CN112615866B - Pre-authentication method, device and system for TCP connection - Google Patents
- Publication number: CN112615866B (application CN202011523848.4A)
- Authority: CN (China)
- Prior art keywords: tcp, authentication, syn message, tcp syn, message
- Legal status: Active (as listed by Google Patents, which has not performed a legal analysis; not a legal conclusion)
Classifications (CPC)
- H04L63/12: Network security; applying verification of the received information
- H04L63/0435: Confidential data exchange through packet networks with the payload encrypted or encapsulated, the sending and receiving entities applying symmetric encryption (the same key for encryption and decryption)
- H04L63/0442: As above, the sending and receiving entities applying asymmetric encryption (different keys for encryption and decryption)
- H04L67/141: Session management; setup of application sessions
- H04L69/06: Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
- H04L69/161: Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields
Abstract
The application relates to a pre-authentication method, device and system for TCP connections. The method comprises: capturing a TCP SYN packet before the TCP protocol stack delivers it to the service port, where the SYN packet carries a TCP option sent by the client to the service port; checking and matching the captured SYN packet to verify whether it passes authentication; and, if authentication passes, handing the SYN packet back to the TCP protocol stack so that the remaining connection establishment completes. By pre-authenticating the packet and discarding any packet that does not match the rules, the invention addresses the problems of establishing a TCP connection by authenticating packets with Single Packet Authorization (SPA): high security risk, costly operations and maintenance changes, and knock packets that cannot traverse intermediate devices.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for pre-authentication of a TCP connection.
Background
In a traditional enterprise network security architecture, access control for the external network is implemented by deploying a security gateway or a software firewall in addition to a physical firewall. Under this deployment, services can be offered externally by opening a specified port on the firewall, but doing so exposes the service to attack; conversely, if every public-network port of the service end is closed, security is assured but no service can be provided. To balance usability and security, a scheme is needed that lets trusted terminals securely access internal applications while all ports stay closed by default.
The industry commonly employs Single Packet Authorization (SPA) for this: the service port is closed by default, so the service end's network is hidden and can be neither connected to nor scanned. When a service is needed, a dedicated client sends an authentication packet to the server; after the server authenticates the packet, it opens the relevant service for that client so that a TCP connection can be established. This approach has at least the following drawbacks:
1. The authorization information is carried in a TCP or UDP packet, so the server still has to open a transport-layer port to receive the single-packet authorization message, which increases the security risk. When internal resources of an organization are accessed from outside, port rules must additionally be added to the firewall at the organization's boundary egress, which increases the difficulty of operations and maintenance changes.
2. When a load balancer (LB) is deployed in front of the application service, or after WAF-type security equipment is deployed, the knock packet cannot traverse that equipment, so the service port cannot be opened in single-packet fashion.
At present, no effective solution has been proposed in the related art for the problems of high security risk, difficult operations and maintenance changes, and knock packets that cannot traverse intermediate devices in the method of establishing a TCP connection by authenticating packets with Single Packet Authorization (SPA).
Disclosure of Invention
The embodiments of the application provide a pre-authentication method, device and system for TCP connections, aiming at least to solve the problems of the method that authenticates packets with Single Packet Authorization (SPA) to establish a TCP connection: high security risk, difficult operations and maintenance changes, and knock packets that cannot traverse intermediate devices.
In a first aspect, an embodiment of the present application provides a method for pre-authenticating a TCP connection, the method comprising: capturing the TCP SYN packet before the TCP protocol stack delivers it to the service port, the TCP SYN packet carrying a TCP option sent by the client to the service port; check-matching the captured TCP SYN packet and verifying whether it passes authentication; and, if authentication is judged to have passed, handing the TCP SYN packet back to the TCP protocol stack so that the remaining connection establishment completes.
In some embodiments, check-matching the captured TCP SYN packet and verifying whether it passes authentication comprises: decryption: identifying the captured TCP SYN packet and, if the identification result is legal, decrypting it and extracting the authentication information; authentication: checking each dimension of the authentication information; control: releasing or blocking service access for the terminal device, the terminal device being the endpoint that is currently initiating the TCP connection.
In some embodiments, the TCP SYN packet carries a TCP option sent by the client to the service port, and the decryption process comprises: checking whether the TCP option carries the fast-identification marker and, if so, splitting the option into a ciphertext and an HMAC according to a preset rule; recomputing the HMAC over the ciphertext with the key held by the server and checking that it matches the carried HMAC (an HMAC is a keyed message authentication code, not a digital signature); if it matches, decrypting the ciphertext with the key to obtain the authentication information and the carried digest; computing a digest over the authentication information and comparing it with the carried digest; and, if the two are the same, extracting the authentication information.
In some embodiments, the authentication information includes one or more of a random number, a hardware feature code, a user ID and server port information, and the authentication process includes one or more of the following steps: comparing the extracted random number with the mapping stored by the server to determine whether it collides with an already-seen value; if not, performing user access authentication on the device feature code (hardware feature code) and the user ID; and, if that authentication passes, matching the carried server port information against the destination port of the TCP SYN packet to obtain a matching result.
In some embodiments, releasing or blocking service access for the terminal device specifically comprises: if any rule fails to match during the decryption and authentication processes, the TCP SYN packet is discarded directly without any response; otherwise the TCP SYN packet is handed back to the TCP protocol stack.
In some of these embodiments, the method further comprises: obtaining the client's authentication information; hashing the authentication information to obtain a digest, and encrypting the authentication information together with the digest to obtain a ciphertext; and appending an HMAC to the ciphertext, encapsulating the ciphertext and the HMAC as a TCP option in a TCP SYN packet, and sending the TCP SYN packet to the server.
In a second aspect, an embodiment of the present application provides a system for pre-authentication of a TCP connection, comprising an encryption apparatus for obtaining the client's authentication information, hashing it to obtain a digest, encrypting the authentication information and the digest to obtain a ciphertext, appending an HMAC to the ciphertext, encapsulating the ciphertext and the HMAC as a TCP option in a TCP SYN packet and sending the TCP SYN packet to the server; and an authentication apparatus that captures the TCP SYN packet and comprises a decryption module for identifying the captured TCP SYN packet and, if the identification result is legal, decrypting it and extracting the authentication information; an authentication module for checking each dimension of the authentication information; and a control module for releasing or blocking the terminal device's service access.
In a third aspect, an embodiment of the present application provides a device for pre-authentication of a TCP connection, comprising an obtaining module configured to capture a TCP SYN packet before the TCP protocol stack delivers it to the service port; a pre-authentication module configured to check-match the captured TCP SYN packet and verify whether it passes authentication; and a processing module configured to hand the TCP SYN packet back to the TCP protocol stack, so that the remaining connection establishment completes, once authentication is judged to have passed.
In a fourth aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor, when executing the computer program, implements the method for pre-authentication of a TCP connection according to the first aspect.
In a fifth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the method for pre-authentication of a TCP connection according to the first aspect.
Compared with the single-packet authorization method of the related art, the pre-authentication method, device and system for TCP connections provided by the embodiments of the application encapsulate the access authorization information in the option field of the TCP SYN packet, unlock the option information at the server, and decide whether to allow the client's access according to that authorization information. In this way no additional service port is needed, the service end's existing security policy rules need not be changed, the attack surface is reduced, and SYN Flood and port-scanning attacks can be avoided.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow diagram of pre-authentication information encryption according to an embodiment of the present application;
FIG. 2 is a schematic diagram of TCP option encapsulation according to an embodiment of the present application;
FIG. 3 is a block diagram of the module framework for pre-authentication by the server according to an embodiment of the present application;
FIG. 4 is a flow diagram of the pre-authentication processing of a packet according to an embodiment of the application;
FIG. 5 is a flow diagram of a method for pre-authentication of a TCP connection according to an embodiment of the application;
FIG. 6 is a diagram of the hardware structure of an electronic device according to an embodiment of the application;
FIG. 7 is a block diagram of an apparatus for pre-authentication of a TCP connection according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims that follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
FIG. 5 is a flowchart of a method for pre-authentication of a TCP connection according to an embodiment of the present application. As shown in FIG. 5, the flow comprises the following steps:
Step 101: capturing the TCP SYN packet before the TCP protocol stack delivers it to the service port, the TCP SYN packet carrying a TCP option sent by the client to the service port.
Step 102: check-matching the captured TCP SYN packet and verifying whether it passes authentication.
Step 103: if authentication is judged to have passed, handing the TCP SYN packet back to the TCP protocol stack so that the remaining connection establishment completes.
Before step 101, the following steps are also performed:
obtaining the client's authentication information; hashing the authentication information to obtain a digest, and encrypting the authentication information together with the digest to obtain a ciphertext; and appending an HMAC to the ciphertext, encapsulating the ciphertext and the HMAC as a TCP option in a TCP SYN packet, and sending the TCP SYN packet to the server.
Specifically, before a client initiates an access request to a service, it collects and constructs the various authentication-related information on the client side, encrypts that information with a key, encapsulates the encrypted message in a TCP option, and sends it to the server along with the first SYN packet of the connection.
The keys used for encryption and decryption are provided by a unified management and distribution mechanism. In some embodiments the encryption key and the decryption key are valid for a preset time, and they are symmetric keys.
For example, the client may include a timestamp in the information sent to the service port, and whether the current key has expired is determined from that timestamp: with the preset time set to 30 s, if the encryption or decryption key is found to be more than 30 s old, an error notification is sent. In other embodiments the preset time may be set to other values, such as 60 s or 120 s, according to actual needs.
In this embodiment the encryption and decryption keys may be symmetric, which uses less computation and runs faster than asymmetric encryption. In other embodiments a PKI may be used instead, encrypting the authentication information with an asymmetric key.
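The 30 s validity window above leaves open how client and server agree on which key is current without exchanging it. The following Go program is an added example, not code from the patent: it derives a per-window key from a long-lived master secret that is assumed to come from the unified key distribution mechanism the text mentions, lets the server accept the current window's key and the previous one so that a SYN built just before a rollover, or by a client whose clock is slightly behind, is not rejected, and treats anything older, or a timestamp from the future, as the expired-key error the text describes. The derivation label, the HMAC-SHA256 derivation and the one-window grace period are design choices of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// KeyWindow is the preset validity period of a pre-authentication key; the patent's
// example is 30 s. The master secret is assumed to come from the "unified management
// and distribution mechanism" the text mentions, so per-window keys are never transmitted.
const KeyWindow = 30 * time.Second

// epochOf maps a point in time to the index of the key window containing it.
func epochOf(t time.Time) int64 {
	return t.Unix() / int64(KeyWindow/time.Second)
}

// keyForEpoch derives one window's 16-byte key from the master secret, using
// HMAC-SHA256 as the PRF (a stand-in for a full KDF such as HKDF).
func keyForEpoch(master []byte, epoch int64) []byte {
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], uint64(epoch))
	m := hmac.New(sha256.New, master)
	m.Write([]byte("tcp-preauth-key/"))
	m.Write(e[:])
	return m.Sum(nil)[:16]
}

// KeyForTime is what the client uses when it builds the SYN option at time t.
func KeyForTime(master []byte, t time.Time) []byte {
	return keyForEpoch(master, epochOf(t))
}

// AcceptableKeys is what the server tries, in order: the current window's key and the
// previous one, so a SYN built just before a rollover, or by a client whose clock is a
// little behind, is not rejected. Anything older counts as an expired key.
func AcceptableKeys(master []byte, now time.Time) [][]byte {
	cur := epochOf(now)
	return [][]byte{keyForEpoch(master, cur), keyForEpoch(master, cur-1)}
}

// Expired reports whether a key minted at sent is outside the window accepted at now;
// a timestamp from the future is rejected too.
func Expired(sent, now time.Time) bool {
	d := epochOf(now) - epochOf(sent)
	return d < 0 || d > 1
}

func main() {
	master := []byte("master secret issued by the key distribution service") // constructed
	t0 := time.Unix(1700000010, 0) // start of a window: 1700000010 is a multiple of 30
	k := KeyForTime(master, t0)
	for _, dt := range []time.Duration{0, 29 * time.Second, 59 * time.Second, 60 * time.Second} {
		now, ok := t0.Add(dt), false
		for _, cand := range AcceptableKeys(master, now) {
			ok = ok || hmac.Equal(cand, k)
		}
		fmt.Printf("+%2.0fs: key accepted=%v expired=%v\n", dt.Seconds(), ok, Expired(t0, now))
	}
}
```

The server tries at most two keys per SYN, which keeps the extra cost of the grace period to one additional HMAC check on packets that fail with the current key; the client never has to be told about a rollover because both sides compute the same window index from the clock.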
For step 101, the flow before pre-authentication is as follows. The client collects and constructs its various authentication-related information, which includes one or more of a random number, a hardware feature code, a user ID and server port information. Referring to FIG. 1, the authentication information in this embodiment preferably includes all four: a random number, a hardware feature code, a user ID and server port information. A digest is computed over the authentication information and appended to it to form the plaintext to be encrypted; the plaintext is encrypted; an HMAC is appended to the ciphertext; and the ciphertext and HMAC are encapsulated as a TCP option in a TCP SYN packet, which is sent to the server. The payload fields are: a message identification code, used to distinguish a well-formed pre-authentication message; the random number, used to resist replay attacks; the hardware feature code and user ID, used to look up and match against a preconfigured database; the service port number, used to verify the target port; and the digest, which is a hash of the preceding four fields and protects data integrity. The HMAC is used to detect whether the ciphertext has been tampered with.
In step 102, check-matching the captured TCP SYN packet and verifying whether it passes authentication comprises three stages. Decryption: identifying the captured TCP SYN packet and, if the identification result is legal, decrypting it and extracting the authentication information. Authentication: checking each dimension of the authentication information. Control: releasing or blocking service access for the terminal device, the terminal device being the endpoint that is currently initiating the TCP connection.
In the present embodiment, the decryption, authentication and control processes are as follows.
Decryption process:
(1) First, check whether the TCP option field carries the fast-identification marker; if not, discard the packet directly, otherwise go on to the next step. Fast identification is a quick validity check: it recognises a legitimate connection-establishment packet (SYN) directly, without decryption. Since decryption consumes server resources, screening SYNs in this first step without decrypting anything mitigates flood attacks to some extent.
(2) Split the option into ciphertext and HMAC according to the rule, then recompute the HMAC over the ciphertext with the key held by the server and check that it matches the carried one. If it does not match, the packet may have been tampered with and is discarded; if it matches, go on to the next step.
(3) Decrypt the ciphertext, run the digest algorithm over the recovered information and compare the computed digest with the carried one. If they differ, the inner information may have been tampered with and the packet is discarded; if they match, go on to the next step. Fast identification is only a simple first check; whether the SYN is really legitimate can only be confirmed after this further decryption, so this step decrypts the ciphertext first and then verifies the legitimacy of the SYN.
(4) Extract the random number, hardware feature code, user ID and server port information according to the corresponding rules.
Once the plaintext has been parsed in the decryption process and the detailed information about the client device obtained, the service authentication process begins.
Authentication process (see FIG. 4):
(1) if the random number of the received packet collides with the mapping stored by the server, the packet is a replay attack and is discarded;
(2) user access-control authentication is performed on the device feature code and user ID of the received packet; if the lookup fails, the packet is discarded;
(3) the carried service port is matched against the destination port of the TCP SYN packet; if they do not match, the packet is discarded.
When all parameter information has passed authentication, the control flow is entered.
The control flow comprises:
(1) if the TCP SYN packet has passed pre-authentication, it is handed back to the TCP protocol stack for processing and the remaining TCP connection establishment completes;
(2) otherwise the TCP SYN packet is discarded, and the relevant logs and statistics are recorded.
For step 102, the invention first pre-authenticates the TCP SYN packet once before it is received by the service port, which mitigates SYN Flood attacks. Specifically, during TCP connection establishment, as soon as the server receives a SYN sent by a client it must allocate a TCB (transmission control block) for the request; if a large number of SYNs are sent maliciously to a server port, the server opens many half-open connections and allocates a TCB for each, consuming large amounts of server resources until legitimate connection requests can no longer be answered, while the attacker's own resource cost is negligible. Against SYN Flood attacks, the scheme intercepts and quickly verifies the SYN before the server's stack receives it and allocates a TCB: packets that fail verification are discarded directly, and only packets that pass pre-authentication are forwarded to the server, which then opens the connection normally.
In step 103, service access by the terminal device is released or blocked through the control flow. Specifically: if any rule fails to match during the decryption and authentication processes, the TCP SYN packet is discarded directly without any response; otherwise it is handed back to the TCP protocol stack.
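As an added example covering both the client-side construction described under step 101 and the decryption, authentication and control stages of steps 102 and 103, the following Go program is not code from the patent. It assumes field widths the patent does not give, an RFC 6994 experimental option kind (253) with a made-up ExID as the fast-identification marker, AES for the unspecified symmetric cipher (a single block, randomised by the nonce inside it), separate AES and HMAC keys, and a truncated SHA-256 digest and HMAC-SHA256 tag. The truncation is forced by TCP itself: the header's 4-bit data offset caps all options at 40 bytes, and a SYN that already carries MSS, window scale, SACK-permitted and timestamps has only about 20 bytes left, so a 28-byte envelope means the client must drop the timestamps option. Because the outer HMAC already covers the ciphertext, the inner digest is redundant and is kept only to follow the patent's layout; an AEAD such as AES-GCM would replace both. On Linux the capture point before the stack would be a netfilter pre-routing hook or an XDP program (an assumption; the patent names none).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Field widths are assumed for this example (the patent names the fields, not their sizes). TCP
// options are capped at 40 bytes, so digest and HMAC are truncated; an 8-byte tag is below the
// RFC 2104 advice of at least 80 bits, so the server must rate-limit SYNs per source.
const (
	optKind  = 253                   // RFC 6994 experimental kind, followed by a 16-bit ExID
	optExID  = 0x5041                // ExID assumed for this example, not from the patent
	blockLen = 16                    // nonce(4) | hwid(4) | uid(2) | port(2) | digest(4)
	tagLen   = 8                     // truncated HMAC-SHA256 over ExID || ciphertext
	optLen   = 4 + blockLen + tagLen // kind, len, ExID, ciphertext, tag = 28 bytes
)

func tag(mac, ct []byte) []byte {
	m := hmac.New(sha256.New, mac)
	m.Write([]byte{optExID >> 8, optExID & 0xff})
	m.Write(ct)
	return m.Sum(nil)[:tagLen]
}

// BuildOption is the client side of FIG. 1: digest -> encrypt -> HMAC -> TCP option TLV.
func BuildOption(enc cipher.Block, mac []byte, nonce, hwid uint32, uid, port uint16) []byte {
	pt := make([]byte, blockLen)
	binary.BigEndian.PutUint32(pt[0:], nonce)
	binary.BigEndian.PutUint32(pt[4:], hwid)
	binary.BigEndian.PutUint16(pt[8:], uid)
	binary.BigEndian.PutUint16(pt[10:], port)
	d := sha256.Sum256(pt[:12]) // inner digest over the four fields
	copy(pt[12:], d[:4])
	opt := append([]byte{optKind, optLen, optExID >> 8, optExID & 0xff}, make([]byte, blockLen+tagLen)...)
	enc.Encrypt(opt[4:], pt) // one AES block; the fresh nonce inside makes each ciphertext distinct
	copy(opt[4+blockLen:], tag(mac, opt[4:4+blockLen]))
	return opt
}

type Server struct {
	Enc     cipher.Block    // shared AES key
	Mac     []byte          // shared HMAC key, kept separate from the AES key
	Seen    map[uint32]bool // replay cache of accepted nonces
	Allowed map[string]bool // whitelist keyed by the raw hwid||uid bytes
}

// PreAuth runs decrypt / authenticate / control on a SYN's destination port and option bytes
// before the stack allocates a TCB: nil hands the SYN back, any error drops it silently (no RST).
func (s *Server) PreAuth(dstPort uint16, options []byte) error {
	var opt []byte
	for o := options; len(o) > 0 && o[0] != 0; { // kind 0 ends the list, kind 1 is a NOP
		n := 1
		if o[0] != 1 {
			if len(o) < 2 || int(o[1]) < 2 || int(o[1]) > len(o) {
				return errors.New("malformed option")
			}
			n = int(o[1])
		}
		if n == optLen && o[0] == optKind && binary.BigEndian.Uint16(o[2:]) == optExID {
			opt = o[:optLen] // fast identification: the marker is present
		}
		o = o[n:]
	}
	if opt == nil {
		return errors.New("no pre-auth option") // dropped with no decryption work at all
	}
	ct, tg := opt[4:4+blockLen], opt[4+blockLen:]
	if !hmac.Equal(tg, tag(s.Mac, ct)) { // constant-time compare, before any decryption
		return errors.New("HMAC mismatch")
	}
	pt := make([]byte, blockLen)
	s.Enc.Decrypt(pt, ct)
	if d := sha256.Sum256(pt[:12]); !hmac.Equal(pt[12:], d[:4]) {
		return errors.New("digest mismatch")
	}
	switch nonce := binary.BigEndian.Uint32(pt[0:]); {
	case s.Seen[nonce]:
		return errors.New("replayed nonce")
	case !s.Allowed[string(pt[4:10])]:
		return errors.New("unknown device/user")
	case binary.BigEndian.Uint16(pt[10:]) != dstPort:
		return errors.New("port mismatch")
	default:
		s.Seen[nonce] = true // remember the nonce only once every check has passed
		return nil
	}
}

func main() {
	k := make([]byte, 52) // constructed: AES key (16) | HMAC key (32) | nonce (4); demo ignores errors
	rand.Read(k)
	enc, _ := aes.NewCipher(k[:16])
	srv := &Server{Enc: enc, Mac: k[16:48], Seen: map[uint32]bool{}, Allowed: map[string]bool{"\xde\xad\xbe\xef\x00\x07": true}}
	syn := append([]byte{2, 4, 0x05, 0xb4}, BuildOption(enc, srv.Mac, binary.BigEndian.Uint32(k[48:]), 0xdeadbeef, 7, 443)...)
	fmt.Println("first:", srv.PreAuth(443, syn), "| replay:", srv.PreAuth(443, syn), "| plain:", srv.PreAuth(443, syn[:4]))
}
```

The sample SYN carries MSS 1460 plus the 28-byte envelope, 32 of the 40 available option bytes; the same SYN presented twice fails on the replayed nonce, and a SYN with only the MSS option is dropped before any cryptography runs. Note the order of the checks: the HMAC is verified before decryption so that a tampered packet costs one HMAC computation and nothing else, the nonce is recorded only after every check has passed so that failed attempts cannot burn nonces, and every failure is a silent drop rather than a RST, which is what keeps the port indistinguishable from a filtered one to a scanner.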
Through steps 101-103 the invention provides a pre-authentication method for TCP connections that solves the problems of high security risk, difficult operations and maintenance changes and non-traversable knock packets found in conventional packet-authentication schemes. Specifically, port knocking differs from authenticating a legitimate connection through a TCP option in that an additional authentication packet has to be sent before the connection; this process is likewise called pre-authentication, and the special packet sent for it is called a port-knock packet, which may carry the authentication information in UDP or ICMP packets. In the prior art an extra policy must be added to the boundary firewall so that this extra knock packet can actually reach the server through the enterprise boundary firewall. The present method carries the authentication information in the native TCP packet, so no extra knock packet and no extra policy configuration on the enterprise boundary firewall are needed, which solves the prior-art problem of knock packets that cannot get through. In addition, the technique is built on closing the service port by default and making the service port's network invisible, so that the network can be neither connected to nor scanned while devices still access the service. It therefore offers replay protection, fine-grained control of the port access policy, identification of whether the terminal device is trusted, and removal of the risk exposures caused by exposed ports.
The invention also achieves effects that prior art such as the single-packet authorization method cannot. Specifically, because the pre-authentication information is added in the TCP option field, the server is guaranteed to perform one check before accepting the TCP connection, which effectively reduces the network attack surface and avoids SYN Flood attacks; and because a pre-authentication flow is added before the connection, the state of a specific port cannot be ascertained with tools such as port scanners, which avoids port-scanning attacks. Moreover, the authentication information that identifies the client and the digest that detects tampering with it are encapsulated in the TCP option, so when the server unlocks the TCP option no additional service port is needed and the server's existing security policy is left unchanged.
Based on the same technical concept, the present invention further provides a system for pre-authentication of a TCP connection, which is used at least to carry out the method of steps 101-103 and specifically comprises:
an encryption apparatus for obtaining the client's authentication information, hashing it to obtain a digest, encrypting the authentication information and the digest to obtain a ciphertext, appending an HMAC to the ciphertext, encapsulating the ciphertext and the HMAC as a TCP option in a TCP SYN packet and sending the TCP SYN packet to the server;
an authentication apparatus for capturing the TCP SYN packet, comprising a decryption module for identifying the captured TCP SYN packet and, if the identification result is legal, decrypting it and extracting the authentication information; an authentication module for checking each dimension of the authentication information; and a control module for releasing or blocking the terminal device's service access.
Based on the same technical concept, fig. 7 exemplarily shows an apparatus for pre-authentication of a TCP connection according to an embodiment of the present invention, including:
an obtaining module 201, configured to capture a TCP SYN packet before the TCP SYN packet is sent to a service port through a TCP protocol stack;
the pre-authentication module 202 is configured to perform check matching on the captured TCP SYN packet, and verify whether the TCP SYN packet passes authentication;
and the processing module 203 is configured to send the TCP SYN message back to the TCP protocol stack to complete a subsequent link establishment procedure after the authentication is determined to be passed.
It should be noted that the above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory 304 and a processor 302, wherein the memory 304 stores a computer program, and the processor 302 is configured to execute the computer program to perform the steps of any of the above method embodiments.
Specifically, the processor 302 may include a Central Processing Unit (CPU) or an Application-Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
The processor 302 implements the pre-authentication method of any TCP connection in the above embodiments by reading and executing computer program instructions stored in the memory 304.
Optionally, the electronic apparatus may further include a transmission device 306, wherein the transmission device 306 is connected to the processor 302.
The transmission device 306 may be used to receive or transmit data via a network. Specific examples of the network described above may include wired or wireless networks provided by the communication providers of the electronic devices. In one example, the transmission device includes a network interface card (NIC) that can be connected to other network devices through a base station to communicate with the internet. In another example, the transmission device 306 can be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
Alternatively, in this embodiment, the processor 302 may be configured to execute the following steps by a computer program:
S101, capturing the TCP SYN message before the TCP SYN message is sent to a service port through a TCP protocol stack.
S102, checking and matching the captured TCP SYN message, and verifying whether the TCP SYN message passes the authentication.
And S103, when the authentication is judged to be passed, sending the TCP SYN message back to the TCP protocol stack to complete the subsequent link establishment process.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the pre-authentication method of the TCP connection in the above embodiment, the embodiment of the present application may provide a storage medium to implement. The storage medium having stored thereon a computer program; the computer program when executed by a processor implements the pre-authentication method of any of the TCP connections in the above embodiments.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples are merely illustrative of several embodiments of the present application, and the description is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.
Claims (9)
1. A method of pre-authentication of a TCP connection, for determining whether to allow access by a client before a TCP SYN message is sent to a service port through a TCP protocol stack, the method comprising:
capturing a TCP SYN message before the TCP SYN message is sent to a service port through a TCP protocol stack; the TCP SYN message carries a TCP option sent by a client to the service port, and the TCP option encapsulates authentication information for verifying client information and a digest for verifying whether the authentication information has been tampered with;
checking and matching the captured TCP SYN message, and verifying whether the TCP SYN message passes the authentication; wherein, the check matching comprises: carrying out authentication check on authentication information encapsulated in a TCP option carried by a TCP SYN message;
if the authentication is judged to be passed, sending the TCP SYN message back to a TCP protocol stack to complete the subsequent link establishment process;
if the authentication is judged not to pass, the TCP SYN message is discarded.
2. The pre-authentication method of a TCP connection according to claim 1, wherein checking and matching the captured TCP SYN message and verifying whether the TCP SYN message passes the authentication comprises:
decryption: identifying the captured TCP SYN message and, if the identification result is legal, decrypting the TCP SYN message and extracting the authentication information;
authentication: checking each dimension of the authentication information;
control: releasing and controlling service access of the terminal equipment, wherein the terminal equipment comprises the server side that currently initiates the TCP connection.
3. The pre-authentication method of a TCP connection according to claim 2, wherein the TCP SYN message carries the TCP option sent by the client to the service port,
and the decryption process comprises the following steps:
checking whether the TCP option carries a quick identifier and, if so, splitting the TCP option into a ciphertext and an HMAC according to a preset rule; signing the ciphertext with the secret key stored by the server and verifying whether the resulting HMAC matches the carried HMAC, and if so, decrypting the ciphertext with the secret key to obtain the authentication information and the carried digest;
computing the digest of the authentication information and comparing whether the computed digest is the same as the carried digest;
and if they are the same, extracting the authentication information.
4. The pre-authentication method of a TCP connection according to claim 2, wherein the authentication information comprises a random number, a hardware feature code, a user ID, and server port information;
the authentication process comprises the following steps:
comparing the extracted random number with the mapping stored by the server to determine whether the random number conflicts with the mapping stored by the server;
if not, performing user access authentication on the hardware feature code and the user ID;
and if the authentication is passed, matching the port information of the server with the target port of the TCP SYN message to obtain a matching result.
5. The pre-authentication method of a TCP connection according to claim 2, wherein releasing and controlling service access of the terminal device specifically comprises:
in the decryption and authentication processes, if a rule is not matched, discarding the TCP SYN message directly without any response;
otherwise, sending back the TCP SYN message to the TCP protocol stack.
6. The method of pre-authentication of a TCP connection according to claim 1, further comprising:
acquiring authentication information of a client;
carrying out a hash calculation on the authentication information to obtain a digest, and encrypting the authentication information and the digest to obtain a ciphertext;
and adding HMAC for the ciphertext, packaging the ciphertext and the HMAC as TCP options in a TCP SYN message, and sending the TCP SYN message to a server.
7. A pre-authentication apparatus for a TCP connection, for determining whether to allow access by a client before a TCP SYN message is sent to a service port through a TCP protocol stack, comprising:
an acquisition module for capturing the TCP SYN message before the TCP SYN message is sent to the service port through the TCP protocol stack; the TCP SYN message carries a TCP option sent by a client to the service port, and the TCP option encapsulates authentication information for verifying client information and a digest for verifying whether the authentication information has been tampered with;
the pre-authentication module is used for checking and matching the captured TCP SYN message and verifying whether the TCP SYN message passes the authentication; wherein, the check matching comprises: carrying out authentication check on authentication information encapsulated in a TCP option carried by a TCP SYN message;
the processing module is used for sending the TCP SYN message back to the TCP protocol stack after judging that the authentication is passed, and finishing the subsequent link establishment flow;
if the authentication is judged not to pass, the TCP SYN message is discarded.
8. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and the processor is configured to execute the computer program to perform the method of pre-authentication of a TCP connection according to any of claims 1-6.
9. A storage medium, in which a computer program is stored, wherein the computer program is arranged to execute a pre-authentication method of a TCP connection according to any one of claims 1 to 6 when running.
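The encryption device and authentication device described in the system embodiment above, and claims 3 to 6, together specify one pipeline: the client digests the authentication information, encrypts the information plus digest, appends an HMAC over the ciphertext and packs the result as a TCP option; the server checks the quick identifier, verifies the HMAC, decrypts, re-computes the digest, then checks the random number against its stored mapping, the hardware feature code and user ID against its user authentication, and the carried server port against the SYN's destination port, dropping the SYN without any response on any failure. The following Python is an added example of that pipeline written for this page; it is not code from the patent or its applicant. Everything the patent leaves open is an assumption here: the option kind 253 (the RFC 6994 experimental kind), the 1-byte quick identifier, the field sizes, the allow-list of (hardware code, user ID) pairs, the sample keys, and the cipher, which is an HMAC-SHA256 keystream in counter mode standing in for an unspecified block cipher mode. Field sizes were chosen so the option fits in the 40 bytes of TCP option space a SYN has in total, next to a 4-byte MSS option; the patent does not discuss this budget.

```python
"""Pre-authentication of a TCP SYN via a TCP option (added example, not the patent's
own code). Client: digest -> encrypt -> HMAC -> pack. Server: HMAC -> decrypt -> digest
-> nonce / user / port checks -> forward to the TCP stack, or drop silently."""
import hashlib
import hmac
import os
import struct

# Wire layout. All of these sizes are assumptions; the patent fixes none of them.
OPTION_KIND = 253            # RFC 6994 experimental TCP option kind (assumed)
QUICK_ID = b"\xa5"           # 1-byte "quick identifier" marking this option
IV_LEN, NONCE_LEN, HW_LEN = 8, 4, 4
UID_LEN, PORT_LEN, DIGEST_LEN, TAG_LEN = 2, 2, 4, 8
INFO_LEN = NONCE_LEN + HW_LEN + UID_LEN + PORT_LEN      # 12 bytes of authentication info
PLAINTEXT_LEN = INFO_LEN + DIGEST_LEN                   # 16 bytes once the digest is appended
OPTION_LEN = 2 + len(QUICK_ID) + IV_LEN + PLAINTEXT_LEN + TAG_LEN   # 35 bytes, leaves room for MSS


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 as a PRF in counter mode over (iv, ctr).
    The patent leaves the cipher unspecified; production code would use AES-CTR/GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_syn_option(enc_key, mac_key, nonce, hw_code, user_id, server_port, iv=None):
    """Client side (claim 6): digest the authentication info, encrypt info+digest,
    HMAC the ciphertext, and pack the result as a single TCP option."""
    info = nonce + hw_code + struct.pack(">HH", user_id, server_port)
    assert len(info) == INFO_LEN, "nonce/hw_code have the wrong size"
    digest = hashlib.sha256(info).digest()[:DIGEST_LEN]
    iv = iv or os.urandom(IV_LEN)                          # fresh IV per SYN
    ciphertext = _xor(info + digest, _keystream(enc_key, iv, PLAINTEXT_LEN))
    tag = hmac.new(mac_key, QUICK_ID + iv + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    body = QUICK_ID + iv + ciphertext + tag
    return bytes([OPTION_KIND, 2 + len(body)]) + body


def find_preauth_option(options: bytes):
    """Walk the SYN's option list (kind/length TLVs, NOP=1, EOL=0) and return the
    pre-authentication option, or None if the SYN carries none."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                        # EOL
            break
        if kind == 1:                        # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            break                            # truncated or malformed option list
        length = options[i + 1]
        if kind == OPTION_KIND:
            return options[i:i + length]
        i += length
    return None


class PreAuthGateway:
    """Server side (claims 2-5): sits in front of the TCP stack and decides, per SYN,
    whether to hand it on or drop it without any response."""

    def __init__(self, enc_key, mac_key, allowed_users):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.allowed_users = allowed_users   # {(hw_code, user_id)}: constructed allow-list
        self.seen_nonces = set()             # the server-side "mapping" used against replay

    def check_syn(self, syn_options: bytes, dst_port: int):
        """Return (True, 'pass') to forward the SYN, or (False, reason) to drop it.
        Every failure is a silent drop, so all reasons look alike from outside."""
        option = find_preauth_option(syn_options)
        if option is None or len(option) != OPTION_LEN or option[2:2 + len(QUICK_ID)] != QUICK_ID:
            return False, "no pre-auth option"
        p = 2 + len(QUICK_ID)
        iv, ciphertext = option[p:p + IV_LEN], option[p + IV_LEN:p + IV_LEN + PLAINTEXT_LEN]
        tag = option[p + IV_LEN + PLAINTEXT_LEN:]
        expected = hmac.new(self.mac_key, QUICK_ID + iv + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return False, "hmac mismatch"
        plaintext = _xor(ciphertext, _keystream(self.enc_key, iv, PLAINTEXT_LEN))
        info, carried = plaintext[:INFO_LEN], plaintext[INFO_LEN:]
        if not hmac.compare_digest(hashlib.sha256(info).digest()[:DIGEST_LEN], carried):
            return False, "digest mismatch"
        nonce, hw_code = info[:NONCE_LEN], info[NONCE_LEN:NONCE_LEN + HW_LEN]
        user_id, port = struct.unpack(">HH", info[NONCE_LEN + HW_LEN:])
        if nonce in self.seen_nonces:                   # claim 4: random-number conflict
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)                     # consumed once the message authenticates
        if (hw_code, user_id) not in self.allowed_users:
            return False, "unknown device/user"
        if port != dst_port:                            # carried port must match the SYN target
            return False, "port mismatch"
        return True, "pass"                             # claim 5: release to the TCP stack
```

Because TCP option space is limited to 40 bytes (the header's data offset is a 4-bit field), a deployment has to budget the pre-authentication option against the MSS, SACK-permitted, window scale and timestamp options a client stack normally puts in a SYN; the sizes above leave room for MSS but not for timestamps. Every rejection path returns without sending anything, matching claim 5, so a scanner observes the same silence for a wrong key, a replayed option and a closed port. The replay store here is an in-memory set that only grows; a real gateway would bound it by a validity window or by the key rotation period.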
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011523848.4A CN112615866B (en) | 2020-12-22 | 2020-12-22 | Pre-authentication method, device and system for TCP connection |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112615866A CN112615866A (en) | 2021-04-06 |
| CN112615866B true CN112615866B (en) | 2022-07-05 |
Family
ID=75243969
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011523848.4A Active CN112615866B (en) | 2020-12-22 | 2020-12-22 | Pre-authentication method, device and system for TCP connection |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112615866B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113992328B (en) * | 2021-10-27 | 2024-08-20 | 贝壳找房(北京)科技有限公司 | Zero trust transport layer stream authentication method, device and storage medium |
| CN114915497A (en) * | 2022-07-13 | 2022-08-16 | 杭州云缔盟科技有限公司 | Network access blocking method, device and application for Windows process |
| CN115473720A (en) * | 2022-09-06 | 2022-12-13 | 包风华 | A method and system for protecting TCP/IP session security |
| CN115865370B (en) * | 2022-11-25 | 2024-06-04 | 四川启睿克科技有限公司 | Single-packet authorization verification method based on TCP options |
| CN116405264A (en) * | 2023-03-10 | 2023-07-07 | 天翼云科技有限公司 | A method and system for single package authorization |
| CN117277589B (en) * | 2023-11-20 | 2024-04-19 | 云南电网有限责任公司 | An intelligent operation and maintenance control platform for power secondary systems |
| CN118449736A (en) * | 2024-04-29 | 2024-08-06 | 重庆赛力斯凤凰智创科技有限公司 | Anti-attack message processing method, device, electronic device and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101247261A (en) * | 2007-07-18 | 2008-08-20 | 北京高信达网络科技有限公司 | Method and apparatus for preventing DDos attack |
| CN102291441A (en) * | 2011-08-02 | 2011-12-21 | 杭州迪普科技有限公司 | Method and security agent device for protecting against attack of synchronize (SYN) Flood |
| CN103546486A (en) * | 2013-11-04 | 2014-01-29 | 北京荣之联科技股份有限公司 | SYN Cookie source authentication method and device for preventing DDOS attack |
| CN105791451A (en) * | 2014-12-22 | 2016-07-20 | 华为技术有限公司 | A message response method and device |
| CN111770071A (en) * | 2020-06-23 | 2020-10-13 | 江苏易安联网络技术有限公司 | Method and device for gateway authentication of trusted device in network stealth scene |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3086533B1 (en) * | 1998-10-30 | 2019-09-11 | VirnetX Inc. | An agile network protocol for secure communications with assured system availability |
| US8370920B2 (en) * | 2009-10-28 | 2013-02-05 | Aunigma Network Security Corp. | System and method for providing unified transport and security protocols |
| CN107347047B (en) * | 2016-05-04 | 2021-10-22 | 阿里巴巴集团控股有限公司 | Attack protection method and device |
| CN109639712B (en) * | 2018-12-29 | 2021-09-10 | 绿盟科技集团股份有限公司 | Method and system for preventing DDOS attack |
- 2020-12-22 CN CN202011523848.4A patent CN112615866B active
Also Published As
| Publication number | Publication date |
|---|---|
| CN112615866A (en) | 2021-04-06 |
Similar Documents
| Publication | Title |
|---|---|
| CN112615866B (en) | Pre-authentication method, device and system for TCP connection |
| US8413248B2 (en) | Method for secure single-packet remote authorization |
| JP5390619B2 (en) | HOMENODE-B device and security protocol |
| AU2004297933B2 (en) | System and method for provisioning and authenticating via a network |
| CN111770071B (en) | Method and device for gateway authentication of trusted device in network stealth scene |
| Bhargavan et al. | A formal treatment of accountable proxying over TLS |
| CN112954683B (en) | Domain name resolution method, domain name resolution device, electronic equipment and storage medium |
| Samociuk | Secure communication between openflow switches and controllers |
| Singh et al. | On the IEEE 802.11i security: a denial-of-service perspective |
| Lei et al. | SecWIR: Securing smart home IoT communications via wi-fi routers with embedded intelligence |
| CN114726513A (en) | Data transmission method, apparatus, medium, and product |
| US20240154949A1 (en) | Devices and Methods for Performing Cryptographic Handshaking |
| Atighetchi et al. | Safe configuration of TLS connections |
| Keerthi | Taxonomy of SSL/TLS attacks |
| Shojaie et al. | Enhancing EAP-TLS authentication protocol for IEEE 802.11i |
| Sathyadevan et al. | Portguard: an authentication tool for securing ports in an IoT gateway |
| Sharma et al. | A review on wireless network security |
| CN117749476A (en) | Trusted secure connection method and device based on encryption algorithm and electronic equipment |
| CN108282337B (en) | A routing protocol reinforcement method based on trusted cryptographic cards |
| Bozkurt et al. | Exploring the vulnerabilities and countermeasures of SSL/TLS protocols in secure data transmission over computer networks |
| Yang et al. | Link-layer protection in 802.11i WLANs with dummy authentication |
| CN113890761A (en) | Partition operation system-oriented lightweight secure communication method and system |
| Linh et al. | Analysing open-source 5G core networks for TLS vulnerabilities and 3GPP compliance |
| EP2442519A1 (en) | Method and system for authenticating network device |
| CN115314278B (en) | Trusted network connection identity authentication method, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | TA01 | Transfer of patent application right | Effective date of registration: 20220614. Address after: Room 405-406, floor 4, building 3, No. 168, software Avenue, Yuhuatai District, Nanjing, Jiangsu 210000; Applicant after: NANJING ENLINK NETWORK TECHNOLOGY Co.,Ltd. Address before: Room 401c, building 5, No. 998, Wenyi West Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province 310000; Applicant before: Hangzhou yianlian Technology Co.,Ltd. |
| | GR01 | Patent grant | |