Nothing Special   »   [go: up one dir, main page]

CN103441851A - Method for allowing terminal equipment to have access to VPN equipment - Google Patents

Method for allowing terminal equipment to have access to VPN equipment Download PDF

Info

Publication number
CN103441851A
CN103441851A CN2013103717238A CN201310371723A CN103441851A CN 103441851 A CN103441851 A CN 103441851A CN 2013103717238 A CN2013103717238 A CN 2013103717238A CN 201310371723 A CN201310371723 A CN 201310371723A CN 103441851 A CN103441851 A CN 103441851A
Authority
CN
China
Prior art keywords
equipment
vpn
terminal equipment
key
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013103717238A
Other languages
Chinese (zh)
Other versions
CN103441851B (en
Inventor
赵银春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
Chengdu Westone Information Industry Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Westone Information Industry Inc filed Critical Chengdu Westone Information Industry Inc
Priority to CN201310371723.8A priority Critical patent/CN103441851B/en
Publication of CN103441851A publication Critical patent/CN103441851A/en
Application granted granted Critical
Publication of CN103441851B publication Critical patent/CN103441851B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of information safety passwords, in particular to a method for allowing terminal equipment to safely have access to VPN equipment, and aims to solve the access safety problem of the terminal equipment in a VPN and ensure legality of the equipment having access to the VPN. The method for allowing the terminal equipment to safely have access to the VPN equipment includes the steps that when the terminal equipment has access to the VPN, the VPN equipment conducts certification on the terminal equipment having access to the VPN through a symmetric algorithm, so that illegal terminal equipment is prevented from having access to the VPN, and terminal access safety is guaranteed. When the terminal equipment has access to the VPN equipment, the VPN equipment actively conducts safety certification on the terminal equipment, and then the design is achieved. The method is applied to the technical field of the information safety passwords.

Description

A kind of method of terminal equipment access VPN equipment
Technical field
The present invention relates to information security cryptographic technique field, especially a kind of terminal equipment accesses safely the method for VPN equipment.
Background technology
VPN network by the VPN device build can effectively guarantee the fail safe that data are transmitted in network, along with the information-based industry of China is all-round developing at a high speed, the VPN network is as a kind of effective ensuring method, its application is more extensive, in special occasion, its terminal access has also been proposed to stricter safety requirements.
In network security particularly in the network security of Internet of Things, the safety access of terminal is a very important ring, the place of disposing at internet-of-things terminal, generally in the unattended operation state, unauthorized person can be relatively easy to counterfeit terminal and then access VPN equipment, in this case, VPN equipment can't authenticate the terminal of access and safety problem just easily occur, therefore must carry out authentication to the terminal of access in the applied environment of unattended terminal equipment access VPN network, thereby guarantee access security.
The VPN network can have perfect encryption method, authentication method, log recording etc. in the process of operation, can effectively guarantee reliability and the confidentiality of network data transmission, if but the terminal equipment of access itself is exactly illegal, can't make effective examination to terminal, illegal terminal can access the VPN network network and server are attacked, therefore in this case the terminal equipment accessed is carried out to authentication, can effectively guarantee the access security of network, strengthen the fail safe of system.
Summary of the invention
Technical problem to be solved by this invention is: for solving the access security problem of terminal equipment in above-mentioned VPN network, guarantee the legitimacy of the equipment of access VPN network, the invention provides a kind of its and relate to a kind of method that terminal equipment accesses safely the VPN network, when terminal equipment access VPN network, VPN equipment adopts symmetry algorithm to be authenticated the terminal equipment of access, thereby prevent illegal terminal equipment access VPN network, guarantee the fail safe of terminal access.
The technical solution used in the present invention is as follows:
A kind of method of terminal equipment access VPN equipment comprises:
Step 1: cipher server carries out initialization to the terminal equipment that includes security module, injects master control key to security module, and security module generates unique ciphertext dispersion factor MSi and application key; Cipher server carries out initialization to VPN equipment, injects master control key that terminal equipment is corresponding to VPN equipment;
Step 2: when terminal equipment access VPN equipment, by VPN equipment, initiatively carry out the terminal equipment safety certification.
In described step 1, security module generates unique ciphertext dispersion factor MSi and application key concrete steps are:
Step 11: security module is used master control key to carry out the key dispersion to the dispersion factor Si of the unique correspondence of security module, generates application key PM;
Step 12: security module is used master control key to be encrypted production ciphertext dispersion factor MSi to Si.
In described step 2, when terminal equipment access VPN equipment, initiatively carry out terminal equipment safety certification detailed process by VPN equipment and be:
Step 21:VPN equipment generates random number R and sends to the security module of terminal equipment;
Step 22: security module is used application key PM to carry out the dispersion of n secondary key to random number R and is obtained working key KM, uses described working key KM to be encrypted and to generate MR R;
Step 23: security module sends to VPN equipment by ciphertext dispersion factor MSi and MR;
Step 24:VPN equipment is used master control key to be decrypted MSi, obtains dispersion factor Si '; And by master control key, dispersion factor Si ' is carried out to key and disperse to generate application key PM ';
Step 25:VPN equipment is used application key PM ' and R to carry out the key dispersion and generates working key KM ';
Step 26:VPN equipment is used working key KM ' to be decrypted the MR received, obtains R ';
Step 27: if relatively VPN comparison in equipment R ' and R, during R '=R, allow this terminal equipment access; Otherwise, refuse this terminal equipment access.
It is to adopt XOR algorithm or international algorithm that described key disperses, and described encryption or deciphering adopt international algorithm.
Described encryption or deciphering adopt DES algorithm, aes algorithm, SM1 algorithm or SM4 algorithm.
The dispersion factor Si of described each security module is different:
While sending in described step 5 by wireless or have ray mode to send.
Described cipher server belongs to VPN equipment or does not belong to VPN equipment.
Describedly comprise that its access way of terminal equipment of security module is TF card form or USB form.
In sum, owing to having adopted technique scheme, the invention has the beneficial effects as follows:
1, when terminal equipment accesses, at first VPN equipment carry out authentication work to access device, only in the situation that authentication, by just allowing terminal equipment access VPN network, is then passed through the VPN transmitted data on network.Once terminal equipment and VPN equipment disconnect, and during re-accessing network, need to re-start authentication, guarantee the terminal access security, guarantee terminal legality, prevent the illegal terminal access.
2, provide the interface of connected reference security module on terminal equipment, and the software interface of communicating by letter with security module is provided, in access authentication procedure, terminal equipment need to be by interface and security module interaction data.
3,, in the process of terminal equipment access VPN network, must at first complete and, by authentication, only after by authentication, could successfully access VPN equipment and use the VPN transmitted data on network.
The accompanying drawing explanation
Examples of the present invention will be described by way of reference to the accompanying drawings, wherein:
Fig. 1 is the flow process of the use procedure of this method.
Embodiment
Disclosed all features in this specification, or the step in disclosed all methods or process, except mutually exclusive feature and/or step, all can combine by any way.
Disclosed arbitrary feature in this specification (comprising any accessory claim, summary and accompanying drawing), unless special narration all can be replaced by other equivalences or the alternative features with similar purpose.That is,, unless special narration, each feature is an example in a series of equivalences or similar characteristics.
Related description of the present invention:
1, in the design, terminal equipment needs to increase security module on the prior art basis, and described security module is responsible for key dispersion, crypto-operation, key preservation etc.Disperse to produce working key by key in verification process.Its access way of terminal equipment that comprises security module is not limited by form, can be TF card form, can be other any forms such as USB form etc. yet.
2, the English full name of VPN equipment: VPN is " Virtual Private Network ", it can be by special encryption communications protocol set up a proprietary communication line on Internet between different local two or more intranets being connected to, like being that to have set up a special line the same, but it does not need real going to lay the physical circuit of optical cable and so on.This is like removing telecommunication bureau's application special line, but the expense that need not give laying-out also need not be bought the hardware devices such as router.VPN should provide the interface of third-party product.When the user has disposed the client to the VPN scheme of LAN, VPN equipment should provide characteristic or the disclosed API(application programming interface of standard), can be from company database direct input user profile.
3, operation principle: adopt the technology of the present invention, when terminal equipment accesses, at first VPN equipment carry out authentication work to access terminal equipment, only in the situation that authentication, by just allowing terminal equipment access VPN network, is then passed through the VPN transmitted data on network.Once terminal equipment and VPN equipment disconnect, and during re-accessing network, need to re-start authentication, guarantee the terminal access security, guarantee terminal legality, prevent the illegal terminal access.
3, cipher server is responsible for security module and VPN equipment are carried out to initial work, determines master key in initialization procedure.
Embodiment mono-: a kind of method of terminal equipment access VPN equipment comprises:
Step 1: cipher server carries out initialization to the terminal equipment that includes security module, injects master control key to security module, and security module generates unique ciphertext dispersion factor MSi and application key;
Step 2: security module is used master control key to carry out the key dispersion to the dispersion factor Si of the unique correspondence of security module, generates application key PM;
Step 3: security module is used master control key to be encrypted production ciphertext dispersion factor MSi to Si.
Cipher server carries out initialization to VPN equipment, injects master control key that terminal equipment is corresponding to VPN equipment;
Step 4:VPN equipment generates random number R and sends to the security module of terminal equipment;
Step 5: security module is used application key PM to carry out the dispersion of n secondary key to random number R and is obtained working key KM, uses described working key KM to be encrypted and to generate MR R;
Step 6: security module sends to VPN equipment by ciphertext dispersion factor MSi and MR;
Step 7:VPN equipment is used master control key to be decrypted MSi, obtains dispersion factor Si '; And by master control key, dispersion factor Si ' is carried out to key and disperse to generate application key PM ';
Step 8:VPN equipment is used application key PM ' and R to carry out the key dispersion and generates working key KM ';
Step 9:VPN equipment is used working key KM ' to be decrypted the MR received, obtains R ';
Step 10: if relatively VPN comparison in equipment R ' and R, during R '=R, allow this terminal equipment access; Otherwise, refuse this terminal equipment access.
Embodiment bis-, and on the embodiment basis, it is to adopt XOR algorithm or international algorithm that described key disperses.
Embodiment tri-: on embodiment mono-or two bases, described encryption or deciphering adopt international algorithm DES, AES etc., can be also symmetric cryptographic algorithm SM1, the SM4 etc. of national special use.
Embodiment tetra-: described cipher server belongs to VPN equipment or does not belong to VPN equipment.
The present invention is not limited to aforesaid embodiment.The present invention expands to any new feature or any new combination disclosed in this manual, and the arbitrary new method disclosed or step or any new combination of process.

Claims (9)

1. the method for terminal equipment access VPN equipment is characterized in that comprising:
Step 1: cipher server carries out initialization to the terminal equipment that includes security module, injects master control key to security module, and security module generates unique ciphertext dispersion factor MSi and application key; Cipher server carries out initialization to VPN equipment, injects master control key that terminal equipment is corresponding to VPN equipment;
Step 2: when terminal equipment access VPN equipment, by VPN equipment, initiatively carry out the terminal equipment safety certification.
2. the method for a kind of terminal equipment access VPN equipment according to claim 1, is characterized in that in described step 1, and security module generates unique ciphertext dispersion factor MSi and application key concrete steps are:
Step 11: security module is used master control key to carry out the key dispersion to the dispersion factor Si of the unique correspondence of security module, generates application key PM;
Step 12: security module is used master control key to be encrypted production ciphertext dispersion factor MSi to Si.
3. the method for a kind of terminal equipment access VPN equipment according to claim 2, is characterized in that
In described step 2, when terminal equipment access VPN equipment, initiatively carry out terminal equipment safety certification detailed process by VPN equipment and be:
Step 21:VPN equipment generates random number R and sends to the security module of terminal equipment;
Step 22: security module is used application key PM to carry out the key dispersion to random number R and is obtained working key KM, uses described working key KM to be encrypted and to generate MR R;
Step 23: security module sends to VPN equipment by ciphertext dispersion factor MSi and MR;
Step 24:VPN equipment is used master control key to be decrypted MSi, obtains dispersion factor Si '; And by master control key, dispersion factor Si ' is carried out to key and disperse to generate application key PM ';
Step 25:VPN equipment is used application key PM ' and R to carry out the key dispersion and generates working key KM ';
Step 26:VPN equipment is used working key KM ' to be decrypted the MR received, obtains R ';
Step 27: if relatively VPN comparison in equipment R ' and R, during R '=R, allow this terminal equipment access; Otherwise, refuse this terminal equipment access.
4. according to the method for the described a kind of terminal equipment access VPN equipment of one of claims 1 to 3, it is characterized in that it is to adopt XOR algorithm or international algorithm that described key disperses, described encryption or deciphering adopt international algorithm.
5. the method for a kind of terminal equipment access VPN equipment according to claim 4, is characterized in that described encryption or deciphering adopt DES algorithm, aes algorithm, SM1 algorithm or SM4 algorithm.
6. according to the method for the said a kind of terminal equipment access VPN equipment of claim 4, it is characterized in that the dispersion factor Si of described each security module is different.
7. the method for a kind of terminal equipment access VPN equipment according to claim 4, while it is characterized in that in described step 5 sending by wireless or have ray mode to send.
8. the method for a kind of terminal equipment access VPN equipment according to claim 4, is characterized in that described cipher server belongs to VPN equipment or do not belong to VPN equipment.
9. a kind of terminal equipment according to claim 4 accesses the method for VPN equipment, and its access way of terminal equipment that it is characterized in that security module is TF card form or USB form.
CN201310371723.8A 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device Active CN103441851B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310371723.8A CN103441851B (en) 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310371723.8A CN103441851B (en) 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device

Publications (2)

Publication Number Publication Date
CN103441851A true CN103441851A (en) 2013-12-11
CN103441851B CN103441851B (en) 2016-12-28

Family

ID=49695520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310371723.8A Active CN103441851B (en) 2013-08-23 2013-08-23 A kind of terminal unit accesses the method for VPN device

Country Status (1)

Country Link
CN (1) CN103441851B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979458A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of two-dimensional bar data ciphering method
CN109274543A (en) * 2018-11-23 2019-01-25 广州市成格信息技术有限公司 A kind of method of the hot standby protection of user data special line is solved based on VxLan
CN109698833A (en) * 2018-12-28 2019-04-30 王梅 A kind of method and system for the collaboration certification carrying out identification information in internet
CN111148056A (en) * 2020-04-03 2020-05-12 南京华智达网络技术有限公司 Operable network configuration method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581805A (en) * 2004-05-17 2005-02-16 深圳市深信服电子科技有限公司 VPN client end safety strategy exchange and storage method
CN1588846A (en) * 2004-09-08 2005-03-02 中国工商银行 Dynamic encrypting device in network and its password identification method
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
US20110296186A1 (en) * 2010-06-01 2011-12-01 Visto Corporation System and method for providing secured access to services

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581805A (en) * 2004-05-17 2005-02-16 深圳市深信服电子科技有限公司 VPN client end safety strategy exchange and storage method
CN1588846A (en) * 2004-09-08 2005-03-02 中国工商银行 Dynamic encrypting device in network and its password identification method
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
US20110296186A1 (en) * 2010-06-01 2011-12-01 Visto Corporation System and method for providing secured access to services

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979458A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of two-dimensional bar data ciphering method
CN109274543A (en) * 2018-11-23 2019-01-25 广州市成格信息技术有限公司 A kind of method of the hot standby protection of user data special line is solved based on VxLan
CN109698833A (en) * 2018-12-28 2019-04-30 王梅 A kind of method and system for the collaboration certification carrying out identification information in internet
CN109698833B (en) * 2018-12-28 2021-08-27 北京天易数聚科技有限公司 Method and system for performing collaborative authentication of identification information in Internet
CN111148056A (en) * 2020-04-03 2020-05-12 南京华智达网络技术有限公司 Operable network configuration method and system

Also Published As

Publication number Publication date
CN103441851B (en) 2016-12-28

Similar Documents

Publication Publication Date Title
CN105656862B (en) Authentication method and device
CN101115060B (en) Method for protecting user encryption key in asymmetric key transmission process in user key management system
CN108809633B (en) Identity authentication method, device and system
CN104219041A (en) Data transmission encryption method applicable for mobile internet
CN110753344B (en) NB-IoT-based smart meter secure access system
CN103248479A (en) Cloud storage safety system, data protection method and data sharing method
CN113849847B (en) Method, apparatus and medium for encrypting and decrypting sensitive data
CN103916363A (en) Communication security management method and system for encryption machine
CN104579679A (en) Wireless public network data forwarding method for rural power distribution network communication equipment
CN114282189A (en) Data security storage method, system, client and server
CN103441851B (en) A kind of terminal unit accesses the method for VPN device
CN105612728A (en) Secured data channel authentication implying a shared secret
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN105141629A (en) Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords
CN104270380A (en) End-to-end encryption method and system based on mobile network and communication client side
CN106789845A (en) A kind of method of network data security transmission
CN104618360B (en) Bypass authentication method and system based on 802.1X agreement
CN110519238B (en) Internet of things security system and communication method based on cryptographic technology
TWI422241B (en) Spectrum authorization and related communications methods and apparatus
CN110572392A (en) Identity authentication method based on HyperLegger network
CN104486322A (en) Terminal access authentication authorization method and terminal access authentication authorization system
CN104243435A (en) Communication method for HTTP based on OAuth
KR101709276B1 (en) Endpoint Security Server Management System
CN111132143B (en) Integrated multimedia intelligent equipment safety protection system and method
CN104394532A (en) Anti-brute force safe log-in method for mobile terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.

CP03 Change of name, title or address