CN108366078A - The penetrating method and penetrating system of equipment under different NAT nodes - Google Patents
- Publication number: CN108366078A (application CN201810372057.2A)
- Authority: CN (China)
- Prior art keywords: address, data transfer, transfer server, data, server
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
Description
Technical Field
The present invention relates to the field of communication technology, and in particular to a traversal method and a traversal system for devices located under different NAT nodes.
Background
Current solutions for NAT (Network Address Translation) traversal in network applications are mostly based on the STUN and TURN protocol family: STUN (Simple Traversal of UDP through NATs in RFC 3489, renamed Session Traversal Utilities for NAT in RFC 5389) and TURN (Traversal Using Relays around NAT). Two clients behind NATs use STUN to discover their public (server-reflexive) addresses and TURN to obtain relay addresses on the public network, exchange the peer's public address and relay address through a signaling server, attempt P2P (peer-to-peer) communication first, and fall back to relaying the data through TURN if the direct attempt fails.
However, most current scenarios for communication between clients behind two different NATs are real-time streaming services such as voice and video, of which VoIP is the most typical. These services value low-latency delivery over reliable delivery, are not especially demanding about the confidentiality of the media they carry, and are usually tolerant of the time it takes to set up the transmission channel.
Summary of the Invention
The technical problem mainly solved by the present invention is to provide a traversal method and a traversal system for devices under different NAT nodes that address reliable data transmission, private (encrypted) data transmission, and very fast establishment of the transmission channel.
To solve the above technical problem, one technical solution adopted by the present invention is to provide a traversal method for devices under different NAT nodes, wherein the devices include a first device under a first NAT node and a second device under a second NAT node, and the traversal method includes:
the first device and the second device each obtain the address of a data transfer server and a key seed;
the first device further obtains the relay address of the second device and, carrying that relay address, requests the data transfer server to establish a data channel;
the first device establishes the data channel with the second device, generates the corresponding key from the key seed, and transmits data using the corresponding encryption method.
The key seed includes at least one of an AES key seed, a DES key seed and an RSA key seed.
The first device obtaining the address of the data transfer server and the key seed includes:
the first device requesting the address of the data transfer server from a first signaling server located under the first NAT node, and receiving the address of the data transfer server and the key seed returned by the first signaling server.
The second device obtaining the address of the data transfer server and the key seed includes:
the second device receiving the address of the data transfer server and the key seed sent by a second signaling server located under the second NAT node.
The traversal method further includes:
the first device and the second device requesting resource allocation from the data transfer server.
The step of the first device and the second device requesting resource allocation from the data transfer server further includes:
the first device and the second device requesting resource allocation from the data transfer server through the first signaling server and the second signaling server respectively.
The traversal method further includes:
the first device accessing the HTTP service of the second device through the data channel.
The traversal method further includes:
the first device accessing the HTTPS service of the second device through the data channel.
To solve the above technical problem, another technical solution adopted by the present invention is to provide a traversal system for devices under different NAT nodes, the traversal system including a first device under a first NAT node, a second device under a second NAT node, and a data transfer server, wherein:
the first device and the second device each obtain the address of the data transfer server and a key seed;
the first device further obtains the relay address of the second device and, carrying that relay address, requests the data transfer server to establish a data channel;
the first device establishes the data channel with the second device, generates the corresponding key from the key seed, and transmits data using the corresponding encryption method.
The key seed includes at least one of an AES key seed, a DES key seed and an RSA key seed.
The traversal system further includes a first signaling server located under the first NAT node; the first device requests the address of the data transfer server from the first signaling server and receives the address of the data transfer server and the key seed returned by the first signaling server.
The traversal system further includes a second signaling server located under the second NAT node; the second device receives the address of the data transfer server and the key seed sent by the second signaling server.
The first device and the second device request resource allocation from the data transfer server.
The first device and the second device request resource allocation from the data transfer server through the first signaling server and the second signaling server respectively.
The first device accesses the HTTP service of the second device through the data channel.
The first device accesses the HTTPS service of the second device through the data channel.
The beneficial effects of the present invention are as follows. Unlike the prior art, the present invention provides a traversal method and a traversal system for devices under different NAT nodes, wherein the devices include a first device under a first NAT node and a second device under a second NAT node, and the traversal method includes: first, the first device and the second device each obtain the address of the data transfer server and the key seed; then the first device further obtains the relay address of the second device and, carrying that relay address, requests the data transfer server to establish a data channel; finally the first device establishes the data channel with the second device, generates the corresponding key from the key seed, and transmits data using the corresponding encryption method. Because the data channel is relayed over TCP and the traffic between the devices is encrypted with the agreed method, the invention addresses reliable and private data transmission; and because the relay address and the key seed are distributed in advance through the signaling servers, the transmission channel is established very quickly.
Description of the Drawings
FIG. 1 is a schematic flowchart of a traversal method for devices under different NAT nodes provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of the network architecture corresponding to the traversal method shown in FIG. 1;
FIG. 3 is a schematic structural diagram of a traversal system for devices under different NAT nodes provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of the message format of the Remote module.
Detailed Description
Referring to FIG. 1 and FIG. 2, FIG. 1 is a schematic flowchart of a traversal method for devices under different NAT nodes provided by an embodiment of the present invention, and FIG. 2 is a schematic diagram of the network architecture corresponding to the traversal method shown in FIG. 1. The devices include a first device located under a first NAT node and a second device located under a second NAT node.
NAT is used when hosts inside a private network have already been assigned local IP addresses (private addresses that are valid only within that private network) but need to communicate with hosts on the Internet; NAT itself involves no encryption.
This requires NAT software on the router that connects the private network to the Internet. A router running NAT software is called a NAT router, and it has at least one valid global (public) IP address. Every host that uses a local address must have that address translated to a global IP address at the NAT router before it can communicate with the Internet.
As shown in FIG. 1 and FIG. 2, the traversal method of this embodiment includes the following steps:
Step S10: the first device and the second device each obtain the address of the data transfer server and the key seed.
In this step, the first device specifically requests the address of the data transfer server TS from the first signaling server IS located under the first NAT node, and then receives the address of the data transfer server TS and the key seed returned by the first signaling server IS.
Specifically, the first device obtains the address of the data transfer server TS from the first signaling server IS over HTTPS (Hypertext Transfer Protocol over Secure Socket Layer; the security layer in current deployments is TLS).
HTTPS is HTTP carried over a secure channel, in short the secure version of HTTP: an SSL/TLS layer is inserted between HTTP and TCP, and the security of HTTPS rests entirely on that layer, which supplies the encryption. It is a URI scheme with the same syntax as http:, used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but on a default port different from HTTP and with an encryption and authentication layer between HTTP and TCP. The system was originally developed by Netscape and built into its Netscape Navigator browser to provide authentication and encrypted communication. It is now widely used for security-sensitive communication on the World Wide Web, for example for payment transactions.
The first device may also obtain the address of the data transfer server TS from the first signaling server IS over other protocols, for example HTTP. Note, however, that the key seed travels in the same reply as the address: fetched over plain HTTP it is exposed to any on-path observer, and with it every key later derived from it in step S12, so HTTPS is the appropriate choice in practice.
Specifically, the second device receives the address of the data transfer server TS and the key seed sent by the second signaling server CS located under the second NAT node.
It should be noted that while the first device receives the address of the data transfer server TS and the key seed returned by the first signaling server IS, the second device simultaneously receives the address of the data transfer server TS and the key seed sent by the second signaling server CS. Delivering this information to both ends at the same time means the subsequent establishment of the data channel is also prompt.
In this embodiment, the key seed includes at least one of an AES (Advanced Encryption Standard) key seed, a DES (Data Encryption Standard) key seed and an RSA (the asymmetric algorithm of Ron Rivest, Adi Shamir and Leonard Adleman) key seed.
For example, only one kind of key seed may be used, i.e. an AES, DES or RSA key seed, which means only one of the AES, DES or RSA encryption methods is used.
Two or three kinds of key seed may also be used, i.e. a combination of two or three of AES, DES and RSA.
Each encryption method has its own strengths and its own weaknesses, so a combination lets the strengths cover the weaknesses. For example, combining DES with RSA makes the two complementary: DES is fast and suited to encrypting long messages, so it is used to encrypt the plaintext; RSA is slow but solves the key-distribution problem, so it is used to encrypt the DES key.
This RSA-plus-DES combination is the hybrid pattern used by the e-mail confidentiality standards: an asymmetric algorithm transports a symmetric session key, and the symmetric cipher encrypts the bulk data. A practitioner should note that single DES, with its 56-bit key, has been brute-forceable since 1998 and has been withdrawn by NIST; where the symmetric cipher is chosen today it should be AES, which this embodiment also lists.
Step S11: the first device further obtains the relay address of the second device and, carrying that relay address, requests the data transfer server to establish a data channel.
Before this step, both the first device and the second device request an allocation (resource allocation) from the data transfer server TS. The data transfer server TS of this embodiment may be a TURN server that supports RFC 6062 (TCP allocations), so the first device and the second device request the allocation in the manner defined by RFC 6062, i.e. an Allocate request whose requested transport is TCP.
Further, the first device and the second device may request the resource allocation from the data transfer server TS through the first signaling server IS and the second signaling server CS respectively.
Specifically, in this step the first device requests the relay address of the second device from the first signaling server IS. The first signaling server IS then requests the relay address of the second device from the data transfer server TS, the data transfer server TS requests it from the second device, and the second device reports its own relay address to the data transfer server TS. The data transfer server TS returns the relay address of the second device to the first signaling server IS, and the first signaling server IS returns it to the first device.
Further, the first device requests the data transfer server TS to establish the data channel (in RFC 6062 terms, a Connect request naming the relayed address of the second device); the second device then completes connection binding with the data transfer server TS, and the first device likewise completes connection binding with the data transfer server TS (each end opens a data connection and sends ConnectionBind with the CONNECTION-ID the server issued).
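The allocation, Connect and ConnectionBind exchange of step S11 can be made concrete with the RFC 6062 messages themselves. The following Python is an added example written for this page, not code from the patent or its applicant: it encodes and parses the STUN message format (RFC 5389 header and TLV attributes) together with the TURN and RFC 6062 methods and attributes, and lays out the message sequence between the first device (A), the second device (B) and the data transfer server (TS). It omits the long-term-credential authentication (USERNAME, REALM, NONCE, MESSAGE-INTEGRITY) that a real TURN server requires on every request; the relay addresses, transaction ids and CONNECTION-ID value are constructed for illustration.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
HEADER_LEN = 20

# STUN/TURN methods (RFC 5389, RFC 5766, RFC 6062) and message classes
ALLOCATE, CONNECT, CONNECTION_BIND, CONNECTION_ATTEMPT = 0x003, 0x00A, 0x00B, 0x00C
CLASS_REQUEST, CLASS_INDICATION, CLASS_SUCCESS, CLASS_ERROR = 0, 1, 2, 3
# Attribute types used below
XOR_PEER_ADDRESS, XOR_RELAYED_ADDRESS = 0x0012, 0x0016
REQUESTED_TRANSPORT, CONNECTION_ID = 0x0019, 0x002A
TRANSPORT_TCP = 6  # IANA protocol number carried in REQUESTED-TRANSPORT; RFC 6062 adds TCP to TURN


def message_type(method, msg_class):
    """Interleave the 12-bit method and the 2-bit class into the 14-bit type field (RFC 5389 s6)."""
    return ((method & 0x00F) | ((msg_class & 1) << 4) | (((method >> 4) & 0x7) << 5)
            | (((msg_class >> 1) & 1) << 8) | (((method >> 7) & 0x1F) << 9))


def split_message_type(msg_type):
    """Inverse of message_type(): (method, class) from the wire value."""
    method = (msg_type & 0x00F) | (((msg_type >> 5) & 0x7) << 4) | (((msg_type >> 9) & 0x1F) << 7)
    msg_class = ((msg_type >> 4) & 1) | (((msg_type >> 8) & 1) << 1)
    return method, msg_class


def encode_xor_address(ip, port):
    """IPv4 XOR-*-ADDRESS value: port and address XORed with the magic cookie (RFC 5389 s15.2)."""
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16),
                       int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE)


def decode_xor_address(value):
    _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def attribute(attr_type, value):
    """TLV attribute; the value is padded with zero bytes to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_message(method, msg_class, attrs, transaction_id=None):
    """20-byte STUN header (type, body length, magic cookie, 96-bit transaction id) plus attributes.
    A real TURN request also carries USERNAME/REALM/NONCE and MESSAGE-INTEGRITY; omitted here."""
    tid = os.urandom(12) if transaction_id is None else transaction_id
    body = b"".join(attribute(t, v) for t, v in attrs)
    return struct.pack("!HHI12s", message_type(method, msg_class), len(body), MAGIC_COOKIE, tid) + body


def parse_message(data):
    """Parse a STUN message into method, class, transaction id and raw attributes. Rejects a
    wrong magic cookie, a length field that disagrees with the data, and truncated attributes."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", data[:HEADER_LEN])
    if msg_type >> 14 or cookie != MAGIC_COOKIE or length != len(data) - HEADER_LEN:
        raise ValueError("not a STUN message")
    method, msg_class = split_message_type(msg_type)
    attrs, pos = [], HEADER_LEN
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + a_len]
        if len(value) != a_len:
            raise ValueError("truncated attribute value")
        attrs.append((a_type, value))
        pos += 4 + a_len + (-a_len) % 4
    return {"method": method, "class": msg_class, "tid": tid, "attrs": attrs}


def allocate_tcp_request(tid=None):
    """Allocate with REQUESTED-TRANSPORT = TCP: the allocation both devices request before S11."""
    return build_message(ALLOCATE, CLASS_REQUEST,
                         [(REQUESTED_TRANSPORT, bytes([TRANSPORT_TCP, 0, 0, 0]))], tid)


def connect_request(peer_ip, peer_port, tid=None):
    """Connect carrying the peer's relayed address in XOR-PEER-ADDRESS."""
    return build_message(CONNECT, CLASS_REQUEST,
                         [(XOR_PEER_ADDRESS, encode_xor_address(peer_ip, peer_port))], tid)


def connection_bind_request(connection_id, tid=None):
    """ConnectionBind, sent on a freshly opened data connection, carrying the server's CONNECTION-ID."""
    return build_message(CONNECTION_BIND, CLASS_REQUEST,
                         [(CONNECTION_ID, struct.pack("!I", connection_id))], tid)


def rfc6062_flow(a_relay_ip, a_relay_port, b_relay_ip, b_relay_port, connection_id):
    """The step S11 sequence as (direction, wire bytes): A is the first device, B the second device,
    TS the relay. TS answers A's Connect with a CONNECTION-ID and tells B of the attempt with the
    same id; each side then opens a data connection and binds it. Addresses and id are constructed."""
    cid = struct.pack("!I", connection_id)
    return [
        ("A->TS", allocate_tcp_request()),
        ("B->TS", allocate_tcp_request()),
        ("A->TS", connect_request(b_relay_ip, b_relay_port)),
        ("TS->A", build_message(CONNECT, CLASS_SUCCESS, [(CONNECTION_ID, cid)])),
        ("TS->B", build_message(CONNECTION_ATTEMPT, CLASS_INDICATION,
                                [(CONNECTION_ID, cid),
                                 (XOR_PEER_ADDRESS, encode_xor_address(a_relay_ip, a_relay_port))])),
        ("A->TS", connection_bind_request(connection_id)),
        ("B->TS", connection_bind_request(connection_id)),
    ]
```

The parser's three checks (top two type bits zero, magic cookie, length field equal to the bytes actually received) are the minimum a relay or client should apply before trusting any attribute; a length field larger than the data is the classic way to read past a buffer in a less careful decoder.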
Step S12: the first device establishes the data channel with the second device, generates the corresponding key from the key seed, and transmits data using the corresponding encryption method.
It should be understood that whichever kind of key seed was obtained in step S10 determines the encryption method used for data transmission in this step.
If an AES key seed was obtained in step S10, an AES key is generated in this step and data is transmitted with AES encryption.
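Step S10 and step S12, and the DES-plus-RSA discussion above, leave open how a seed shared through the signaling servers becomes the keys that actually protect records on the channel. The following Python is an added example, not code from the patent: it derives per-direction encryption and MAC keys from the seed with HKDF-SHA256 (RFC 5869), mixing one fresh nonce from each device so that a long-lived seed never produces the same keystream twice, and protects each record with encrypt-then-MAC under a sequence number. Because the standard library has no block cipher, the keystream is HMAC-SHA256 in counter mode standing in for AES-CTR (or DES); the RSA wrapping of the symmetric key discussed above is not shown. The seed, nonces and HTTP request are constructed values.

```python
import hashlib
import hmac
import struct


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(seed, nonce_a, nonce_b):
    """Both devices run this with the same seed and nonces and obtain the same four keys.
    Separate keys per direction and per purpose (encryption vs. MAC) keep a record sent
    A->B from being accepted as B->A, and the two nonces make every session's keys fresh."""
    material = hkdf_sha256(seed, nonce_a + nonce_b, b"CN108366078A data channel", 4 * 32)
    return {"a2b_enc": material[0:32], "a2b_mac": material[32:64],
            "b2a_enc": material[64:96], "b2a_mac": material[96:128]}


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode. This stands in for AES-CTR only because the standard
    library has no block cipher; a real implementation uses AES (or the page's DES)."""
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
    return out[:length]


def seal(enc_key, mac_key, seq, plaintext):
    """Encrypt-then-MAC record: 8-byte sequence number | ciphertext | 32-byte tag.
    The sequence number doubles as the per-record nonce and is covered by the tag, so a
    replayed, reordered or modified record fails verification at the receiver."""
    nonce = struct.pack("!Q", seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(enc_key, mac_key, expected_seq, record):
    """Return the plaintext, or None if the sequence number is not the expected one or the tag
    does not verify. The tag is checked (in constant time) before anything is decrypted."""
    if len(record) < 40:
        return None
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    if struct.unpack("!Q", nonce)[0] != expected_seq:
        return None
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def demo_exchange(seed, nonce_a, nonce_b, request):
    """The first device (A) sends one HTTP request over the channel and the second device (B)
    decrypts it. Returns (what B recovers, what B recovers from a copy with one bit flipped)."""
    keys_a = derive_session_keys(seed, nonce_a, nonce_b)  # computed on A from the seed it got from IS
    keys_b = derive_session_keys(seed, nonce_a, nonce_b)  # computed on B from the seed it got from CS
    record = seal(keys_a["a2b_enc"], keys_a["a2b_mac"], 0, request)
    good = open_record(keys_b["a2b_enc"], keys_b["a2b_mac"], 0, record)
    tampered = record[:12] + bytes([record[12] ^ 0x01]) + record[13:]
    bad = open_record(keys_b["a2b_enc"], keys_b["a2b_mac"], 0, tampered)
    return good, bad
```

Two points follow from the derivation. Whoever knows the seed (here the signaling servers IS and CS, and anyone who observed it in transit) can derive every session key, so the seed is only as secret as the path it took in step S10. And because the nonces enter the HKDF salt, the same seed yields unrelated keys for each session; a scheme that turned the seed straight into a key would reuse the keystream across sessions, which for any counter-mode or stream construction reveals the XOR of the plaintexts.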
Thus the present invention addresses reliable and private data transmission and, further, very fast establishment of the transmission channel. In this embodiment the first device may be a client software application and the second device may be, for example, a cloud disk that provides an HTTP service to the first device; the first device accesses the HTTP service of the second device through the data channel.
Alternatively, the first device may be a client software application and the second device a cloud disk that provides an HTTPS service to the first device; the first device then accesses the HTTPS service of the second device through the data channel.
请参阅图3,图3是发明实施例提供的一种处于不同NAT节点下的设备的穿透系统的结构示意图。如图3所示,本实施例的穿透系统10包括位于第一NAT节点下的第一设备11、位于第二NAT节点下的第二设备12以及数据中转服务器13。Please refer to FIG. 3 . FIG. 3 is a schematic structural diagram of a traversal system for devices under different NAT nodes provided by an embodiment of the invention. As shown in FIG. 3 , the traversal system 10 of this embodiment includes a first device 11 located under a first NAT node, a second device 12 located under a second NAT node, and a data transfer server 13 .
其中,第一设备11和第二设备12分别获取数据中转服务器13的地址和密钥种子。Wherein, the first device 11 and the second device 12 respectively obtain the address of the data transfer server 13 and the key seed.
具体的,穿透系统10还包括位于第一NAT节点下的第一信令服务器14。第一设备11向第一信令服务器14请求数据中转服务器13的地址,并进一步接收第一信令服务器14返回的数据中转服务器13的地址和密钥种子。具体的,第一设备11是通过HTTPS协议向第一信令服务器14获取数据中转服务器13地址。Specifically, the penetration system 10 further includes a first signaling server 14 located under the first NAT node. The first device 11 requests the address of the data transfer server 13 from the first signaling server 14, and further receives the address of the data transfer server 13 and the key seed returned by the first signaling server 14. Specifically, the first device 11 obtains the address of the data transfer server 13 from the first signaling server 14 through the HTTPS protocol.
可以理解的是,第一设备11还可通过HTTP协议向第一信令服务器14获取数据中转服务器13地址。It can be understood that the first device 11 may also obtain the address of the data transfer server 13 from the first signaling server 14 through the HTTP protocol.
HTTPS和HTTP的区别主要为以下四点:The difference between HTTPS and HTTP is mainly in the following four points:
一、https协议需要到ca申请证书,一般免费证书很少,需要交费。1. The https protocol needs to go to CA to apply for a certificate. Generally, there are few free certificates and a fee is required.
二、http是超文本传输协议,信息是明文传输,https则是具有安全性的ssl加密传输协议。2. http is a hypertext transfer protocol, information is transmitted in plain text, and https is a secure ssl encrypted transfer protocol.
三、http和https使用的是完全不同的连接方式,用的端口也不一样,前者是80,后者是443。3. http and https use completely different connection methods, and the ports used are also different. The former is 80, and the latter is 443.
四、http的连接很简单,是无状态的;HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议,比http协议安全。4. The http connection is very simple and stateless; the HTTPS protocol is a network protocol constructed by the SSL+HTTP protocol that can perform encrypted transmission and identity authentication, which is safer than the http protocol.
因此,可以根据需要进行选择协议。Therefore, the protocol can be selected as desired.
穿透系统10还包括位于第二NAT节点下的第二信令服务器15。第二设备12接收第二信令服务器15发送的数据中转服务器13的地址和密钥种子。The traversal system 10 also includes a second signaling server 15 located under the second NAT node. The second device 12 receives the address of the data transfer server 13 and the key seed sent by the second signaling server 15 .
值得注意的是,在第一设备11接收到第一信令服务器14返回的数据中转服务器13的地址和密钥种子的同时,第二设备12也接收位于第二信令服务器15发送的数据中转服务器13的地址和密钥种子。因此,可保证信息发送的及时性,使得后续数据通道的建立也能及时、快速。It should be noted that while the first device 11 receives the address and key seed of the data transfer server 13 returned by the first signaling server 14, the second device 12 also receives the data transfer server 13 sent by the second signaling server 15. The address of the server 13 and the key seed. Therefore, the timeliness of information transmission can be guaranteed, so that the establishment of subsequent data channels can also be timely and fast.
本实施例中,密钥种子包括AES(Advanced Encryption Standard,高级加密标准)密钥种子、DES(DES全称为Data Encryption Standard,即数据加密标准)密钥种子与RSA(Ron Rivest、Adi Shamir、Leonard Adleman提出的非对称加密算法)密钥种子的至少一种。In this embodiment, the key seeds include AES (Advanced Encryption Standard, Advanced Encryption Standard) key seeds, DES (DES full name is Data Encryption Standard, i.e. Data Encryption Standard) key seeds and RSA (Ron Rivest, Adi Shamir, Leonard At least one of the key seeds of the asymmetric encryption algorithm proposed by Adleman.
例如,可以仅采用AES密钥种子、DES密钥种子或RSA密钥种子的其中一种密钥种子。也就是说仅采用AES、DES或RSA的其中一种加密方式。For example, only one of AES key seed, DES key seed or RSA key seed may be used. That is to say, only one of the encryption methods of AES, DES or RSA is used.
还可以采用AES密钥种子、DES密钥种子或RSA密钥种子的其中两种或三种密钥种子。也就是说采用AES、DES或RSA的其中两种或三种组合的加密方式。Two or three of AES key seeds, DES key seeds or RSA key seeds may also be used. That is to say, the encryption method of two or three combinations of AES, DES or RSA is adopted.
由于每种加密方式都会有其特有的优点,也会有其不足之处,因此采用组合的加密方式可以更好的融合优点,避免缺点。例如,采用DES与RSA相结合的加密方式,使DES与RSA的优缺点正好互补,即DES加密速度快,适合加密较长的报文,可用其加密明文;RSA加密速度慢,安全性好,应用于DES密钥的加密,可解决DES密钥分配的问题。Since each encryption method has its own advantages and disadvantages, the combination of encryption methods can better integrate the advantages and avoid the disadvantages. For example, the combination of DES and RSA is used to make the advantages and disadvantages of DES and RSA complement each other. That is, DES has a fast encryption speed and is suitable for encrypting long messages, and can be used to encrypt plaintext; Encryption applied to DES keys can solve the problem of DES key distribution.
目前这种RSA和DES结合的方法已成为EMAIL保密通信标准。At present, the combination of RSA and DES has become the EMAIL security communication standard.
第一设备11和第二设备12均向数据中转服务器13请求allocation(资源分配)。本实施例的数据中转服务器13可为支持RFC6062协议的TURN服务器。因此,第一设备11和第二设备12具体是按照RFC6062协议的方式向数据中转服务器13请求allocation。Both the first device 11 and the second device 12 request allocation (resource allocation) from the data transfer server 13 . The data transfer server 13 in this embodiment may be a TURN server supporting the RFC6062 protocol. Therefore, the first device 11 and the second device 12 specifically request allocation from the data transfer server 13 in accordance with the RFC6062 protocol.
进一步的,第一设备和第二设备可分别通过第一信令服务器IS和第二信令服务器CS向数据中转服务器TS请求资源分配。Further, the first device and the second device may request resource allocation to the data transfer server TS through the first signaling server IS and the second signaling server CS respectively.
第一设备11进一步获取第二设备12的中继地址,并携中继地址向数据中转服务器13请求建立数据通道。具体过程如前文所述,在此不再赘述。The first device 11 further obtains the relay address of the second device 12, and requests the data transfer server 13 to establish a data channel with the relay address. The specific process is as described above, and will not be repeated here.
第一设备11与第二设备12建立数据通道,并且按照秘钥种子生成对应的秘钥,使用对应的加密方式传输数据。The first device 11 establishes a data channel with the second device 12, generates a corresponding key according to the key seed, and transmits data using a corresponding encryption method.
应理解,前文获取的是哪种密钥种子,即使用哪种加密方式进行数据传输。It should be understood that what kind of key seed is obtained above, that is, which encryption method is used for data transmission.
若前文获取的是AES密钥种子,则生成AES密钥,并使用AES加密方式传输数据。If the AES key seed is obtained above, generate an AES key and use AES encryption to transmit data.
因此,本发明能够解决数据可靠传输、数据私密传输的问题,并进一步极速建立传输通道。本实施例中,第一设备11可为客户端的软件应用,第二设备12可为可向第一设备提供HTTP服务的云盘等。其中,第一设备通过数据通道访问第二设备的HTTP服务。Therefore, the present invention can solve the problems of reliable data transmission and data private transmission, and further establish a transmission channel extremely quickly. In this embodiment, the first device 11 may be a software application of the client, and the second device 12 may be a cloud disk that can provide HTTP services to the first device. Wherein, the first device accesses the HTTP service of the second device through the data channel.
其中,第一设备11和第二设备12都集成了Remote(远程)模块。其通过Remote模块与数据中转服务器13进行通信。具体如3所示,第一设备11包括Http客户端111和Remote模块112,第二设备12包括Http服务器121、NGINX服务器122以及Remote模块123。Wherein, both the first device 11 and the second device 12 are integrated with a Remote (remote) module. It communicates with the data transfer server 13 through the Remote module. Specifically as shown in 3 , the first device 11 includes an Http client 111 and a Remote module 112 , and the second device 12 includes an Http server 121 , an NGINX server 122 and a Remote module 123 .
当第一设备11与第二设备12分别处于不通NAT节点背后时,第一设备11将通过Remote模块112实现快速安全访问第二设备12。Remote模块完成数据可靠传输、加密传输、快速建立传输通道等工作,其报文格式如图4所示。When the first device 11 and the second device 12 are respectively behind the NAT nodes, the first device 11 will realize fast and secure access to the second device 12 through the Remote module 112 . The Remote module completes reliable data transmission, encrypted transmission, and rapid establishment of transmission channels. Its message format is shown in Figure 4.
The above is only an embodiment of the present invention and does not limit its patent scope. Any equivalent structure or equivalent process transformation made using the description and drawings of the present invention, or applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Claims (10)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810372057.2A CN108366078A (en) | 2018-04-24 | 2018-04-24 | The penetrating method and penetrating system of equipment under different NAT nodes |
PCT/CN2019/084447 WO2019206254A1 (en) | 2018-04-24 | 2019-04-26 | Penetration method, device, server and medium for devices under different nat nodes |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810372057.2A CN108366078A (en) | 2018-04-24 | 2018-04-24 | The penetrating method and penetrating system of equipment under different NAT nodes |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108366078A true CN108366078A (en) | 2018-08-03 |
Family
ID=63009347
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810372057.2A Pending CN108366078A (en) | 2018-04-24 | 2018-04-24 | The penetrating method and penetrating system of equipment under different NAT nodes |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108366078A (en) |
WO (1) | WO2019206254A1 (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1606304A (en) * | 2003-10-10 | 2005-04-13 | 华为技术有限公司 | Method for traversing NAT equipment/firewall by NGN service |
CN103067158A (en) * | 2012-12-27 | 2013-04-24 | 华为技术有限公司 | Encryption and decryption method, terminal device, gateway device and key management system |
CN103957287A (en) * | 2014-04-25 | 2014-07-30 | 浙江大学城市学院 | Internet of things device P2P connection method based on NAT penetration adapter |
US20140365770A1 (en) * | 2010-04-07 | 2014-12-11 | Apple Inc. | Apparatus and method for efficiently and securely exchanging connection data |
CN107517206A (en) * | 2017-08-18 | 2017-12-26 | 北京北信源软件股份有限公司 | A kind of method, apparatus of secure communication, computer-readable recording medium and storage control |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8224985B2 (en) * | 2005-10-04 | 2012-07-17 | Sony Computer Entertainment Inc. | Peer-to-peer communication traversing symmetric network address translators |
US7903671B2 (en) * | 2005-08-04 | 2011-03-08 | Cisco Technology, Inc. | Service for NAT traversal using IPSEC |
CN101567831B (en) * | 2008-04-21 | 2011-11-16 | 成都市华为赛门铁克科技有限公司 | Method and device for transmitting and receiving messages among local area networks and communication system |
WO2010127610A1 (en) * | 2009-05-04 | 2010-11-11 | 成都市华为赛门铁克科技有限公司 | Method, equipment and system for processing visual private network node information |
CN103916485A (en) * | 2012-12-31 | 2014-07-09 | 北京新媒传信科技有限公司 | Nat traversal method and server |
CN108366078A (en) * | 2018-04-24 | 2018-08-03 | 深圳市网心科技有限公司 | The penetrating method and penetrating system of equipment under different NAT nodes |
- 2018-04-24 CN CN201810372057.2A patent/CN108366078A/en active Pending
- 2019-04-26 WO PCT/CN2019/084447 patent/WO2019206254A1/en active Application Filing
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019206254A1 (en) * | 2018-04-24 | 2019-10-31 | 深圳市网心科技有限公司 | Penetration method, device, server and medium for devices under different nat nodes |
CN111065097A (en) * | 2019-10-11 | 2020-04-24 | 上海交通大学 | Method and system for channel protection based on shared key in mobile internet |
CN111065097B (en) * | 2019-10-11 | 2021-08-10 | 上海交通大学 | Channel protection method and system based on shared secret key in mobile internet |
CN111666583A (en) * | 2020-04-16 | 2020-09-15 | 福建省万物智联科技有限公司 | Drainage business mode of campus private cloud disk |
CN111666583B (en) * | 2020-04-16 | 2022-07-26 | 福建省万物智联科技有限公司 | Drainage method for campus private cloud disk |
Also Published As
Publication number | Publication date |
---|---|
WO2019206254A1 (en) | 2019-10-31 |
Similar Documents
Publication | Title |
---|---|
US11848961B2 (en) | HTTPS request enrichment |
US20250254156A1 (en) | System and Method for Using a Proxy to Communicate Between Secure and Unsecure Devices |
US8549614B2 (en) | Establishing internet protocol security sessions using the extensible messaging and presence protocol |
US8214635B2 (en) | Transparent proxy of encrypted sessions |
US9369491B2 (en) | Inspection of data channels and recording of media streams |
US7890759B2 (en) | Connection assistance apparatus and gateway apparatus |
JP6359184B2 (en) | Communication apparatus and method for traversing application layer gateway firewall when establishing RTC communication connection between RTC client and RTC server |
US9380030B2 (en) | Firewall traversal for web real-time communications |
CN104168173B (en) | The method, apparatus and network system of terminal crosses private network and server communication in IMS core net |
CN101911645B (en) | Method and endpoint for authenticating key information between endpoints of a communication relationship |
TW201002018A (en) | Method for predicting port number of NAT apparatus based on two STUN server inquiry results |
CN105429962B (en) | A kind of general go-between service construction method and system towards encryption data |
CN114553414B (en) | Intranet penetration method and system based on HTTPS service |
CN108366078A (en) | The penetrating method and penetrating system of equipment under different NAT nodes |
CN101471767A (en) | Method, equipment and system for distributing cipher key |
CN101098336B (en) | IMS terminal configuration server and IMS localization entry point detection method |
CN111131182A (en) | VoIP communication network penetration device and method |
CN109995723B (en) | Method, device and system for DNS information interaction of domain name resolution system |
JP2013513268A5 (en) | |
WO2025156510A1 (en) | Intranet access method and system |
CN113055398A (en) | SIP architecture-based multi-level cross-domain equipment certificate management system |
Khandkar et al. | Extended TLS: Masking Server Host Identity on the Internet Using Encrypted TLS Handshake |
WO2014180415A1 (en) | Media stream packet nat traversal method, mdu and iptv system |
Yang et al. | Design of mVoIP service based authentication system |
Yang et al. | mVoIP for P2P service based authentication system using AA authentication server |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2018-08-03