
CN114301639B - Connection establishment method and device - Google Patents


Info

Publication number
CN114301639B
Authority
CN
China
Prior art keywords
sdp
user
authentication
connection
information
Legal status
Active
Application number
CN202111521828.8A
Other languages
Chinese (zh)
Other versions
CN114301639A (en)
Inventor
何辉海
赵旭东
秦德楼
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202111521828.8A; published as CN114301639A; granted and published as CN114301639B; legal status: Active.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The specification provides a connection establishment method, a connection establishment device and an access authentication system. The user client sends user information to an SDP controller, and the SDP controller performs SDP authentication of the target user based on that user information; after authentication passes, the connection information of the service proxy device is sent to the user client, which establishes a connection with the service proxy device based on that connection information. When the user client accesses an access-isolated user service through the service proxy device, the connection information of the service proxy device is obtained only after SDP authentication controlled by the SDP controller, so that this connection information is no longer directly exposed to the user client and the risk of the service proxy device being attacked is reduced.

Description

Connection establishment method and device
Technical Field
Embodiments of the present application relate to the field of communications, and more particularly to a connection establishment method and device.
Background
Conventional networks are typically protected by devices such as IPSs and firewalls; when access-isolated services deployed inside the network need to be reached from outside, this is typically implemented by deploying VPN devices. Deployed VPN devices, however, may be exposed to the risk of being attacked.
Disclosure of Invention
In a first aspect of the embodiments of the present application, a connection establishment method is provided, which is applied to a user client in an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller and at least one service proxy device, and the SDP controller is used to control the establishment of a connection between the user client and the service proxy device; the method comprises the following steps:
in response to a connection establishment operation initiated by a target user, acquiring user information of the target user;
sending the user information to the SDP controller, so that the SDP controller performs SDP authentication of the target user based on the user information;
and acquiring the connection information of the service proxy device, which the SDP controller sends after the target user passes SDP authentication, and establishing a connection with the service proxy device based on that connection information, so as to further access the user service over the established connection.
In a second aspect of the embodiments of the present application, a connection establishment method is provided, which is applied to an SDP controller of an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller and at least one service proxy device, and the SDP controller is used to control the establishment of a connection between the user client and the service proxy device; the method comprises the following steps:
receiving user information sent by a user client, and performing SDP authentication of the target user based on the user information;
and after the target user passes SDP authentication, sending the connection information of the service proxy device to the user client, so that the user client establishes a connection with the service proxy device.
In a third aspect of the embodiments of the present application, a connection establishment apparatus is provided, which is applied to a user client in an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller and at least one service proxy device, and the SDP controller is used to control the establishment of a connection between the user client and the service proxy device; the apparatus comprises:
an acquisition module, configured to acquire user information of a target user in response to a connection establishment operation initiated by the target user;
a first sending module, configured to send the user information to the SDP controller, so that the SDP controller performs SDP authentication of the target user based on the user information;
and a connection module, configured to acquire the connection information of the service proxy device, which the SDP controller sends after the target user passes SDP authentication, and to establish a connection with the service proxy device based on that connection information, so as to further access the user service over the established connection.
In a fourth aspect of the embodiments of the present application, a connection establishment apparatus is provided, which is applied to an SDP controller of an SDP access authentication system, where the SDP access authentication system includes at least one user client, at least one SDP controller and at least one service proxy device, and the SDP controller is used to control the establishment of a connection between the user client and the service proxy device; the apparatus comprises:
an authentication module, configured to receive user information sent by a user client and to perform SDP authentication of the target user based on the user information;
and a second sending module, configured to send the connection information of the service proxy device to the user client after the target user passes SDP authentication, so that the user client establishes a connection with the service proxy device.
In a fifth aspect of the embodiments of the present application, an SDP access authentication system is provided, comprising at least one user client, at least one SDP controller and at least one service proxy device, where the SDP controller is used to control the establishment of a connection between the user client and the service proxy device; in the system:
the user client acquires user information of a target user in response to a connection establishment operation initiated by the target user;
the user client sends the user information to the SDP controller;
the SDP controller receives the user information sent by the user client and performs SDP authentication of the target user based on the user information;
after the target user passes SDP authentication, the SDP controller sends the connection information of the service proxy device to the user client;
and the user client acquires the connection information of the service proxy device sent by the SDP controller after the target user passes SDP authentication, and establishes a connection with the service proxy device based on that connection information, so as to further access the user service over the established connection.
The above embodiments of the present application provide at least the following advantageous effect:
when the user client accesses an access-isolated user service through the service proxy device, the connection information of the service proxy device is obtained only after SDP authentication controlled by the SDP controller, so that this connection information is no longer directly exposed to the user client and the risk of the service proxy device being attacked is reduced.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present application will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present application are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which:
Fig. 1 schematically shows an access authentication system of a service proxy device according to an embodiment of the present application.
Fig. 2 schematically illustrates a login page provided by a service proxy device according to an embodiment of the present application.
Fig. 3 schematically illustrates an access authentication system provided by another service proxy device according to an embodiment of the present application.
Fig. 4 schematically shows a login page provided by an SDP controller according to an embodiment of the present application.
Fig. 5 schematically shows a flow chart of a method of establishing a connection according to an embodiment of the present application.
Fig. 6 schematically shows a flow chart of another method of establishing a connection according to an embodiment of the present application.
Fig. 7 schematically shows a block diagram of a connection establishment apparatus according to an embodiment of the present application.
Fig. 8 schematically shows a block diagram of another connection establishment apparatus according to an embodiment of the present application.
Detailed Description
The principles of the present application will be described below with reference to several exemplary embodiments. It should be understood that these embodiments are presented merely to enable one skilled in the art to better understand and practice the present application and are not intended to limit the scope of the present application in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the present application may be implemented as a system, apparatus, device, method, or computer program product. Thus, the present application may be embodied in the form of: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
Application scenario overview
Referring to Fig. 1, Fig. 1 is a schematic diagram of an access authentication system of a service proxy device shown in the present specification. As shown in Fig. 1, the access authentication system may include a user client and a service proxy device. The user client establishes a connection with the service proxy device and, over that connection, accesses the access-isolated user service located inside the network.
For example, the service proxy device may specifically be a VPN device, through which the user client accesses a user service that is located inside the network and isolated from direct access.
When a user establishes a connection with the service proxy device through the client, the user logs in on a login page provided by the service proxy device; referring to Fig. 2, Fig. 2 is a login page provided by a service proxy device shown in the present specification. The page shows the server address of the service proxy device and fields for the user's account and password. The user enters the server address of the service proxy device through the user client, then enters the user account and password to log in; the service proxy device authenticates the account and password, and after successful authentication establishes a connection with the user client. In this process, because the service proxy device cannot hide its own server address, a TCP connection port has to be exposed on the network, where it is vulnerable to hacking.
Summary of The Invention
Referring to Fig. 3, Fig. 3 is a schematic diagram of an access authentication system provided by another service proxy device shown in the present specification. As shown in Fig. 3, the access authentication system may include an SDP controller in addition to the user client and the service proxy device.
In this access authentication system, the connection information of the service proxy device need not be directly exposed to the user client. When a user establishes a connection with the service proxy device through the client, the user logs in on a login page provided by the SDP controller; referring to Fig. 4, Fig. 4 is a login page provided by the SDP controller shown in the present specification, and the page shows the server address of the SDP controller and fields for the user's account and password. The user enters the server address of the SDP controller through the user client, then enters the user account and password to log in, and the SDP controller authenticates the account and password. After successful authentication, the SDP controller sends the connection information of the service proxy device to the user client, and the user client establishes a connection with the service proxy device.
Accordingly, the present disclosure provides a technical scheme in which the user client first sends user information to an SDP controller, and only after the SDP controller's authentication passes does the user client establish a connection with the service proxy device.
In this SDP authentication method, the user client first sends user information to the SDP controller, and the SDP controller performs SDP authentication of the target user based on that user information; after authentication passes, the connection information of the service proxy device is sent to the user client, and the user client establishes a connection with the service proxy device based on that connection information. When the user client accesses an access-isolated user service through the service proxy device, the connection information of the service proxy device is obtained only after SDP authentication controlled by the SDP controller, so that this connection information is no longer directly exposed to the user client and the risk of the service proxy device being attacked is reduced.
Exemplary method
The following describes specific embodiments in detail with reference to specific application scenarios.
Referring to Fig. 5, Fig. 5 is a flowchart of a method for establishing a connection according to an exemplary embodiment. The method may be applied to the user client in the access authentication system shown in Fig. 3 and comprises the following implementation steps:
Step 501: in response to a connection establishment operation initiated by a target user, acquire user information of the target user.
When a target user initiates a connection establishment operation, the user client acquires the user information of the target user. The user information may include the user's account and password, to be authenticated by the SDP controller. The user client may obtain the user information through the login page provided by the SDP controller shown in Fig. 4, or through a configuration page of the client, a command line or another manner, which is not limited in this application.
In one embodiment, the user client may generate, based on the user information, a first SPA (single packet authentication) request message for the SDP controller to perform SDP authentication. The first SPA request message may include the user information obtained by the user client, that is, the user account and password; it may also contain information such as a hardware serial number, local IP address and network card MAC address. All of this information is encrypted to generate the first SPA request message. The encryption may use the AES algorithm or another algorithm, which is not limited in this application.
For example, in practical application, the content of the first SPA request message is: a 6-digit random number, client version number, authentication interaction type, client authentication request ID, second-resolution timestamp, user account, password, user intranet IPv4 address, verification code/dynamic password issuing mode, mobile phone/computer serial number, operating system information, hard disk information and computer name. The data format of the first SPA request message is: 6-digit random number + attribute 1 + attribute 2 + ... + attribute N, where the user account, password, user intranet IPv4 address and so on are each one attribute. The data format of an attribute is: 3-digit attribute ID + 3-digit attribute length + attribute value.
Referring to Table 1, Table 1 is an exemplary table of part of the attributes of the first SPA message.

Attribute ID | Meaning               | Encoding | Length    | Classification  | Attribute value
001          | User account          | UTF-8    | <001-255> | Basic attribute |
002          | Password              | UTF-8    | <001-255> | Basic attribute |
003          | Client version number | UTF-8    | <001-020> | Basic attribute |
004          | User intranet IPv4    | UTF-8    | <001-010> | Basic attribute |

TABLE 1
As shown in Table 1, the table of part of the attributes of the first SPA request message may include fields such as attribute ID, meaning, encoding, length, classification and description.
The attribute ID uniquely identifies the attribute. The meaning gives each attribute a name; in practical application, a user may choose a readily understandable name for each attribute based on its source. The encoding is the encoding of the attribute value, commonly UTF-8. The length is the length bound the user sets for each attribute. The classification marks whether the attribute is mandatory: basic attributes such as the user account and password are attributes the message must contain.
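The attribute layout above, as an encoder and a strict parser (an added example, not code from the patent). It assumes the "6-bit" random number and "3-bit" ID and length fields are decimal ASCII digits, as the values 001-004 and <001-255> in Table 1 suggest, that the length counts UTF-8 bytes, and that attributes not listed in Table 1 (hardware serial number and the like) are accepted without a table-specific bound; the AES encryption step is outside the example.

```python
import secrets
from typing import Dict, Optional

# Table 1 of the description: attribute ID -> (name, maximum value length).
# All four rows are classified as basic attributes, which the message must contain.
TABLE_1 = {
    "001": ("user_account", 255),
    "002": ("password", 255),
    "003": ("client_version", 20),
    "004": ("intranet_ipv4", 10),
}
NONCE_LEN = 6   # leading random number, read here as 6 decimal digits (assumption)
HEADER_LEN = 6  # 3-digit attribute ID + 3-digit attribute length


def encode_first_spa(attrs: Dict[str, str], nonce: Optional[str] = None) -> bytes:
    """Build the plaintext of a first SPA request: random number + attribute list.

    `attrs` maps a Table 1 attribute ID to its value. Encrypting the result is a
    separate step that this example does not show.
    """
    if nonce is None:
        nonce = f"{secrets.randbelow(10 ** NONCE_LEN):0{NONCE_LEN}d}"
    if len(nonce) != NONCE_LEN or not nonce.isdigit():
        raise ValueError("random number must be exactly 6 decimal digits")
    parts = [nonce.encode("ascii")]
    for attr_id, value in attrs.items():
        if attr_id not in TABLE_1:
            raise ValueError(f"attribute id {attr_id} is not in Table 1")
        max_len = TABLE_1[attr_id][1]
        raw = value.encode("utf-8")
        if not 1 <= len(raw) <= max_len:
            raise ValueError(f"attribute {attr_id}: length {len(raw)} outside <001-{max_len:03d}>")
        parts.append(attr_id.encode("ascii") + f"{len(raw):03d}".encode("ascii") + raw)
    return b"".join(parts)


def decode_first_spa(payload: bytes) -> dict:
    """Parse a decrypted first SPA request, refusing anything malformed.

    Checks: numeric 6-digit random number, six-digit attribute headers, declared
    length within the Table 1 bound for known IDs, no truncated values, no
    repeated attribute, valid UTF-8, and every basic attribute present.
    Returns {"nonce": str, "attrs": {attr_id: value}}.
    """
    if len(payload) < NONCE_LEN or not payload[:NONCE_LEN].isdigit():
        raise ValueError("missing or non-numeric 6-digit random number")
    attrs: Dict[str, str] = {}
    pos = NONCE_LEN
    while pos < len(payload):
        header = payload[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or not header.isdigit():
            raise ValueError(f"malformed attribute header at offset {pos}")
        attr_id, length = header[:3].decode("ascii"), int(header[3:])
        # IDs outside Table 1 (hardware serial number, MAC, ...) get only the 3-digit bound.
        max_len = TABLE_1[attr_id][1] if attr_id in TABLE_1 else 999
        if not 1 <= length <= max_len:
            raise ValueError(f"attribute {attr_id}: declared length {length} outside <001-{max_len:03d}>")
        value = payload[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(value) != length:
            raise ValueError(f"attribute {attr_id}: truncated (declared {length}, got {len(value)})")
        if attr_id in attrs:
            raise ValueError(f"attribute {attr_id} appears twice")
        try:
            attrs[attr_id] = value.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ValueError(f"attribute {attr_id}: value is not valid UTF-8") from exc
        pos += HEADER_LEN + length
    missing = [i for i in TABLE_1 if i not in attrs]
    if missing:
        raise ValueError(f"basic attributes missing: {missing}")
    return {"nonce": payload[:NONCE_LEN].decode("ascii"), "attrs": attrs}


if __name__ == "__main__":
    # Constructed sample values; account, password and address are placeholders.
    sample = {"001": "alice", "002": "s3cret!", "003": "1.0.3", "004": "10.0.0.5"}
    msg = encode_first_spa(sample, nonce="123456")
    print(msg)
    print(decode_first_spa(msg))
    try:
        decode_first_spa(msg[:-1])  # a truncated last attribute is refused
    except ValueError as err:
        print("rejected:", err)
```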
Step 502: send the user information to the SDP controller, so that the SDP controller performs SDP authentication of the target user based on the user information.
After generating the first SPA request message from the user information, the user client may send it to a first UDP port of the SDP controller, which the SDP controller opens to the user client and which corresponds to the SDP authentication service. On receiving the first SPA request message, the SDP controller decrypts its content to obtain the user information in the message, such as the user account and password, and authenticates that user information; that is, the SDP controller authenticates the target user based on the user information. After successful authentication, the SDP controller may grant the user client access to a first TCP port, used for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be preset by the user in the SDP controller configuration, which is not limited in this application. If authentication fails, the SDP controller does not open any TCP port.
Step 503: obtain the connection information of the service proxy device sent by the SDP controller after the target user passes SDP authentication, and establish a connection with the service proxy device based on that connection information, so as to further access the service over the established connection.
After the user information in the SPA request message passes authentication, the SDP controller grants the user client access to the first TCP port used for establishing a TCP connection. The user client may send a connection request to the first TCP port and establish a first TCP connection with the SDP controller. Over the first TCP connection, the user client obtains the authentication result produced by the SDP controller after the target user passed SDP authentication. The authentication result includes the connection information of the service proxy device.
In one embodiment, the authentication result further includes a token credential, generated by the SDP controller, which indicates that the target user has passed SDP authentication. The connection information of the service proxy device includes a second UDP port number, corresponding to the SDP authentication service, which the service proxy device opens to the user client.
After receiving the authentication result, the user client may generate a second SPA request message for SDP authentication. The second SPA request message may include the token credential generated by the SDP controller; it may also contain information such as a hardware serial number, local IP address and network card MAC address. All of this information is encrypted to generate the second SPA request message. The encryption may use the AES algorithm or another algorithm, which is not limited in this application. For example, in practical application, the content format of the second SPA request message is: 6-digit random number + session ID + client version number + second-resolution timestamp + intranet IPv4 address + token.
After generating the second SPA request message, the user client may send it to the second UDP port of the service proxy device, which the service proxy device opens to the user client and which corresponds to the SDP authentication service. On receiving the second SPA request message, the service proxy device decrypts its content to obtain the token credential in the message. When the SDP controller generates a token credential indicating that the target user has passed SDP authentication, it also sends that token credential to the service proxy device. The service proxy device determines whether the token credential obtained by decryption is consistent with the token credential it received from the SDP controller; if so, authentication succeeds. The service proxy device may then grant the user client access to a second TCP port, used for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be preset by the user in the service proxy device configuration, which is not limited in this application. The service proxy device returns the second TCP port number to the user client.
On receiving the second TCP port number, the user client may send a TCP connection establishment request to that port, establish a second TCP connection with the service proxy device, and further access the user service provided by the service proxy device over the second TCP connection.
In another embodiment, the connection information of the service proxy device in the authentication result, produced by the SDP controller after the target user passes SDP authentication, includes a third UDP port number, corresponding to the SDP authentication service, which the service proxy device opens to the user client.
After receiving the authentication result, the user client may generate a third SPA request message for SDP authentication. The third SPA request message may include the user information, that is, the account and password; it may also contain information such as a hardware serial number, local IP address and network card MAC address. All of this information is encrypted to generate the third SPA request message. For example, in practical application, the content format of the third SPA request message is: 6-digit random number, session ID, client version number, user account, password, second-resolution timestamp, intranet IPv4 address.
On receiving the third SPA request message, the service proxy device decrypts its content to obtain the user information in the message, such as the user account and password, and authenticates that user information; that is, the service proxy device performs SDP authentication of the target user based on the user information. After successful authentication, the service proxy device may grant the user client access to the second TCP port, used for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be preset by the user in the service proxy device configuration, which is not limited in this application. If authentication fails, the service proxy device does not open any TCP port. The service proxy device returns the second TCP port number to the user client.
On receiving the second TCP port number, the user client may directly send a TCP connection establishment request to that port, establish a second TCP connection with the service proxy device, and further access the user service provided by the service proxy device over the second TCP connection.
In another embodiment, the connection information of the service proxy device in the authentication result, produced by the SDP controller after the target user passes SDP authentication, may include a second TCP port number which the service proxy device opens to the user client and which is used for establishing a TCP connection with the service proxy device.
That is, after the SDP controller's authentication passes, the service proxy device may directly grant the user client access to the second TCP port, used for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be preset by the user in the service proxy device configuration, which is not limited in this application.
After receiving the authentication result, the user client may send a TCP connection establishment request to the second TCP port number, establish a second TCP connection with the service proxy device, and further access the user service provided by the service proxy device over the second TCP connection.
Referring to Fig. 6, Fig. 6 is a flowchart of a method for establishing a connection according to an exemplary embodiment. The method may be applied to the SDP controller in the SDP access authentication system shown in Fig. 3 and comprises the following implementation steps:
Step 601: receive user information sent by a user client, and perform SDP authentication of the target user based on the user information.
The SDP controller receives the user information sent by the user client and performs SDP authentication of the account and password in the user information.
In one embodiment, the user client may generate, based on the user information, a first SPA (single packet authentication) request message for the SDP controller to perform SDP authentication. The first SPA request message may include the user information obtained by the user client, that is, the user account and password; it may also contain information such as a hardware serial number, local IP address and network card MAC address. All of this information is encrypted to generate the first SPA request message. The encryption may use the AES algorithm or another algorithm, which is not limited in this application.
The SDP controller opens a UDP port corresponding to the SDP authentication service, and the user client may send the first SPA request message to the SDP controller through that UDP port. On receiving the first SPA request message, the SDP controller decrypts its content to obtain the user information in the message, such as the user account and password, and authenticates that user information; that is, the SDP controller authenticates the target user based on the user information.
Step 602: after the target user passes SDP authentication, send the connection information of the service proxy device to the user client, so that the user client establishes a connection with the service proxy device.
In one embodiment, after the target user passes SDP authentication, the SDP controller may grant the user client access to a first TCP port, used for establishing a TCP connection, for a preset time. The preset time may be 30 seconds, or a corresponding time may be preset by the user in the SDP controller configuration, which is not limited in this application. If authentication fails, the SDP controller does not open any TCP port.
After the SDP controller has established the TCP connection with the user client, it sends the authentication result of the target user's SDP authentication to the user client. The authentication result may include the connection information of the service proxy device, where that connection information includes a second UDP port number, corresponding to the SDP authentication service, which the service proxy device opens to the user client, together with a token credential generated by the SDP controller that indicates that the target user has passed SDP authentication. The user client may generate a second SPA request message containing the token credential and send it to the second UDP port of the service proxy device, which is opened to the user client and corresponds to the SDP authentication service.
In another embodiment, after the SDP controller has established the TCP connection with the user client, the connection information of the service proxy device in the authentication result generated by the SDP controller may include a third UDP port number, corresponding to the SDP authentication service, which the service proxy device opens to the user client. The user client may generate a third SPA request message containing the user information and send it to the third UDP port of the service proxy device, which is opened to the user client and corresponds to the SDP authentication service.
In another embodiment, after the SDP controller has established the TCP connection with the user client, the connection information of the service proxy device in the authentication result generated by the SDP controller may include a second TCP port number which the service proxy device opens to the user client and which is used for establishing a TCP connection with the service proxy device. The user client may directly send a TCP connection establishment request to the second TCP port number, establish a second TCP connection with the service proxy device, and further access the user service provided by the service proxy device over the second TCP connection.
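The controller-then-proxy flow of Steps 502-503 and 601-602 (the token-credential variant), as a self-contained simulation added here; it is not the patent's implementation. Assumed details: credentials are checked against an in-memory table of PBKDF2-derived keys with a constant-time comparison, the token is a random 128-bit value the controller shares with the proxy out of band, the token and each TCP port grant expire after the 30-second preset time, the token is single-use, SPA encryption and real sockets are omitted, and the clock is injectable so the expiry can be exercised. Port numbers and the user record are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

GRANT_SECONDS = 30       # the "preset time" named in the description
PBKDF2_ROUNDS = 50_000   # password hashing work factor (assumption)


class FakeClock:
    """Injectable clock: call it to read the time, change .t to advance it."""
    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Stored credential record (salt, derived key); the plaintext is never kept."""
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


class ServiceProxy:
    """Service proxy device: checks the token in the second SPA message, then opens a TCP port."""

    def __init__(self, clock: Callable[[], float], second_udp_port: int = 6002,
                 second_tcp_port: int = 4432) -> None:
        self.second_udp_port = second_udp_port
        self._second_tcp_port = second_tcp_port
        self._clock = clock
        self._tokens: Dict[str, float] = {}   # token issued by the controller -> expiry
        self._grants: Dict[str, float] = {}   # client ip -> expiry of its TCP port grant

    def register_token(self, token: str, expires_at: float) -> None:
        """Called by the SDP controller when it issues a token credential."""
        self._tokens[token] = expires_at

    def handle_second_spa(self, client_ip: str, token: str) -> Optional[int]:
        """Compare the presented token with the issued ones; return the second
        TCP port number on success, None (nothing opened) on failure."""
        now = self._clock()
        self._tokens = {t: exp for t, exp in self._tokens.items() if exp > now}
        match = next((t for t in self._tokens if hmac.compare_digest(t, token)), None)
        if match is None:
            return None
        del self._tokens[match]               # single-use token (assumption)
        self._grants[client_ip] = now + GRANT_SECONDS
        return self._second_tcp_port

    def accept_tcp(self, client_ip: str, port: int) -> bool:
        """Would a TCP connection from client_ip to port be accepted right now?"""
        exp = self._grants.get(client_ip)
        return port == self._second_tcp_port and exp is not None and self._clock() < exp


class SdpController:
    """SDP controller: authenticates the first SPA message and issues the token."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], proxy: ServiceProxy,
                 clock: Callable[[], float], first_tcp_port: int = 4431) -> None:
        self._users, self._proxy, self._clock = users, proxy, clock
        self._first_tcp_port = first_tcp_port
        self._dummy_salt = secrets.token_bytes(16)  # keeps unknown-account timing similar
        self._grants: Dict[str, float] = {}   # client ip -> expiry of first TCP grant
        self._results: Dict[str, dict] = {}   # client ip -> authentication result

    def handle_first_spa(self, client_ip: str, account: str, password: str) -> Optional[int]:
        """Step 601: authenticate account/password from the first SPA message.
        Returns the first TCP port on success; on failure nothing is opened."""
        salt, stored = self._users.get(account, (self._dummy_salt, b""))
        if not (account in self._users and hmac.compare_digest(stored, _derive(password, salt))):
            return None
        now = self._clock()
        token = secrets.token_hex(16)
        self._proxy.register_token(token, now + GRANT_SECONDS)  # token also sent to the proxy
        self._grants[client_ip] = now + GRANT_SECONDS
        self._results[client_ip] = {"proxy_udp_port": self._proxy.second_udp_port, "token": token}
        return self._first_tcp_port

    def fetch_result(self, client_ip: str) -> Optional[dict]:
        """Step 602: the authentication result is read over the first TCP
        connection, which is only accepted while the grant is still valid."""
        exp = self._grants.get(client_ip)
        if exp is None or self._clock() >= exp:
            return None
        return self._results.pop(client_ip, None)


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    proxy = ServiceProxy(clock)
    controller = SdpController({"alice": make_user("s3cret!")}, proxy, clock)  # constructed user
    first_port = controller.handle_first_spa("10.0.0.5", "alice", "s3cret!")
    result = controller.fetch_result("10.0.0.5")
    second_port = proxy.handle_second_spa("10.0.0.5", result["token"])
    print(first_port, result, second_port, proxy.accept_tcp("10.0.0.5", second_port))
    clock.t += GRANT_SECONDS + 1
    print("after the preset time:", proxy.accept_tcp("10.0.0.5", second_port))
```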
In an exemplary embodiment of the present specification, a connection establishment apparatus is also provided. Referring to fig. 7, fig. 7 is a block diagram of a connection establishment apparatus according to an embodiment of the present specification. The apparatus is applied to a user client in an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service proxy device; the SDP controller is used for controlling the user client to establish a connection with the service proxy device; the apparatus comprises:
An obtaining module 710, configured to obtain user information of a target user in response to a connection establishment operation initiated by the target user;
a first sending module 720, configured to send the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information;
and a connection module 730, configured to obtain connection information of the service proxy device sent after the SDP authentication of the target user by the SDP controller passes, and establish a connection with the service proxy device based on the connection information, so as to further access the user service based on the established connection.
In an exemplary embodiment of the present specification, another connection establishment apparatus is also provided. Referring to fig. 8, fig. 8 is a block diagram of another access information synchronizing apparatus according to an embodiment of the present specification. The apparatus is applied to an SDP controller of an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service proxy device; the SDP controller is used for controlling the user client to establish a connection with the service proxy device; the apparatus comprises:
An authentication module 810, configured to receive user information sent by a user client, and perform SDP authentication on the target user based on the user information;
a second sending module 820, configured to send connection information of the service proxy device to the user client after the target user passes SDP authentication, so that the user client establishes a connection with the service proxy device.
The implementation of the functions and roles of each module in the above apparatus is described in the implementation of the corresponding steps of the above method and is not repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It should be noted that although several units/modules or sub-units/modules of the apparatus are mentioned in the above detailed description, this division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units/modules described above may be embodied in one unit/module, in accordance with embodiments of the present description. Conversely, the features and functions of one unit/module described above may be further divided into ones that are embodied by a plurality of units/modules.
Furthermore, although the operations of the methods of the present description are illustrated in the accompanying drawings in a particular order, this is not required to or suggested that these operations must be performed in this particular order or that all of the illustrated operations must be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
While the spirit and principles of this specification have been described with reference to several particular embodiments, it is to be understood that this specification is not limited to the particular embodiments disclosed, nor does the division into aspects imply that features of different aspects cannot be usefully combined; that division is made only for convenience of description. The description is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (17)

1. A connection establishment method applied to a user client in an SDP access authentication system, wherein the SDP access authentication system comprises at least one user client, at least one SDP controller and at least one service agent device; the SDP controller is used for controlling the client to establish connection with the service proxy equipment; the method comprises the following steps:
responding to connection establishment operation initiated by a target user, and acquiring user information of the target user;
the user information is sent to the SDP controller, so that the SDP controller carries out SDP authentication on the target user based on the user information;
Acquiring connection information of the service proxy equipment, which is transmitted after SDP authentication of the target user by the SDP controller is passed, and establishing connection with the service proxy equipment based on the connection information so as to further access the user service based on the established connection;
the SDP controller opens a first UDP port corresponding to an SDP authentication service to the user client;
the sending the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information, including:
generating a first SPA request message for SDP authentication; wherein, the first SPA request message includes the user information;
the first SPA request message is sent to the first UDP port, so that the SDP controller responds to the received first SPA request message, carries out SDP authentication on the target user based on the user information in the first SPA request message, and grants the access right of the first TCP port for establishing TCP connection with the target user to the user client after the target user passes the local SDP authentication;
the obtaining the connection information of the service agent device, which is sent by the SDP controller after passing the SDP authentication of the target user, includes:
A TCP connection request is sent to the first TCP port, and a first TCP connection is established with the SDP controller;
acquiring an authentication result sent by the SDP controller after SDP authentication of the target user is passed through the first TCP connection; wherein the authentication result includes connection information of the service agent device.
2. The method of claim 1, the authentication result further comprising token credentials generated by the SDP controller that indicate the target user authenticated by SDP; the connection information of the service proxy equipment comprises a second UDP port number which is opened by the service proxy equipment towards the user client and corresponds to the SDP authentication service;
establishing a connection with the service proxy device based on the connection information to further access the service based on the established connection, comprising:
generating a second SPA request message for SDP authentication; wherein the second SPA request message includes the token credential;
the second SPA request message is sent to the second UDP port, so that the service proxy equipment responds to the received second SPA request message, SDP authentication is conducted on the target user based on the token credential in the second SPA request message, after the target user passes the local SDP authentication, the access right of a second TCP port for establishing TCP connection with the target user is authorized to the user client, and the second TCP port is returned to the user client;
And sending a TCP connection establishment request to the second TCP port to establish a second TCP connection with the service proxy device so as to further access the user service based on the established TCP connection.
3. The method of claim 1, the connection information of the service proxy device comprising a third UDP port number for SDP authentication opened by the service proxy device to the user client;
establishing a connection with the service proxy device based on the connection information to further access the user service based on the established connection, comprising:
generating a third SPA request message for SDP authentication; wherein, the third SPA request message includes the user information;
the third SPA request message is sent to the third UDP port, so that the service proxy device, in response to receiving the third SPA request message, performs SDP authentication on the target user based on the user information in the third SPA request message, grants the user client access right to a second TCP port for establishing a TCP connection with the target user after the target user passes the local SDP authentication, and returns the second TCP port to the user client;
And sending a TCP connection establishment request to the second TCP port to establish a second TCP connection with the service proxy device so as to further access the service based on the established second TCP connection.
4. The method of claim 1, the connection information of the service proxy device comprising a second TCP port number that the service proxy device opens to the user client for establishing a TCP connection therewith;
establishing a connection with the service proxy device based on the connection information to further access the service based on the established connection includes:
and sending a TCP connection establishment request to the second TCP port to establish a second TCP connection with the service proxy device so as to further access the user service based on the established second TCP connection.
5. The method of any of claims 1-4, the TCP connection comprising a TLS connection.
6. The method of claim 1, the service proxy device comprising a VPN device.
7. The method according to any of claims 1-4, said granting access rights of a TCP port to a user client, comprising:
and authorizing the access authority of the TCP port in a preset time period to the user client.
8. A connection establishment method applied to an SDP controller of an SDP access authentication system comprising at least one user client, at least one SDP controller and at least one service proxy device; the SDP controller is used for controlling the client to establish connection with the service proxy equipment; the method comprises the following steps:
receiving user information sent by a user client, and carrying out SDP authentication on a target user based on the user information;
after SDP authentication is passed on the target user, the connection information of the service agent equipment is sent to a user client; so that the user client establishes connection with the service agent equipment;
the user client generates a first SPA request message for SDP authentication; wherein, the first SPA request message includes the user information;
the SDP controller opens a UDP port corresponding to the SDP authentication service to the user client, and the user client sends the first SPA request message to that UDP port;
the performing SDP authentication on the target user based on the user information includes:
Responding to the received first SPA request message, and carrying out SDP authentication on the target user based on the user information in the first SPA request message;
after the target user passes SDP authentication, access right of a first TCP port for establishing a TCP connection with the target user is granted to the user client;
the user client sends a TCP connection request to the first TCP port, and establishes a first TCP connection with the SDP controller;
sending the connection information of the service proxy device to the user client after the SDP authentication of the target user is passed comprises:
and sending an authentication result after the SDP authentication of the target user is passed to a user client through a first TCP connection, wherein the authentication result comprises the connection information of the service proxy equipment.
9. The method of claim 8, the authentication result further comprising token credentials generated by the SDP controller that indicate the target user authenticated by SDP; the connection information of the service proxy device includes a second UDP port number corresponding to an SDP authentication service, which is opened by the service proxy device for the user client terminal.
10. The method of claim 8, the method comprising the service proxy device opening a third UDP port number for SDP authentication to a user client.
11. The method of claim 8, the service proxy device opening to the user client a second TCP port number for establishing a TCP connection therewith.
12. The method of claim 8, the TCP connection comprising a TLS connection.
13. The method of claim 8, the service proxy device comprising a VPN device.
14. The method of claim 8, the granting access rights to the TCP port to the user client, comprising:
and authorizing the access authority of the TCP port in a preset time period to the user client.
15. A connection establishment apparatus applied to a user client in an SDP access authentication system comprising at least one user client, at least one SDP controller and at least one service agent device; the SDP controller is used for controlling the client to establish connection with the service proxy equipment; the device comprises:
the acquisition module is used for responding to connection establishment operation initiated by a target user and acquiring user information of the target user;
A first sending module, configured to send the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information;
the connection module is used for acquiring connection information of the service proxy equipment, which is sent after the SDP controller passes SDP authentication on the target user, and establishing connection with the service proxy equipment based on the connection information so as to further access the user service based on the established connection; the SDP controller opens a first UDP port corresponding to an SDP authentication service to the user client; the sending the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information, including:
generating a first SPA request message for SDP authentication; wherein, the first SPA request message includes the user information;
the first SPA request message is sent to the first UDP port, so that the SDP controller responds to the received first SPA request message, carries out SDP authentication on the target user based on the user information in the first SPA request message, and grants the access right of the first TCP port for establishing TCP connection with the target user to the user client after the target user passes the local SDP authentication;
The obtaining the connection information of the service agent device, which is sent by the SDP controller after passing the SDP authentication of the target user, includes:
a TCP connection request is sent to the first TCP port, and a first TCP connection is established with the SDP controller;
acquiring an authentication result sent by the SDP controller after SDP authentication of the target user is passed through the first TCP connection; wherein the authentication result includes connection information of the service agent device.
16. A connection establishment apparatus applied to an SDP controller of an SDP access authentication system comprising at least one user client, at least one SDP controller and at least one service proxy device; the SDP controller is used for controlling the client to establish connection with the service proxy equipment; the device comprises:
the authentication module receives user information sent by a user client and carries out SDP authentication on a target user based on the user information;
the second sending module sends the connection information of the service agent equipment to the user client after SDP authentication of the target user is passed; so that the user client establishes connection with the service agent equipment;
The user client generates a first SPA request message for SDP authentication; wherein, the first SPA request message includes the user information;
the SDP controller opens a UDP port corresponding to the SDP authentication service to the user client, and the user client sends the first SPA request message to that UDP port;
the performing SDP authentication on the target user based on the user information includes:
responding to the received first SPA request message, and carrying out SDP authentication on the target user based on the user information in the first SPA request message;
after the target user passes SDP authentication, access right of a first TCP port for establishing a TCP connection with the target user is granted to the user client;
the user client sends a TCP connection request to the first TCP port, and establishes a first TCP connection with the SDP controller;
sending the connection information of the service proxy device to the user client after the SDP authentication of the target user is passed comprises:
and sending an authentication result after the SDP authentication of the target user is passed to a user client through a first TCP connection, wherein the authentication result comprises the connection information of the service proxy equipment.
17. An SDP access authentication system comprising at least one user client, at least one SDP controller and at least one service proxy device; the SDP controller is used for controlling the client to establish connection with the service proxy equipment; the system comprises:
the user client responds to connection establishment operation initiated by a target user and acquires user information of the target user;
the user client sends the user information to the SDP controller;
the SDP controller receives user information sent by a user client and carries out SDP authentication on the target user based on the user information;
after SDP authentication is passed on the target user, the SDP controller sends the connection information of the service agent device to a user client;
the user client acquires connection information of the service proxy equipment, which is sent after SDP authentication of the target user by the SDP controller is passed, and establishes connection with the service proxy equipment based on the connection information so as to further access the user service based on the established connection;
The SDP controller opens a first UDP port corresponding to an SDP authentication service to the user client;
the sending the user information to the SDP controller, so that the SDP controller performs SDP authentication on the target user based on the user information, including:
generating a first SPA request message for SDP authentication; wherein, the first SPA request message includes the user information;
the first SPA request message is sent to the first UDP port, so that the SDP controller responds to the received first SPA request message, carries out SDP authentication on the target user based on the user information in the first SPA request message, and grants the access right of the first TCP port for establishing TCP connection with the target user to the user client after the target user passes the local SDP authentication;
the obtaining the connection information of the service agent device, which is sent by the SDP controller after passing the SDP authentication of the target user, includes:
a TCP connection request is sent to the first TCP port, and a first TCP connection is established with the SDP controller;
acquiring an authentication result sent by the SDP controller after SDP authentication of the target user is passed through the first TCP connection; wherein the authentication result includes connection information of the service agent device.
CN202111521828.8A 2021-12-13 2021-12-13 Connection establishment method and device Active CN114301639B (en)

Publications (2)

Publication Number Publication Date
CN114301639A CN114301639A (en) 2022-04-08
CN114301639B true CN114301639B (en) 2024-02-27



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant