single-packet authorization method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
Example six
An embodiment of the present invention further provides a computer storage medium storing a computer program, where the computer program, when executed by a computer processor, executes the single-packet authorization method according to any one of the above embodiments of the present invention.
For example, the single-packet authorization method performed by the client: acquiring traffic data pending authorization processing; generating single-packet authorization data for the traffic data pending authorization processing, where the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code; adding the single-packet authorization data to the traffic data pending authorization processing to obtain the traffic data to be authorized; and sending the traffic data to be authorized to a server so that the server performs single-packet authorization verification on the traffic data to be authorized.
Another example is the single-packet authorization method performed by the server: acquiring traffic data to be authorized sent by a client, where the traffic data to be authorized comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code; and performing single-packet authorization verification on the traffic data to be authorized.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read Only Memory (ROM), an Erasable Programmable Read Only Memory (EPROM, or flash Memory), an optical fiber, a portable compact disc Read Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A single-packet authorization method, applied to a client, comprising the following steps:
acquiring traffic data pending authorization processing;
generating single-packet authorization data for the traffic data pending authorization processing; wherein the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code;
adding the single-packet authorization data to the traffic data pending authorization processing to obtain traffic data to be authorized;
and sending the traffic data to be authorized to a server so that the server performs single-packet authorization verification on the traffic data to be authorized.
2. The method of claim 1, wherein the acquiring traffic data pending authorization processing comprises:
obtaining server access traffic data sent by the server through a local Domain Name System (DNS);
and steering the server access traffic data to a virtual network card according to routing table data to obtain the traffic data pending authorization processing.
3. The method of claim 1, wherein generating the confidence level value for the traffic data pending authorization processing comprises:
extracting confidence level evaluation associated data from the traffic data pending authorization processing; wherein the confidence level evaluation associated data comprises at least one of terminal environment detection data, user data and built-in variable data;
generating the confidence level value based on the confidence level evaluation associated data.
4. The method of claim 1, wherein generating the dynamic authorization code for the traffic data pending authorization processing comprises:
generating a reference seed password according to a reference password generation algorithm;
randomly generating a random time and a random salt value;
encrypting the reference seed password, the random time and the random salt value to obtain the dynamic authorization code;
wherein the dynamic authorization code changes dynamically from one period to the next.
5. The method according to claim 1, wherein the adding the single-packet authorization data to the traffic data pending authorization processing to obtain the traffic data to be authorized comprises:
acquiring application layer handshake data generated during the application layer handshake of the traffic data pending authorization processing;
and adding the single-packet authorization data in a target extension field of the application layer handshake data to obtain the traffic data to be authorized.
6. A single-packet authorization method, applied to a server, comprising the following steps:
acquiring traffic data to be authorized sent by a client; wherein the traffic data to be authorized comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code;
and performing single-packet authorization verification on the traffic data to be authorized.
7. A single-packet authorization apparatus, configured at a client, comprising:
a traffic data pending authorization processing acquisition module, configured to acquire traffic data pending authorization processing;
a single-packet authorization data generation module, configured to generate single-packet authorization data for the traffic data pending authorization processing; wherein the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code;
a traffic data to be authorized acquisition module, configured to add the single-packet authorization data to the traffic data pending authorization processing to obtain traffic data to be authorized;
and a traffic data to be authorized sending module, configured to send the traffic data to be authorized to a server so that the server performs single-packet authorization verification on the traffic data to be authorized.
8. A single-packet authorization apparatus, configured at a server, comprising:
a traffic data to be authorized receiving module, configured to receive traffic data to be authorized sent by a client; wherein the traffic data to be authorized comprises single-packet authorization data, and the single-packet authorization data comprises a confidence level value and/or a dynamic authorization code;
and a single-packet authorization verification module, configured to perform single-packet authorization verification on the traffic data to be authorized.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the single-packet authorization method of any one of claims 1-5 or the single-packet authorization method of claim 6.
10. A computer storage medium, characterized in that the computer-readable storage medium stores computer instructions for causing a processor, when executing them, to implement the single-packet authorization method of any one of claims 1-5 or the single-packet authorization method of claim 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210117616.1A CN114448706B (en) 2022-02-08 2022-02-08 Single package authorization method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114448706A true CN114448706A (en) 2022-05-06
CN114448706B CN114448706B (en) 2024-05-17

Family

ID=81370841

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210117616.1A Active CN114448706B (en) 2022-02-08 2022-02-08 Single package authorization method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114448706B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001701A (en) * 2022-05-17 2022-09-02 中国电信股份有限公司 Method and device for authorization authentication, storage medium and electronic equipment
CN115865370A (en) * 2022-11-25 2023-03-28 四川启睿克科技有限公司 TCP option-based single-packet authorization verification method

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014096101A (en) * 2012-11-12 2014-05-22 Bank Of Tokyo-Mitsubishi Ufj Ltd User authentication device and user authentication program
CN104333530A (en) * 2013-07-22 2015-02-04 深圳市腾讯计算机系统有限公司 Information credibility verifying method and apparatus
CN104937909A (en) * 2013-01-24 2015-09-23 国际商业机器公司 User authentication
CN108429730A (en) * 2018-01-22 2018-08-21 北京智涵芯宇科技有限公司 Feedback-less safety certification and access control method
CN109587162A (en) * 2018-12-26 2019-04-05 闻泰通讯股份有限公司 Login validation method, device, terminal, cipher server and storage medium
CN111181912A (en) * 2019-08-27 2020-05-19 腾讯科技(深圳)有限公司 Browser identifier processing method and device, electronic equipment and storage medium
CN111316611A (en) * 2017-07-14 2020-06-19 赛门铁克公司 User-directed authentication over the network
CN112887444A (en) * 2021-01-19 2021-06-01 网宿科技股份有限公司 VPN (virtual private network) request processing method, client device and system
CN113469670A (en) * 2013-07-24 2021-10-01 维萨国际服务协会 System and method for ensuring data transfer risk using tokens

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Yu Xinyue: "1. Research on Zero-Trust-Based Software-Defined Perimeter Network Stealth Technology", Communications Technology, page 2 *
Wang Aihua: "Hiding the Attack Surface to Improve Information Security Defense Capability", HTTPS://WWW.51CTO.COM/ARTICLE/617912.HTML? MOBILE *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001701A (en) * 2022-05-17 2022-09-02 China Telecom Corporation Limited Method and device for authorization authentication, storage medium and electronic equipment
CN115001701B (en) * 2022-05-17 2023-10-31 China Telecom Corporation Limited Method and device for authorization authentication, storage medium and electronic equipment
CN115865370A (en) * 2022-11-25 2023-03-28 Sichuan Qiruike Technology Co., Ltd. TCP option-based single-packet authorization verification method
CN115865370B (en) * 2022-11-25 2024-06-04 Sichuan Qiruike Technology Co., Ltd. Single-packet authorization verification method based on TCP options

Also Published As

Publication number Publication date
CN114448706B (en) 2024-05-17

Similar Documents

Publication Publication Date Title
US11190493B2 (en) Concealing internal applications that are accessed over a network
US9237168B2 (en) Transport layer security traffic control using service name identification
US10003616B2 (en) Destination domain extraction for secure protocols
US8910255B2 (en) Authentication for distributed secure content management system
EP2078260B1 (en) Detecting stolen authentication cookie attacks
US8677466B1 (en) Verification of digital certificates used for encrypted computer communications
US8959650B1 (en) Validating association of client devices with sessions
CN105430011B (en) A method and apparatus for detecting distributed denial of service attacks
CN110198297B (en) Flow data monitoring method and device, electronic equipment and computer readable medium
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
US8161538B2 (en) Stateful application firewall
WO2018010146A1 (en) Response method, apparatus and system in virtual network computing authentication, and proxy server
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN113904826A (en) Data transmission method, apparatus, device and storage medium
CN114726579B (en) Method, device, equipment, storage medium and program product for defending network attack
WO2023279782A1 (en) Access control method, access control system and related device
CN115603932A (en) An access control method, access control system and related equipment
CN116961924A (en) Digital certificate verification method, device, equipment and medium
CN114448706B (en) Single package authorization method and device, electronic equipment and storage medium
CN105516066A (en) Method and device for identifying existence of intermediary
US11689517B2 (en) Method for distributed application segmentation through authorization
CN102098285A (en) A method and device for preventing phishing attacks
US11463433B1 (en) Secure bearer-sensitive authentication and digital object transmission system and method for spoof prevention
CN119652607A (en) Method, device, equipment, storage medium and program product for processing access request
EP3261009B1 (en) System and method for secure online authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant