CN118573483B - A network security management method and related equipment - Google Patents
- Publication number: CN118573483B (application CN202411048774.1A)
- Authority: CN (China)
- Prior art keywords: information, mobile device, target server, certificate, key
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/06—supporting key management in a packet data network
  - H04L63/08—for authentication of entities
    - H04L63/0823—using certificates
    - H04L63/0876—based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0816—Key establishment, i.e. cryptographic processes or protocols whereby a shared secret becomes available to two or more parties, for subsequent use
      - H04L9/0838—Key agreement, i.e. key establishment in which a shared key is derived by the parties as a function of information contributed by, or associated with, each of them
    - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
      - H04L9/0869—involving random numbers or seeds
  - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04L9/3263—involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
  - H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The disclosure provides a network security management method and related equipment in the technical field of communication. The method comprises: obtaining the digital certificate information, device unique identification information, mobile device random number, mobile device key-share information, mobile device attribute information and security level information sent by a mobile device; obtaining a target server random number and target server key-share information; generating a premaster secret from the mobile device key-share information and the target server key-share information; generating a temporary session key from the mobile device random number, the target server random number and the premaster secret; processing the digital certificate information and the device unique identification information under a preset pairing rule to generate a processing result; obtaining configuration information and generating encrypted configuration information; processing the mobile device's attribute information and security level information to generate a connection priority for the mobile device; and connecting to the mobile device on the basis of that connection priority and the encrypted configuration information.
Description
Technical Field
The disclosure relates to the field of communication technologies, and in particular, to a network security management method and related devices.
Background
With the rapid development of Internet technology, the security of information transmission has become particularly important. At present, information transmission platforms generally encrypt the transmitted information with symmetric encryption in order to improve its security.
This encrypted transmission scheme, however, generally has the following technical problems. First, the source of the information is not authenticated, so information that does not meet the conditions can still be transmitted, which reduces the reliability of the transmission. Second, with symmetric encryption alone, once the encryption key is leaked the encrypted information is easily decrypted, which greatly reduces the security of the transmission.
The security protection adopted in micro-grid systems today generally consists of a firewall deployed between the enterprise management layer of the micro-grid system and the external network. Because there are few other protective measures, once an attacker breaches that firewall the internal network of the micro-grid system is easily taken over, so that data such as production data are stolen or field devices are maliciously controlled, disrupting normal industrial control.
In addition, a large number of intelligent fusion terminals are deployed in the micro-grid system and are monitored and controlled through the micro-grid energy controller. The system therefore has a large transmission data volume, diverse data acquisition modes and high real-time requirements on data interaction, and its network security protection needs to be improved.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure aims to provide a network security management method and related devices which overcome, at least to some extent, the problems in the prior art: identity authentication is completed by combining a device unique identifier with a digital certificate, a temporary session key is negotiated during the identity authentication process so as to meet the plug-and-play requirement of end devices, and a connection priority for the mobile device is generated by processing its attribute information and security level information. This strengthens the intrinsic security of the network and the system; the security mechanism is further refined by embedding behaviour-based access control in the design of the communication protocol, making the system and network state variable in a virtual, heterogeneous manner, constructing a secure execution environment, and so on.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present application, a network security management method is provided, including: obtaining the digital certificate information, device unique identification information, mobile device random number, mobile device key-share information, mobile device attribute information and security level information sent by the mobile device; obtaining a target server random number and target server key-share information; generating a premaster secret from the mobile device key-share information and the target server key-share information; generating a temporary session key from the mobile device random number, the target server random number and the premaster secret; processing the digital certificate information and the device unique identification information under a preset pairing rule to generate a processing result; if the processing result is that the target server and the mobile device are allowed to pair, obtaining configuration information, which comprises the domain name certificate and the other target server parameters required for the connection establishment procedure with the mobile device; encrypting the configuration information with the temporary session key to generate encrypted configuration information, which enables the mobile device and the target server to complete the connection establishment procedure; processing the mobile device's attribute information and security level information to generate a connection priority for the mobile device; and connecting to the mobile device on the basis of that connection priority and the encrypted configuration information.
In one embodiment of the present application, obtaining the configuration information includes: detecting whether the domain name certificate in the local storage area is in a valid state; if not, sending a certificate loading request to a certificate authority (certificate center); and replacing the invalid domain name certificate with the new domain name certificate obtained from the certificate authority.
In one embodiment of the present application, sending the certificate loading request to the certificate authority includes: sending a certificate loading request that carries identification information, the identification information indicating the processing priority of the request at the certificate authority; and obtaining the domain name certificate returned by the certificate authority.
In one embodiment of the present application, after the encrypted configuration information has been sent to the mobile device to complete the connection establishment procedure, the method further includes: when the target server completes a first handshake request, storing in a mapping table all domain names supported by the domain name certificate together with the cross-domain multiplexing information and the handshake multiplexing information associated with that certificate; transmitting the handshake multiplexing information to the mobile device; and, when the mobile device has been disconnected from the target server and needs to reconnect, completing the handshake request with the mobile device on the basis of the handshake multiplexing information.
In one embodiment of the present application, completing the handshake request with the mobile device on the basis of the handshake multiplexing information includes: when the domain name multiplexing information is a domain name multiplexing extension carried in the ClientHello message sent by the mobile device, obtaining that ClientHello message, which carries a SessionID; and determining the session key from the session information associated with that SessionID, thereby completing the handshake request with the mobile device.
In one embodiment of the present application, completing the handshake request with the mobile device on the basis of the handshake multiplexing information further includes: when the cross-domain multiplexing information is a cross-domain multiplexing flag bit carried in a NewSessionTicket message sent by the mobile device, obtaining the ClientHello message sent by the mobile device, which carries SessionTicket information; transmitting verification information to the mobile device, the verification information being returned once the SessionTicket information has been verified successfully; and determining the session key from the session information associated with the SessionTicket information, thereby completing the handshake request with the mobile device.
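The mapping table and the two resumption paths described in the embodiments above (SessionID lookup, and a ticket that is verified before the session key is reused, with a cross-domain flag deciding whether another name covered by the same certificate may resume the session), as an added worked example that is not part of the patent. It assumes a server-side table keyed by SessionID, a ticket built as SessionID plus expiry plus an HMAC-SHA256 tag under a server ticket key (a stateless TLS ticket would instead encrypt the whole session state), an injectable clock for expiry, and a lifetime of 3600 seconds; in standard TLS the NewSessionTicket message is issued by the server, which is how the ticket is created here.

```python
"""Handshake reuse table: SessionID and ticket resumption with a
cross-domain multiplexing flag (added example, not the patent's code)."""
import hashlib
import hmac
import secrets
import struct
import time

TICKET_LIFETIME = 3600  # seconds; assumed value, the patent fixes none


class ResumptionTable:
    """Mapping table from SessionID to session state, plus MAC-protected tickets."""

    def __init__(self, ticket_key: bytes, lifetime: int = TICKET_LIFETIME, now=time.time):
        self._sessions = {}           # SessionID -> state dict
        self._ticket_key = ticket_key  # server-side secret for ticket tags
        self._lifetime = lifetime
        self._now = now                # injectable clock (testing, simulation)

    def register(self, session_key: bytes, origin_sni: str, cert_domains, cross_domain: bool) -> bytes:
        """Called once the first full handshake completes: records the session key,
        the name the client connected to, every name the certificate covers, and
        whether the session may be reused for the other covered names."""
        sid = secrets.token_bytes(32)
        self._sessions[sid] = {
            "key": session_key,
            "origin": origin_sni.lower(),
            "domains": {d.lower() for d in cert_domains},
            "cross_domain": cross_domain,
            "expires": self._now() + self._lifetime,
        }
        return sid

    def _lookup(self, sid: bytes, sni: str):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[sid]   # expired entries are purged on touch
            return None
        sni = sni.lower()
        # Same name always resumes; another name only if the cross-domain flag
        # is set and the certificate actually covers that name.
        if sni != entry["origin"] and not (entry["cross_domain"] and sni in entry["domains"]):
            return None
        return entry["key"]

    def resume_by_session_id(self, sid: bytes, sni: str):
        """ClientHello carried a SessionID: look the session key up directly."""
        return self._lookup(sid, sni)

    def issue_ticket(self, sid: bytes) -> bytes:
        """Server-issued ticket: SessionID || expiry || HMAC-SHA256 tag."""
        body = sid + struct.pack(">Q", int(self._sessions[sid]["expires"]))
        return body + hmac.new(self._ticket_key, body, hashlib.sha256).digest()

    def resume_by_ticket(self, ticket: bytes, sni: str):
        """ClientHello carried a ticket: verify the tag and expiry first, then
        resolve the session key through the table. Returns None on any failure."""
        if len(ticket) != 32 + 8 + 32:
            return None
        body, tag = ticket[:40], ticket[40:]
        expected = hmac.new(self._ticket_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        expires = struct.unpack(">Q", body[32:])[0]
        if self._now() >= expires:
            return None
        return self._lookup(body[:32], sni)


if __name__ == "__main__":
    table = ResumptionTable(secrets.token_bytes(32))
    sid = table.register(b"\x11" * 32, "a.example", ["a.example", "b.example"], cross_domain=True)
    ticket = table.issue_ticket(sid)
    print("resume by id :", table.resume_by_session_id(sid, "a.example") is not None)
    print("cross-domain :", table.resume_by_ticket(ticket, "b.example") is not None)
    print("uncovered    :", table.resume_by_ticket(ticket, "c.example"))
```

The verification step happens entirely before the table is consulted, so a forged or expired ticket never reaches session state; the cross-domain check keeps a session negotiated for one name from being reused for a name the certificate does not cover.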
In one embodiment of the present application, processing the attribute information and the security level information of the mobile device to generate its connection priority includes: obtaining real-time load-balancing information of the target server and the data connection task information for a preset period; processing that task information to generate preset connection progress information for the target server; processing the mobile device's attribute information and security level information to generate target processing progress information, which comprises the processing duration and the connection duration of the mobile device; and processing the preset connection progress information against the target processing progress information to generate the connection priority of the mobile device.
In another aspect of the present application, a network security management apparatus includes: an acquisition module for obtaining the digital certificate information, device unique identification information, mobile device random number, mobile device key-share information, mobile device attribute information and security level information sent by the mobile device, and for obtaining a target server random number and target server key-share information; and a processing module for generating a premaster secret from the mobile device key-share information and the target server key-share information, generating a temporary session key from the mobile device random number, the target server random number and the premaster secret, processing the digital certificate information and the device unique identification information under a preset pairing rule to generate a processing result, obtaining configuration information if the processing result is that the target server and the mobile device are allowed to pair (the configuration information comprising the domain name certificate and the other target server parameters required for the connection establishment procedure with the mobile device), encrypting the configuration information with the temporary session key to generate encrypted configuration information that enables the mobile device and the target server to complete the connection establishment procedure, processing the mobile device's attribute information and security level information to generate a connection priority for the mobile device, and connecting to the mobile device on the basis of that connection priority and the encrypted configuration information.
According to still another aspect of the present application, an electronic apparatus comprises: a first processor; and a memory for storing instructions executable by the first processor; wherein the first processor is configured to perform the network security management method described above by executing those instructions.
According to still another aspect of the present application, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a second processor, implements the above-described network security management method.
According to a further aspect of the present application, there is provided a computer program product comprising a computer program, characterized in that the computer program, when executed by a third processor, implements the above-mentioned network security management method.
According to the network security management method and related equipment, the target server obtains the digital certificate information, device unique identification information, mobile device random number, mobile device key-share information, mobile device attribute information and security level information sent by the mobile device; obtains a target server random number and target server key-share information; generates a premaster secret from the mobile device key-share information and the target server key-share information; generates a temporary session key from the mobile device random number, the target server random number and the premaster secret; processes the digital certificate information and the device unique identification information under a preset pairing rule to generate a processing result; if the processing result is that the target server and the mobile device are allowed to pair, obtains configuration information comprising the domain name certificate and the other target server parameters required for the connection establishment procedure with the mobile device; encrypts the configuration information with the temporary session key to generate encrypted configuration information with which the mobile device and the target server complete the connection establishment procedure; and processes the mobile device's attribute information and security level information to generate a connection priority for the mobile device, connecting to the mobile device on the basis of that connection priority and the encrypted configuration information.
Identity authentication is thus completed by combining the device unique identifier with the digital certificate, the temporary session key is negotiated during the identity authentication process, which meets the plug-and-play requirement of end devices, and the connection priority of the mobile device is generated from its attribute information and security level information. This strengthens the intrinsic security of the network and the system; the security mechanism is further refined by embedding behaviour-based access control in the design of the communication protocol, making the system and network state variable in a virtual, heterogeneous manner, constructing a secure execution environment, and so on.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
FIG. 1 is a flow chart of a network security management method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a network security management device according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an electronic device according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a storage medium according to an embodiment of the present application.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
A method of managing network security according to an exemplary embodiment of the present application is described below with reference to fig. 1. It should be noted that the following application scenarios are only shown for facilitating understanding of the spirit and principles of the present application, and embodiments of the present application are not limited in this respect. Rather, embodiments of the application may be applied to any scenario where applicable.
It should be noted that communication between the mobile device and the target server may be established through a physical port or similar means. One or more mobile devices may be deployed in the network system architecture; the same mobile device may connect to several target servers, and the same target server may be connected to several mobile devices.
"Mobile device" and "target server" do not denote fixed hardware products within the network system architecture: the same hardware, such as a computer or a server, may act as the mobile device in one case and as the target server in another.
The distinction between mobile device and target server in this application reflects the correspondence in the communication pattern (for example, one target server may correspond to several mobile devices) and also different usage roles (for example, mobile devices used by users and target servers that store and transfer certificates). To keep the judgement precise, the functions of the mobile device and the target server are otherwise not limited: the party that sends the connection request is regarded as the mobile device, and the connection request or the certificates stored by the mobile device and the target server are obtained accordingly.
In an implementation manner, the application further provides a network security management method and related equipment. Fig. 1 schematically shows a flow diagram of a network security management method according to an embodiment of the application. As shown in fig. 1, the method is applied to a target server, and includes:
S101, obtaining the digital certificate information, device unique identification information, mobile device random number, mobile device key-share information, mobile device attribute information and security level information sent by the mobile device.
In one embodiment, the mobile device random number may be 32 bytes produced by a secure random number generator, the device unique identification information may be the MAC address of the mobile device, and the key_share is a public key for an elliptic curve group; the concrete encoding of the key-share information is not described here. The attribute information covers, among other things: the device's processor speed, memory size, storage space and network connectivity, from which its capacity to process and transmit data is evaluated; the encryption technologies the device supports, such as full-disk encryption and transport encryption, which ensure the security of data in transit; the device's access control mechanism and application permission management, which ensure that only authorized applications and services can access the network; and whether the device supports remote management functions such as remote lock and data wipe, which help protect data if the device is lost or stolen.
S102, acquiring a target server random number and target server key-share information.
S103, generating a premaster secret from the mobile device key-share information and the target server key-share information.
In one embodiment, the key-share information includes, but is not limited to, the preset parameters for computing the premaster secret. For example: the mobile device sends a request (ClientHello) whose extensions carry the elliptic curve types it supports; for each supported curve it computes a mobile device public key (a curve POINT) and places it in the key_share extension. The target server selects the curve parameters and multiplies the curve's base point by its own private scalar to obtain the target server public key (POINT); it then extracts the corresponding mobile device public key from the key_share extension of the ClientHello and computes the premaster secret. The mobile device computes the same premaster secret once it receives the target server public key (POINT) from the target server.
S104, generating a temporary session key from the mobile device random number, the target server random number and the premaster secret.
In one embodiment, the mobile device random number and the mobile device key-share information are generated by the mobile device, and the target server random number and the target server key-share information are generated by the target server; the specific generation method is not limited here. Because the material from which the session key is derived is already carried in the messages the mobile device and the target server exchange during the handshake (connection establishment), the session key can be determined quickly without altering the handshake itself, which greatly shortens the time until the two ends can communicate after the handshake completes.
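Steps S101 to S104 carried through end to end, as an added worked example that is not part of the patent: each side contributes a 32-byte random number and an elliptic-curve key share, the premaster secret is the Diffie-Hellman result, and the temporary session key is derived from it together with both random numbers. The patent leaves the curve and the derivation function open; this example assumes the X25519 group (as used for TLS 1.3 key shares) and an HKDF-SHA256 derivation whose salt is the concatenation of the two random numbers, and it rejects the all-zero shared secret that a low-order key share produces. The ladder is written with plain Python integers, so it is readable but not constant-time.

```python
"""ECDHE key-share exchange and two-random session-key derivation
(added example, not the patent's code). X25519 and HKDF are assumptions."""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u on Curve25519 (not constant-time)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 0x7F]), "little")
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    """Private scalar and the key share (public point) that goes on the wire."""
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def premaster_secret(own_priv: bytes, peer_share: bytes) -> bytes:
    """S103: own private scalar times the peer's key share."""
    shared = x25519(own_priv, peer_share)
    if shared == bytes(32):  # low-order peer point: no contributory behaviour
        raise ValueError("peer key share is a low-order point")
    return shared


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def session_key(device_random: bytes, server_random: bytes, premaster: bytes) -> bytes:
    """S104: both randoms salt the extraction, so the key is bound to this exchange."""
    prk = hkdf_extract(device_random + server_random, premaster)
    return hkdf_expand(prk, b"temporary session key", 32)


def handshake():
    """Both sides of S101-S104; returns (device key, server key), which must agree."""
    device_random, (device_priv, device_share) = secrets.token_bytes(32), keypair()
    server_random, (server_priv, server_share) = secrets.token_bytes(32), keypair()
    # The server sees the device's random and share in the ClientHello ...
    server_key = session_key(device_random, server_random, premaster_secret(server_priv, device_share))
    # ... and the device sees the server's random and share in the reply.
    device_key = session_key(device_random, server_random, premaster_secret(device_priv, server_share))
    return device_key, server_key


if __name__ == "__main__":
    dk, sk = handshake()
    print("keys agree:", dk == sk, dk.hex())
```

Neither random number is secret; their job is to make the derived key unique per exchange even if a key share were reused, which is why they salt the extraction rather than being mixed into the secret itself.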
S105, processing the digital certificate information and the equipment unique identification information based on a preset pairing rule, and generating a processing result.
In one embodiment, identity authentication is completed by combining the device unique identifier with the digital certificate, and the temporary session key is negotiated during the identity authentication process, which meets the plug-and-play requirement of end devices. At registration, information such as the sensor device identifier and the digital certificate must be bound uniquely; after registration, whenever the session link is re-established, mutual identity authentication is performed on the basis of the digital certificate and the SM2 algorithm.
S106, if the processing result is that the target server and the mobile device are allowed to pair, obtaining the configuration information.
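The preset pairing rule of S105, as an added worked example that is not part of the patent: at registration each device identifier (here a MAC address, as the S101 embodiment allows) is bound one-to-one to the fingerprint of its certificate, and at connection time the presented identifier and certificate are checked against that binding, so a certificate copied to another device, a spoofed MAC presented with someone else's certificate, or an unregistered device are all refused. The example assumes the server already verified the certificate's signature chain and SM2 proof of possession at the TLS layer; only the binding rule is shown, and the certificate bytes are constructed placeholders rather than real DER.

```python
"""Preset pairing rule: device unique identifier bound to certificate
fingerprint (added example, not the patent's code)."""
import hashlib
import re

# Constructed placeholders standing in for DER-encoded device certificates.
CERT_SENSOR_A = b"-- constructed placeholder: DER certificate of sensor A --"
CERT_SENSOR_B = b"-- constructed placeholder: DER certificate of sensor B --"


def normalize_device_id(device_id: str) -> str:
    """Canonical MAC form so 'AA-BB-CC-DD-EE-01', 'aabb.ccdd.ee01' and
    'aa:bb:cc:dd:ee:01' all bind to the same registry entry."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", device_id)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {device_id!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def certificate_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; stable across re-presentations."""
    return hashlib.sha256(cert_der).hexdigest()


class PairingRegistry:
    """Unique two-way binding established at registration time."""

    def __init__(self):
        self._cert_of = {}    # device id -> certificate fingerprint
        self._device_of = {}  # certificate fingerprint -> device id

    def register(self, device_id: str, cert_der: bytes) -> None:
        did = normalize_device_id(device_id)
        fp = certificate_fingerprint(cert_der)
        if did in self._cert_of:
            raise ValueError(f"device {did} is already registered")
        if fp in self._device_of:
            raise ValueError("certificate is already bound to another device")
        self._cert_of[did] = fp
        self._device_of[fp] = did

    def pairing_result(self, device_id: str, cert_der: bytes) -> str:
        """S105 processing result: 'allow' or a 'deny:<reason>' string."""
        try:
            did = normalize_device_id(device_id)
        except ValueError:
            return "deny:malformed-device-id"
        fp = certificate_fingerprint(cert_der)
        bound_fp = self._cert_of.get(did)
        if bound_fp is None:
            # Unknown identifier: distinguish a cloned certificate from a new device.
            if fp in self._device_of:
                return "deny:certificate-bound-to-other-device"
            return "deny:unregistered-device"
        if bound_fp != fp:
            return "deny:certificate-mismatch"
        return "allow"


if __name__ == "__main__":
    registry = PairingRegistry()
    registry.register("AA-BB-CC-DD-EE-01", CERT_SENSOR_A)
    registry.register("aa:bb:cc:dd:ee:02", CERT_SENSOR_B)
    for dev, cert in [("aabb.ccdd.ee01", CERT_SENSOR_A), ("aa:bb:cc:dd:ee:01", CERT_SENSOR_B),
                      ("aa:bb:cc:dd:ee:03", CERT_SENSOR_A), ("aa:bb:cc:dd:ee:03", b"new")]:
        print(dev, "->", registry.pairing_result(dev, cert))
```

Keeping the reverse map (fingerprint to device) is what lets the rule tell a cloned certificate apart from a merely unknown device; the distinction matters for what the security operations side should be alerted about.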
In one embodiment, the configuration information includes the domain name certificate and the other target server parameters required to complete the connection establishment procedure with the mobile device. The target server detects whether the domain name certificate in its local storage area is in a valid state; if not, it sends a certificate loading request to the certificate center and replaces the domain name certificate in the invalid (for example, revoked) state with the new domain name certificate obtained from the certificate center. The invalid domain name certificate is therefore replaced before the handshake begins, so that the required domain name certificate can be loaded directly during the handshake and the handshake time is shortened. A certificate list is kept in the target server; the domain name certificates in the local storage area are recorded in this list, and whether a domain name certificate is in a valid state is detected through the list. The local storage area may comprise a disk storage area and a memory storage area: reading and writing files in the disk storage area consumes I/O performance, whereas files in the memory storage area can be read directly.
In another embodiment, the certificate loading request sent to the certificate center includes identification information that identifies the processing priority of the request within the certificate center, and the domain name certificate returned by the certificate center is then acquired. The target server may send the certificate loading request by way of a Python script or by other means; the specific request mode is not limited in the present application. The specific form of the identification information may be selected according to the actual situation and is likewise not limited. As an example, the processing priority is set as a weight value from 1 to 25, where a larger weight value means a higher priority.
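The pre-handshake certificate check and the weighted certificate loading request of S106, as an added example that is not part of the patent; the certificate list entries, the domain names and the weight policy (a revoked certificate ranked above an expired one) are constructed for the illustration, since the page fixes only the 1 to 25 range.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

type CertState int

const (
	Valid CertState = iota
	Expired
	Revoked
)

// CertEntry is one row of the certificate list that records the domain
// name certificates held in the target server's local storage area.
type CertEntry struct {
	Domain   string
	Serial   string
	NotAfter time.Time
	Revoked  bool
}

// State classifies the entry at time now; a revoked certificate is invalid
// even while its validity period is still running.
func (c CertEntry) State(now time.Time) CertState {
	if c.Revoked {
		return Revoked
	}
	if !now.Before(c.NotAfter) {
		return Expired
	}
	return Valid
}

// LoadRequest is the certificate loading request sent to the certificate
// center; Weight is the identification information, 1..25, larger first.
type LoadRequest struct {
	Domain string
	Weight int
}

func NewLoadRequest(domain string, weight int) (LoadRequest, error) {
	if weight < 1 || weight > 25 {
		return LoadRequest{}, fmt.Errorf("weight %d outside the 1..25 range", weight)
	}
	return LoadRequest{Domain: domain, Weight: weight}, nil
}

// PreHandshakeCheck walks the certificate list before any handshake and
// builds one loading request per invalid certificate, ordered so that the
// certificate center sees the highest weight first (weightFor is the policy).
func PreHandshakeCheck(list []CertEntry, now time.Time, weightFor func(CertEntry) int) ([]LoadRequest, error) {
	var reqs []LoadRequest
	for _, c := range list {
		if c.State(now) == Valid {
			continue
		}
		r, err := NewLoadRequest(c.Domain, weightFor(c))
		if err != nil {
			return nil, err
		}
		reqs = append(reqs, r)
	}
	sort.SliceStable(reqs, func(i, j int) bool { return reqs[i].Weight > reqs[j].Weight })
	return reqs, nil
}

// Replace swaps in the certificate returned by the certificate center for
// the matching domain, appending it if the domain had no entry yet.
func Replace(list []CertEntry, fresh CertEntry) []CertEntry {
	for i := range list {
		if list[i].Domain == fresh.Domain {
			list[i] = fresh
			return list
		}
	}
	return append(list, fresh)
}

func main() {
	now := time.Now()
	list := []CertEntry{ // constructed entries
		{Domain: "a.example.com", Serial: "01", NotAfter: now.Add(72 * time.Hour)},
		{Domain: "b.example.com", Serial: "02", NotAfter: now.Add(-time.Hour)},
		{Domain: "c.example.com", Serial: "03", NotAfter: now.Add(72 * time.Hour), Revoked: true},
	}
	// Constructed policy: a revoked certificate is more urgent than an expired one.
	weight := func(c CertEntry) int { if c.Revoked { return 25 }; return 10 }
	reqs, err := PreHandshakeCheck(list, now, weight)
	fmt.Println(reqs, err)
}
```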
S107, encrypting the configuration information based on the temporary session key to generate encrypted configuration information.
In one embodiment, the configuration information is encrypted and decrypted with the temporary session key, specifically: when the mobile device sends data, the data is encrypted with the SM4 algorithm under the temporary session key and then sent to the target server, and when the target server receives the encrypted data it decrypts it with the SM4 algorithm under the temporary session key to obtain the corresponding data; similarly, when the target server sends data, the data is encrypted with the SM4 algorithm under the temporary session key and then sent to the mobile device, and when the mobile device receives the encrypted data it decrypts it with the SM4 algorithm under the temporary session key to obtain the corresponding data. The encrypted configuration information is used by the mobile device and the target server to complete the connection establishment process.
After the target server receives the CHLO message (initial packet), it replies with a Rejection (REJ) message that carries the target server's configuration information, including the corresponding domain name certificate. The mobile device receives the REJ message, extracts and stores the configuration information, and sends a full ClientHello message to the target server to start the formal handshake; this message carries the public number selected by the mobile device. At this point the mobile device can compute an initial key from the acquired configuration information and its own selected public number. The target server receives the full ClientHello and, if it agrees to the connection, computes the initial key from the mobile device's public number and replies with a ServerHello (SHLO) message that is encrypted with the initial key and contains the temporary public number selected by the target server. The mobile device receives the target server's reply; if it is an SHLO message, the mobile device attempts to decrypt it with the initial key and extracts the temporary public number. The mobile device and the target server each derive a session key based on the SHA-256 algorithm from the temporary public number and the initial key; both parties switch to the session key for communication, the initial key is no longer of use, and the handshake process is finished. The specific handshake process may also follow other, partially improved manners, which this embodiment does not repeat.
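The CHLO/REJ/SHLO exchange above, as an added example that is not taken from the patent: it assumes X25519 for the public numbers and AES-256-GCM in place of SM4 for sealing the SHLO, and derives both the initial key and the session key with plain SHA-256 over labelled inputs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// X25519 is assumed for the public numbers (the page names no curve) and
// AES-256-GCM stands in for SM4, which the Go standard library lacks.
var curve = ecdh.X25519()

func sealer(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// deriveKey is the SHA-256 step: a label, the fresh shared secret and the
// key being upgraded (nil when the initial key comes from the config).
func deriveKey(shared, prev []byte, label string) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(shared)
	h.Write(prev)
	return h.Sum(nil)
}

// Server keeps the long-lived value whose public half the REJ carries;
// the initial key depends on it and is therefore not forward secure.
type Server struct{ static *ecdh.PrivateKey }

func NewServer() (*Server, error) {
	k, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Server{static: k}, nil
}

func (s *Server) Reject() []byte { return s.static.PublicKey().Bytes() } // REJ config

// Hello handles the full ClientHello: initial key from the device's public
// number, a fresh temporary public number sealed in the SHLO under that
// key, then the session key both ends switch to.
func (s *Server) Hello(clientPub []byte) (shlo, sessionKey []byte, err error) {
	cp, err := curve.NewPublicKey(clientPub)
	if err != nil { return nil, nil, err }
	shared, err := s.static.ECDH(cp)
	if err != nil { return nil, nil, err }
	initial := deriveKey(shared, nil, "initial")
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	aead, err := sealer(initial)
	if err != nil { return nil, nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, nil, err }
	shlo = append(nonce, aead.Seal(nil, nonce, eph.PublicKey().Bytes(), nil)...)
	ephShared, err := eph.ECDH(cp)
	if err != nil { return nil, nil, err }
	return shlo, deriveKey(ephShared, initial, "session"), nil
}

// Client computes the initial key from the REJ configuration before it
// sends the full ClientHello carrying its own public number.
type Client struct{ priv *ecdh.PrivateKey; initial []byte }

func NewClient(serverConfig []byte) (*Client, error) {
	priv, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	sp, err := curve.NewPublicKey(serverConfig)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(sp)
	if err != nil { return nil, err }
	return &Client{priv: priv, initial: deriveKey(shared, nil, "initial")}, nil
}

func (c *Client) PublicNumber() []byte { return c.priv.PublicKey().Bytes() }

// OpenHello decrypts the SHLO with the initial key and derives the session
// key; a forged or damaged SHLO fails authentication and yields no key.
func (c *Client) OpenHello(shlo []byte) ([]byte, error) {
	aead, err := sealer(c.initial)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(shlo) < n { return nil, fmt.Errorf("SHLO shorter than its nonce") }
	serverEph, err := aead.Open(nil, shlo[:n], shlo[n:], nil)
	if err != nil { return nil, err }
	ep, err := curve.NewPublicKey(serverEph)
	if err != nil { return nil, err }
	shared, err := c.priv.ECDH(ep)
	if err != nil { return nil, err }
	return deriveKey(shared, c.initial, "session"), nil
}

func main() {
	srv, _ := NewServer()
	cli, _ := NewClient(srv.Reject())
	shlo, serverKey, _ := srv.Hello(cli.PublicNumber())
	clientKey, err := cli.OpenHello(shlo)
	fmt.Printf("server %x\nclient %x\nerr %v\n", serverKey, clientKey, err)
}
```

Only the session key, which mixes in the temporary public number, gives forward secrecy; the initial key protects nothing more than the SHLO in transit, which is why the page discards it once the session key exists.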
S108, processing the attribute information and the security level information of the mobile device to generate the connection priority of the mobile device.
In one embodiment, real-time load balancing information of the target server and the data connection task information within a preset period are acquired: the load balancing information of the target server is monitored in real time to learn the current network traffic and resource usage, and the data connection task information within the preset period is collected, including task types, data amounts and expected completion times. The target server is then processed based on the data connection task information within the preset period to generate preset connection progress information for the target server; that is, the connection progress of the target server is predicted from the collected data connection task information and its processing capacity is evaluated.
The attribute information and the security level information of the mobile device are processed to generate target processing progress information, which comprises the processing time and the connection time of the mobile device: the attribute information of the mobile device, such as processor speed, memory size and network connection capability, is analysed; the security level of the mobile device is evaluated with factors such as encryption technology, operating system updates and malware protection taken into account; and the attribute and security information of the mobile device are combined to generate the target processing progress information, including the expected processing time and connection time.
The preset connection progress information is processed based on the target processing progress information to generate the connection priority of the mobile device: the connection priority of each device is evaluated according to the real-time load of the server and the processing progress of the mobile device, a connection priority is generated for each mobile device, priority is given to devices with high processing speed, high security and urgent connection requirements, and the connection priority is adjusted dynamically as the server load and the actual connection conditions of the mobile devices change.
In addition, the connection priority of the mobile device may be determined according to the size of the data the mobile device needs to transmit, the transmission time, the time required by the connection process, and the like, so that the priority is determined from the processing difficulty and processing time of the data rather than merely from the importance of the mobile device.
S109, connecting with the mobile device based on the connection priority of the mobile device and the encrypted configuration information.
In one embodiment, connecting to the mobile device based on its connection priority and the encrypted configuration information is a policy that ensures network security and optimises resource allocation. The connection priority of each device is determined according to the attribute information, the security level and the server load condition; the configuration information is encrypted with a strong encryption algorithm so that it cannot be intercepted or tampered with in transit; a connection request for the mobile device is generated according to the connection priority and the encrypted configuration information; the encrypted connection request is sent to the target mobile device and the device's response is awaited; and after the mobile device receives the connection request, it verifies the validity of the request and responds.
The mobile device decrypts the configuration information with the corresponding decryption key to obtain the connection parameters and establishes a secure encrypted connection with the server according to the decrypted configuration information. The server confirms the connection after receiving the connection request of the mobile device and performs the necessary security checks. Once the connection is established, data is transmitted securely, with the integrity and confidentiality of the data ensured during transmission. The connection state is monitored continuously to ensure the stability of the connection and to discover and resolve possible problems in time; the connection priority is adjusted dynamically according to network conditions and device performance to optimise resource allocation; security audits are performed periodically to check whether the security measures in the connection process are adequate and whether potential security risks exist; a notification is sent to the user when the connection is established and when it is disconnected, improving user experience and transparency; and when data transmission is completed or the connection is no longer needed, the connection is disconnected securely and the related resources are cleaned up.
Through this process, the connection between the mobile device and the server is kept secure and efficient, the use of network resources is optimised, and the stability and performance of the whole network are improved. This is particularly important for enterprise networks that must handle a large number of mobile device connections.
The method comprises the steps of acquiring digital certificate information, equipment unique identification information, mobile equipment random numbers, mobile equipment key-share information, attribute information of mobile equipment and security level information sent by the mobile equipment; acquiring a target server random number and target server key-share information; generating a premaster secret key according to the mobile device key-share information and the target server key-share information; generating a temporary session key according to the mobile equipment random number, the target server random number and the premaster secret key; processing the digital certificate information and the equipment unique identification information based on a preset pairing rule to generate a processing result; if the processing result is that the target server and the mobile equipment are allowed to be connected in a pairing way, configuration information is obtained, wherein the configuration information comprises domain name certificates and other target server parameters required by the connection establishment process with the mobile equipment; encrypting the configuration information based on the temporary session key to generate encrypted configuration information, wherein the encrypted configuration information is used for the mobile equipment and the target server to complete a connection establishment process; processing the attribute information and the security level information of the mobile equipment to generate a connection priority of the mobile equipment; and connecting with the mobile device based on the connection priority of the mobile device and the encrypted configuration information. 
Identity authentication is completed by combining the device unique identifier with the digital certificate, temporary session key negotiation is performed during identity authentication to meet the plug-and-play requirement of the terminal device, and the connection priority of the mobile device is generated by processing its attribute information and security level information. The intrinsic security of the network and the system is enhanced by, for example, building a complete security mechanism into the design of the communication protocol, embedding access control based on behaviour judgement, making the system and network state variable in a virtual heterogeneous manner, and constructing a secure execution environment.
Optionally, in another embodiment of the above method according to the present application, after the sending the encrypted configuration information to the mobile device to complete the connection establishment procedure, the method further includes:
acquiring an encryption request message sent by the mobile device, wherein the encryption request message comprises first national cryptographic algorithm information;
selecting second national cryptographic algorithm information from the first national cryptographic algorithm information, and sending an encryption confirmation message to the mobile device, wherein the encryption confirmation message comprises the second national cryptographic algorithm information;
determining a national cryptographic certificate based on a preset encryption rule, and signing the national cryptographic certificate with the signature algorithm in the second national cryptographic algorithm information to generate encryption verification information;
transmitting the encryption verification information to the mobile device;
and when encryption/decryption is performed with the terminal, performing it with the SM4 algorithm in the second national cryptographic algorithm information.
In one embodiment, if the ClientHello message is determined to carry SNI extension information, the domain name information in the SNI extension is extracted and the national cryptographic certificate corresponding to that domain name is used as the national cryptographic certificate; and/or if the ClientHello message is determined not to carry SNI extension information, a default national cryptographic certificate is used. When the mobile device sends data, the data is encrypted with the SM4 algorithm according to the second national cryptographic algorithm information and then sent to the target server, and when the target server receives the encrypted data it decrypts it with the SM4 algorithm according to the second national cryptographic algorithm information to obtain the corresponding data; similarly, when the target server sends data, the data is encrypted with the SM4 algorithm according to the second national cryptographic algorithm information and then sent to the mobile device, and when the mobile device receives the encrypted data it decrypts it with the SM4 algorithm according to the second national cryptographic algorithm information to obtain the corresponding data.
Optionally, in another embodiment of the above method according to the present application, after the sending the encrypted configuration information to the mobile device to complete the connection establishment procedure, the method further includes:
When the target server completes a first handshake request, storing all domain name information supported by a domain name certificate, cross domain name multiplexing information and handshake multiplexing information associated with the domain name certificate in a mapping table;
Transmitting handshake multiplexing information to the mobile device;
and when the mobile device has been disconnected from the target server and needs to connect again, completing the handshake request with the mobile device based on the handshake multiplexing information.
In one embodiment, the target server extracts all the domain name information supported by the certificate, acquires the SessionID information or the SessionTicket encryption information sent by the edge node, and associates all the domain name information with the SessionID information or with the SessionTicket encryption information.
In another embodiment, the domain name multiplexing information is domain name multiplexing extension information carried in the ClientHello message sent by the mobile device: the ClientHello message sent by the mobile device, which comprises SessionID information, is acquired; the session key is determined from the session information associated with the SessionID information; and the handshake request with the mobile device is completed. For example, a normal user first requests https://a.example.com/url1: the mobile device resolves a.example.com through DNS to obtain the corresponding IP and performs the TLS handshake; the target server returns handshake information that carries a flag bit or extension information for cross-domain-name handshake multiplexing, and the target server stores the related handshake session information. The mobile device parses the handshake information, obtains the cross-domain-name multiplexing identifier, extracts from it all the domain name information of the certificate, and caches the related handshake information, which the extracted domain names may share. After a successful handshake (e.g., the certificate supports example.com), the request is initiated and the content is fetched, completing the request. The normal user then additionally requests https://b.sample.com/url2: the mobile device resolves b.sample.com through DNS to obtain the corresponding IP, searches the handshake cache, finds that this domain name can share the handshake information of the earlier a.example.com, and uses that handshake information to complete a multiplexed handshake with the new target server.
In another embodiment, the domain name multiplexing information is a domain name multiplexing flag bit carried in the NewSessionTicket message sent by the mobile device: the ClientHello message sent by the mobile device, which comprises SessionTicket information, is acquired; verification information, returned after the SessionTicket information is successfully verified, is transmitted to the mobile device; the session key is determined from the session information associated with the SessionTicket information; and the handshake request with the mobile device is completed.
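The cross-domain-name handshake multiplexing of the two embodiments above, in its SessionID form, as an added example that is not the patent's code; the mapping table, the device-side cache and the domain names a.example.com, b.example.com and c.other.com are constructed, exact domain matching is assumed, and the session key is drawn at random here in place of the key the handshake derives.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// HandshakeInfo is one row of the target server's mapping table: the
// session key of a completed handshake and every domain name that the
// domain name certificate used in that handshake supports.
type HandshakeInfo struct {
	Domains    []string
	SessionKey []byte
}

// Server maps SessionID -> handshake information.
type Server struct{ table map[string]HandshakeInfo }

func NewServer() *Server { return &Server{table: map[string]HandshakeInfo{}} }

// FullHandshake stands in for the first, full handshake: the session key is
// drawn at random here (the page derives it from the key shares), the
// certificate's domain list is recorded against a fresh SessionID, and
// both are returned as the handshake multiplexing information.
func (s *Server) FullHandshake(certDomains []string) (string, HandshakeInfo, error) {
	id := make([]byte, 16)
	key := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		return "", HandshakeInfo{}, err
	}
	if _, err := rand.Read(key); err != nil {
		return "", HandshakeInfo{}, err
	}
	sessionID := hex.EncodeToString(id)
	info := HandshakeInfo{Domains: append([]string{}, certDomains...), SessionKey: key}
	s.table[sessionID] = info
	return sessionID, info, nil
}

// Resume handles a ClientHello carrying a SessionID: the handshake is only
// multiplexed when the domain now requested (the SNI) is one the original
// certificate covered. Exact matching, no wildcards, is assumed.
func (s *Server) Resume(sessionID, sni string) ([]byte, error) {
	info, ok := s.table[sessionID]
	if !ok {
		return nil, errors.New("unknown SessionID: full handshake required")
	}
	for _, d := range info.Domains {
		if d == sni {
			return info.SessionKey, nil
		}
	}
	return nil, errors.New("domain not covered by the cached certificate")
}

// Cache is the mobile device's handshake cache, indexed by every domain
// name listed in the cross-domain-name multiplexing information.
type Cache struct {
	byDomain map[string]string // domain -> SessionID
	keys     map[string][]byte // SessionID -> session key
}

func NewCache() *Cache {
	return &Cache{byDomain: map[string]string{}, keys: map[string][]byte{}}
}

func (c *Cache) Store(sessionID string, info HandshakeInfo) {
	c.keys[sessionID] = info.SessionKey
	for _, d := range info.Domains {
		c.byDomain[d] = sessionID
	}
}

// Lookup returns the SessionID to present for domain, or "" if none.
func (c *Cache) Lookup(domain string) string { return c.byDomain[domain] }

// Connect is the device's decision for a new request: multiplex the cached
// handshake when the domain is covered, otherwise run a full handshake
// (certDomains stands in for the certificate that server would present).
func Connect(dev *Cache, srv *Server, domain string, certDomains []string) (bool, []byte, error) {
	if id := dev.Lookup(domain); id != "" {
		if key, err := srv.Resume(id, domain); err == nil {
			return true, key, nil
		}
		// stale or refused entry: fall through to a full handshake
	}
	id, info, err := srv.FullHandshake(certDomains)
	if err != nil {
		return false, nil, err
	}
	dev.Store(id, info)
	return false, info.SessionKey, nil
}

func main() {
	srv, dev := NewServer(), NewCache()
	sans := []string{"a.example.com", "b.example.com"} // constructed certificate domains
	resumed, _, _ := Connect(dev, srv, "a.example.com", sans)
	fmt.Println("a.example.com multiplexed:", resumed)
	resumed, _, _ = Connect(dev, srv, "b.example.com", sans)
	fmt.Println("b.example.com multiplexed:", resumed)
	resumed, _, _ = Connect(dev, srv, "c.other.com", []string{"c.other.com"})
	fmt.Println("c.other.com multiplexed:", resumed)
}
```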
By applying the technical scheme, the target server acquires the digital certificate information, the equipment unique identification information, the mobile equipment random number and the mobile equipment key-share information sent by the mobile equipment; acquiring a target server random number and target server key-share information; generating a premaster secret key according to the mobile device key-share information and the target server key-share information; generating a temporary session key according to the mobile equipment random number, the target server random number and the premaster secret key; processing the digital certificate information and the equipment unique identification information based on a preset pairing rule to generate a processing result; if the processing result is that the target server and the mobile equipment are allowed to be connected in a pairing way, configuration information is obtained, wherein the configuration information comprises domain name certificates and other target server parameters required by the connection establishment process with the mobile equipment; detecting whether a domain name certificate in a local storage area is in a valid state; if not, sending a certificate loading request to a certificate center, wherein the certificate loading request comprises identification information, and the identification information is used for identifying the processing priority of the certificate loading request in the certificate center; acquiring a domain name certificate returned by a certificate center; replacing the domain name certificate in the invalid state with the new domain name certificate obtained from the certificate center; encrypting the configuration information based on the temporary session key to generate encrypted configuration information; and sending the encrypted configuration information to the mobile equipment to complete the connection establishment process.
In addition, the target server acquires an encryption request message sent by the mobile device, wherein the encryption request message comprises first national cryptographic algorithm information; selects second national cryptographic algorithm information from the first national cryptographic algorithm information and sends an encryption confirmation message to the mobile device, wherein the encryption confirmation message comprises the second national cryptographic algorithm information; determines a national cryptographic certificate based on a preset encryption rule and signs it with the signature algorithm in the second national cryptographic algorithm information to generate encryption verification information; sends the encryption verification information to the mobile device; and, when performing encryption/decryption with the terminal, uses the SM4 algorithm in the second national cryptographic algorithm information.
When the target server completes the first handshake request, all the domain name information supported by the domain name certificate used in that first handshake, together with the cross-domain-name multiplexing information and the handshake multiplexing information associated with that certificate, is stored in a mapping table, and the handshake multiplexing information is transmitted to the mobile device. When the mobile device has been disconnected from the target server and needs to connect again: if the cross-domain multiplexing information is cross-domain multiplexing extension information carried in the ClientHello message sent by the mobile device, the ClientHello message comprising SessionID information is acquired, the session key is determined from the session information associated with the SessionID information, and the handshake request with the mobile device is completed; if the cross-domain multiplexing information is a cross-domain multiplexing flag bit carried in the NewSessionTicket message sent by the mobile device, the ClientHello message comprising SessionTicket information is acquired, verification information returned after the SessionTicket information is successfully verified is transmitted to the mobile device, the session key is determined from the session information associated with the SessionTicket information, and the handshake request with the mobile device is completed. The method completes identity authentication by combining the device unique identifier with the digital certificate and performs temporary session key negotiation during identity authentication, thereby meeting the plug-and-play requirement of the terminal device.
The intrinsic security of the network and the system is enhanced by, for example, building a complete security mechanism into the design of the communication protocol, embedding access control based on behaviour judgement, making the system and network state variable in a virtual heterogeneous manner, and constructing a secure execution environment. An integrated security framework in which external protection and intrinsic security interact and complement each other is constructed. On the one hand, based on existing external security protection technology, defence means such as isolation, filtering and detection are applied in a targeted way to the possible risk points in system architectures such as intelligent fusion terminals and micro-grid energy controllers, so as to resist potential network attack threats; on the other hand, the intrinsic security of the network and the system is enhanced, for example by considering a complete security mechanism in the design of the communication protocol, embedding access control based on behaviour determination, making the system and network state variable in a virtual heterogeneous manner, and constructing a secure execution environment.
In one embodiment, as shown in fig. 2, the present application further provides a network security management device, including:
an obtaining module 201, configured to obtain the digital certificate information, device unique identification information, mobile device random number, mobile device key-share information, attribute information of the mobile device and security level information sent by the mobile device, and to acquire a target server random number and target server key-share information;
A processing module 202, configured to generate a premaster secret according to the mobile device key-share information and the target server key-share information; generating a temporary session key according to the mobile equipment random number, the target server random number and the premaster secret key; processing the digital certificate information and the equipment unique identification information based on a preset pairing rule to generate a processing result; if the processing result is that the target server and the mobile equipment are allowed to be connected in a pairing way, configuration information is obtained, wherein the configuration information comprises domain name certificates and other target server parameters required by the connection establishment process with the mobile equipment; encrypting the configuration information based on the temporary session key to generate encrypted configuration information, wherein the encrypted configuration information is used for enabling the mobile equipment and a target server to complete a connection establishment process; processing the attribute information and the security level information of the mobile equipment to generate a connection priority of the mobile equipment; and connecting with the mobile equipment based on the connection priority of the mobile equipment and the encrypted configuration information.
According to the application, a target server acquires digital certificate information, equipment unique identification information, mobile equipment random numbers, mobile equipment key-share information, attribute information of mobile equipment and security level information which are sent by the mobile equipment; acquiring a target server random number and target server key-share information; generating a premaster secret key according to the mobile device key-share information and the target server key-share information; generating a temporary session key according to the mobile equipment random number, the target server random number and the premaster secret key; processing the digital certificate information and the equipment unique identification information based on a preset pairing rule to generate a processing result; if the processing result is that the target server and the mobile equipment are allowed to be connected in a pairing way, configuration information is obtained, wherein the configuration information comprises domain name certificates and other target server parameters required by the connection establishment process with the mobile equipment; encrypting the configuration information based on the temporary session key to generate encrypted configuration information, wherein the encrypted configuration information is used for the mobile equipment and the target server to complete a connection establishment process; processing the attribute information and the security level information of the mobile equipment to generate a connection priority of the mobile equipment; and connecting with the mobile device based on the connection priority of the mobile device and the encrypted configuration information. 
The method completes identity authentication by combining the device unique identifier with the digital certificate and performs temporary session key negotiation during identity authentication, thereby meeting the plug-and-play requirement of the terminal device. The intrinsic security of the network and the system is enhanced by, for example, building a complete security mechanism into the design of the communication protocol, embedding access control based on behaviour judgement, making the system and network state variable in a virtual heterogeneous manner, and constructing a secure execution environment.
In another embodiment of the present application, the processing module 202 is configured to obtain configuration information, including:
detecting whether a domain name certificate in a local storage area is in a valid state;
If not, sending a certificate loading request to a certificate center;
And replacing the domain name certificate in the invalid state with the new domain name certificate acquired from the certificate authority.
In another embodiment of the present application, the processing module 202 configured to send a certificate loading request to a certificate authority includes:
Sending a certificate loading request to the certificate center, wherein the certificate loading request comprises identification information, and the identification information is used for identifying the processing priority of the certificate loading request in the certificate center;
And acquiring a domain name certificate returned by the certificate center.
In another embodiment of the present application, after the processing module 202 is configured to send the encrypted configuration information to the mobile device to complete the connection establishment procedure, the processing module further includes:
When the target server completes a first handshake request, storing all domain name information supported by a domain name certificate, cross domain name multiplexing information and handshake multiplexing information associated with the domain name certificate in a mapping table;
Transmitting handshake multiplexing information to the mobile device;
and when the mobile device has been disconnected from the target server and needs to connect again, completing the handshake request with the mobile device based on the handshake multiplexing information.
In another embodiment of the present application, the processing module 202 configured to complete a handshake request with the mobile device based on the handshake multiplexing information includes:
when the domain name multiplexing information is domain name multiplexing extension information carried by the ClientHello message sent by the mobile device;
acquiring a ClientHello message sent by the mobile device, wherein the ClientHello message comprises the SessionID information;
And determining a session key according to the session information associated with the SessionID information, and completing the handshake request with the mobile equipment.
In another embodiment of the present application, the processing module 202 configured to complete a handshake request with the mobile device based on the handshake multiplexing information further includes:
when the cross-domain multiplexing information is a cross-domain multiplexing flag bit carried in the NewSessionTicket message sent by the mobile device,
acquiring the ClientHello message sent by the mobile device, wherein the ClientHello message contains SessionTicket information;
transmitting verification information to the mobile device, the verification information being returned after the SessionTicket information has been successfully verified;
and determining a session key according to the session information associated with the SessionTicket information, and completing the handshake request with the mobile device.
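The two handshake-reuse paths described above (a SessionID that indexes session state held by the server, and a SessionTicket that is minted by the server at the first handshake, presented later by the client and verified before its session key is reused), together with the per-certificate mapping table of supported domain names and the cross-domain multiplexing flag, as an added Python example. This is illustrative code written for this page, not the patent's implementation or any TLS library's API; the certificate identifiers, domain names, ticket format (HMAC-derived keystream plus an HMAC tag, encrypt-then-MAC), the 3600-second session lifetime and all key material are constructed assumptions.

```python
"""Server-side handshake reuse with a per-certificate mapping table (added example)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical mapping table: for each domain name certificate, the domain names it
# covers and whether a session established for one of them may be reused for another.
MAPPING_TABLE = {
    "cert-A": {"domains": {"api.example.test", "www.example.test"}, "cross_domain_reuse": True},
    "cert-B": {"domains": {"mail.example.test"}, "cross_domain_reuse": False},
}

SESSION_LIFETIME = 3600.0            # assumed lifetime of reusable session state, seconds
TICKET_KEY = secrets.token_bytes(32)  # protects SessionTickets; held only by the server


@dataclass
class Session:
    session_key: bytes
    cert_id: str
    sni: str            # domain name the full handshake was performed for
    expires_at: float


SESSION_CACHE: Dict[bytes, Session] = {}   # SessionID -> session state (SessionID path)


def _reuse_allowed(sess: Session, sni: str, now: float) -> bool:
    """Refuse reuse when expired, when the certificate does not cover the new domain,
    or when the domain changed and the certificate's cross-domain flag is off."""
    entry = MAPPING_TABLE.get(sess.cert_id)
    if entry is None or now >= sess.expires_at or sni not in entry["domains"]:
        return False
    return sni == sess.sni or entry["cross_domain_reuse"]


def full_handshake(cert_id: str, sni: str, now: float) -> Tuple[bytes, bytes, bytes]:
    """First handshake: derive a session key, cache it under a fresh SessionID and mint a
    SessionTicket for the client. Returns (session_id, ticket, session_key)."""
    if sni not in MAPPING_TABLE[cert_id]["domains"]:
        raise ValueError("certificate %s does not cover %s" % (cert_id, sni))
    sess = Session(secrets.token_bytes(32), cert_id, sni, now + SESSION_LIFETIME)
    sid = secrets.token_bytes(16)
    SESSION_CACHE[sid] = sess
    return sid, _mint_ticket(sess), sess.session_key


def resume_by_session_id(sid: bytes, sni: str, now: float) -> Optional[bytes]:
    """SessionID path: the ClientHello's SessionID selects server-side session state."""
    sess = SESSION_CACHE.get(sid)
    if sess is None or not _reuse_allowed(sess, sni, now):
        return None
    return sess.session_key


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(TICKET_KEY, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(TICKET_KEY, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _mint_ticket(sess: Session) -> bytes:
    """Ticket = nonce || encrypted(expiry, cert_id, sni, session_key) || HMAC tag."""
    cert, sni = sess.cert_id.encode(), sess.sni.encode()
    plain = struct.pack(">dB", sess.expires_at, len(cert)) + cert + bytes([len(sni)]) + sni + sess.session_key
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(TICKET_KEY, b"tkt" + body, hashlib.sha256).digest()
    return body + tag


def resume_by_ticket(ticket: bytes, sni: str, now: float) -> Optional[bytes]:
    """SessionTicket path: verify the tag first (constant time), only then decrypt the
    ticket and apply the same expiry / domain / cross-domain checks."""
    if len(ticket) < 16 + 32:
        return None
    body, tag = ticket[:-32], ticket[-32:]
    expected = hmac.new(TICKET_KEY, b"tkt" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                              # forged or altered ticket
    nonce, ct = body[:16], body[16:]
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))
    expires_at, clen = struct.unpack(">dB", plain[:9])
    cert_id = plain[9:9 + clen].decode()
    slen = plain[9 + clen]
    orig_sni = plain[10 + clen:10 + clen + slen].decode()
    key = plain[10 + clen + slen:]
    sess = Session(key, cert_id, orig_sni, expires_at)
    return key if _reuse_allowed(sess, sni, now) else None
```

Both resume functions return the session key only after every check passes and return `None` otherwise, so the caller falls back to a full handshake rather than reusing state for a domain the certificate does not cover. The ticket key never leaves the server; in a deployment it would be rotated, which invalidates outstanding tickets in the same way the cache expiry does for SessionIDs.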
In another embodiment of the present application, the processing module 202 configured to process the attribute information and the security level information of the mobile device and generate a connection priority of the mobile device includes:
acquiring real-time load balancing information of the target server and data connection task information for a preset period;
processing the data connection task information for the preset period to generate preset connection progress information of the target server;
processing the attribute information and the security level information of the mobile device to generate target processing progress information, wherein the target processing progress information comprises the processing duration and the connection duration of the mobile device;
and processing the preset connection progress information based on the target processing progress information to generate the connection priority of the mobile device.
The embodiment of the application provides an electronic device. As shown in fig. 3, the electronic device 3 includes a first processor 300, a memory 301, a bus 302 and a communication interface 303, where the first processor 300, the communication interface 303 and the memory 301 are connected through the bus 302; the memory 301 stores a computer program executable on the first processor 300, and when the first processor 300 executes the computer program it performs the network security management method of any of the foregoing embodiments of the present application.
The memory 301 may include a high-speed Random Access Memory (RAM), and may further include a non-volatile memory, such as at least one disk memory. The communication connection between this system network element and at least one other network element is implemented via at least one communication interface 303 (which may be wired or wireless); the Internet, a wide area network, a local network, a metropolitan area network, etc. may be used.
Bus 302 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be classified as an address bus, a data bus, a control bus, etc. The memory 301 is configured to store a program; after the first processor 300 receives an execution instruction, the program is executed. The network security management method disclosed in any embodiment of the present application may be applied to the first processor 300 or implemented by the first processor 300.
The first processor 300 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits in hardware or by instructions in software form in the first processor 300. The first processor 300 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 301; the first processor 300 reads the information in the memory 301 and, in combination with its hardware, performs the steps of the above method.
The electronic device provided by the above embodiment of the present application and the network security management method provided by the embodiment of the present application share the same inventive concept, and therefore have the same beneficial effects as the method adopted, operated or implemented by the application program stored therein.
An embodiment of the present application provides a computer readable storage medium. As shown in fig. 4, the computer readable storage medium 401 stores a computer program, and when the computer program is read and executed by the second processor 402, the network security management method described above is implemented.
The technical solution of the embodiments of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing an electronic device (which may be an air conditioner, a refrigeration device, a personal computer, a target server, or a network device, etc.) or a processor to perform all or part of the steps of the method of the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, etc.
The computer readable storage medium provided by the above embodiment of the present application shares the same inventive concept as the network security management method provided by the embodiment of the present application, and therefore has the same advantageous effects as the method adopted, operated or implemented by the application program stored therein.
Embodiments of the present application provide a computer program product comprising a computer program which, when executed by a third processor, implements the method described above.
The computer program product provided by the above embodiment of the present application and the network security management method provided by the embodiment of the present application share the same inventive concept, and therefore have the same advantageous effects as the method adopted, operated or implemented by the application program stored therein.
It is noted that in the present application, relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiments of the present application are described in a related manner; the same or similar parts between the embodiments may be referred to one another, and each embodiment mainly describes its differences from the other embodiments. In particular, for the management method for evaluating network security, the electronic device, the electronic apparatus, and the readable storage medium embodiments, since they are substantially similar to the above-described embodiments of the network security management method, the description is relatively brief, and the relevant points are referred to in the description of those method embodiments.
Although the present application is disclosed above, the present application is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the application, and the scope of the application should be assessed according to that of the appended claims.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411048774.1A CN118573483B (en) | 2024-08-01 | 2024-08-01 | A network security management method and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118573483A CN118573483A (en) | 2024-08-30 |
CN118573483B true CN118573483B (en) | 2024-11-19 |
Family
ID=92466046
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411048774.1A Active CN118573483B (en) | 2024-08-01 | 2024-08-01 | A network security management method and related equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118573483B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119011274A (en) * | 2024-09-06 | 2024-11-22 | 乐研科技(苏州)有限公司 | Protection method for network security of micro-grid system and related equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115694909A (en) * | 2022-09-30 | 2023-02-03 | 福建省万物智联科技有限公司 | SSL-based MQTT authentication method and related equipment |
CN117579288A (en) * | 2022-08-08 | 2024-02-20 | 贵州白山云科技股份有限公司 | Handshake multiplexing method, device and computer readable medium |
CN118250694A (en) * | 2024-05-28 | 2024-06-25 | 中国铁道科学研究院集团有限公司通信信号研究所 | A 5G-R terminal identity authentication and access control system and method |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101730357B1 (en) * | 2010-11-22 | 2017-04-27 | 삼성전자주식회사 | Apparatus and method for connecting access point in portable terminal |
CN109302369B (en) * | 2017-07-24 | 2021-03-16 | 贵州白山云科技股份有限公司 | Data transmission method and device based on key verification |
CN111818667B (en) * | 2020-09-10 | 2020-12-29 | 深圳传音控股股份有限公司 | Device connection method, device and readable storage medium |
CN112469003B (en) * | 2021-02-04 | 2021-07-27 | 南京理工大学 | Traffic sensor network data transmission method, system and medium based on hybrid encryption |
JP2022185984A (en) * | 2021-06-04 | 2022-12-15 | シャープ株式会社 | Electronic device, tethering terminal, communication system, and communication method |
Also Published As
Publication number | Publication date |
---|---|
CN118573483A (en) | 2024-08-30 |
Similar Documents
Publication | Title |
---|---|
CN111835752B (en) | Lightweight authentication method and gateway based on device identity |
CN111416807B (en) | Data acquisition method, device and storage medium |
EP3318037B1 (en) | Content security at service layer |
JP5889988B2 (en) | HTTP-based authentication |
CN106034104B (en) | Verification method, device and system for network application access |
US10834170B2 (en) | Cloud authenticated offline file sharing |
CN102801616B (en) | Message sending and receiving method, device and system |
EP3633949B1 (en) | Method and system for performing ssl handshake |
US20140298037A1 (en) | Method, apparatus, and system for securely transmitting data |
US10171452B2 (en) | Server authentication using multiple authentication chains |
CN108243176B (en) | Data transmission method and device |
CN113411190B (en) | Key deployment, data communication, key exchange and security reinforcement method and system |
Li et al. | A secure sign-on protocol for smart homes over named data networking |
CN103427998A (en) | Internet data distribution oriented identity authentication and data encryption method |
CN107786515B (en) | Method and device for certificate authentication |
CN118573483B (en) | A network security management method and related equipment |
Pateriya et al. | Analysis on Man in the Middle Attack on SSL |
CN110138558B (en) | Transmission method and device of session key and computer-readable storage medium |
CN111314269A (en) | Address automatic allocation protocol security authentication method and equipment |
CN117938466A (en) | Substation communication method and system |
Hussain et al. | Boost Secure Sockets Layer against Man-in-the-Middle Sniffing Attack via SCPK |
CN101772025B (en) | User identification method, device and system |
CN111163466B (en) | Method for 5G user terminal to access block chain, user terminal equipment and medium |
CN114095930B (en) | Method for handling violations of satellite network users combined with access authentication and related equipment |
CN110225011B (en) | Authentication method and device for user node and computer readable storage medium |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |