CN112367365A - Method and system for directionally pushing data - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/55—Push-based network services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The invention discloses a method and a system for directionally pushing data. In the system, when a pusher terminal located in an intranet pushes data to an extranet, the intranet module of a gateway device first authenticates, when the pusher terminal connects, whether the pusher terminal has the authority to send data to the extranet according to an authorization identification code. After the authentication is passed, the pusher terminal carries the authorization identification code when sending the pushed data; the intranet module determines the address information of a cache server or a target server according to the authorization identification code and sends that address information together with the pushed data to the extranet module; the extranet module then sends the pushed data to the cache server or target server corresponding to the address information. When the data is sent to a cache server, the cache server caches the data and sends it to a receiver terminal. Therefore, the pushed data can only be sent to a specific server, or cached and transferred by that specific server.
Description
Technical Field
The invention relates to a security technology for data interaction between an internal network and an external network.
Background
Patent document CN 107018154A discloses a router and a routing method for connecting an internal network and an external network based on the application layer. Patent document CN 107018155A discloses a method and system by which an extranet terminal securely accesses specific intranet data. Both documents address how an extranet terminal accesses an intranet server, and a precondition of both solutions is that the connection must first be initiated by the extranet terminal. If a server in the intranet needs to transmit data to a specific user, then according to the above technical solutions the usual approach is to provide a server in the intranet, store the pushed data on that server, and have the user terminal connect to it by the method described in the above patent documents and receive the pushed data from it. However, this approach has three problems:
The first problem is that the intranet server does not know the target to which the data should be pushed; the target has to be determined by a server in the extranet, which requires the intranet server to actively initiate a connection to the extranet server. However, the technical solutions in the aforementioned patent documents do not support machines in the intranet actively connecting to machines in the extranet.
The second problem is that when data is pushed to a user terminal, the user usually needs to be notified by a short message over the mobile network. Because the user terminal is unlikely to be online all the time, the pushed data must be stored by a server and sent to the user terminal by that server when the user terminal comes online. If the server is in the intranet, the mobile-network short message cannot be sent to the user's mobile terminal. If the server is in the extranet, the technical solutions in the above patent documents do not support devices in the intranet actively connecting to devices in the extranet.
The third problem is that the intranet is set up independently of the extranet for the sake of information security. If the intranet server sends data to the extranet, an information security risk exists.
Disclosure of Invention
The problem to be solved by the invention is as follows: a machine in the intranet actively pushes data to a user terminal.
In order to solve the problems, the invention adopts the following scheme:
The invention discloses a method for directionally pushing data, which involves a pusher terminal, a gateway device and a server; the pusher terminal is located in an intranet, the server is located in an extranet, and the gateway device is arranged between the extranet and the intranet; the pusher terminal is connected to the gateway device through the intranet network; the server is connected to the gateway device through the extranet network; the gateway device is provided with an intranet module and an extranet module; the intranet module and the extranet module are connected to the intranet and the extranet respectively; the intranet module is connected to the extranet module; the method comprises the following steps:
S1: the pusher terminal connects to the intranet module of the gateway device and sends an authorization verification request to the intranet module;
S2: after receiving the authorization verification request, the intranet module judges, according to the authorization verification request, whether the pusher terminal has the authority to send data to the extranet; if it has that authority, the intranet module sends an authorization verification permission to the pusher terminal;
S3: the pusher terminal receives the authorization verification permission;
S4: when there is data to be pushed, the pusher terminal forms first data push information according to the pushed data and sends the first data push information to the intranet module;
the first data push information at least comprises the pushed data and an authorization identification code;
S5: after receiving the first data push information, the intranet module finds the corresponding server address information according to the authorization identification code in the first data push information, combines the server address information and the pushed data from the first data push information into second data push information, and submits the second data push information to the extranet module of the gateway device;
S6: after receiving the second data push information, the extranet module connects to the server according to the server address information in the second data push information, forms the pushed data from the second data push information into third data push information, and sends the third data push information to the server.
Further, according to the method for directionally pushing data of the present invention, in step S6, after the extranet module receives the second data pushing information, it determines whether a connection session exists between the extranet module and the corresponding server according to the server address information in the second data pushing information; and if the connection session of the server corresponding to the server address information does not exist, connecting the server according to the server address information, otherwise, directly sending the third data push information to the server according to the connection session.
Further, according to the method for the directional pushing of the data, the method also relates to a receiver terminal; the receiver terminal is positioned in an external network; the receiver terminal is connected with the server through an external network;
the first data pushing information, the second data pushing information and the third data pushing information comprise target person information;
the method also includes the steps of:
S7: after receiving the third data push information, the server finds the corresponding receiver according to the target person information in the third data push information, and caches the pushed data in a receiver cache space;
S8: when a receiver terminal connects to the server, the server extracts the pushed data from the corresponding receiver cache space, and then sends the pushed data to the receiver terminal.
Further, according to the method for pushing data directionally of the present invention, the step S7 further includes extracting summary data information according to the pushed data, and then sending the summary data information to the mobile terminal corresponding to the recipient in a mobile network short message manner.
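The push path of steps S5 to S8, written as an added Python example that is not part of the patent: the intranet module resolves the authorization identification code to a server address through a constructed service authorization table, the extranet module reuses an open session per server address, and a cache server holds the pushed data per recipient until that recipient connects, recording the short-message summary of step S7 as well. Every class, address, identifier and payload here is constructed for illustration; the patent specifies no data formats or APIs, and the "network" is a dictionary of in-memory server objects.

```python
from collections import defaultdict

# Constructed service authorization table, as produced by the gateway's
# authorization step: authorization identification code -> (server IP, port).
# Two codes share an IP but use different ports, as the description allows.
SERVICE_AUTH_TABLE = {
    "AUTH-ALERT": ("203.0.113.10", 8443),
    "AUTH-REPORT": ("203.0.113.10", 8444),
}

class CacheServer:
    """Steps S7/S8: cache pushed data per recipient and hand it over when
    that recipient connects. Also records the short-message summary the
    description sends to the recipient's mobile terminal (here: a list)."""
    def __init__(self):
        self.cache = defaultdict(list)
        self.sms_notifications = []

    def connect(self):
        # The session is modelled as the server object itself.
        return self

    def send(self, third):
        self.cache[third["target"]].append(third["payload"])
        # Constructed summary: the first 20 characters of the payload.
        self.sms_notifications.append((third["target"], third["payload"][:20]))

    def receiver_connects(self, recipient_id):
        pending, self.cache[recipient_id] = self.cache[recipient_id], []
        return pending

class ExtranetModule:
    """Step S6: deliver third data push information to the server whose
    address the intranet module chose, reusing an open session when one
    exists for that address."""
    def __init__(self, servers):
        self.servers = servers      # address -> CacheServer (constructed network stand-in)
        self.sessions = {}          # address -> open session
        self.connections_opened = 0

    def receive_second_push(self, second):
        address = second["server_address"]
        if address not in self.sessions:
            self.sessions[address] = self.servers[address].connect()
            self.connections_opened += 1
        self.sessions[address].send({"target": second["target"],
                                     "payload": second["payload"]})
        return True

class IntranetModule:
    """Step S5: the destination comes from the service authorization table
    only; the first data push information carries no address field, so a
    pusher cannot name an arbitrary extranet host."""
    def __init__(self, service_auth_table, extranet):
        self.table = service_auth_table
        self.extranet = extranet

    def receive_first_push(self, first):
        address = self.table.get(first["auth_code"])
        if address is None:
            return False            # code not granted: nothing leaves the intranet
        return self.extranet.receive_second_push({"server_address": address,
                                                 "target": first["target"],
                                                 "payload": first["payload"]})

def run_scenario():
    """Constructed scenario: two pushes under a granted code, one under a
    code absent from the table, then the recipient connects."""
    server = CacheServer()
    extranet = ExtranetModule({addr: server for addr in SERVICE_AUTH_TABLE.values()})
    intranet = IntranetModule(SERVICE_AUTH_TABLE, extranet)
    accepted = [
        intranet.receive_first_push({"auth_code": "AUTH-ALERT", "target": "user-7",
                                     "payload": "alert: disk at 95%"}),
        intranet.receive_first_push({"auth_code": "AUTH-ALERT", "target": "user-7",
                                     "payload": "alert: disk at 98%"}),
        intranet.receive_first_push({"auth_code": "AUTH-BACKUP", "target": "user-7",
                                     "payload": "full dump"}),
    ]
    delivered = server.receiver_connects("user-7")
    return {
        "accepted": accepted,
        "connections_opened": extranet.connections_opened,
        "delivered": delivered,
        "left_after_delivery": server.receiver_connects("user-7"),
        "sms": server.sms_notifications,
    }

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The third push is refused at the intranet module because its code has no entry in the service authorization table, and the two accepted pushes to the same address open only one session, which is the behaviour the session-reuse refinement of step S6 describes.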
Further, according to the method for pushing data directionally of the present invention,
the authorization verification request at least comprises a pusher identification code, an authorization identification code set and signature verification information;
the signature verification information is formed by encrypting the authorization verification information by a gateway public key after the signature is carried out on the authorization verification information by a private key of a pusher;
the authorization verification information at least comprises an authorization identification code set;
the step S2 includes the following steps:
S21: receiving the authorization verification request, extracting the pusher identification code, the authorization identification code set and the signature verification information from the authorization verification request, and finding the pusher public key according to the pusher identification code;
S22: decrypting the signature verification information according to the gateway private key and the pusher public key to obtain the authorization verification information, and comparing whether the authorization identification code set in the authorization verification information is consistent with the authorization identification code set in the authorization verification request;
S23: finding the server address information corresponding to each authorization identification code in the authorization identification code set to form a service authorization table;
the service authorization table is a set of service authorization information;
the service authorization information at least comprises an authorization identification code and server address information;
S24: generating an authorization verification permission and sending the authorization verification permission to the pusher terminal.
Further, according to the method for pushing data directionally of the present invention,
in step S24, an authorization verification permission is composed according to the authorization identification codes in the service authorization table;
the step S3 further includes combining the authorization identification codes in the authorization verification permission into an authorization permission table;
the step S4 further includes judging whether the authorization permission table contains the authorization identification code corresponding to the first data push information.
Further, according to the method for pushing data directionally of the present invention,
in step S5, in "finding the corresponding server address information according to the authorization identification code in the first data push information", the server address information corresponding to the authorization identification code is found from the service authorization table.
Further, according to the method for the directional pushing of the data, the method further comprises an initial configuration step;
in the initial configuration step, a corresponding relation between a pusher identification code and a pusher public key is configured for an intranet module of the gateway device, and a corresponding relation between an authorization identification code and server address information is configured.
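The authentication connection of steps S1 and S21 to S24, together with the authorization permission table check of steps S3 and S4, as an added Python example that is not from the patent. A real deployment would use RSA or ECC from a proper library; this example stands in textbook RSA with tiny constructed primes (one block per byte, no padding) purely so that the sign-then-encrypt order, the public-key lookup by pusher identification code, the comparison of the two authorization identification code sets and the derivation of the service authorization table can be run offline. The pusher identification code, authorization identification codes, server addresses, key values and nonce are all constructed.

```python
import hashlib
import json

# Toy RSA key pairs (constructed). Textbook RSA with tiny primes, present only
# to show the sign-then-encrypt structure of the request; not real cryptography.
PUSHER_PUB, PUSHER_PRIV = (17, 3233), (2753, 3233)        # p=61, q=53
GATEWAY_PUB, GATEWAY_PRIV = (3533, 11413), (6597, 11413)  # p=101, q=113

# Constructed initial-configuration tables of the intranet module (MGA01/MGA02).
PUSHER_KEY_TABLE = {"pusher-01": PUSHER_PUB}
PUSH_PERMISSION_TABLE = {
    "AUTH-ALERT": ("203.0.113.10", 8443),
    "AUTH-REPORT": ("203.0.113.10", 8444),
    "AUTH-BACKUP": ("203.0.113.20", 9000),
}

def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def toy_sign(data, priv):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(data, signature, pub):
    e, n = pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_encrypt(data, pub):
    e, n = pub
    return [pow(byte, e, n) for byte in data]    # one RSA block per byte (toy only)

def toy_decrypt(blocks, priv):
    d, n = priv
    return bytes(pow(block, d, n) for block in blocks)

def build_authorization_verification_request(pusher_id, auth_codes, nonce):
    """Step S1 (pusher terminal): authorization verification info = code set +
    random number; sign it with the pusher private key, then encrypt the signed
    info with the gateway public key. The code set also travels in the clear."""
    auth_info = {"auth_codes": sorted(auth_codes), "nonce": nonce}
    signed = {"auth_info": auth_info,
              "signature": toy_sign(canonical(auth_info), PUSHER_PRIV)}
    return {"pusher_id": pusher_id,
            "auth_codes": sorted(auth_codes),
            "signature_verification_info": toy_encrypt(canonical(signed), GATEWAY_PUB)}

def handle_authorization_verification_request(request):
    """Steps S21-S24 (intranet module). Returns (service_authorization_table,
    authorization_verification_permission), or (None, reason) when rejected."""
    pusher_pub = PUSHER_KEY_TABLE.get(request["pusher_id"])               # S21
    if pusher_pub is None:
        return None, "unknown pusher"
    try:                                                                   # S22
        signed = json.loads(toy_decrypt(request["signature_verification_info"], GATEWAY_PRIV))
    except (ValueError, UnicodeDecodeError):
        return None, "undecryptable signature verification info"
    auth_info = signed["auth_info"]
    if not toy_verify(canonical(auth_info), signed["signature"], pusher_pub):
        return None, "bad signature"
    if sorted(auth_info["auth_codes"]) != sorted(request["auth_codes"]):
        return None, "authorization code set mismatch"
    # S23: an address is granted only for codes present in the push authority table.
    service_auth_table = {code: PUSH_PERMISSION_TABLE[code]
                          for code in auth_info["auth_codes"] if code in PUSH_PERMISSION_TABLE}
    if not service_auth_table:
        return None, "no authority to send data to the extranet"
    # S24: the permission names exactly the granted codes.
    return service_auth_table, {"granted_codes": sorted(service_auth_table)}

def pusher_may_push(permission, auth_code):
    """Steps S3/S4 (pusher terminal): the granted codes become the authorization
    permission table, checked before each first data push information is sent."""
    return auth_code in permission["granted_codes"]

if __name__ == "__main__":
    request = build_authorization_verification_request(
        "pusher-01", {"AUTH-ALERT", "AUTH-BACKUP", "AUTH-UNKNOWN"}, nonce=4242)
    print(handle_authorization_verification_request(request))
```

The service authorization table contains only the codes found in the push authority table, so a pusher that requests an unconfigured code receives no address for it, and a later first data push information carrying that code is refused by the pusher's own permission table check before it reaches the gateway. Changing the cleartext code set without re-signing is caught by the S22 comparison, since the signed copy inside the encrypted part still names the original set.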
The system for directionally pushing data comprises a pusher terminal and a gateway device; the pusher terminal is located in an intranet, and the gateway device is arranged between an extranet and the intranet; the pusher terminal is connected to the gateway device through the intranet network; the pusher terminal is configured with a pusher module; the gateway device is provided with an intranet module and an extranet module; the intranet module and the extranet module are connected to the intranet and the extranet respectively; the intranet module is connected to the extranet module;
The pusher module comprises the following modules:
MP1, for: connecting to the intranet module of the gateway device and sending an authorization verification request to the intranet module;
MP2, for: receiving the authorization verification permission;
MP3, for: forming first data push information according to the pushed data, and then sending the first data push information to the intranet module;
the first data push information at least comprises the pushed data and an authorization identification code;
The intranet module comprises the following modules:
MGA1, for: after receiving the authorization verification request, judging whether the pusher terminal has the authority to send data to the extranet; if it has that authority, sending an authorization verification permission to the pusher terminal;
MGA2, for: after receiving the first data push information, finding the corresponding server address information according to the authorization identification code in the first data push information, combining the server address information and the pushed data from the first data push information into second data push information, and submitting the second data push information to the extranet module of the gateway device;
The extranet module comprises the following modules:
MGB1, for: after receiving the second data push information, connecting to the server according to the server address information in the second data push information, forming the pushed data from the second data push information into third data push information, and sending the third data push information to the server.
Further, according to the system for directionally pushing data of the present invention, in the module MGB1, after receiving the second data pushing information, the extranet module determines whether a connection session with the corresponding server exists according to the server address information in the second data pushing information; and if the connection session of the server corresponding to the server address information does not exist, connecting the server according to the server address information, otherwise, directly sending the third data push information to the server according to the connection session.
Further, according to the system for the directional pushing of the data, the system further comprises a server; the server is positioned in an external network; the server is connected with the gateway equipment through an external network; the server is configured with a cache service module;
the cache service module comprises the following modules:
MS1, for: after receiving the third data push information, finding the corresponding receiver according to the target person information in the third data push information, and caching the pushed data in the receiver cache space;
MS2, for: when the receiver terminal connects to the server, extracting the pushed data from the corresponding receiver cache space, and then sending the pushed data to the receiver terminal.
Further, according to the system for pushing data directionally of the present invention, the module MS1 is further configured to extract data summary information according to the pushed data, and then send the data summary information to the mobile terminal corresponding to the recipient in a mobile network short message manner.
Further, according to the system for data directional pushing of the present invention,
the authorization verification request at least comprises a pusher identification code, an authorization identification code set and signature verification information;
the signature verification information is formed by encrypting the authorization verification information by a gateway public key after the signature is carried out on the authorization verification information by a private key of a pusher;
the authorization verification information at least comprises an authorization identification code set;
the module MGA1 comprises the following modules:
MGA11, for: receiving the authorization verification request, extracting a pusher identification code, an authorization identification code set and signature verification information in the authorization verification request, and finding out a pusher public key according to the pusher identification code;
MGA12, for: decrypting the signature verification information to obtain authorization verification information according to a gateway private key and a pusher public key, and comparing whether an authorization identification code set in the authorization verification information is consistent with an authorization identification code set in the authorization verification request;
MGA13, for: finding the server address information corresponding to each authorization identification code in the authorization identification code set to form a service authorization table;
the service authorization table is a set of service authorization information; the service authorization information represents the corresponding relation between an authorization identification code and server address information and at least comprises the authorization identification code and the server address information;
MGA14, for: generating an authorization verification permission and sending the authorization verification permission to the pusher terminal.
Further, according to the system for data directional pushing of the present invention,
in the module MGA14, an authorization verification permission is composed according to the authorization identification codes in the service authorization table;
the module MP2 is further configured to: combine the authorization identification codes in the authorization verification permission into an authorization permission table;
the module MP3 is further configured to: judge whether the authorization permission table contains the authorization identification code corresponding to the first data push information.
Further, according to the system for data directional pushing of the present invention,
in the module MGA2, in "finding the corresponding server address information according to the authorization identification code in the first data push information", the server address information corresponding to the authorization identification code is searched from the service authorization table.
Further, according to the system for data directional pushing of the present invention,
the intranet module further comprises the following modules:
MGA01, for: receiving and storing push key configuration information;
MGA02, for: receiving and storing push authority configuration information;
the push key configuration information comprises a pusher identification code and a pusher public key;
the push permission configuration information comprises an authorization identification code and server address information.
The invention has the following technical effects: in the invention, when the intranet machine pushes data to the extranet, the pushed data can only be pushed to a specific machine in the extranet or sent to the specific machine in the extranet for caching and transferring through the authority verification of the gateway.
Drawings
Fig. 1 is a schematic logical structure diagram of a system for directional pushing of data according to an embodiment of the present invention.
Fig. 2 is a schematic overall step diagram of an embodiment of a method for pushing data directionally according to the present invention.
Among them, 100 is a pusher terminal, 200 is a gateway device, 210 is an intranet module, 220 is an extranet module, 300 is a server, 400 is a receiver terminal, 901 is an extranet network, and 902 is an intranet network.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
As shown in fig. 1, a system for directional pushing of data includes a pusher terminal 100, a gateway device 200, a server 300, and a receiver terminal 400. The pusher terminal 100 is located in an intranet, is typically a server in the intranet, and is connected to the gateway device 200 through an intranet network 902. The receiver terminal 400 is located in an external network, is a terminal operated by a user, and may be a personal computer, a workstation, or a mobile terminal such as a mobile phone or a palmtop computer. The gateway device 200 is provided between the internal network and the external network. The gateway device 200, the server 300, and the receiver terminal 400 are connected through an extranet network 901. The pusher terminal 100 is configured with a pusher module implemented by executing computer program instructions. The gateway device 200 is configured with an intranet module 210 and an extranet module 220, each implemented by executing computer program instructions.
In the present embodiment, the gateway device 200 employs the router technology disclosed in patent document CN 107018154A and is provided with an intranet computing unit and an extranet computing unit. The intranet computing unit and the extranet computing unit are two relatively independent computing units, each comprising its own processor, random access memory, read-only memory and Ethernet interface. The Ethernet interface of the intranet computing unit is connected to the intranet network 902, and the Ethernet interface of the extranet computing unit is connected to the extranet network 901. For further details of the gateway device 200, reference may be made to the corresponding patent document; they are not repeated in this specification. In the present invention, the intranet module 210 and the extranet module 220 are implemented by the intranet computing unit and the extranet computing unit, respectively, executing computer program instructions.
The system for directional pushing of data of this embodiment is used to push data that needs to be pushed by the pusher terminal 100 to the external network, either to a certain server 300 or to a certain receiver terminal 400. For example, one pusher terminal 100 may need to push certain data to a certain server 300, and another pusher terminal 100 may need to push certain data to a certain receiver terminal 400. When the pusher terminal 100 needs to push data to a certain receiver terminal 400, the pushed data is first pushed to a certain cache server, which caches the data; when the receiver terminal 400 connects to the cache server, the cache server sends the cached pushed data to the receiver terminal 400. In another possible implementation, a server 300 may at the same time receive the pushed data sent by some of the pusher terminals 100 and act as a cache server for other pusher terminals 100 and receiver terminals 400. It is also possible that one pusher terminal 100 pushes some data to a certain server while other data needs to be pushed to the receiver terminal 400. Thus, some servers 300 are configured with cache service modules implemented by executing computer program instructions. The cache service module is used to cache the pushed data when the pusher terminal 100 pushes data to the receiver terminal 400.
The system for data directional pushing of this embodiment is an interactive process between data pushing, and as shown in fig. 2, includes an initial configuration step, an authentication connection step, and a data pushing step.
In the initial configuration step, configuration information required for configuring the intranet module 210 and configuration information required for configuring the presenter terminal 100 are configured. The configuration information required by the intranet module 210 includes: the gateway private key, the push key configuration information and the push authority configuration information. The configuration information required for the presenter terminal 100 includes: the system comprises a pusher identification code, a pusher private key, a gateway public key and an authorization identification code.
The push key configuration information is used for representing the corresponding relation between the pusher identification code and the pusher public key, and comprises the pusher identification code and the pusher public key. Each of the presenter terminals 100 corresponds to a presenter identification code and a presenter public key. As shown in fig. 1, the gateway device 200 corresponds to a plurality of presenter terminals 100 in an intranet, and each presenter terminal 100 corresponds to one presenter identification code. The presenter identification code is used to uniquely identify the presenter terminal 100, and may be a user ID of a certain configuration, an IP address of the presenter terminal 100 in the intranet, or a MAC address of the presenter terminal 100. In the configuration information required by the intranet module 210, the push key configuration information corresponding to each of the pusher terminals 100 constitutes a pusher key table. The pusher key table is typically persistently stored in a connected database or in a local file of the gateway device 200.
The push authority configuration information is used for representing the corresponding relation between the authorization identification code and the server address information, and comprises the authorization identification code and the server address information. The server address information includes an IP address and a port number. In this embodiment, the server address information is not limited to the address information of the server 300 shown in fig. 1, but also includes address information of other servers. These servers are servers that all intranet presenter terminals need to actively push data. Each authorized identification code corresponds to a server port for a function. Therefore, the IP addresses corresponding to different authorized identification codes may be the same, but the port numbers are different. In the configuration information required by the intranet module 210, the push authority configuration information corresponding to each different authorization identification code constitutes a push authority table. The push permission table is typically persistently stored in a connected database or in a local file of the gateway device 200. In the configuration information required by the presenter terminal 100, different authorization identification codes constitute an authorization identification code table, and each authorization identification code corresponds to a different functional module. The presenter terminal 100 stores an authorized identification code table.
The pusher private key and the pusher public key, and the gateway private key and the gateway public key are key pairs in asymmetric encryption. Asymmetric encryption, such as ECC encryption, RSA encryption, are familiar to those skilled in the art. The key pair may be issued by a trusted certification authority or may be generated autonomously by the machine. The gateway private key and the gateway public key may be generated by the intranet module 210 of the gateway device 200, the gateway private key is stored in the gateway device 200, the gateway public key may be transmitted to the presenter terminal 100 through the intranet network 902, and the presenter terminal 100 stores the gateway public key; the pusher private key and the pusher public key may be generated by the pusher terminal 100, the pusher private key is stored in the pusher terminal 100, and the pusher public key may be transmitted to the intranet module 210 of the gateway device 200 through the intranet network 902.
In another embodiment, the corresponding relationship between the authorization identifier and the server address information may be bound to the pusher identifier. At this time, the push authority configuration information further includes a pusher identification code.
The correspondence between the pusher identification code and the authorization identification codes is typically set manually. The pusher module comprises a module for receiving and storing a pusher identification code and an authorization identification code table. The intranet module 210 comprises a module for receiving and storing the push permission configuration information, namely the aforementioned module MGA02; here, "receiving" means receiving manually input push permission configuration information. The "receiving" in "receiving and storing push key configuration information" of the aforementioned module MGA01 may mean either receiving push key configuration information sent by the pusher terminal 100 or receiving manually input push key configuration information.
The authentication connection step is initiated by the pusher terminal 100. First, the pusher terminal 100 connects to the intranet module 210 and, after the connection succeeds, sends an authorization verification request to the intranet module 210. This is the aforementioned step S1, and is also the function realized by the module MP1. The authorization verification request includes at least a pusher identification code, an authorization identification code set, and signature verification information. The pusher identification code is the one stored in the pusher terminal 100 in the initial configuration step. The authorization identification code set is a set of authorization identification codes taken from the authorization identification code table stored in the pusher terminal 100 in the initial configuration step. The signature verification information is formed by first signing the authorization verification information with the pusher private key and then encrypting the result with the gateway public key. In this embodiment, the authorization verification information consists of the authorization identification code set and a random number.
After receiving the authorization verification request, the intranet module 210 judges, according to the authorization verification request, whether the pusher terminal has permission to send data to the extranet. If it has that permission, an authorization verification permit is sent to the pusher terminal 100; otherwise, a message stating that there is no permission to send data to the extranet is sent to the pusher terminal 100 and the connection is closed. This is the function performed by the module MGA1, as well as the aforementioned step S2. The specific process by which the intranet module 210 judges, according to the authorization verification request, whether permission to send data to the extranet exists includes the following steps:
Step S21: receiving the authorization verification request, extracting the pusher identification code, the authorization identification code set and the signature verification information from it, and finding the pusher public key according to the pusher identification code. The pusher public key is obtained by searching the pusher key table stored in the intranet module 210 for an entry matching the pusher identification code. In this step, if no pusher public key corresponding to the pusher identification code can be found, a message stating that there is no permission to send data to the extranet is returned to the pusher terminal 100, and the connection is then closed.
Step S22: decrypting the signature verification information with the gateway private key and verifying the signature with the pusher public key to obtain the authorization verification information, then comparing whether the authorization identification code set in the authorization verification information is consistent with the authorization identification code set in the authorization verification request. If the two are not consistent, a message stating that there is no permission to send data to the extranet is returned to the pusher terminal 100, and the connection is then closed.
Step S23: finding, for each authorization identification code in the authorization identification code set, the corresponding server address information, and forming a service authorization table from the results. The server address information corresponding to an authorization identification code is obtained by searching the push permission table stored in the intranet module 210 for an entry matching the authorization identification code. The service authorization table is a collection of service authorization information. Service authorization information represents the correspondence between an authorization identification code and server address information, and comprises at least the authorization identification code and the server address information. The service authorization table is held temporarily in memory and corresponds to the connection between the pusher terminal 100 and the intranet module 210; when that connection is closed, the service authorization table is released. It should be noted that, in the case where the correspondence between the authorization identification code and the server address information is bound to the pusher identification code, both the authorization identification code and the pusher identification code must be matched when searching the push permission table.
Step S24: forming an authorization verification permit according to the authorization identification codes in the service authorization table, and sending the authorization verification permit to the pusher terminal 100. It should be noted that, after step S23, the authorization identification codes contained in the service authorization table need not be the same as those contained in the authorization verification request: if no server address information can be found for a given authorization identification code of the request, that code is not added to the service authorization table. The service authorization table may therefore be empty. If it is empty, a message stating that there is no permission to send data to the extranet is returned to the pusher terminal 100 and the connection is then closed; otherwise, an authorization verification permit is formed from the authorization identification codes in the service authorization table and returned to the pusher terminal 100. The authorization verification permit thus contains a set of authorization identification codes.
After the intranet module 210 has successfully verified the authorization verification request, the pusher terminal 100 receives the authorization verification permit. In this embodiment, on receiving the authorization verification permit, the pusher terminal 100 combines the authorization identification codes in the permit into an authorization permission table. The authorization permission table is held in memory and comprises a set of authorization identification codes. This is the function realized by the aforementioned step S3, i.e. the aforementioned module MP2.
At this point the authentication connection step is finished and the data push step follows. In the data push step, when pushed data exists in the pusher terminal 100 and needs to be pushed to the server 300 of the extranet or to the receiver terminal 400, the pushed data is combined into first data push information, which is then sent to the intranet module 210. This is the function realized by the aforementioned step S4, i.e. the module MP3. The above procedure also implies that the connection between the pusher terminal 100 and the intranet module 210 is a long-lived connection: after one authentication connection, pushed data can be transmitted for as long as the connection remains open.
The first data push information comprises at least the pushed data and an authorization identification code. When the pushed data is to be pushed to the receiver terminal 400, the first data push information generally also includes target person information. The target person information designates the recipient and may be a user name or a user ID. In some applications the target person information only delimits a user group, and the final recipient is determined by the server 300. For example, in a device maintenance network the pushed data is failure data of a device and the target person information is the model information of the device; after the pushed data reaches the server 300, the server 300 assigns a free worker according to the target person information and sends the pushed data to that worker's terminal, so that the worker can respond to the device failure.
After receiving the first data push information, the intranet module 210 finds the server address information corresponding to the authorization identification code in the first data push information, combines that server address information and the pushed data from the first data push information into second data push information, and submits the second data push information to the extranet module 220 of the gateway device 200. This is the function performed by the aforementioned step S5, i.e. the module MGA2. In this embodiment, the server address information corresponding to the authorization identification code is obtained by searching the service authorization table stored in the intranet module 210 for an entry matching the authorization identification code. When the pushed data is to be pushed to the receiver terminal 400, the second data push information typically also includes the target person information.
In the foregoing step, if no server address information can be found for the authorization identification code in the first data push information, the first data push information is not processed further; that is, the pushed data is discarded. To avoid wasting intranet network resources, in this embodiment, when the pusher terminal 100 composes the first data push information or sends it to the intranet module 210, it additionally determines whether the authorization permission table contains the authorization identification code corresponding to the first data push information. If the authorization permission table does not contain that code, the first data push information is not formed, or is not sent to the intranet module 210. In this way the pushed data is discarded at the pusher terminal 100.
After receiving the second data push information, the extranet module 220 connects to the server 300 according to the server address information in the second data push information, forms the pushed data from the second data push information into third data push information, and sends the third data push information to the server 300. In this embodiment, the connection between the extranet module 220 and the server 300 is a long-lived connection; that is, once the extranet module 220 and the server 300 have connected, third data push information can be sent continuously. Therefore, in this embodiment, after receiving the second data push information, the extranet module determines, according to the server address information in the second data push information, whether a connection session with the corresponding server already exists. If no connection session exists for the server corresponding to that server address information, the extranet module connects to the server 300 according to the server address information and sends the third data push information to the server 300 once the connection is established; otherwise, the third data push information is sent directly to the server 300 over the existing connection session.
In the case where the pusher terminal 100 pushes data to the server 300, the push process ends once the server 300 has received the third data push information; how the server 300 processes the pushed data after extracting it from the third data push information is outside the scope of the present invention.
In the case where the pusher terminal 100 pushes data to the receiver terminal 400, the third data push information typically also includes the target person information. The server 300 then functions as a cache server and is configured with a cache service module implemented by executing computer program instructions. In this embodiment, the cache service module is configured to: after receiving the third data push information, find the corresponding receiver according to the target person information in the third data push information, cache the pushed data in the corresponding receiver cache space, extract data summary information from the pushed data, and send the data summary information to the mobile terminal corresponding to the receiver as a mobile network short message; and, when the receiver terminal 400 connects to the server 300, extract the pushed data from the corresponding receiver cache space and transmit it to the receiver terminal 400. Once the receiver terminal 400 has received the pushed data, the data push interaction of the system for directionally pushing data in this embodiment is complete. How the receiver terminal 400 processes the pushed data after receiving it is outside the scope of the present invention.
Claims (16)
1. A method for directional pushing of data, characterized in that the method involves a pusher terminal, a gateway device and a server; the pusher terminal is located in an intranet, the server is located in an extranet, and the gateway device is arranged between the extranet and the intranet; the pusher terminal is connected with the gateway device through an intranet network; the server is connected with the gateway device through an extranet network; the gateway device is provided with an intranet module and an extranet module; the intranet module and the extranet module are connected with the intranet network and the extranet network respectively; the intranet module is connected with the extranet module; the method comprises the following steps:
s1: the pusher terminal connects to the intranet module of the gateway device and sends an authorization verification request to the intranet module;
s2: after receiving the authorization verification request, the intranet module judges, according to the authorization verification request, whether there is permission to send data to the extranet; if there is permission to send data to the extranet, an authorization verification permit is sent to the pusher terminal;
s3: the pusher terminal receives the authorization verification permission;
s4: when the pushed data exists in the pusher terminal, first data pushing information is formed according to the pushed data, and then the first data pushing information is sent to the intranet module;
the first data pushing information at least comprises pushed data and an authorization identification code;
s5: after receiving the first data push information, the intranet module finds out corresponding server address information according to the authorization identification code in the first data push information, then combines the server address information and the pushed data in the first data push information into second data push information, and submits the second data push information to the extranet module of the gateway device;
s6: after receiving the second data push information, the extranet module connects to the server according to the server address information in the second data push information, forms the pushed data in the second data push information into third data push information, and sends the third data push information to the server.
2. The method according to claim 1, wherein in step S6, after receiving the second data pushing information, the extranet module determines whether there is a connection session with the corresponding server according to server address information in the second data pushing information; and if the connection session of the server corresponding to the server address information does not exist, connecting the server according to the server address information, otherwise, directly sending the third data push information to the server according to the connection session.
3. A method for directed pushing of data as recited in claim 1, further comprising involving a recipient terminal; the receiver terminal is positioned in an external network; the receiver terminal is connected with the server through an external network;
the first data pushing information, the second data pushing information and the third data pushing information comprise target person information;
the method also includes the steps of:
s7: after receiving the third data push information, the server finds a corresponding receiver according to target person information in the third data push information, and caches the pushed data in a receiver cache space;
s8: when a receiver terminal is connected with the server, the server extracts the pushed data from the corresponding receiver cache space, and then sends the pushed data to the receiver terminal.
4. The method of claim 3, wherein the step S7 further comprises extracting data summary information according to the pushed data, and then sending the data summary information to the mobile terminal corresponding to the recipient by means of a mobile network short message.
5. The method of data directed pushing according to claim 1 or 2 or 3 or 4,
the authorization verification request at least comprises a pusher identification code, an authorization identification code set and signature verification information;
the signature verification information is formed by encrypting the authorization verification information by a gateway public key after the signature is carried out on the authorization verification information by a private key of a pusher;
the authorization verification information at least comprises an authorization identification code set;
the step S2 includes the following steps:
s21: receiving the authorization verification request, extracting a pusher identification code, an authorization identification code set and signature verification information in the authorization verification request, and finding out a pusher public key according to the pusher identification code;
s22: decrypting the signature verification information to obtain authorization verification information according to a gateway private key and a pusher public key, and comparing whether an authorization identification code set in the authorization verification information is consistent with an authorization identification code set in the authorization verification request;
s23: finding out server address information corresponding to the authorized identification codes according to the authorized identification codes in the authorized identification code set to form a service authorization table;
the service authorization table is a set of service authorization information;
the service authorization information at least comprises an authorization identification code and server address information;
s24: generating an authorization verification permit and sending the authorization verification permit to the pusher terminal.
6. The method of data directed pushing according to claim 5,
in step S24, an authorization verification license is composed according to the authorization identification code in the service authorization table;
the step S3 further includes composing the authorization identification code in the authorization verification license into an authorization license table;
the step S4 further includes determining whether the authorization permission table has an authorization identifier corresponding to the first data pushing information.
7. The method of data directed pushing according to claim 5,
in step S5, in "finding the corresponding server address information according to the authorization identification code in the first data push information", the server address information corresponding to the authorization identification code is found from the service authorization table.
8. A method for directional pushing of data according to claim 5, further comprising an initial configuration step;
in the initial configuration step, a corresponding relation between a pusher identification code and a pusher public key is configured for an intranet module of the gateway device, and a corresponding relation between an authorization identification code and server address information is configured.
9. A system for directional pushing of data, characterized in that the system comprises a pusher terminal and a gateway device; the pusher terminal is located in an intranet, and the gateway device is arranged between an extranet and the intranet; the pusher terminal is connected with the gateway device through an intranet network; the pusher terminal is configured with a pusher module; the gateway device is provided with an intranet module and an extranet module; the intranet module and the extranet module are connected with the intranet network and the extranet network respectively; the intranet module is connected with the extranet module;
the pusher module comprises the following modules:
MP1, for: connecting to the intranet module of the gateway device and sending an authorization verification request to the intranet module;
MP2, for: receiving the authorization verification permit;
MP3, for: forming first data push information according to the pushed data, and then sending the first data push information to the intranet module;
the first data push information at least comprises pushed data and an authorization identification code;
the intranet module comprises the following modules:
MGA1, for: after receiving the authorization verification request, judging, according to the authorization verification request, whether there is permission to send data to the extranet; if there is permission to send data to the extranet, sending an authorization verification permit to the pusher terminal;
MGA2, for: after receiving the first data push information, finding the corresponding server address information according to the authorization identification code in the first data push information, then combining the server address information and the pushed data in the first data push information into second data push information, and submitting the second data push information to the extranet module of the gateway device;
the extranet module comprises the following modules:
MGB1, for: after receiving the second data push information, connecting to a server according to the server address information in the second data push information, forming the pushed data in the second data push information into third data push information, and sending the third data push information to the server.
10. A system for directional pushing of data according to claim 9, wherein in the module MGB1, after receiving the second data pushing information, the extranet module determines whether there is a connection session with the corresponding server according to server address information in the second data pushing information; and if the connection session of the server corresponding to the server address information does not exist, connecting the server according to the server address information, otherwise, directly sending the third data push information to the server according to the connection session.
11. A system for directed pushing of data as recited in claim 9, further comprising a server; the server is positioned in an external network; the server is connected with the gateway equipment through an external network; the server is configured with a cache service module;
the cache service module comprises the following modules:
MS1, for: after receiving the third data push information, finding a corresponding receiver according to target person information in the third data push information, and caching the pushed data in a receiver caching space;
MS2, for: when the receiver terminal is connected with the server, extracting the pushed data from the corresponding receiver cache space, and then sending the pushed data to the receiver terminal.
12. A system for directional pushing of data according to claim 10, wherein said module MS1 is further configured to extract data summary information according to the pushed data, and then send the data summary information to the corresponding mobile terminal of the recipient by means of a mobile network short message.
13. The system for directional pushing of data according to claim 9, 10, 11 or 12,
the authorization verification request at least comprises a pusher identification code, an authorization identification code set and signature verification information;
the signature verification information is formed by encrypting the authorization verification information by a gateway public key after the signature is carried out on the authorization verification information by a private key of a pusher;
the authorization verification information at least comprises an authorization identification code set;
the module MGA1 comprises the following modules:
MGA11, for: receiving the authorization verification request, extracting a pusher identification code, an authorization identification code set and signature verification information in the authorization verification request, and finding out a pusher public key according to the pusher identification code;
MGA12, for: decrypting the signature verification information to obtain authorization verification information according to a gateway private key and a pusher public key, and comparing whether an authorization identification code set in the authorization verification information is consistent with an authorization identification code set in the authorization verification request;
MGA13, for: finding out server address information corresponding to the authorized identification codes according to the authorized identification codes in the authorized identification code set to form a service authorization table;
the service authorization table is a set of service authorization information;
the service authorization information at least comprises an authorization identification code and server address information;
MGA14, for: generating an authorization verification permit and sending the authorization verification permit to the pusher terminal.
14. The system for directional pushing of data according to claim 13,
in the module MGA14, an authorization verification license is composed according to the authorization identification code in the service authorization table;
the module MP2 is further configured to: the authorization identification code in the authorization verification license is combined into an authorization license table;
the module MP3 is further configured to: judge whether the authorization permission table has an authorization identification code corresponding to the first data push information.
15. The system for directional pushing of data according to claim 13,
in the module MGA2, in "finding the corresponding server address information according to the authorization identification code in the first data push information", the server address information corresponding to the authorization identification code is found from the service authorization table.
16. The system for directional pushing of data according to claim 13,
the intranet module further comprises the following modules:
MGA01, for: receiving and storing push key configuration information;
MGA02, for: receiving and storing push authority configuration information;
the push key configuration information comprises a pusher identification code and a pusher public key;
the push permission configuration information comprises an authorization identification code and server address information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011152288.6A CN112367365B (en) | 2020-10-26 | 2020-10-26 | Method and system for data directional pushing |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112367365A true CN112367365A (en) | 2021-02-12 |
| CN112367365B CN112367365B (en) | 2024-06-25 |
Family ID: 74512088
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011152288.6A Active CN112367365B (en) | 2020-10-26 | 2020-10-26 | Method and system for data directional pushing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112367365B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114580004A (en) * | 2022-05-07 | 2022-06-03 | 四川大学 | Authority management system, method, medium and equipment for the second classroom transcript system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112367365B (en) | 2024-06-25 |
| CN119865312B (en) | Encrypted communication system and method | |
| CN115134118B (en) | Method, device, server, and storage medium for verifying the identity of registered Internet users |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |