
CN-121984775-A - SDP security architecture-based transport layer flow agent method and system


Abstract

The invention relates to the technical field of data forwarding, and in particular to a transport layer traffic proxy method and system based on an SDP (software-defined perimeter) security architecture. The method comprises: the client builds an SPA (single packet authorization) message from a local key and sends it to the gateway; the gateway verifies the SPA message and proceeds to step S3 when verification passes; the client transmits proxy data packets to the gateway over a forwarding channel, and the gateway forwards them based on the SDPP application layer protocol; the forwarding channel is built on the mTLS mutual authentication protocol. To address the poor security of prior-art traffic proxy protocols, a key protected by mTLS mutual authentication and HMAC-SM3 is introduced, realizing effective mutual authentication between the client and the gateway. The identity forgery protection rate reaches 100%, the collision probability of SPA message verification is below 10^-9, and the replay attack protection rate is 99.9%.

Inventors

  • SHAO XUDONG
  • HU JIAXIN
  • CHEN JIAMING
  • Lv Shuyue
  • WANG TAO
  • Yao Wenmeng
  • CHEN GUOLIANG
  • JIN WEIWEI
  • MA JUNJIE

Assignees

  • 上海辰锐信息科技有限公司

Dates

Publication Date
2026-05-05
Application Date
2026-03-09

Claims (10)

  1. A transport layer traffic proxy method based on an SDP security architecture, comprising: step S1, a client builds an SPA message from a local key and sends the SPA message to a gateway; step S2, the gateway verifies the SPA message and proceeds to step S3 when the verification passes; step S3, the client transmits a proxy data packet to the gateway over a forwarding channel, and the gateway forwards the proxy data packet based on an SDPP application layer protocol; the forwarding channel is constructed on the mTLS mutual authentication protocol; and, during the execution of step S3, the method further includes step A3: establishing a heartbeat mechanism between the client and the gateway, and closing the forwarding channel when the heartbeat mechanism is interrupted.
  2. The transport layer traffic proxy method according to claim 1, wherein step S1 comprises: step S11, the client collects local information and a timestamp and generates an encrypted random number and an HMAC field; step S12, the client computes over the local information, the timestamp, the HMAC field and the encrypted random number with the local key to construct the SPA message; and step S13, the client sends the SPA message to the gateway.
  3. The transport layer traffic proxy method according to claim 2, wherein step S2 comprises: step S21, the gateway extracts the check fields from the SPA message; step S22, the gateway retrieves the check rule corresponding to each check field and matches them one by one, and proceeds to step S3 after the matching passes; the check fields include the HMAC value generated from the local key.
  4. The transport layer traffic proxy method according to claim 1, wherein step S3 comprises: step S31, when the client needs to send a proxy data packet, the client builds a request message and sends it to the gateway over the forwarding channel; step S32, the gateway verifies the proxy data packet and constructs a response message as feedback; and step S33, after receiving the response message, the client sends the proxy data packet to the gateway over the forwarding channel and the gateway forwards it.
  5. The transport layer traffic proxy method of claim 1, wherein step A3 comprises: A31, when the forwarding channel is established, the client and the gateway each start a heartbeat timer; A32, when the heartbeat timer on the client side fires, the client generates a heartbeat message and sends it to the gateway, and the gateway resets its heartbeat timer and generates a response; A33, the client resets its local heartbeat timer when it receives the heartbeat response; and the forwarding channel is reset when the client does not receive a heartbeat response or the gateway does not receive a heartbeat message.
  6. A transport layer traffic proxy system based on an SDP security architecture, configured to implement the transport layer traffic proxy method of any one of claims 1 to 5; the transport layer traffic proxy system includes: a message sending module that controls the client to construct an SPA message from the local key and send it to the gateway; a message verification module that controls the gateway to verify the SPA message; a forwarding module that controls the client to transmit a proxy data packet to the gateway over the forwarding channel, the gateway forwarding the proxy data packet based on an SDPP application layer protocol, the forwarding channel being constructed on the mTLS mutual authentication protocol; and a heartbeat verification module that controls the establishment of a heartbeat mechanism between the client and the gateway and closes the forwarding channel when the heartbeat mechanism is interrupted.
  7. The transport layer traffic proxy system of claim 6, wherein the message sending module comprises: an information generation module that controls the client to collect local information and a timestamp and generate an encrypted random number and an HMAC field; an encryption module that controls the client to compute over the local information, the timestamp, the HMAC field and the encrypted random number with a preset encryption key to construct the SPA message; and a sending control module that controls the client to send the SPA message to the gateway.
  8. The transport layer traffic proxy system of claim 7, wherein the message verification module comprises: a field extraction module that controls the gateway to extract the check fields from the SPA message; and a field verification module that controls the gateway to retrieve the verification rule corresponding to each check field, match them one by one and produce a matching result; the check fields include the HMAC value generated from the local key.
  9. The transport layer traffic proxy system of claim 6, wherein the forwarding module comprises: a forwarding request module that controls the client to construct a request message and send it to the gateway over the forwarding channel when the client needs to send a proxy data packet; a verification feedback module that controls the gateway to verify the proxy data packet and construct a response message as feedback; and a forwarding control module that controls the client to send the proxy data packet to the gateway over the forwarding channel after receiving the response message, the gateway forwarding the proxy data packet.
  10. The transport layer traffic proxy system of claim 6, wherein the heartbeat verification module comprises: a timer generation module by which the client and the gateway each start a heartbeat timer when the forwarding channel is established; a heartbeat sending module that generates a heartbeat message and sends it to the gateway when the heartbeat timer on the client side fires, the gateway resetting its heartbeat timer and generating a response; and a heartbeat resetting module that resets the local heartbeat timer when the client receives a heartbeat response.
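Steps S1 and S2 of claims 1 to 3 (build an SPA message from local information, a timestamp, a random field and an HMAC; the gateway extracts each check field and matches it against its rule) as a runnable model. This is an added example, not code from the patent or its assignee. Everything concrete in it is an assumption of the example: the JSON encoding and field names, the 32-byte shared key, the 30-second skew window, the nonce size, and the use of HMAC-SHA256 as a stand-in when the local OpenSSL build does not expose SM3. The outer encryption layer that the description decrypts in step S21 is not modelled; only the integrity, freshness and replay checks are shown.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Set, Tuple

# The patent names HMAC-SM3. hashlib exposes SM3 only when OpenSSL provides
# it, so fall back to SHA-256; the check logic is the same either way.
DIGEST = "sm3" if "sm3" in hashlib.algorithms_available else "sha256"

# Constructed example values (not from the patent): a per-client shared key
# and the gateway's freshness and replay policy.
SHARED_KEY = bytes(range(32))
MAX_SKEW_SECONDS = 30       # accepted |gateway clock - packet timestamp|
NONCE_BYTES = 16            # length of the random field


def _mac(key: bytes, client_id: str, ts: int, nonce_hex: str) -> str:
    """HMAC over a canonical, unambiguous encoding of the checked fields."""
    canonical = f"{client_id}|{ts}|{nonce_hex}".encode()
    return hmac.new(key, canonical, DIGEST).hexdigest()


def build_spa(key: bytes, client_id: str, now: Optional[int] = None) -> bytes:
    """Step S1: local information + timestamp + random nonce, sealed with an HMAC."""
    ts = int(time.time()) if now is None else now
    nonce_hex = os.urandom(NONCE_BYTES).hex()
    msg = {"client_id": client_id, "ts": ts, "nonce": nonce_hex,
           "hmac": _mac(key, client_id, ts, nonce_hex)}
    return json.dumps(msg, separators=(",", ":")).encode()


class SpaGateway:
    """Step S2: pull each check field out of the packet and match its rule in turn."""

    def __init__(self, key: bytes, allowed_clients: Set[str]):
        self.key = key
        self.allowed = allowed_clients
        self.seen: Dict[str, int] = {}   # nonce -> timestamp, kept only inside the skew window

    def verify(self, raw: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            msg = json.loads(raw)
            client_id, ts = msg["client_id"], int(msg["ts"])
            nonce, tag = msg["nonce"], msg["hmac"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # Rule 1: the identity field must name a provisioned client (cheap rejection first).
        if not isinstance(client_id, str) or client_id not in self.allowed:
            return False, "unknown client"
        # Rule 2: the timestamp must lie inside the skew window; this bounds how long a
        # captured packet is worth replaying and how long nonces must be remembered.
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if not isinstance(nonce, str) or len(nonce) != NONCE_BYTES * 2:
            return False, "malformed nonce"
        # Rule 3: the HMAC must verify, compared in constant time. This runs before the
        # replay cache is touched so that forged packets cannot fill the cache.
        expected = _mac(self.key, client_id, ts, nonce)
        if not isinstance(tag, str) or not hmac.compare_digest(expected.encode(), tag.encode()):
            return False, "bad hmac"
        # Rule 4: a valid packet is accepted once; the same nonce inside the window is a replay.
        self._expire(now)
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"

    def _expire(self, now: int) -> None:
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW_SECONDS}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed exchange: one honest packet, then the cases the gateway must reject."""
    gw = SpaGateway(SHARED_KEY, {"client-01"})
    now = 1_700_000_000
    pkt = build_spa(SHARED_KEY, "client-01", now)
    tampered = json.loads(pkt)
    tampered["ts"] += 1                      # modified in flight, HMAC left as captured
    return {
        "honest": gw.verify(pkt, now),
        "replay": gw.verify(pkt, now + 2),   # the same capture re-sent two seconds later
        "stale": gw.verify(build_spa(SHARED_KEY, "client-01", now - 120), now),
        "forged": gw.verify(build_spa(b"\x00" * 32, "client-01", now), now),  # wrong key
        "tampered": gw.verify(json.dumps(tampered).encode(), now),
        "unknown": gw.verify(build_spa(SHARED_KEY, "client-99", now), now),
        "garbage": gw.verify(b"not-json", now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>9}: {result}")
```

The order of the rules is the security-relevant part: the HMAC is checked before the nonce is recorded, so an attacker without the key cannot poison the replay cache, and the timestamp window is what keeps that cache bounded.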

Description

Technical Field

The invention relates to the technical field of data forwarding, and in particular to a transport layer traffic proxy method and system based on an SDP security architecture.

Background

A traffic proxy protocol is a communication protocol for proxy forwarding of network traffic. Generally, a traffic proxy protocol establishes a channel between a client and a host according to a specific transport protocol, as with the common SOCKS proxy protocol: the client encapsulates the data packet to be sent together with the destination address it is bound for and sends it to the host, and the host delivers the packet to that destination address.

Many traffic proxy methods exist in the prior art. For example, patent document CN202211468949.5 discloses a traffic proxy method, device and system in the technical field of network security. The method comprises verifying the identity information of a user, acquiring and returning the list of resources accessible to the user based on that identity information, receiving a resource access request message from the user that carries a resource ID and an identity ID, forwarding the request message to a resource server, receiving the response returned by the resource server, inserting the associated resource ID into the response and returning the resulting new message to the user. For another example, patent document CN202011010588.0 discloses a traffic proxy method, a server and a storage medium. That method comprises receiving an HTTP request message, parsing it to obtain request information, and judging whether the request information matches a preset whitelist rule: if so, the request message is redirected to proxy software and the request information is sent to it, and the proxy software, after determining that the request content corresponding to the request information is held on preset storage equipment, obtains the request content from that storage and sends it to the proxy server; if not, the request message is forwarded to the next hop. The uplink messages of the TCP connection to which the request belongs pass through a server, which records the SYN header options of that TCP connection. This reduces the traffic proxy load on the proxy server, prevents it from processing the full volume of proxy requests, and improves the security of the traffic proxy.

However, in practical implementation the inventors found that existing transport layer traffic proxies depend on general-purpose application layer protocols and offer insufficient security protection: they lack a mutual authentication mechanism and are therefore exposed to identity forgery attacks, and their message integrity verification relies on a single mechanism, leaving a risk of data tampering.

Disclosure of Invention

To address these problems in the prior art, a transport layer traffic proxy method based on an SDP security architecture is provided; in another aspect, a system for implementing the method is also provided.

The specific technical scheme is as follows. A transport layer traffic proxy method based on an SDP security architecture comprises: step S1, a client builds an SPA message from a local key and sends the SPA message to a gateway; step S2, the gateway verifies the SPA message and proceeds to step S3 when the verification passes; step S3, the client transmits a proxy data packet to the gateway over a forwarding channel, and the gateway forwards the proxy data packet based on an SDPP application layer protocol; the forwarding channel is constructed on the mTLS mutual authentication protocol; and, during the execution of step S3, the method further includes step A3: establishing a heartbeat mechanism between the client and the gateway, and closing the forwarding channel when the heartbeat mechanism is interrupted.

In another aspect, step S1 includes: step S11, the client collects local information and a timestamp and generates an encrypted random number and an HMAC field; step S12, the client computes over the local information, the timestamp, the HMAC field and the encrypted random number with a preset encryption key to construct the SPA message; and step S13, the client sends the SPA message to the gateway.

In another aspect, step S2 includes: S21, the gateway decrypts the SPA message with the decryption key corresponding to the encryption key to obtain a decrypted message; S22, the gateway extracts the check fields from the decrypted message; and S23, the gateway retrieves the check rule corresponding to each check field and matches them one by one, and the gateway proceeds to step S3 a
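The A3 heartbeat mechanism of step A3 and claim 5 (A31 to A33: both sides arm a timer when the forwarding channel opens, the client sends heartbeats on its timer, the gateway resets its timer and answers, and either side's silence tears the channel down) as a runnable model with a virtual clock. This is an added example, not code from the patent or its assignee. The 5-second interval, the 10-second tolerance, the integer clock and the assumption that a delivered heartbeat is answered within the same tick are all assumptions of the example.

```python
from typing import List, Optional

HEARTBEAT_INTERVAL = 5    # seconds between client heartbeats (assumed value)
MISS_TOLERANCE = 10       # silence either side accepts before tearing down (assumed value)


class HeartbeatChannel:
    """Forwarding channel guarded by the A3 heartbeat mechanism.

    Time is a virtual integer clock so the behaviour is deterministic and testable;
    the same state machine applies with real timers on each side.
    """

    def __init__(self, t0: int = 0):
        self.t = t0
        self.open = True
        self.closed_at: Optional[int] = None
        self.close_reason: Optional[str] = None
        # A31: both sides arm a timer when the channel is established.
        self.client_next_send = t0 + HEARTBEAT_INTERVAL   # client-side heartbeat timer
        self.client_last_response = t0                   # when the client last got a response
        self.gateway_last_heartbeat = t0                 # gateway-side watchdog
        self.heartbeats_acked: List[int] = []

    def _close(self, reason: str) -> None:
        self.open = False
        self.closed_at = self.t
        self.close_reason = reason

    def advance(self, until: int, link_up: bool = True) -> None:
        """Tick the clock to `until`; heartbeats are delivered only while link_up."""
        while self.open and self.t < until:
            self.t += 1
            if self.t >= self.client_next_send:
                # A32: the client timer fired, so it sends a heartbeat and re-arms.
                self.client_next_send = self.t + HEARTBEAT_INTERVAL
                if link_up:
                    # Gateway receives it, resets its watchdog and responds.
                    self.gateway_last_heartbeat = self.t
                    # A33: the response arrives and the client resets its local timer.
                    self.client_last_response = self.t
                    self.heartbeats_acked.append(self.t)
            # A3 teardown: either side's silence exceeds the tolerance.
            if self.t - self.gateway_last_heartbeat > MISS_TOLERANCE:
                self._close("gateway: no heartbeat received")
            elif self.t - self.client_last_response > MISS_TOLERANCE:
                self._close("client: no heartbeat response")

    def forward(self, packet: bytes) -> bool:
        """Step S3 forwarding is refused once the channel has been closed."""
        return self.open


def run_scenarios() -> dict:
    """Constructed scenarios: a healthy link, and a link that silently dies at t=23."""
    healthy = HeartbeatChannel()
    healthy.advance(60)
    broken = HeartbeatChannel()
    broken.advance(23)
    broken.advance(60, link_up=False)   # the heartbeat due at t=25 is lost
    return {
        "healthy_open": healthy.open,
        "healthy_acks": len(healthy.heartbeats_acked),
        "broken_closed_at": broken.closed_at,
        "broken_reason": broken.close_reason,
        "broken_forward": broken.forward(b"data"),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point a practitioner should check in a real implementation is the fail-closed branch: a channel whose peer has gone silent is torn down by whichever side notices first, so a forwarding path is never left open for a client that can no longer prove it is still there.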