CN-116192987-B - Zero trust knock message transmission method and system based on QUIC protocol
Abstract
The application provides a zero trust knock message transmission method and system based on the QUIC protocol. In the method, an SPA client generates an SPA knock message and sends it to a QUIC client; the QUIC client sends the SPA knock message to the corresponding QUIC server through the QUIC protocol, and the QUIC server forwards the SPA knock message to the SDP zero trust gateway. The application uses the QUIC protocol to carry the SPA knock message, which ensures that the SPA knock message reliably and effectively reaches the SDP zero trust gateway. Because QUIC is itself built on UDP, it preserves the connectionless security tradition of the UDP-based zero trust SDP scheme, while at the same time QUIC guarantees message reliability at the application layer: for example, if the SPA knock message is discarded by the network layer, the QUIC client automatically retransmits it, thereby ensuring that the SPA knock message is reachable, that the user's service can be accessed normally, and that the user experience is improved.
Inventors
- Lv Shujian
Assignees
- 长沙誉联信息技术有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20221020
Claims (7)
- 1. A zero trust knock message transmission method based on the QUIC protocol, characterized by comprising the following steps: S1, a single-packet authorization (SPA) client generates an SPA knock message and sends it to a QUIC client; S2, the QUIC client sends the SPA knock message to a corresponding QUIC server through the QUIC protocol; S3, the QUIC server forwards the SPA knock message to an SDP zero trust gateway. S2 includes: S21, the QUIC client encapsulates the SPA knock message to obtain an encapsulated message; S22, the QUIC client transmits the encapsulated message to the QUIC server through an encrypted transmission tunnel of the QUIC protocol. S21 comprises: S211, the QUIC client generates a target connection corresponding to the SPA knock message, the target connection being identified by a connection ID; S212, the QUIC client loads the SPA knock message into the target connection to obtain the encapsulated message. S3 includes: S31, after receiving the encapsulated message, the QUIC server decapsulates it to obtain the SPA knock message; S32, the QUIC server forwards the SPA knock message to the SDP zero trust gateway.
- 2. The QUIC protocol-based zero trust knock message transmission method according to claim 1, wherein S22 comprises: the QUIC client transmits the encapsulated message to the QUIC server in 0-RTT mode through an encrypted transmission tunnel of the QUIC protocol.
- 3. A zero trust knock message transmission system based on the QUIC protocol for executing the method as claimed in claim 1 or 2, comprising an SPA client, a QUIC server and an SDP zero trust gateway; the SPA client is used for generating an SPA knock message and sending it to the QUIC client; the QUIC client is used for sending the SPA knock message to a corresponding QUIC server through the QUIC protocol; the QUIC server is used for forwarding the SPA knock message to the SDP zero trust gateway.
- 4. The QUIC protocol-based zero trust knock message transmission system according to claim 3, wherein the QUIC client is specifically configured to encapsulate the SPA knock message to obtain an encapsulated message, and to transmit the encapsulated message to the QUIC server through an encrypted transmission tunnel of the QUIC protocol.
- 5. The QUIC protocol-based zero trust knock message transmission system according to claim 4, wherein the QUIC client is specifically configured to generate a target connection corresponding to the SPA knock message, the target connection being identified by a connection ID, and to load the SPA knock message into the target connection to obtain the encapsulated message.
- 6. The QUIC protocol-based zero trust knock message transmission system of claim 5, wherein said QUIC server is configured to decapsulate said encapsulated message after receiving it, so as to obtain said SPA knock message, and to forward said SPA knock message to the SDP zero trust gateway.
- 7. The QUIC protocol-based zero trust knock message transmission system according to claim 6, wherein said QUIC client is specifically configured to transmit said encapsulated message to said QUIC server through an encrypted transmission tunnel of the QUIC protocol using a 0-RTT scheme.
Description
Zero trust knock message transmission method and system based on QUIC protocol
Technical Field
The application relates to the technical field of information security, in particular to a zero trust knock message transmission method and system based on the QUIC protocol.
Background
Zero Trust originally derives from the de-perimeterization security concept put forward by the Jericho Forum in 2004, and Forrester later officially coined the term "Zero Trust (ZT)". The core idea of zero trust security is that no person, device or system inside or outside the network should be trusted by default; the basis of trust for access control must be rebuilt on authentication and authorization. A core technical component of the zero trust network security architecture is the Single Packet Authorization (SPA) module, through which a user request is admitted to the zero trust gateway. SPA generally uses the User Datagram Protocol (UDP) for communication, because UDP transmission is connectionless and requires no reply by default, which is a great advantage: the protected gateway can remain hidden simply by discarding packets that fail authorization. In the prior art, because gateway knocking in the zero trust architecture uses the connectionless UDP protocol, a knock message sent by a user accessing the zero trust gateway over the Internet may be lost due to network jitter or congestion, so that the user's service cannot be accessed and the user experience is degraded.
The above information disclosed in the background section is only for enhancement of understanding of the background of the application and therefore may contain information that does not form prior art already known to a person of ordinary skill in the art.
Disclosure of Invention
The application provides a zero trust knock message transmission method and system based on the QUIC protocol, which are used for solving the problems existing in the prior art. In a first aspect, the present application provides a zero trust knock message transmission method based on the QUIC protocol, including: S1, a single-packet authorization (SPA) client generates an SPA knock message and sends it to a QUIC client; S2, the QUIC client sends the SPA knock message to a corresponding QUIC server through the QUIC protocol; S3, the QUIC server forwards the SPA knock message to an SDP zero trust gateway. In some embodiments, S2 comprises: S21, the QUIC client encapsulates the SPA knock message to obtain an encapsulated message; S22, the QUIC client transmits the encapsulated message to the QUIC server through an encrypted transmission tunnel of the QUIC protocol. In some embodiments, S21 comprises: S211, the QUIC client generates a target connection corresponding to the SPA knock message, the target connection being identified by a connection ID; S212, the QUIC client loads the SPA knock message into the target connection to obtain the encapsulated message. In some embodiments, S3 comprises: S31, after receiving the encapsulated message, the QUIC server decapsulates it to obtain the SPA knock message; S32, the QUIC server forwards the SPA knock message to the SDP zero trust gateway. In some embodiments, S22 comprises: the QUIC client transmits the encapsulated message to the QUIC server in 0-RTT mode through an encrypted transmission tunnel of the QUIC protocol.
The application provides a zero trust knock message transmission system based on the QUIC protocol, which comprises an SPA client, a QUIC server and an SDP zero trust gateway; the SPA client is used for generating an SPA knock message and sending it to the QUIC client; the QUIC client is used for sending the SPA knock message to a corresponding QUIC server through the QUIC protocol; the QUIC server is used for forwarding the SPA knock message to the SDP zero trust gateway. In some embodiments, the QUIC client is specifically configured to encapsulate the SPA knock message to obtain an encapsulated message, and to transmit the encapsulated message to the QUIC server through an encrypted transmission tunnel of the QUIC protocol. In some embodiments, the QUIC client is specifically configured to generate a target connection corresponding to the SPA knock message, the target connection being identified by a connection ID, and to load the SPA knock message into the target connection to obtain the encapsulated message. In some embodiments, the QUIC server is specifically configured to decapsulate the encapsulated message after receiving it, so as to obtain the SPA knock message, and to forward the SPA knock message to the SDP zero trust gateway. In some embodiments, the QUIC client is specifically configured to transmit the encapsulated message to the QUIC server through an encrypted transmission tunnel of the QUIC protocol using a 0-RTT scheme. The zero trust gat
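As an added illustration of steps S1 through S3 (example code written for this page, not code from the patent or its applicant), the following Python simulation walks one SPA knock through client-side encapsulation under a connection ID, a lossy network layer with application-layer retransmission, server-side decapsulation, and the gateway's silent-drop authorization check. The knock format (JSON body plus HMAC-SHA256 tag), the frame layout, the shared key and the loss pattern are all constructed assumptions; the encrypted QUIC tunnel itself is not modelled.

```python
import hashlib, hmac, json, os, time
SHARED_KEY = b"constructed-demo-key"  # constructed sample value, not a real secret

def make_spa_knock(client_id, key=SHARED_KEY):
    # S1: the SPA client builds one authenticated knock (assumed JSON + HMAC-SHA256 tag)
    body = {"cid": client_id, "ts": int(time.time()), "nonce": os.urandom(8).hex()}
    raw = json.dumps(body, sort_keys=True).encode()
    return raw + hmac.new(key, raw, hashlib.sha256).hexdigest().encode()

def gateway_verify(knock, key=SHARED_KEY):
    # SDP gateway: accept only a correctly authenticated knock, drop anything else silently
    raw, tag = knock[:-64], knock[-64:]
    expect = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expect)

def encapsulate(spa_msg, conn_id):
    # S21: load the knock into the connection identified by conn_id (assumed framing)
    return conn_id + len(spa_msg).to_bytes(2, "big") + spa_msg

def decapsulate(frame):
    # S31: recover the connection ID and the original SPA knock from the frame
    conn_id, n = frame[:8], int.from_bytes(frame[8:10], "big")
    payload = frame[10:10 + n]
    if len(payload) != n:
        raise ValueError("truncated frame")
    return conn_id, payload

class LossyLink:
    # stand-in for the network layer: drops frames according to a scripted pattern
    def __init__(self, drops):
        self.drops = list(drops)
    def send(self, frame):
        return None if self.drops and self.drops.pop(0) else frame

def quic_client_send(spa_msg, link, max_tries=5):
    # S22: the QUIC client retransmits at the application layer until the server gets it
    frame = encapsulate(spa_msg, os.urandom(8))
    for attempt in range(1, max_tries + 1):
        delivered = link.send(frame)
        if delivered is not None:
            return delivered, attempt
    raise TimeoutError("knock never reached the QUIC server")

def run_knock(drops, client_id="alice", corrupt=False):
    # whole S1..S3 pipeline; returns (transmission attempts, accepted by gateway)
    knock = make_spa_knock(client_id)
    frame, attempts = quic_client_send(knock, LossyLink(drops))
    _, spa = decapsulate(frame)                         # QUIC server side
    if corrupt:                                         # constructed in-transit bit flip
        spa = bytes([spa[0] ^ 0x01]) + spa[1:]
    return attempts, gateway_verify(spa)                # S32: hand the knock to the gateway
```

With two scripted network-layer drops the knock still arrives on the third attempt and is accepted, whereas a corrupted knock is rejected by the gateway without any reply.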