CN113347206B - Network access method and device - Google Patents
Publication number: CN113347206B (application CN202110736763.2A)
Authority: CN (China)
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications (CPC)
- H04L63/08: Network security, authentication of entities
- H04L63/083: Network security, authentication of entities using passwords
- H04L63/029: Network security, firewall traversal, e.g. tunnelling or creating pinholes
- H04L63/0428: Network security, confidential data exchange among entities communicating through packet networks, the payload being protected by encryption or encapsulation
- H04L63/10: Network security, controlling access to devices or network resources
- H04L63/18: Network security, using different networks or channels, e.g. out-of-band channels
- H04L63/168: Network security, security features implemented above the transport layer
- H04L67/02: Network services, protocols based on web technology, e.g. hypertext transfer protocol (HTTP)
- H04L9/16: Cryptographic mechanisms using a plurality of keys or algorithms, the keys or algorithms being changed during operation
Abstract
The application discloses a network access method and device in the field of computer technology. The method comprises: receiving an intranet access request, determining the user identifier in the request, and verifying the authority of that user identifier; in response to the verification passing, sending the intranet access request to an intranet server cluster so that the cluster obtains the target data according to the request and returns it; receiving the target data, generating a dynamic key, and dynamically encrypting the target data to obtain dynamically encrypted data; determining the access address and access port identifier corresponding to the intranet access request, determining the corresponding secure tunnel from them, and applying secure-tunnel encryption to the dynamically encrypted data to generate secure-tunnel encrypted data; and sending the secure-tunnel encrypted data to the browser client for viewing. A user with frequent intranet and extranet access needs no longer has to switch between the two networks, and information security is achieved at the same time.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a network access method and apparatus.
Background
At present, when a user browses web content with a browser, the browser can access only one network at a time, either the Internet or the office intranet, and frequent switching between them is inconvenient. Although both networks can be reached simultaneously by configuring a proxy, some of the data can then be obtained on the network by packet capture, so information security cannot be guaranteed.
In the course of implementing the present application, the inventors found at least the following problem in the prior art:
when intranet and extranet access is frequent, it can only be achieved by switching back and forth between the two networks, which is inconvenient for the user.
Disclosure of Invention
In view of this, embodiments of the present application provide a network access method and apparatus that solve the problem of existing network access methods requiring a user with frequent intranet and extranet access needs to switch between the two networks, which is inconvenient for the user.
To achieve the above object, according to one aspect of the embodiments of the present application, there is provided a network access method, including:
receiving an intranet access request sent by a browser client, determining a user identifier in the intranet access request, and verifying the authority of the user identifier;
responding to the verification passing, sending an intranet access request to an intranet server cluster, so that the intranet server cluster obtains target data according to the intranet access request and returns the target data;
receiving target data, generating a dynamic key to dynamically encrypt the target data, and further obtaining dynamic encrypted data;
determining an access address and an access port identifier corresponding to the intranet access request, and further determining a corresponding secure tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data in the secure tunnel and generate secure tunnel encrypted data;
and sending the secure tunnel encrypted data to the browser client for viewing.
Optionally, before receiving the intranet access request sent by the browser client, the method further includes:
receiving a search keyword sent by a browser client;
and generating an intranet access request based on the search keyword in response to determining that the search keyword is matched with one intranet keyword in a preset intranet keyword set.
Optionally, generating the dynamic key to dynamically encrypt the target data includes:
dividing target data to generate a data block;
determining the number of data blocks, and randomly generating that many different dynamic keys;
the data blocks are encrypted with different dynamic keys, respectively.
Optionally, encrypting the data blocks with different dynamic keys, respectively, includes:
for each data block, determining a corresponding dynamic key from different dynamic keys;
the corresponding data block is encrypted using the corresponding dynamic key.
Optionally, determining the corresponding secure tunnel based on the access address and the access port identification includes:
generating an intranet access address according to the access address and the access port identification;
and determining a browser client service address, calling an optimal path algorithm, and determining a corresponding secure tunnel according to the browser client service address and the intranet access address.
Optionally, receiving the search keyword sent by the browser client includes:
receiving the search keyword sent from a web application integrated in the browser client.
Optionally, verifying the authority of the user identifier includes:
sending a first verification code to a user corresponding to the user identifier;
receiving a second verification code returned by the browser client;
in response to determining that the first verification code is the same as the second verification code, verification is determined to pass.
In addition, the application also provides a network access device, which comprises:
the receiving unit is configured to receive an intranet access request sent by the browser client, determine a user identifier in the intranet access request and verify the authority of the user identifier;
the access request sending unit is configured to send the intranet access request to the intranet server cluster in response to determining that verification has passed, so that the intranet server cluster obtains target data according to the intranet access request and returns it;
the dynamic encryption unit is configured to receive target data, generate a dynamic key and dynamically encrypt the target data so as to obtain dynamic encrypted data;
the security tunnel encryption unit is configured to determine an access address and an access port identifier corresponding to the intranet access request, and further determine a corresponding security tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data and generate security tunnel encrypted data;
and the encrypted data sending unit is configured to send the secure tunnel encrypted data to the browser client for viewing.
Optionally, the apparatus further includes an intranet access request generating unit configured to:
receiving a search keyword sent by a browser client;
and generating an intranet access request based on the search keyword in response to determining that the search keyword is matched with one intranet keyword in a preset intranet keyword set.
Optionally, the dynamic encryption unit is further configured to:
dividing target data to generate a data block;
determining the number of data blocks, and randomly generating that many different dynamic keys;
the data blocks are encrypted with different dynamic keys, respectively.
Optionally, the dynamic encryption unit is further configured to:
for each data block, determining a corresponding dynamic key from different dynamic keys;
the corresponding data block is encrypted using the corresponding dynamic key.
Optionally, the secure tunnel encryption unit is further configured to:
generating an intranet access address according to the access address and the access port identification;
and determining a browser client service address, calling an optimal path algorithm, and determining a corresponding secure tunnel according to the browser client service address and the intranet access address.
Optionally, the access request generating unit is further configured to:
receiving the search keyword sent from a web application integrated in the browser client.
Optionally, the receiving unit is further configured to:
sending a first verification code to a user corresponding to the user identifier;
receiving a second verification code returned by the browser client;
in response to determining that the first verification code is the same as the second verification code, verification is determined to pass.
In addition, the application also provides a network access electronic device, which comprises: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network access method as described above.
In addition, the application further provides a computer readable medium, on which a computer program is stored, which when executed by a processor, implements a network access method as described above.
One embodiment of the invention above has the following advantages: an intranet access request sent by a browser client is received, the user identifier in it is determined and its authority is verified; in response to the verification passing, the intranet access request is sent to an intranet server cluster, which obtains the target data according to the request and returns it; the target data is received and a dynamic key is generated to dynamically encrypt it, yielding dynamically encrypted data; the access address and access port identifier corresponding to the intranet access request are determined, the corresponding secure tunnel is determined from them, and the dynamically encrypted data is encrypted in that secure tunnel to generate secure-tunnel encrypted data; and the secure-tunnel encrypted data is sent to the browser client for viewing. The method and system are thus built on a secure browser system: a server cluster set up on the intranet establishes a secure tunnel connection with the user client, and the intranet data obtained is protected by multiple encryption, dynamic-key encryption followed by Secure Shell (ssh) encryption. This optimizes the network access path, makes access convenient, avoids frequent switching between intranet and extranet when the user has frequent access needs on both, and achieves the purpose of information security.
Further effects of the optional implementations described above are explained below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the present application and are not to be construed as unduly limiting the present application. Wherein:
Fig. 1 is a schematic diagram of the main flow of a network access method according to a first embodiment of the present application;
Fig. 2 is a schematic diagram of the main flow of a network access method according to a second embodiment of the present application;
Fig. 3 is an application scenario diagram of a network access method according to a third embodiment of the present application;
Fig. 4 is a schematic diagram of the main modules of a network access device according to an embodiment of the present application;
Fig. 5 is an exemplary system architecture diagram in which embodiments of the present application may be applied;
Fig. 6 is a schematic diagram of a computer system suitable for implementing the terminal device or server of the embodiments of the present application.
Detailed Description
Exemplary embodiments of the present application are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present application to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of main flow of a network access method according to a first embodiment of the present application, and as shown in fig. 1, the network access method includes:
step S101, receiving an intranet access request sent by a browser client, determining a user identifier in the intranet access request, and further verifying the authority of the user identifier.
In this embodiment, the execution body (for example, may be a processor or a server) of the network access method may be connected by a wired connection or a wireless connection,
In this embodiment, before the intranet access request sent by the browser client is received, the network access method further includes:
receiving the search keyword sent by the browser client. When a user on the extranet wants to access the intranet, the user can type a keyword, word or phrase corresponding to the intranet content to be accessed directly into the search box of the browser client, and the execution body receives that keyword, word or phrase from the browser client.
generating an intranet access request based on the search keyword in response to determining that the search keyword matches one intranet keyword in a preset intranet keyword set. The execution body matches the received search keyword against the keywords in a preset set of keywords that jump to the intranet; when the received search keyword matches one of them, the execution body determines that the user wants to access the intranet and generates an intranet access request based on the search keyword.
Specifically, receiving the search keyword sent by the browser client includes:
the execution body receiving the search keyword sent from a web application integrated in the browser client. Integrated web applications include Web-IDE, cloud disk, office-online and the like.
The user identification can be the identification card number of the user, the mobile phone number of the user or the user name. The specific content of the user identifier is not specifically limited in the present application.
Specifically, verifying the authority of the user identifier includes:
and sending the first verification code to the user terminal corresponding to the user identifier, for example, when the user identifier is the user mobile phone number, the execution body can send a short message with the first verification code to the user mobile phone number. Of course, the executing body may send the mail with the first verification code to the mailbox bound to the mobile phone number of the user in the form of mail. The form and content of the first verification code transmission are not particularly limited in this application.
And receiving a second verification code returned by the browser client. In response to determining that the first verification code is the same as the second verification code, verification is determined to pass. After the execution body sends the first verification code, the user receives the first verification code, then the user can input the received first verification code into a verification code input box of the browser client, but when the user inputs errors, the user inputs a second verification code possibly, after the execution body receives the second verification code input by the user, the execution body can match the second verification code with the first verification code, and if the matching is successful, the user identity is verified to pass.
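The verification-code exchange described above, as an added Go example that is not part of the patent: a small verifier that issues a first verification code for a user identifier, hands it to an out-of-band sender, and later compares the second code returned by the browser client. The `Verifier` type, the six-digit code, the five-minute validity, the five-attempt limit and the `send` callback are all assumptions; the patent fixes neither code length nor validity period nor a retry policy. The example adds the checks a practitioner would want at this step: the comparison is constant-time, a code is single-use, and expiry and lockout are enforced.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Assumed policy (not from the patent): six-digit code, five-minute validity,
// five failed attempts before the pending code is discarded.
const (
	codeTTL     = 5 * time.Minute
	maxAttempts = 5
)

var (
	ErrNoChallenge = errors.New("no pending verification for user")
	ErrExpired     = errors.New("verification code expired")
	ErrTooMany     = errors.New("too many failed attempts")
	ErrMismatch    = errors.New("verification code mismatch")
)

type challenge struct {
	code     string
	expires  time.Time
	attempts int
}

// Verifier keeps one pending first verification code per user identifier.
// send is the out-of-band delivery (SMS or mail in the patent); now is
// injectable so that expiry can be tested.
type Verifier struct {
	mu      sync.Mutex
	pending map[string]*challenge
	now     func() time.Time
	send    func(userID, code string)
}

func NewVerifier(send func(userID, code string)) *Verifier {
	return &Verifier{pending: map[string]*challenge{}, now: time.Now, send: send}
}

// newCode draws a uniformly random six-digit code from crypto/rand.
func newCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// Issue generates the first verification code for userID, stores it with an
// expiry and hands it to the sender. Re-issuing replaces the pending code,
// so an older code cannot be replayed.
func (v *Verifier) Issue(userID string) error {
	code, err := newCode()
	if err != nil {
		return err
	}
	v.mu.Lock()
	v.pending[userID] = &challenge{code: code, expires: v.now().Add(codeTTL)}
	v.mu.Unlock()
	v.send(userID, code)
	return nil
}

// Verify compares the second verification code returned by the browser client
// with the pending first code: constant-time comparison, single use on
// success, and the challenge is discarded after expiry or maxAttempts failures.
func (v *Verifier) Verify(userID, second string) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	ch, ok := v.pending[userID]
	if !ok {
		return ErrNoChallenge
	}
	if v.now().After(ch.expires) {
		delete(v.pending, userID)
		return ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(ch.code), []byte(second)) == 1 {
		delete(v.pending, userID)
		return nil
	}
	ch.attempts++
	if ch.attempts >= maxAttempts {
		delete(v.pending, userID)
		return ErrTooMany
	}
	return ErrMismatch
}

func main() {
	var delivered string
	v := NewVerifier(func(userID, code string) { delivered = code }) // stub sender
	_ = v.Issue("user-1")
	fmt.Println("wrong code:", v.Verify("user-1", "000000"))
	fmt.Println("right code:", v.Verify("user-1", delivered))
	fmt.Println("replay:", v.Verify("user-1", delivered))
}
```

The attempt counter is what keeps a short numeric code from being guessed within its validity window; without it the six-digit space is small enough to enumerate, so a deployment should treat the limit and the expiry as one policy, not two independent settings.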
Step S102, in response to determining that the verification is passed, sending an intranet access request to the intranet server cluster, so that the intranet server cluster obtains target data according to the intranet access request and returns the target data.
After the user identity is verified, the execution body allows the user to access the intranet and sends the intranet access request to the intranet server cluster, so that the cluster obtains the target data from the target data acquisition address in the request and returns it to the browser client for the user to view.
Step S103, receiving the target data, generating a dynamic key to dynamically encrypt the target data, and further obtaining dynamic encrypted data.
After the execution body obtains the target data from the intranet server, it can generate dynamic keys for the target data. Here a dynamic key means that, during communication, the data stream is divided into data blocks and each block is encrypted with a different key, so that even if an attacker intercepts part of the communication stream together with the corresponding key, the security of all other communication data is not endangered. The execution body divides the target data into data blocks, generates as many different dynamic keys as there are blocks, and encrypts each block with its own dynamic key, which improves the security of the information transfer.
Step S104, determining an access address and an access port identifier corresponding to the intranet access request, and further determining a corresponding secure tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data in the secure tunnel and generate secure tunnel encrypted data.
The execution body establishes secure tunnels between each browser server and the intranet server cluster in advance. It then determines the access address and access port identifier corresponding to the intranet access request; for example, the access address may be 172.16.10.5, the access port identifier may be 2222, and the network setting type may be a SOCKS4 or SOCKS5 proxy. ssh only supports SOCKS4 and SOCKS5 proxies, and some client tools need the proxy type specified explicitly.
The execution body can obtain the intranet access address and access port identifier from the parameters of the intranet access request, and then select, from the pool of secure tunnels between each browser client and the intranet server cluster, the secure tunnel whose intranet connection port matches the obtained intranet access address and access port identifier.
In this embodiment, determining the corresponding secure tunnel based on the access address and the access port identifier includes:
generating an intranet access address from the access address and the access port identifier: the execution body can determine the target address from which the target data is obtained by combining the access address and the port, for example "172.16.10.5:2222".
determining a browser client service address, for example 172.16.10.4, and invoking an optimal path algorithm on the browser client service address 172.16.10.4 and the intranet access address 172.16.10.5:2222 to determine, in the secure tunnel pool, the secure tunnel corresponding to the shortest path between the two addresses.
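The tunnel selection of step S104, as an added Go example rather than the patent's own code: the pool of pre-established tunnels is modelled as weighted edges between addresses, the intranet address is built as "172.16.10.5:2222" from the access address and port identifier, and Dijkstra's algorithm stands in for the optimal path algorithm to find the tunnel through which the shortest path from the browser client service address 172.16.10.4 enters the target. The `Tunnel` type, the latency-style cost metric, the relay addresses 10.0.0.1 and 10.0.0.2 in the sample pool and the choice of Dijkstra are assumptions; the patent only says an optimal path algorithm selects the shortest path. The example also validates the address and port before they are joined, and reports when no tunnel in the pool reaches the requested endpoint.

```go
package main

import (
	"container/heap"
	"errors"
	"fmt"
	"math"
	"net"
)

// Tunnel is one pre-established secure tunnel in the pool, modelled as a
// directed edge. Cost is an assumed metric such as measured latency in ms.
type Tunnel struct {
	ID       string
	From, To string
	Cost     float64
}

// IntranetAddress forms the target address from the access address and the
// access port identifier, e.g. "172.16.10.5:2222", validating both parts.
func IntranetAddress(addr string, port int) (string, error) {
	if net.ParseIP(addr) == nil {
		return "", fmt.Errorf("invalid access address %q", addr)
	}
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("invalid access port %d", port)
	}
	return net.JoinHostPort(addr, fmt.Sprint(port)), nil
}

// Min-heap of (node, distance) pairs for Dijkstra.
type item struct {
	node string
	dist float64
}
type pq []item

func (p pq) Len() int            { return len(p) }
func (p pq) Less(i, j int) bool  { return p[i].dist < p[j].dist }
func (p pq) Swap(i, j int)       { p[i], p[j] = p[j], p[i] }
func (p *pq) Push(x interface{}) { *p = append(*p, x.(item)) }
func (p *pq) Pop() interface{} {
	old := *p
	x := old[len(old)-1]
	*p = old[:len(old)-1]
	return x
}

// SelectTunnel runs Dijkstra over the pool from the browser client service
// address to the intranet address and returns the tunnel through which the
// shortest path enters the target, together with the total path cost.
func SelectTunnel(pool []Tunnel, client, target string) (Tunnel, float64, error) {
	if client == target {
		return Tunnel{}, 0, errors.New("client and target address are the same")
	}
	adj := map[string][]Tunnel{}
	for _, t := range pool {
		adj[t.From] = append(adj[t.From], t)
	}
	dist := map[string]float64{client: 0}
	via := map[string]Tunnel{} // tunnel by which each node was reached
	h := &pq{{client, 0}}
	for h.Len() > 0 {
		cur := heap.Pop(h).(item)
		if cur.dist > dist[cur.node] {
			continue // stale heap entry
		}
		if cur.node == target {
			return via[target], cur.dist, nil
		}
		for _, t := range adj[cur.node] {
			nd := cur.dist + t.Cost
			if d, seen := dist[t.To]; !seen || nd < d {
				dist[t.To] = nd
				via[t.To] = t
				heap.Push(h, item{t.To, nd})
			}
		}
	}
	return Tunnel{}, math.Inf(1), errors.New("no secure tunnel reaches " + target)
}

// samplePool is a constructed pool: two assumed relay hops (10.0.0.1 and
// 10.0.0.2) between the client and two intranet endpoints.
func samplePool() []Tunnel {
	return []Tunnel{
		{"tun-a", "172.16.10.4", "10.0.0.1", 5},
		{"tun-b", "172.16.10.4", "10.0.0.2", 2},
		{"tun-c", "10.0.0.1", "172.16.10.5:2222", 1},
		{"tun-d", "10.0.0.2", "172.16.10.5:2222", 9},
		{"tun-e", "10.0.0.2", "172.16.10.5:8080", 1},
	}
}

func main() {
	target, _ := IntranetAddress("172.16.10.5", 2222)
	tun, cost, err := SelectTunnel(samplePool(), "172.16.10.4", target)
	fmt.Println(tun.ID, cost, err) // tun-c 6 <nil>
}
```

Matching on the full "address:port" string is what keeps a request for port 2222 from being routed down the cheaper tunnel that only terminates at port 8080 on the same host; the cost metric decides only among tunnels that actually end at the requested endpoint.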
Step S105, sending the secure tunnel encrypted data to the browser client for viewing.
In this embodiment, an intranet access request sent by a browser client is received, the user identifier in it is determined and its authority is verified; in response to the verification passing, the intranet access request is sent to an intranet server cluster, which obtains the target data according to the request and returns it; the target data is received and a dynamic key is generated to dynamically encrypt it, yielding dynamically encrypted data; the access address and access port identifier corresponding to the intranet access request are determined, the corresponding secure tunnel is determined from them, and the dynamically encrypted data is encrypted in that secure tunnel to generate secure-tunnel encrypted data; and the secure-tunnel encrypted data is sent to the browser client for viewing. The method and system are thus built on a secure browser system: the server cluster set up on the intranet establishes a secure tunnel connection with the user client, and the intranet data obtained is protected by the multiple encryption of dynamic-key encryption and Secure Shell (ssh) encryption. This optimizes the network access path, makes access convenient, removes the need to switch between intranet and extranet when the user has frequent access needs on both, and achieves information security at the same time.
Fig. 2 is a main flow diagram of a network access method according to a second embodiment of the present application, and as shown in fig. 2, the network access method includes:
step S201, receiving an intranet access request sent by a browser client, determining a user identifier in the intranet access request, and further verifying the authority of the user identifier.
Step S202, in response to determining that the verification is passed, sending an intranet access request to the intranet server cluster, so that the intranet server cluster obtains target data according to the intranet access request and returns the target data.
Step S203, receiving the target data, generating a dynamic key to dynamically encrypt the target data, and further obtaining dynamic encrypted data.
The principle of step S201 to step S203 is similar to that of step S101 to step S103, and will not be described here again.
Specifically, step S203 may also be implemented by steps S2031 to S2033:
Step S2031, dividing the target data to generate data blocks.
Step S2032, determining the number of data blocks, and then randomly generating different dynamic keys according to the number of divided data blocks. That is, the number of dynamic keys generated may be the same as the number of divided data blocks. Of course, the number of generated dynamic keys may be greater than the number of divided data blocks, so long as it is ensured that the dynamic keys when encrypting each data block are different.
Step S2033, encrypting the data blocks with different dynamic keys, respectively.
The dynamic key at the time of encrypting each data block is unique and different.
Specifically, encrypting the data blocks with different dynamic keys respectively includes:
for each data block, the corresponding dynamic key is determined from the different dynamic keys, and in particular, the selection of the corresponding dynamic key for each data block may be random.
The corresponding data block is encrypted using the corresponding dynamic key.
In this embodiment, the data blocks obtained by dividing the target data are encrypted with dynamic keys, each block under a different dynamic key, so that an attacker who intercepts part of the communication stream together with the corresponding key cannot endanger the security of all other communication data.
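Steps S2031 to S2033 above, together with the description of the dynamic key at step S103, as an added Go example that is not the patent's own code: the target data is split into fixed-size blocks, one fresh random key is drawn per block, and each block is sealed under its own key. The 64-byte block size, the AES-256-GCM cipher, the per-block nonce and the binding of the block index as associated data are assumptions; the patent specifies neither a block size nor a cipher. The receiving side is included so that the property claimed at step S103 can be checked directly: a wrong key, or a block moved to another position, fails authentication for that block only, and the error names which one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed parameters (not from the patent): 64-byte data blocks, AES-256
// keys, AES-GCM for authenticated encryption of each block.
const (
	blockSize = 64
	keySize   = 32
)

// EncryptedBlock is one sealed data block with its nonce. The keys travel
// separately, so a captured block plus its key exposes that block only.
type EncryptedBlock struct {
	Nonce, Ciphertext []byte
}

// splitBlocks divides the target data into blockSize chunks (step S2031).
func splitBlocks(data []byte) [][]byte {
	var blocks [][]byte
	for len(data) > 0 {
		n := blockSize
		if len(data) < n {
			n = len(data)
		}
		blocks = append(blocks, data[:n])
		data = data[n:]
	}
	return blocks
}

// genKeys draws count independent random keys (step S2032), one per block.
func genKeys(count int) ([][]byte, error) {
	keys := make([][]byte, count)
	for i := range keys {
		keys[i] = make([]byte, keySize)
		if _, err := io.ReadFull(rand.Reader, keys[i]); err != nil {
			return nil, err
		}
	}
	return keys, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// blockAD binds the block index into the authentication tag so that sealed
// blocks cannot be reordered without detection.
func blockAD(i int) []byte { return []byte(fmt.Sprintf("block:%d", i)) }

// DynamicEncrypt performs S2031-S2033: split, generate keys, seal each block
// under its own key (step S2033). Returns the sealed blocks and their keys.
func DynamicEncrypt(data []byte) ([]EncryptedBlock, [][]byte, error) {
	blocks := splitBlocks(data)
	keys, err := genKeys(len(blocks))
	if err != nil {
		return nil, nil, err
	}
	out := make([]EncryptedBlock, len(blocks))
	for i, b := range blocks {
		gcm, err := gcmFor(keys[i])
		if err != nil {
			return nil, nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, nil, err
		}
		out[i] = EncryptedBlock{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, b, blockAD(i))}
	}
	return out, keys, nil
}

// DynamicDecrypt is the receiving side. A wrong key or a reordered block
// fails authentication for that block only; the error names the block.
func DynamicDecrypt(blocks []EncryptedBlock, keys [][]byte) ([]byte, error) {
	if len(blocks) != len(keys) {
		return nil, errors.New("key count does not match block count")
	}
	var buf bytes.Buffer
	for i, eb := range blocks {
		gcm, err := gcmFor(keys[i])
		if err != nil {
			return nil, err
		}
		pt, err := gcm.Open(nil, eb.Nonce, eb.Ciphertext, blockAD(i))
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		buf.Write(pt)
	}
	return buf.Bytes(), nil
}
```

The per-block keys still have to reach the browser client somehow; in the patent's architecture that delivery rides inside the ssh tunnel, which is why the two layers are described as multiple encryption rather than as alternatives. Generating more keys than blocks, as the text allows, changes nothing here as long as the key used for each block is unique.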
Step S204, determining an access address and an access port identifier corresponding to the intranet access request, and further determining a corresponding secure tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data by the secure tunnel and generate secure tunnel encrypted data.
In step S205, the secure tunnel encrypted data is sent to the browser client for viewing.
The principle of step S204 to step S205 is similar to that of step S104 to step S105, and will not be described here again.
Fig. 3 is an application scenario diagram of a network access method according to a third embodiment of the present application. The network access method of the embodiment can be applied to scenes with frequent access requirements of the internal and external networks. As shown in fig. 3, the overall architecture of the present application includes a browser client 301, a secure tunnel encryption system 302, and an intranet server cluster 303 (including server 1, servers 2, …, server n). The browser client 301 is a web browser used by a user, and achieves the purpose of safe web browsing by establishing an ssh channel with an intranet server cluster. The intranet server cluster 303 is a group of intranet servers, can access intranet resources, and ensures the security of channel information through ssh secure tunnels and dynamic key encryption. The network segments do not need to be frequently switched by the user, and the information security is ensured. According to the embodiment of the application, the server cluster is set through the intranet by the aid of the safety browser system, the safety tunnel connection is established with the user client, the network access path is optimized, convenience is brought, and meanwhile the purpose of information safety is achieved.
When a user browsing the external network with the browser client wants to access information in the internal network, an ssh secure channel is first established with the intranet server cluster 303 through the secure tunnel encryption system 302. The secure tunnel encryption system 302 obtains the login information of the server through which the intranet is accessed (which may be the address of a server that can reach the intranet) by means of an optimal path algorithm, establishes a secure tunnel with the intranet server cluster 303 on that basis, and keeps the path of the secure tunnel secure through dynamic key verification, so that the user can access the intranet and the extranet simultaneously with one browser client. The data obtained from the intranet is doubly encrypted, by dynamic key encryption and by ssh encryption, when it is transmitted back, which improves the user experience while preventing packet capture on the network and ensuring secure transmission of the information.
Specifically, in fig. 3, arrow c represents the primary function of the secure tunnel encryption system 302: for example, enterprise employees may be allowed to access intranet data directly through the browser client by means of ssh tunnel encryption and a series of security measures. Arrow d represents that the user can access the lightweight WEB applications through the browser client. The lightweight WEB applications B are WEB applications integrated into the browser client 301, such as WEB-IDE, a cloud disk, and office-online, so that the user can conveniently call these applications to write code, store files, and edit Office documents. Arrow f indicates that the user can also access the data of the intranet server cluster through the lightweight WEB applications. Arrow e indicates that the user can access the office network forum A through the browser client 301 and query office information there; the office network forum A can be accessed only when connected to the work network.
Specifically, the secure tunnel encryption system 302 includes hardware (which may be a processor 3021) and a secure gateway 3022, where the secure gateway 3022 is a combination of software and hardware that adopts the following policies to ensure the security of data transmission: user login management 3023, tunnel management ssh encryption 3024, policy management 3025, and ssh encryption 3026. User login management 3023 may authenticate a user accessing the intranet and open intranet access only after the authentication has passed. Tunnel management ssh encryption 3024 may establish a secure tunnel with the intranet server cluster through an optimal path algorithm. Policy management 3025 may encrypt intranet access data with a dual encryption policy (dynamic key encryption and ssh encryption) to ensure the security of data transmission. Dynamic key encryption means that, during communication, the data stream is divided into data blocks and each data block is encrypted with a different key, so that an attacker who intercepts part of the communication data stream and the corresponding key cannot endanger the security of the rest of the communication. ssh encryption 3026 may compress and encrypt the transmitted data to improve the security of the data transmission. Because the secure tunnel is encrypted through ssh, packet capture on the network cannot leak key information. Specifically, the arrows a and b marked with an x indicate that access is denied, i.e., the user cannot access the intranet server cluster 303 directly from the browser client 301 without going through the secure tunnel encryption system 302.
Fig. 4 is a schematic diagram of main modules of a network access device according to an embodiment of the present application. As shown in fig. 4, the network access device includes a receiving unit 401, an access request transmitting unit 402, a dynamic encryption unit 403, a secure tunnel encryption unit 404, and an encrypted data transmitting unit 405.
The receiving unit 401 is configured to receive the intranet access request sent by the browser client, determine the user identifier in the intranet access request, and further verify the authority of the user identifier.
The access request sending unit 402 is configured to send an intranet access request to the intranet server cluster in response to determining that the verification is passed, so that the intranet server cluster obtains the target data according to the intranet access request and returns.
The dynamic encryption unit 403 is configured to receive the target data, generate a dynamic key, and dynamically encrypt the target data, thereby obtaining dynamic encrypted data.
The secure tunnel encryption unit 404 is configured to determine an access address and an access port identifier corresponding to the intranet access request, and further determine a corresponding secure tunnel based on the access address and the access port identifier, so as to perform secure tunnel encryption on the dynamic encrypted data, and generate secure tunnel encrypted data.
The encrypted data transmitting unit 405 is configured to transmit the secure tunnel encrypted data to the browser client for viewing.
In some embodiments, the network access device further comprises an intranet access request generating unit, not shown in fig. 4, configured to: receiving a search keyword sent by a browser client; and generating an intranet access request based on the search keyword in response to determining that the search keyword is matched with one intranet keyword in a preset intranet keyword set.
In some embodiments, dynamic encryption unit 403 is further configured to: dividing target data to generate a data block; determining the number of the data blocks, and then randomly generating different dynamic secret keys according to the number; the data blocks are encrypted with different dynamic keys, respectively.
In some embodiments, dynamic encryption unit 403 is further configured to: for each data block, determining a corresponding dynamic key from different dynamic keys; the corresponding data block is encrypted using the corresponding dynamic key.
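The following is an added example, not code from the patent, of the dynamic encryption unit's steps as described above and in the first embodiment: split the target data into blocks, generate one random key per block, encrypt each block under its own key, and check that leaking one block's key exposes only that block. The block size, the HMAC-SHA256 counter-mode stream cipher with a separate integrity tag, and the sample payload are assumptions; the patent names no cipher or block size.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import List, Set

BLOCK_SIZE = 64  # assumed block size in bytes; the patent fixes no size


@dataclass
class EncryptedBlock:
    index: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Divide the target data into consecutive blocks (the last one may be short)."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def generate_dynamic_keys(count: int) -> List[bytes]:
    """One independent 256-bit key per block, drawn from the OS CSPRNG."""
    return [secrets.token_bytes(32) for _ in range(count)]


def _subkeys(key: bytes):
    # Separate confidentiality and integrity keys derived from the block key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as an illustrative stream cipher (assumption).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_block(index: int, key: bytes, block: bytes) -> EncryptedBlock:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(block, _keystream(enc_key, nonce, len(block))))
    # The tag binds the block index so blocks cannot be reordered or swapped in transit.
    tag = hmac.new(mac_key, struct.pack(">I", index) + nonce + ciphertext, hashlib.sha256).digest()
    return EncryptedBlock(index, nonce, ciphertext, tag)


def decrypt_block(key: bytes, eb: EncryptedBlock) -> bytes:
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, struct.pack(">I", eb.index) + eb.nonce + eb.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, eb.tag):
        raise ValueError(f"block {eb.index}: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(eb.ciphertext, _keystream(enc_key, eb.nonce, len(eb.ciphertext))))


def dynamic_encrypt(data: bytes):
    """Split, count the blocks, generate that many keys, encrypt each block with its own key."""
    blocks = split_blocks(data)
    keys = generate_dynamic_keys(len(blocks))
    encrypted = [encrypt_block(i, keys[i], blocks[i]) for i in range(len(blocks))]
    return encrypted, keys


def dynamic_decrypt(encrypted: List[EncryptedBlock], keys: List[bytes]) -> bytes:
    return b"".join(decrypt_block(k, eb) for k, eb in zip(keys, encrypted))


def compromise_scope(encrypted: List[EncryptedBlock], leaked_keys: List[bytes]) -> Set[int]:
    """Block indices that become readable if the given keys leak (checks the per-block isolation claim)."""
    readable = set()
    for eb in encrypted:
        for k in leaked_keys:
            try:
                decrypt_block(k, eb)
                readable.add(eb.index)
            except ValueError:
                continue
    return readable


if __name__ == "__main__":
    sample = b"constructed intranet response payload " * 5  # constructed sample target data
    enc, ks = dynamic_encrypt(sample)
    assert dynamic_decrypt(enc, ks) == sample
    print(f"{len(enc)} blocks; leaking the key of block 1 exposes blocks {compromise_scope(enc, [ks[1]])}")
```

The per-block keys must still reach the browser client confidentially; in the patent's design that is the job of the ssh secure tunnel, and the isolation property holds only as long as the key transport does not itself leak all keys at once.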
In some embodiments, the secure tunnel encryption unit 404 is further configured to: generating an intranet access address according to the access address and the access port identification; and determining a browser client service address, calling an optimal path algorithm, and determining a corresponding secure tunnel according to the browser client service address and the intranet access address.
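As an added example (not the patent's own code), the tunnel selection step above and claim 1's "secure tunnel pool established in advance" can be modelled as follows: the intranet access address is built from the access address and the port identifier, the pool is keyed by the pair (browser client service address, intranet access address), and the request is refused when no pre-established tunnel exists, which is the fail-closed behaviour implied by the denied direct-access arrows a and b in fig. 3. The patent does not define its optimal path algorithm, so the lowest `path_cost` tunnel is an assumed stand-in, and the addresses and costs are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hostname syntax check (letters, digits, hyphens, dot-separated labels); an assumption,
# since the patent does not say whether the access address is an IP or a name.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


@dataclass(frozen=True)
class SecureTunnel:
    client_service_address: str   # browser client service address (one tunnel end)
    intranet_access_address: str  # "host:port" of the intranet server (other end)
    tunnel_id: str
    path_cost: int                # assumed metric consulted by the optimal path algorithm


class TunnelNotEstablished(Exception):
    """Raised when no pre-established tunnel covers the requested endpoints."""


def build_intranet_access_address(access_address: str, access_port: int) -> str:
    """Combine the access address and the access port identifier into the intranet access address."""
    if not 1 <= access_port <= 65535:
        raise ValueError(f"invalid port identifier: {access_port}")
    try:
        ip = ipaddress.ip_address(access_address)
        host = f"[{ip}]" if ip.version == 6 else str(ip)
    except ValueError:
        if not HOSTNAME_RE.match(access_address):
            raise ValueError(f"invalid access address: {access_address!r}")
        host = access_address
    return f"{host}:{access_port}"


class SecureTunnelPool:
    """Tunnels established in advance between browser clients and the intranet server cluster."""

    def __init__(self) -> None:
        self._tunnels: Dict[Tuple[str, str], List[SecureTunnel]] = {}

    def register(self, tunnel: SecureTunnel) -> None:
        key = (tunnel.client_service_address, tunnel.intranet_access_address)
        self._tunnels.setdefault(key, []).append(tunnel)

    def has_tunnel(self, client_service_address: str, access_address: str, access_port: int) -> bool:
        key = (client_service_address, build_intranet_access_address(access_address, access_port))
        return bool(self._tunnels.get(key))

    def select(self, client_service_address: str, access_address: str, access_port: int) -> SecureTunnel:
        """Stand-in for the optimal path algorithm: the lowest-cost tunnel between the two endpoints."""
        intranet = build_intranet_access_address(access_address, access_port)
        candidates = self._tunnels.get((client_service_address, intranet), [])
        if not candidates:
            # Fail closed: with no tunnel the request is refused, never forwarded directly.
            raise TunnelNotEstablished(f"no tunnel {client_service_address} -> {intranet}")
        return min(candidates, key=lambda t: t.path_cost)


if __name__ == "__main__":
    pool = SecureTunnelPool()  # constructed pool with two tunnels to the same intranet endpoint
    pool.register(SecureTunnel("10.1.0.5", "192.168.10.20:8443", "tunnel-a", path_cost=30))
    pool.register(SecureTunnel("10.1.0.5", "192.168.10.20:8443", "tunnel-b", path_cost=10))
    print(pool.select("10.1.0.5", "192.168.10.20", 8443).tunnel_id)
```

Validating the address and port before the lookup matters because the pair is used as a dictionary key: an unvalidated string such as a host with an embedded port or a bracketed IPv6 literal written two different ways would silently miss the pool and be refused, or worse, match a tunnel intended for a different endpoint.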
In some embodiments, the intranet access request generation unit is further configured to: and receiving the search keywords sent from the integrated web application of the browser client.
In some embodiments, the receiving unit 401 is further configured to: sending a first verification code to a user corresponding to the user identifier; receiving a second verification code returned by the browser client; in response to determining that the first verification code is the same as the second verification code, verification is determined to pass.
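The verification-code check above is stated only as "the first verification code is the same as the second verification code". The following added example, which is not the patent's code, implements that check the way a practitioner would deploy it: the issued code is stored only as a salted hash, compared in constant time, and is single use; the five-minute validity window, the attempt cap and the six-digit code length are assumptions the patent does not make.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 300  # assumed validity window; the patent sets none
MAX_ATTEMPTS = 5        # assumed cap on second-code submissions per issued code
CODE_DIGITS = 6         # assumed code length


@dataclass
class PendingCode:
    digest: bytes      # salted hash of the first verification code, never the code itself
    salt: bytes
    issued_at: float
    attempts: int = 0


class VerificationCodeService:
    """Issues the first verification code and checks the second code returned by the browser client."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry is testable
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hmac.new(salt, code.encode("ascii"), hashlib.sha256).digest()

    def send_first_code(self, user_id: str) -> str:
        """Generate the first verification code for user_id; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingCode(self._digest(code, salt), salt, self._now())
        return code

    def verify(self, user_id: str, second_code: str) -> bool:
        """True only if second_code matches the code issued to user_id within the TTL and attempt cap."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]  # too many guesses: the issued code is invalidated
            return False
        matched = hmac.compare_digest(self._digest(second_code, pending.salt), pending.digest)
        if matched:
            del self._pending[user_id]  # single use: a replayed code is rejected
        return matched


if __name__ == "__main__":
    svc = VerificationCodeService()
    issued = svc.send_first_code("user-123")  # constructed user identifier
    print("first attempt:", svc.verify("user-123", issued), "replay:", svc.verify("user-123", issued))
```

Comparing with `hmac.compare_digest` rather than `==` keeps the check's timing independent of how many leading digits matched, and storing only a salted hash means a read of the pending-code table does not reveal codes still in flight.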
In the present application, the network access method and the network access device have a corresponding relationship in terms of implementation content, and therefore, the description of the repeated content is not repeated.
Fig. 5 illustrates an exemplary system architecture 500 in which the network access method or network access device of embodiments of the present application may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505. The network 504 is used as a medium to provide communication links between the terminal devices 501, 502, 503 and the server 505. The network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 505 via the network 504 using the terminal devices 501, 502, 503 to receive or send messages or the like. Various communication browser client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox browser clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 501, 502, 503.
The terminal devices 501, 502, 503 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server (by way of example only) that provides support for intranet access requests submitted by users using the terminal devices 501, 502, 503. The background management server can receive an intranet access request sent by the browser client, determine the user identifier in the intranet access request and verify the authority of the user identifier; in response to the verification passing, send the intranet access request to an intranet server cluster, so that the intranet server cluster obtains target data according to the intranet access request and returns the target data; receive the target data and generate a dynamic key to dynamically encrypt the target data, thereby obtaining dynamic encrypted data; determine an access address and an access port identifier corresponding to the intranet access request, and further determine a corresponding secure tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data in the secure tunnel and generate secure tunnel encrypted data; and send the secure tunnel encrypted data to the browser client for viewing. Therefore, based on a secure browser system, the method and the system establish a secure tunnel connection between the user client and a server cluster deployed in the intranet and apply multiple encryption, dynamic key encryption together with Secure Shell (ssh) encryption, to the acquired intranet data, which optimizes the network access path, makes access convenient, avoids frequent switching between the intranet and the extranet when the user has frequent intranet and extranet access requirements, and achieves the purpose of information security.
It should be noted that, the network access method provided in the embodiments of the present application is generally executed by the server 505, and accordingly, the network access device is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, a schematic diagram of a computer system 600 suitable for use in implementing the terminal device of an embodiment of the present application is shown. The terminal device shown in fig. 6 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiments of the present application.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the computer system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments disclosed herein include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the present application are performed when the computer program is executed by a Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented by software, or may be implemented by hardware. The described units may also be provided in a processor, for example, described as: a processor includes a receiving unit, an access request transmitting unit, a dynamic encryption unit, a secure tunnel encryption unit, and an encrypted data transmitting unit. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
As another aspect, the present application also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more programs, and when the one or more programs are executed by the device, the device receives an intranet access request sent by a browser client, determines a user identifier in the intranet access request, and further verifies the authority of the user identifier; responding to the verification passing, sending an intranet access request to an intranet server cluster, so that the intranet server cluster obtains target data according to the intranet access request and returns the target data; receiving target data, generating a dynamic key to dynamically encrypt the target data, and further obtaining dynamic encrypted data; determining an access address and an access port identifier corresponding to the intranet access request, and further determining a corresponding secure tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data in the secure tunnel and generate secure tunnel encrypted data; and sending the secure tunnel encrypted data to the browser client for viewing.
According to the technical scheme of the embodiments of the present application, based on a secure browser system, a secure tunnel connection is established between the user client and a server cluster deployed in the intranet, and the acquired intranet data is protected by multiple encryption, dynamic key encryption together with Secure Shell protocol (ssh) encryption, so that the network access path is optimized and convenient, the intranet and the extranet do not need to be switched frequently when a user has frequent intranet and extranet access requirements, and at the same time information security is achieved.
The above embodiments do not limit the scope of the application. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application are intended to be included within the scope of the present application.
Claims (11)
1. A network access method, comprising:
receiving an intranet access request sent by a browser client, determining a user identifier in the intranet access request, and further verifying the authority of the user identifier, wherein the method comprises the following steps: sending a first verification code to a user corresponding to the user identifier; receiving a second verification code returned by the browser client; in response to determining that the first verification code is the same as the second verification code, determining that verification passes;
responding to the verification passing, and sending the intranet access request to an intranet server cluster so that the intranet server cluster obtains target data according to the intranet access request and returns the target data;
receiving the target data, generating a dynamic key to dynamically encrypt the target data, and further obtaining dynamic encrypted data;
determining an access address and an access port identifier corresponding to the intranet access request, and further determining a corresponding secure tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data to generate secure tunnel encrypted data;
sending the secure tunnel encrypted data to a browser client for viewing;
the method comprises the steps of determining a secure tunnel from a secure tunnel pool between each browser client and an intranet server cluster, wherein the secure tunnel is established in advance.
2. The method of claim 1, wherein prior to said receiving the intranet access request sent by the browser client, the method further comprises:
receiving a search keyword sent by a browser client;
and generating an intranet access request based on the search keyword in response to determining that the search keyword is matched with one intranet keyword in a preset intranet keyword set.
3. The method of claim 1, wherein the generating a dynamic key to dynamically encrypt the target data comprises:
dividing the target data to generate a data block;
determining the number of the data blocks, and then randomly generating different dynamic secret keys according to the number;
the data blocks are encrypted with different dynamic keys, respectively.
4. A method according to claim 3, wherein said encrypting said data blocks with different dynamic keys, respectively, comprises:
for each data block, determining a corresponding dynamic key from different dynamic keys;
and encrypting the corresponding data block by using the corresponding dynamic key.
5. The method of claim 1, wherein the determining a corresponding secure tunnel based on the access address and the access port identification comprises:
generating an intranet access address according to the access address and the access port identifier;
and determining a browser client service address, calling an optimal path algorithm, and determining a corresponding security tunnel according to the browser client service address and the intranet access address.
6. The method of claim 2, wherein the receiving the search keyword sent by the browser client comprises:
and receiving the search keywords sent from the integrated web application of the browser client.
7. A network access device, comprising:
the receiving unit is configured to receive an intranet access request sent by a browser client, determine a user identifier in the intranet access request, and further verify the authority of the user identifier, and comprises: sending a first verification code to a user corresponding to the user identifier; receiving a second verification code returned by the browser client; in response to determining that the first verification code is the same as the second verification code, determining that verification passes;
the access request sending unit is configured to send the intranet access request to an intranet server cluster in response to the fact that verification is confirmed to be passed, so that the intranet server cluster obtains target data according to the intranet access request and returns the target data;
the dynamic encryption unit is configured to receive the target data, generate a dynamic key and dynamically encrypt the target data so as to obtain dynamic encrypted data;
the security tunnel encryption unit is configured to determine an access address and an access port identifier corresponding to the intranet access request, and further determine a corresponding security tunnel based on the access address and the access port identifier so as to encrypt the dynamic encrypted data and generate security tunnel encrypted data; determining a security tunnel from a security tunnel pool between each pre-established browser client and an intranet server cluster;
and the encrypted data sending unit is configured to send the secure tunnel encrypted data to the browser client for viewing.
8. The apparatus of claim 7, further comprising an intranet access request generation unit configured to:
receiving a search keyword sent by a browser client;
and generating an intranet access request based on the search keyword in response to determining that the search keyword is matched with one intranet keyword in a preset intranet keyword set.
9. The apparatus of claim 7, wherein the dynamic encryption unit is further configured to:
dividing the target data to generate a data block;
determining the number of the data blocks, and then randomly generating different dynamic secret keys according to the number;
the data blocks are encrypted with different dynamic keys, respectively.
10. A network access electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
when executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-6.
11. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110736763.2A CN113347206B (en) | 2021-06-30 | 2021-06-30 | Network access method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110736763.2A CN113347206B (en) | 2021-06-30 | 2021-06-30 | Network access method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113347206A CN113347206A (en) | 2021-09-03 |
| CN113347206B true CN113347206B (en) | 2023-05-09 |
Family
ID=77481901
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110736763.2A Active CN113347206B (en) | 2021-06-30 | 2021-06-30 | Network access method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113347206B (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113973006B (en) * | 2021-09-18 | 2024-07-16 | 重庆云华科技有限公司 | Intranet data access management method and system |
| CN114143031B (en) * | 2021-11-01 | 2023-07-07 | 北京银盾泰安网络科技有限公司 | Remote encryption platform based on Web and SSH |
| CN114244598B (en) * | 2021-12-14 | 2024-01-19 | 浙江太美医疗科技股份有限公司 | Intranet data access control method, device, equipment and storage medium |
| CN114338204B (en) * | 2021-12-30 | 2024-05-03 | 中国电信股份有限公司 | Method for login verification of public network communication platform in intranet, electronic equipment and medium |
| CN114629678B (en) * | 2021-12-31 | 2023-09-19 | 绿盟科技集团股份有限公司 | TLS-based intranet penetration method and device |
| CN114640672B (en) * | 2022-02-11 | 2025-02-11 | 网宿科技股份有限公司 | A method, device and system for remotely accessing edge devices |
| CN115314242B (en) * | 2022-06-24 | 2024-06-21 | 贵州省气象信息中心(贵州省气象档案馆、贵州省气象职工教育培训中心) | Network data security encryption method and device |
| CN115225343A (en) * | 2022-06-27 | 2022-10-21 | 北京三快在线科技有限公司 | Method, device, system, equipment and storage medium for encryption and decryption processing |
| CN115001854B (en) * | 2022-07-18 | 2022-11-22 | 江苏艾盾网络科技有限公司 | Big data-based tracing-prevention server cluster management and control system and method |
| CN115348090A (en) * | 2022-08-16 | 2022-11-15 | 中国联合网络通信集团有限公司 | Interaction method, device and electronic equipment for intranet and extranet of enterprise |
| CN115758300B (en) * | 2022-11-28 | 2023-08-01 | 北京淘友天下技术有限公司 | Data processing method, device, electronic equipment and storage medium |
| CN117240618B (en) * | 2023-11-13 | 2024-03-01 | 中国联合网络通信集团有限公司 | Home cloud box access methods, devices, equipment and storage media |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107733747A (en) * | 2017-07-28 | 2018-02-23 | 国网江西省电力公司上饶供电分公司 | Towards the common communication access system of multiple service supporting |
| CN110166432A (en) * | 2019-04-17 | 2019-08-23 | 平安科技(深圳)有限公司 | The access method of internal net destination service provides the method for Intranet destination service |
| CN111800402A (en) * | 2020-06-28 | 2020-10-20 | 格尔软件股份有限公司 | Method for realizing full link encryption proxy by using event certificate |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9270449B1 (en) * | 2014-01-17 | 2016-02-23 | Amazon Technologies, Inc. | Secured communication in network environments |
| CN109726567B (en) * | 2018-11-27 | 2023-08-01 | 南京邮电大学 | A Moving Target Encryption Method Based on Fully Homomorphic Encryption |
| CN110266715B (en) * | 2019-06-28 | 2023-03-24 | 深圳前海微众银行股份有限公司 | Remote access method, device, equipment and computer readable storage medium |
| CN110430179A (en) * | 2019-07-26 | 2019-11-08 | 西安交通大学 | A kind of control method and system for intranet and extranet secure access |
| CN112291279B (en) * | 2020-12-31 | 2021-04-06 | 南京敏宇数行信息技术有限公司 | Router intranet access method, system and equipment and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |