CN107342999A - System and method for protecting certificates based on a hardened agent - Google Patents
System and method for protecting certificates based on a hardened agent
- Publication number: CN107342999A (application CN201710538310.2A)
- Authority: CN (China)
- Prior art keywords: network data, data information, remote computer, computer, information
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Technology Law (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method and system for protecting certificates based on a hardened agent. The method includes: step 1, intercepting network data from the user computer; step 2, determining whether the user computer that sent the network data is authorized to access the remote computer it wants to communicate with; and, if so, step 3, cryptographically signing the network data and authorizing the user computer to access the remote computer. By intercepting communication with the remote computer and then determining whether the remote computer is trustworthy, and by not relying on a local trust database, the scheme avoids subversion or modification by software run by unwitting or malicious users, places the local user or software in a trusted certificate communication environment, and improves the information security of the communication.
Description
Technical field
The invention relates to the technical field of communication security, and in particular to a system and method for protecting certificates based on a hardened agent.
Background
From the end of the last century until now, network technology has developed rapidly, and the speed and volume of information dissemination have grown explosively. Information leakage and information tampering that can occur during transmission are very dangerous for users, especially since the arrival of the intelligent age, when large amounts of user information appear on the network; while this makes life more convenient, the security of that information needs to be better protected.
Network applications commonly use certificates to verify the integrity of remote entities and the integrity and confidentiality of communication with remote locations. Certificates are nevertheless vulnerable, because the local trust database (which contains the trusted root certificates) can be subverted or modified by software run by an unwitting or malicious user. This can lead to an untrustworthy root of trust being inserted into the enterprise policy, so that local users or software are placed in an untrustworthy certificate communication environment, creating network security risks such as information leakage during information transmission.
Summary of the invention
The purpose of the present invention is to provide a method and system for protecting certificates based on a hardened agent, which prevents the user computer from communicating with untrusted remote computers and improves the communication security of local users or applications.
To solve the above technical problem, an embodiment of the present invention provides a method for protecting certificates based on a hardened agent, including:
Step 1: intercept network data from the user computer;
Step 2: determine whether the user computer that sent the network data is authorized to access the remote computer it wants to communicate with;
If so, step 3: cryptographically sign the network data and authorize the user computer to access the remote computer.
Step 2 includes:
identifying the credential of the remote computer with which the user computer wants to communicate and the network request carried in the network data;
computing the encryption information of the credential and outputting the encryption sequence for the network data;
determining whether the certificate of the remote computer, the encryption sequence and the network data are contained in the whitelist database and not contained in the blacklist database.
The method further includes:
a firewall inspects the network data and determines whether it carries the cryptographic signature;
if so, the network data is authorized to access the remote computer; otherwise, the network data is denied access to the remote computer.
The cryptographic signing of the network data is performed by adding an encryption sequence field to the application-layer protocol.
Adding the encryption sequence field to the network data means adding the encryption sequence to the IPv4 header options field or adding the encryption sequence to the IPv6 header chain field.
In addition, an embodiment of the present invention provides a system for protecting certificates based on a hardened agent, including a host-based credential management agent, a trusted credential database and an authorization server. The trusted credential database contains information identifying trusted entities and their corresponding cryptographic certificates. The host-based credential management agent is connected to the user computer and intercepts the network traffic of the user computer's access to a remote computer; from this traffic it identifies the certificate of the remote computer and computes the certificate's secret information, obtaining the encryption sequence of the network data, and then sends the network data and the encryption sequence to the authorization server. The authorization server determines whether the certificate of the remote computer, the encryption sequence and the network data are contained in the whitelist database and the blacklist database of the trusted credential database; if all are contained in the whitelist database and none is contained in the blacklist database, it cryptographically signs the network traffic with the authorization server key, thereby authorizing network access for the intercepted network data.
The system further includes a firewall connected to the authorization server and the user computer, which checks whether the network data from the user computer carries a cryptographic signature made with the authorization server's key; if so, the network data is authorized to access the remote computer, otherwise the network data is denied access to the remote computer.
The authorization server may be an authorization server running on a public computer server or an authorization server running on an independent network device.
The host-based credential management agent may be a host-based credential management agent running on the user computer or one running on a dedicated computer.
The system further includes a distrust feedback device connected to the firewall, the authorization server and the user computer, which reports back to the user computer the reason why it cannot communicate with the remote computer.
Compared with the prior art, the system and method for protecting certificates based on a hardened agent provided by the embodiments of the present invention have the following advantages:
The method for protecting certificates based on a hardened agent provided by an embodiment of the present invention includes:
Step 1: intercept network data from the user computer;
Step 2: determine whether the user computer that sent the network data is authorized to access the remote computer it wants to communicate with;
If so, step 3: cryptographically sign the network data and authorize the user computer to access the remote computer.
The system for protecting certificates based on a hardened agent provided by an embodiment of the present invention includes a host-based credential management agent, a trusted credential database and an authorization server. The trusted credential database contains information identifying trusted entities and their corresponding cryptographic certificates. The host-based credential management agent is connected to the user computer and intercepts the network traffic of the user computer's access to a remote computer; from this traffic it identifies the certificate of the remote computer and computes the certificate's secret information, obtaining the encryption sequence of the network data, and then sends the network data and the encryption sequence to the authorization server. The authorization server determines whether the certificate of the remote computer, the encryption sequence and the network data are contained in the whitelist database and the blacklist database of the trusted credential database; if all are contained in the whitelist database and none is contained in the blacklist database, it cryptographically signs the network traffic with the authorization server key, thereby authorizing network access for the intercepted network data.
The system and method for protecting certificates based on a hardened agent intercept communication with the remote computer, determine whether the remote computer is trustworthy, and determine whether the user computer that sent the network data is authorized to access the remote computer. Because no local trust database is used, subversion or modification by software run by unwitting or malicious users is avoided, the local user or software is placed in a trusted certificate communication environment, and the information security of the communication is improved.
Brief description of the drawings
To describe the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic flowchart of the steps of one specific embodiment of the method for protecting certificates based on a hardened agent provided by an embodiment of the present invention;
Figure 2 is a schematic structural diagram of one specific embodiment of the system for protecting certificates based on a hardened agent provided by an embodiment of the present invention;
Figure 3 is a schematic structural diagram of another specific embodiment of the system for protecting certificates based on a hardened agent provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Refer to Figures 1 to 3. Figure 1 is a schematic flowchart of the steps of one specific embodiment of the method for protecting certificates based on a hardened agent provided by an embodiment of the present invention; Figure 2 is a schematic structural diagram of one specific embodiment of the system for protecting certificates based on a hardened agent provided by an embodiment of the present invention; Figure 3 is a schematic structural diagram of another specific embodiment of the system for protecting certificates based on a hardened agent provided by an embodiment of the present invention.
In one specific embodiment, the method for protecting certificates based on a hardened agent includes:
Step 1: intercept network data from the user computer. The user computer's access to a remote computer is thus intercepted first and the trustworthiness of the remote computer to be accessed is determined, so that communication with untrusted remote computers is avoided.
Step 2: determine whether the user computer that sent the network data is authorized to access the remote computer it wants to communicate with. Whether access is authorized is determined by judging whether the remote computer that the user computer's network data wants to reach is trustworthy.
If so, step 3: cryptographically sign the network data and authorize the user computer to access the remote computer. Only a user computer that is authorized and has obtained the cryptographic signature is qualified to access the corresponding remote computer, that is, holds an access pass.
By intercepting communication with the remote computer, then determining whether the remote computer is trustworthy and whether the user computer that sent the network data is authorized to access the remote computer, and by not using a local trust database, subversion or modification by software run by unwitting or malicious users is avoided, the local user or software is placed in a trusted certificate communication environment, and the information security of the communication is improved.
There are many ways to identify whether a remote computer is trustworthy; in one embodiment of the present invention, step 2 includes:
identifying the credential of the remote computer with which the user computer wants to communicate and the network request carried in the network data;
computing the encryption information of the credential and outputting the encryption sequence for the network data;
determining whether the certificate of the remote computer, the encryption sequence and the network data are contained in the whitelist database and not contained in the blacklist database.
The credential of the remote computer to be communicated with and the network request in the network data are identified and compared with the whitelist and blacklist in the host's trusted credential database. Only when the certificate of the remote computer, the encryption sequence and the network data are all contained in the whitelist database and not contained in the blacklist database is the cryptographic signature issued and access to the corresponding remote computer granted. In this way communication with untrusted remote computers is avoided and the security of the communication is improved.
To further improve the security of communication, the method for protecting certificates based on a hardened agent further includes:
a firewall inspects the network data and determines whether it carries the cryptographic signature;
if so, the network data is authorized to access the remote computer; otherwise, the network data is denied access to the remote computer.
That is, the intercepted network data from the user computer is inspected by the firewall to determine whether it carries the cryptographic signature; only data carrying the cryptographic signature that corresponds to the remote computer to be accessed is granted access. This guards against the case in which, even though the network data was intercepted, the check of whether the user computer is authorized to access the remote computer was not carried out by the other components or devices, or the data was never signed.
The present invention does not specifically limit the way in which the network data is cryptographically signed; in one embodiment, the cryptographic signing of the network data is performed by adding an encryption sequence field to the application-layer protocol.
Specifically, adding the encryption sequence field to the network data may be adding the encryption sequence to the IPv4 header options field or adding the encryption sequence to the IPv6 header chain field; the network data is cryptographically signed by adding the corresponding encryption sequence to the application-layer protocol.
In the present invention, network data is processed by cryptographically signing each network packet for access, and the firewall's inspection likewise checks the cryptographic signature packet by packet.
除此之外,本发明实施例还提供了一种基于强化代理保护证书的系统,包括基于主机的凭证管理代理20、可信凭证数据库和授权服务器30,所述可信凭证数据库包含标识可信实体和相应加密证书的信息,所述基于主机的凭证管理代理20与用户计算机10连接,用于拦截来自所述用户计算机10访问的远程计算机50的网络流量信息,并根据所述网络流量信息识别所述远程计算机50的证书和计算所述证书的机密信息,获得所述网络数据信息的加密序列后,将所述网络数据信息和所述加密序列发送到所述授权服务器30,所述授权服务器30判断所述远程计算机50的证书、所述加密序列、所述网络数据信息是否包含在所述可信凭证数据库中的白名单数据库、黑名单数据库,若均包含在所述白名单数据库,且不包含在所述黑名单数据库,通过使用授权服务器30密钥对所述网络流量信息进行加密签名,以授权网络访问被拦截的所述网络数据信息。In addition, the embodiment of the present invention also provides a system for protecting certificates based on a strengthened agent, including a host-based certificate management agent 20, a trusted certificate database, and an authorization server 30. Entities and corresponding encryption certificate information, the host-based credential management agent 20 is connected with the user computer 10, and is used to intercept the network traffic information from the remote computer 50 accessed by the user computer 10, and identify according to the network traffic information The certificate of the remote computer 50 and the confidential information for calculating the certificate, after obtaining the encrypted sequence of the network data information, send the network data information and the encrypted sequence to the authorization server 30, and the authorization server 30. Judging whether the certificate of the remote computer 50, the encryption sequence, and the network data information are included in the whitelist database and blacklist database in the trusted credential database, if they are all included in the whitelist database, and Not included in the blacklist database, the network flow information is encrypted and signed by using the key of the authorization server 30 to authorize the network to access the intercepted network data information.
为了进一步提高与远程计算机50的通信安全性,所述基于强化代理保护证书的系统还包括防火墙60,所述防火墙60与所述授权服务器30、所述用户计算机10连接,用于检查来自所述用户计算机10的网络数据信息是否具有所述授权服务器30的授权服务器30秘钥签名的加密签名,若有,授权所述网络数据信息对所述远程计算机50进行访问,否则,拒绝所述网络数据信息对所述远程计算机50进行访问。In order to further improve the communication security with the remote computer 50, the system based on the strengthened proxy protection certificate also includes a firewall 60, the firewall 60 is connected with the authorization server 30 and the user computer 10, and is used to check the Whether the network data information of the user computer 10 has the encrypted signature signed by the authorization server 30 secret key of the authorization server 30, if so, authorize the network data information to access the remote computer 50, otherwise, reject the network data information Information is accessed to the remote computer 50 .
需要指出的是,这里的防火墙60并不是指用户计算机10的防火墙60,而是指用户计算机10所通过主机连接远程计算机50时设置在主机的防火墙60。It should be pointed out that the firewall 60 here does not refer to the firewall 60 of the user computer 10 , but refers to the firewall 60 set on the host when the user computer 10 is connected to the remote computer 50 through the host.
本发明中的基于强化代理保护证书的系统,通过基于主机的凭证管理代理20拦截来自所述用户计算机10访问的远程计算机50的网络流量信息由授权服务器30对该网络流量信息进行验证,确认其中要访问的远程计算机50是否受信任,避免了与不可信远程计算机50通信以及可能造成的不良后果。In the system based on the strengthened agent protection certificate in the present invention, the network flow information from the remote computer 50 accessed by the user computer 10 is intercepted by the host-based credential management agent 20, and the network flow information is verified by the authorization server 30 to confirm that Whether the remote computer 50 to be accessed is trusted, avoids communication with the untrusted remote computer 50 and possible adverse consequences.
本发明中的授权服务器30为可以为工作在公共计算机服务器的授权服务器30,也可以为工作在独立网络设备的授权服务器30,本发明对于授权服务器30及其工作的位置不做限定。The authorization server 30 in the present invention can be an authorization server 30 working on a public computer server, or an authorization server 30 working on an independent network device. The present invention does not limit the authorization server 30 and its working location.
同样的,本发明中的所述基于主机的凭证管理代理20可以为工作在所述用户计算机10的基于主机的凭证管理代理20,也可以为工作在专用的计算机的基于主机的凭证管理代理20。Similarly, the host-based credential management agent 20 in the present invention can be the host-based credential management agent 20 working on the user computer 10, or the host-based credential management agent 20 working on a dedicated computer. .
That is, when the user computer 10 accesses the remote computer 50, the access is intercepted by the host-based credential management agent 20 installed on the user computer 10 or on a dedicated computer. The agent identifies the certificate of the remote computer 50, computes the corresponding encrypted information, and sends the encrypted sequence of the network data information to the authorization server 30. The authorization server 30 checks whether the certificate of the remote computer 50, the network data information and the encrypted sequence are all contained in the whitelist database of the recipient credential database connected to it, and not contained in its blacklist database; it then encrypts and signs the network data information and returns it to the host-based credential management agent 20, which, after verification by the firewall 60, communicates with the remote computer 50.
During communication with the remote computer 50, a successful communication is evident from its result; if the communication fails, however, the user of the local user computer 10 cannot learn why it failed, nor determine whether the failure was caused by communicating with an untrusted remote computer 50. So that the user computer 10 can obtain the reason for the failure, in one embodiment of the present invention the system based on a hardened agent for protecting certificates further includes a distrust feedback device connected to the firewall 60, the authorization server 30 and the user computer 10, which feeds back to the user computer 10 the reason why it cannot communicate with the remote computer 50.
The distrust feedback device first informs the user that the remote computer 50 being contacted is an untrusted remote computer 50, so that the user quickly learns why communication is impossible and does not access it, which improves the communication reliability and security of the user computer 10.
In summary, the system and method based on a hardened agent for protecting certificates provided by the embodiments of the present invention intercept communication with a remote computer, determine whether the remote computer is trusted, and determine whether the user computer corresponding to the network data information has permission to access the remote computer, allowing the communication only when it does. Because no local trust database is used, tampering or modification by the software of an unwitting or malicious user is avoided, so the local user or software operates in a trusted and intact communication environment, which improves the information security of the communication.
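The authorization flow described above (agent intercepts and digests the request, the authorization server checks whitelist and blacklist and signs, the firewall verifies the signature, and a refusal is reported back with its reason), as an added illustration that is not code from the patent. The trust lists, the fingerprint values and the shared HMAC key between authorization server and firewall are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample trust data (not from the patent): whitelist maps a remote
# computer's certificate fingerprint to the network data it may serve.
WHITELIST = {"sha256:aa11": {"GET /api/data"}}
BLACKLIST_CERTS = {"sha256:dead"}
BLACKLIST_DIGESTS = set()
# Assumed: the authorization server and the firewall share this signing key.
SERVER_KEY = b"constructed-shared-key"

def agent_prepare(cert_fingerprint: str, network_data: str) -> dict:
    """Host-based credential management agent: intercept the access and
    compute the digest ('encrypted sequence') of the network data."""
    digest = hashlib.sha256(network_data.encode()).hexdigest()
    return {"cert": cert_fingerprint, "data": network_data, "digest": digest}

def _signing_input(req: dict) -> bytes:
    return f'{req["cert"]}|{req["digest"]}'.encode()

def authorize(req: dict) -> tuple:
    """Authorization server: allow only if certificate and data are on the
    whitelist and nothing is on the blacklist, then sign the request.
    Returns (signature or None, reason) so the reason can be fed back."""
    if req["cert"] in BLACKLIST_CERTS or req["digest"] in BLACKLIST_DIGESTS:
        return None, "remote computer or data is blacklisted"
    allowed = WHITELIST.get(req["cert"])
    if allowed is None:
        return None, "remote computer certificate not in whitelist"
    if req["data"] not in allowed:
        return None, "network data not permitted for this remote computer"
    if hashlib.sha256(req["data"].encode()).hexdigest() != req["digest"]:
        return None, "digest does not match network data"
    return hmac.new(SERVER_KEY, _signing_input(req), hashlib.sha256).hexdigest(), "ok"

def firewall_verify(req: dict, signature) -> bool:
    """Firewall: release the connection only if the request carries a valid
    signature from the authorization server for this certificate and digest."""
    if signature is None:
        return False
    expected = hmac.new(SERVER_KEY, _signing_input(req), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

def access_remote(cert_fingerprint: str, network_data: str) -> tuple:
    """Full flow agent -> authorization server -> firewall; returns (allowed, reason)."""
    req = agent_prepare(cert_fingerprint, network_data)
    signature, reason = authorize(req)
    return firewall_verify(req, signature), reason
```

The second element of the returned tuple is what the distrust feedback device would report to the user computer when the first element is False.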
The system and method based on a hardened agent for protecting certificates provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present invention; the description of the above embodiments is intended only to help in understanding the method of the present invention and its core idea. It should be noted that a person of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principles, and such improvements and modifications also fall within the protection scope of the claims of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710538310.2A CN107342999A (en) | 2017-07-04 | 2017-07-04 | A kind of system and method based on agent protection certificate is strengthened |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710538310.2A CN107342999A (en) | 2017-07-04 | 2017-07-04 | A kind of system and method based on agent protection certificate is strengthened |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN107342999A true CN107342999A (en) | 2017-11-10 |
Family ID=60218352
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710538310.2A Pending CN107342999A (en) | 2017-07-04 | 2017-07-04 | A kind of system and method based on agent protection certificate is strengthened |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107342999A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112671781A (en) * | 2020-12-24 | 2021-04-16 | 北京华顺信安信息技术有限公司 | RASP-based firewall system |
| CN114707128A (en) * | 2022-03-31 | 2022-07-05 | 腾讯科技(深圳)有限公司 | Database access method, related device, storage medium and program product |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040054890A1 (en) * | 2000-09-13 | 2004-03-18 | Francois-Joseph Vasseur | Method for producing evidence of the transmittal and reception through a data transmission network of an electronic document and its contents |
| CN101720090A (en) * | 2009-06-16 | 2010-06-02 | 中兴通讯股份有限公司 | Method and device for realizing remote access control of home base station |
| CN102916983A (en) * | 2012-11-22 | 2013-02-06 | 北京奇虎科技有限公司 | Protection system for network access behavior |
| CN102930211A (en) * | 2012-11-07 | 2013-02-13 | 北京奇虎科技有限公司 | Method for intercepting malicious URLs in multi-kernel browser and multi-kernel browser |
| CN103428187A (en) * | 2012-05-25 | 2013-12-04 | 腾讯科技(深圳)有限公司 | Method and system for access controlling, and equipment |
| US20160080330A1 (en) * | 2000-04-07 | 2016-03-17 | At&T Intellectual Property Ii, L.P. | Broadband Certified Mail |
| CN105872059A (en) * | 2016-03-31 | 2016-08-17 | 北京奇艺世纪科技有限公司 | Remote execution method and device |
| CN105893865A (en) * | 2015-12-31 | 2016-08-24 | 乐视移动智能信息技术(北京)有限公司 | File processing method and device |
| CN106161385A (en) * | 2015-04-15 | 2016-11-23 | 腾讯科技(上海)有限公司 | The long-range control method of a kind of equipment and device |
- 2017-07-04 CN CN201710538310.2A patent/CN107342999A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20240346161A1 (en) | | Data access control systems and methods |
| US7627896B2 (en) | | Security system providing methodology for cooperative enforcement of security policies during SSL sessions |
| US6804777B2 (en) | | System and method for application-level virtual private network |
| CN113614720B (en) | | An apparatus and method for dynamically configuring trusted application access control |
| CN105282157B (en) | | A kind of secure communication control method |
| CN102035838B (en) | | A trust service connection method and trust service system based on platform identity |
| WO2023279782A1 (en) | | Access control method, access control system and related device |
| US20070240197A1 (en) | | Platform posture and policy information exchange method and apparatus |
| Lonea et al. | | Identity management for cloud computing |
| CN112016073B (en) | | Construction method of server zero trust connection architecture |
| CN104683306A (en) | | A Safe and Controllable Internet Real-name Authentication Mechanism |
| CN115603932A (en) | | An access control method, access control system and related equipment |
| Simpson et al. | | Maintaining zero trust with federation |
| WO2007115495A1 (en) | | Cpk-based gateway authenticating apparatus and method |
| US8661246B1 (en) | | System and method for protecting certificate applications using a hardened proxy |
| CN107342999A (en) | | A kind of system and method based on agent protection certificate is strengthened |
| CN117728958A (en) | | A communication method, device and system |
| CN113242249B (en) | | Session control method and device |
| KR102086739B1 (en) | | Electronic re-signing method to support various digital signature algorithms in secure sockets layer decryption device |
| Mohamed | | Introduction to Cyber Security |
| Maidine et al. | | Key mechanisms and emerging issues in cloud identity systems |
| CN114785577B (en) | | A zero-trust verification method, system and storage medium |
| Zhang et al. | | A TLS Security Enhancement Scheme Based on TCM 2.0 |
| Dixit | | Security Issues in Web Services |
| CN118413401A (en) | | Terminal communication method, system, computer device and computer readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | Application publication date: 20171110 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |