CN105099930B - Encrypting traffic flow control methods and device - Google Patents
- Publication number: CN105099930B (application CN201410217872.3A)
- Authority: CN (China)
- Prior art keywords: address, client, encrypting traffic, data flow, data stream
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides an encrypted-data-stream flow control method and device, applied on a bandwidth management device. The method comprises: when an authentication message carrying the subject information of an authentication certificate is detected, extracting the client IP address, server IP address and destination port number of the authentication message; querying the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creating a corresponding data stream entry and adding it to the data stream table; and, if an encrypted data stream matching an existing entry in the data stream table is detected, applying flow control to that encrypted data stream. By identifying the authentication process, the present invention achieves flow control of the encrypted data streams that follow authentication.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to an encrypted-data-stream flow control method and device.
Background technique
At present more and more applications, both Web-based and non-Web-based, are protected by SSL (Secure Sockets Layer)/TLS (Transport Layer Security). SSL/TLS is a security protocol that provides security and data integrity for network communication by encrypting the network connection at the transport layer. TLS is the successor of SSL, and TLSv1 is the first version of the TLS protocol.
In enterprise applications, where more and more data is encrypted with the TLSv1 protocol, it is particularly important for a bandwidth management device to identify this encrypted data effectively. Doing so helps the enterprise restrict the transmission of TLSv1 traffic on its network: by identifying the office services encrypted with TLSv1, bandwidth can be allocated to office services preferentially, ensuring that the enterprise's normal office work is served, while identifying the encrypted data of non-office services allows that traffic to be blocked or rate-limited.
At present there is no mature method for identifying data encrypted with the TLSv1 protocol; protocol analysts often deliberately avoid the TLSv1 protocol and do not perform protocol identification analysis on the applications or software that use it. The few identification methods that do exist are specific to one system and not general, so they cannot be applied widely to the identification and analysis of other applications that use the TLSv1 protocol.
Summary of the invention
In view of this, the present invention provides an encrypted-data-stream flow control method, applied on a bandwidth management device, comprising:
when an authentication message carrying the subject information of an authentication certificate is detected, extracting the client IP address, server IP address and destination port number of the authentication message;
querying the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creating a corresponding data stream entry and adding it to the data stream table;
if an encrypted data stream matching an existing entry in the data stream table is detected, applying flow control to that encrypted data stream.
The present invention also provides an encrypted-data-stream flow control device, applied on a bandwidth management device, comprising:
a subject identification unit, which, when an authentication message carrying the subject information of an authentication certificate is detected, extracts the client IP address, server IP address and destination port number of the authentication message;
an entry creation unit, which queries the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creates a corresponding data stream entry and adds it to the data stream table;
a flow control unit, which, if an encrypted data stream matching an existing entry in the data stream table is detected, applies flow control to that encrypted data stream.
By identifying the authentication process, the present invention achieves flow control of the encrypted data streams that follow authentication.
Detailed description of the invention
Fig. 1 is a schematic diagram of single-data-stream and multi-data-stream transmission under the TLSv1 protocol in one embodiment of the present invention.
Fig. 2 is a flow chart of the encrypted-data-stream flow control method in one embodiment of the present invention.
Fig. 3 is a structural diagram of the encrypted-data-stream flow control device in one embodiment of the present invention.
Fig. 4 is a schematic diagram of the underlying hardware of the encrypted-data-stream flow control device in one embodiment of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the solution of the present invention is described in further detail below with reference to the drawings.
The present invention identifies the authentication process of an encryption protocol in order to identify the encrypted data stream and thereby control its flow. Taking the TLSv1 protocol as an example, the identification process for the encryption protocol is described below, so as to control the encrypted data streams of that protocol.
The TLSv1 protocol consists of two protocol groups: the record protocol and the handshake protocol. The handshake protocol includes a certificate authentication part. As shown in Fig. 1, when the TLSv1 protocol is used for single-data-stream transmission, the client and the server always complete their information exchange over the same data stream; even when several file transfers are requested at the same time they are transmitted sequentially, and the next file is transmitted only after the previous one has finished. For example, a system user login over the TLSv1 protocol is a single-data-stream transmission. For single-data-stream transmission it is sufficient to block, rate-limit or guarantee the data stream in which the certificate authentication took place in order to achieve bandwidth management.
In multi-data-stream transmission, such as the synchronization of some network disk (cloud drive) files, the system performs certificate authentication only once and can then open several data streams at the same time to transmit information. In this case, because not every data stream includes a certificate verification process, the bandwidth control method for single data streams can only rate-limit or guarantee the data stream in which the certificate verification took place; the other data streams are initiated only after the client has authenticated successfully, carry no authentication process, and their data transmission is clearly unaffected. The specific implementation for the multi-data-stream flow control problem is as follows.
The present invention provides an encrypted-data-stream flow control method, applied on a bandwidth management device. Referring to Fig. 2, the method includes the following steps:
Step 101: when an authentication message carrying the subject information of an authentication certificate is detected, extract the client IP address, server IP address and destination port number of the authentication message;
Step 102: query the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, create a corresponding data stream entry and add it to the data stream table;
Step 103: if an encrypted data stream matching an existing entry in the data stream table is detected, apply flow control to that encrypted data stream.
A bandwidth management device controls network traffic, providing different network bandwidth for different business needs. The bandwidth management device holds a feature database, which stores partial features of the subject of the authentication certificates to be identified. The subject of an authentication certificate to be identified is defined by the manufacturer of the bandwidth management device: the manufacturer analyzes the authentication certificates that need to be identified, extracts partial features of their subject and adds these to the feature database. The manufacturer publishes new feature database versions regularly, and the bandwidth management device obtains the new version and upgrades. The user of the bandwidth management device then selects, according to business needs, which authentication certificate subjects should be placed under flow control, forming the user's own feature database, which is used for feature matching during subsequent flow control.
The TLSv1 protocol performs X.509v3 certificate authentication in its handshake protocol part. In the Hello message of the TLSv1 protocol the server sends information such as the X.509v3 authentication certificate and the key exchange to the client and requires the client to authenticate. On receiving this message, the client sends its X.509v3 authentication certificate and encryption key to the server, completing the negotiation of the encryption key, and the encryption key is used to encrypt data in the subsequent data transmission. The bandwidth management device can identify the authentication message by detecting whether a message sent by the client carries an X.509v3 authentication certificate.
Specifically, it detects whether the subject information of this X.509v3 certificate is identical to the X.509v3 certificate subject information stored in the feature database of the bandwidth management device; the feature database stores the subject information of all certificates that require flow control. If the detection result is that the X.509v3 certificate subject information is identical, the client IP address, server IP address and destination port number of the authentication message are extracted. Because the subject information of an X.509v3 certificate is a feature the certificate must contain, and the subject information of each user is globally unique, the encrypted data stream can be identified by this information. For example, the bandwidth management device of an enterprise needs to rate-limit the encrypted data streams that access Yunio Dropbox, so that a large volume of non-office traffic does not occupy bandwidth and affect the use of normal office services. When an enterprise employee uses an office computer to access Yunio Dropbox and download a film, an authentication message is first sent to the Yunio Dropbox server; this message carries an authentication certificate whose subject is Yunio Dropbox (in practice this subject may be a segment of identification information that denotes Yunio Dropbox). After the bandwidth management device detects the authentication message, it finds that the subject of the authentication certificate in the message is Yunio Dropbox, and since Yunio Dropbox is not required for the enterprise's office services, the bandwidth management device extracts from the authentication message the IP address of the office computer used by the employee, the IP address of the Yunio Dropbox server and the destination port number, for use in the subsequent flow control of the encrypted data stream.
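To make the detection step above concrete, here is an added Python example (not code from the patent or its applicant). It walks one TLSv1 handshake record, pulls the DER certificates out of a Certificate handshake message, reads the subject commonName from the X.509 structure, and compares it with a feature database of subjects. The sample certificate is constructed inline with only the TBSCertificate field layout the parser needs (no real key or signature), the feature database is modelled as a set of plain subject strings, and the "Yunio Dropbox" subject is a constructed value; the parser reads only the first attribute of each relative distinguished name.

```python
from typing import List, Optional, Set

OID_CN = bytes.fromhex("550403")   # DER contents of OID 2.5.4.3 (id-at-commonName)

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to construct the sample certificate below)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def certificate_subject_cn(cert_der: bytes) -> Optional[str]:
    """Return the subject commonName of a DER X.509 certificate, or None if absent."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate ::= SEQUENCE { ... }
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version (present in v3)
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    subject, pos = fields[4][1], 0
    while pos < len(subject):               # Name ::= SEQUENCE OF RelativeDistinguishedName (SET)
        _, rdn, pos = read_tlv(subject, pos)
        _, atv, _ = read_tlv(rdn, 0)        # first AttributeTypeAndValue ::= SEQUENCE { OID, value }
        _, oid, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        if oid == OID_CN:
            return value.decode("utf-8")
    return None

def certificates_in_record(record: bytes) -> List[bytes]:
    """DER certificates carried by Certificate handshake messages (type 11) in one TLS record (type 22)."""
    if len(record) < 5 or record[0] != 0x16:
        return []
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    certs, pos = [], 0
    while pos + 4 <= len(body):             # HandshakeType(1) + length(3) + body
        hs_type = body[pos]
        hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
        hs_body = body[pos + 4:pos + 4 + hs_len]
        pos += 4 + hs_len
        if hs_type != 11:
            continue
        end, p = 3 + int.from_bytes(hs_body[0:3], "big"), 3
        while p + 3 <= end:                 # each certificate: length(3) + DER bytes
            cert_len = int.from_bytes(hs_body[p:p + 3], "big")
            certs.append(hs_body[p + 3:p + 3 + cert_len])
            p += 3 + cert_len
    return certs

def detect_authentication_message(record: bytes, feature_db: Set[str]) -> Optional[str]:
    """The device's check: the feature-database subject carried by the record, or None."""
    for cert in certificates_in_record(record):
        cn = certificate_subject_cn(cert)
        if cn is not None and cn in feature_db:
            return cn
    return None

# ---- constructed sample input (not a real certificate or capture) ----
def build_sample_certificate(subject_cn: str) -> bytes:
    """DER blob with the X.509v3 TBSCertificate field layout; placeholders instead of key/signature."""
    def name(cn: bytes) -> bytes:
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn))))
    tbs = (der(0xA0, der(0x02, b"\x02"))    # [0] version: v3
           + der(0x02, b"\x01")             # serialNumber
           + der(0x30, b"")                 # signature AlgorithmIdentifier (placeholder)
           + name(b"Example CA")            # issuer
           + der(0x30, b"")                 # validity (placeholder)
           + name(subject_cn.encode())      # subject
           + der(0x30, b""))                # subjectPublicKeyInfo (placeholder)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def build_certificate_record(certs: List[bytes]) -> bytes:
    """Wrap DER certificates in a TLSv1 Certificate handshake message inside one record."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(cert_list).to_bytes(3, "big") + cert_list
    handshake = bytes([11]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([0x16, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    record = build_certificate_record([build_sample_certificate("Yunio Dropbox")])
    print(detect_authentication_message(record, {"Yunio Dropbox"}))   # Yunio Dropbox
```

A record that carries no Certificate message (a ClientHello, or application data) yields no subject and is left alone; only a certificate whose subject is in the administrator's feature database triggers the extraction of the client IP address, server IP address and destination port described above.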
After obtaining the client and server IP addresses and the destination port number for which flow control is required, the bandwidth management device queries its internal data stream table to confirm whether a data stream entry with that client IP address, server IP address and destination port number already exists; if not, it creates the corresponding data stream entry and adds it to the data stream table. Establishing this entry provides the basis for flow control of multi-data-stream transmission: flow control is applied to every data stream that matches the IP correspondence of an entry in the table. For example, when an enterprise employee accesses Yunio Dropbox to download a film, an entry recording the correspondence between the employee's office computer IP address, the Yunio Dropbox server IP address and the destination port number is created first, and during the subsequent download the data streams matching that entry are limited.
The bandwidth management device inspects each data stream and matches it against the entries in the data stream table; if the client IP address, server IP address and destination port number of the encrypted data stream are identical to those of some entry, the flow control policy corresponding to that entry is executed. This is because, in multi-data-stream transmission, the authentication message appears only in the first data stream, so the several data streams transmitted after authentication cannot be controlled by the certificate subject alone. All of these data streams are, however, initiated by the client, so the device detects streams that are initiated by the client and whose server IP address and destination port number match an entry stored in the data stream table, and applies flow control to those streams. For example, when a data stream in which the employee accesses Yunio Dropbox is detected, the entry already established in the authentication phase is matched against the subsequent data streams, and if they match, flow control is applied according to the control policy configured by the enterprise in advance.
Identifying the certificate subject as described above provides flow control to a certain extent, but not every access to a given subject is necessarily non-office traffic. To make flow control more accurate, after an entry has been matched as above, the total size of the first M packets of the data stream can be counted, and the data stream is controlled only when this size exceeds a preset size N. Empirical values for M and N can be estimated along the following lines: for example, with M = 30 (the M packets here do not include ACK packets), deducting the possible 3 handshake packets and estimating the payload of the other packets at 500 bytes on average, the 27 packets total roughly 13.5k, so N can be configured as 13k in this case; M is suggested to be 25 to 40 here. This judgement mainly exploits the fact that non-office services carry a larger volume of data, and controls that part of the data streams.
When creating an entry, the bandwidth management device should set an aging time for the entry. When the aging time expires, the entry is deleted to save storage space on the bandwidth management device.
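The data stream table, the entry matching, the first-M-packets check and the aging time described above, as an added Python model (not code from the patent or its applicant). The M = 30 and N = 13k values are the page's worked values; the 300-second aging time, the per-stream counters keyed by the client's source port, the fixed (non-refreshed) expiry and the addresses and traffic in `simulate()` are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

EntryKey = Tuple[str, str, int]          # (client IP, server IP, destination port): the table entry
StreamKey = Tuple[str, int, str, int]    # (client IP, client port, server IP, destination port)


@dataclass
class FlowEntry:
    """Data stream table entry created when a matching authentication message is seen."""
    subject: str        # certificate subject that matched the feature database
    expires_at: float   # creation time + aging time (assumed: fixed, not refreshed on matches)


@dataclass
class StreamStats:
    """Per-stream counters for the first-M-packets check (assumed: one stream per client port)."""
    packets: int = 0                # non-ACK packets counted so far (ACKs are excluded)
    total_bytes: int = 0            # payload bytes carried by those packets
    verdict: Optional[str] = None   # "limit" or "forward" once M packets have been seen


class EncryptedFlowController:
    """Flow-table logic of the bandwidth management device (constructed model)."""

    def __init__(self, feature_db: Set[str], m: int = 30, n: int = 13_000, aging_time: float = 300.0):
        self.feature_db = feature_db        # subjects the administrator selected for control
        self.m, self.n = m, n               # page's worked values: M = 30 packets, N = 13k bytes
        self.aging_time = aging_time        # seconds; the page gives no value, 300 is an assumption
        self.table: Dict[EntryKey, FlowEntry] = {}
        self.streams: Dict[StreamKey, StreamStats] = {}

    def age_out(self, now: float) -> int:
        """Delete entries whose aging time has elapsed; return the number removed."""
        expired = [key for key, entry in self.table.items() if entry.expires_at <= now]
        for key in expired:
            del self.table[key]
        return len(expired)

    def on_authentication_message(self, client_ip: str, server_ip: str, dst_port: int,
                                  subject: str, now: float) -> bool:
        """Steps 101 and 102: create an entry only for subjects in the feature database."""
        if subject not in self.feature_db:
            return False
        key = (client_ip, server_ip, dst_port)
        if key not in self.table:
            self.table[key] = FlowEntry(subject, now + self.aging_time)
        return True

    def on_packet(self, client_ip: str, client_port: int, server_ip: str, dst_port: int,
                  payload_len: int, now: float) -> str:
        """Step 103 with the M/N refinement: "forward", "observe" (still counting) or "limit"."""
        self.age_out(now)
        if (client_ip, server_ip, dst_port) not in self.table:
            return "forward"                    # no entry: not a stream under control
        stats = self.streams.setdefault((client_ip, client_port, server_ip, dst_port), StreamStats())
        if stats.verdict is not None:
            return stats.verdict                # decision already taken for this stream
        if payload_len == 0:
            return "observe"                    # pure ACK: not one of the M packets
        stats.packets += 1
        stats.total_bytes += payload_len
        if stats.packets == self.m:
            stats.verdict = "limit" if stats.total_bytes > self.n else "forward"
            return stats.verdict
        return "observe"


def simulate() -> Dict[str, str]:
    """Constructed traffic: one authenticated client, a bulk stream, a small stream, aging."""
    ctl = EncryptedFlowController({"Yunio Dropbox"})
    ctl.on_authentication_message("10.0.0.5", "203.0.113.10", 443, "Yunio Dropbox", now=0.0)
    results = {}
    for _ in range(30):                         # film download: 30 x 1400-byte segments
        results["bulk"] = ctl.on_packet("10.0.0.5", 50001, "203.0.113.10", 443, 1400, now=1.0)
    for _ in range(30):                         # light stream: 30 x 100-byte segments
        results["small"] = ctl.on_packet("10.0.0.5", 50002, "203.0.113.10", 443, 100, now=2.0)
    results["other_client"] = ctl.on_packet("10.0.0.6", 50003, "203.0.113.10", 443, 1400, now=3.0)
    results["after_aging"] = ctl.on_packet("10.0.0.5", 50004, "203.0.113.10", 443, 1400, now=301.0)
    return results


if __name__ == "__main__":
    print(simulate())   # {'bulk': 'limit', 'small': 'forward', 'other_client': 'forward', 'after_aging': 'forward'}
```

The bulk stream (30 x 1400 bytes, well above the 13k threshold) is rate-limited once its thirtieth packet arrives, while the small stream from the same client to the same server and port is forwarded, which is the refinement the text uses to avoid limiting office traffic to a subject that is also used for non-office purposes. A second client that never authenticated has no entry and is never counted, and after the aging time the entry is gone, so new streams from the first client are forwarded until another authentication message is seen.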
Corresponding to the method embodiment above, an embodiment of the present invention also provides an encrypted-data-stream flow control device 60, applied on a bandwidth management device. Referring to Fig. 3, the device includes:
a subject identification unit 61, which, when an authentication message carrying the subject information of an authentication certificate is detected, extracts the client IP address, server IP address and destination port number of the authentication message;
an entry creation unit 62, which queries the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creates a corresponding data stream entry and adds it to the data stream table;
a flow control unit 63, which, if an encrypted data stream matching an existing entry in the data stream table is detected, applies flow control to that encrypted data stream.
Further, the flow control unit 63 counts the total size of the first M packets of the encrypted data stream and applies flow control to the encrypted data stream if this total size exceeds the preset size N.
Further, the encrypted data stream is a data stream encrypted with the TLSv1 protocol.
Further, the subject information is the subject information in an X.509v3 certificate.
Further, the entry creation unit 62 sets the aging time of the data stream entry.
The encrypted-data-stream flow control device 60 provided in this embodiment of the present invention can implement flow control of encrypted data streams; for the specific implementation, see the description of the method embodiment above, which is not repeated here.
Referring to Fig. 4, an embodiment of the present invention also provides an encrypted-data-stream flow control device comprising a CPU, memory, non-volatile storage and other hardware. The CPU reads the corresponding programs or instructions from the non-volatile storage into memory and runs them, thereby performing each step of the method embodiment above or realizing the function of each module of the device shown in Fig. 3. Specifically:
by reading the corresponding program or instructions, the CPU, when an authentication message carrying the subject information of an authentication certificate is detected, extracts the client IP address, server IP address and destination port number of the authentication message;
by reading the corresponding program or instructions, the CPU queries the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creates a corresponding data stream entry and adds it to the data stream table;
by reading the corresponding program or instructions, the CPU, if an encrypted data stream matching an existing entry in the data stream table is detected, applies flow control to that encrypted data stream.
The present invention identifies the authentication process by the subject of the authentication certificate and thereby achieves flow control of the encrypted data stream. There is also a further feasible method for identifying the authentication process: since most systems carry the domain name extension DNSName in the Server Hello of the handshake protocol, and the DNSName differs between certificate subjects, the authentication process can also be identified by the DNSName.
The present invention can effectively identify encrypted data streams and protect the normal allocation of the customer's network traffic: network traffic unrelated to the customer's needs is blocked or has its transmission rate limited, while the critical services the customer needs receive guaranteed bandwidth and are transmitted preferentially.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (8)
1. An encrypted-data-stream flow control method, applied on a bandwidth management device, characterized in that the method comprises:
if an authentication message sent by a client carrying the subject information of an authentication certificate is detected, and the subject information of that authentication certificate is identical to the authentication certificate subject information stored in a feature database, extracting the client IP address, server IP address and destination port number of the authentication message;
querying the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creating a corresponding data stream entry and adding it to the data stream table;
if an encrypted data stream sent by the client to the server that matches an existing entry in the data stream table is detected, counting the total size of the first M packets of that encrypted data stream, and applying flow control to the encrypted data stream if the total size exceeds a preset size N.
2. The method of claim 1, characterized in that:
the encrypted data stream is a data stream encrypted with the TLSv1 protocol.
3. The method of claim 1, characterized in that:
the subject information is the subject information in an X.509v3 certificate.
4. The method of claim 1, characterized in that creating the corresponding data stream entry further includes:
setting the aging time of the data stream entry.
5. An encrypted-data-stream flow control device, applied on a bandwidth management device, characterized in that the device comprises:
a subject identification unit, which, if an authentication message sent by a client carrying the subject information of an authentication certificate is detected, and the subject information of that authentication certificate is identical to the authentication certificate subject information stored in a feature database, extracts the client IP address, server IP address and destination port number of the authentication message;
an entry creation unit, which queries the data stream table for a data stream entry with that client IP address, server IP address and destination port number and, if none exists, creates a corresponding data stream entry and adds it to the data stream table;
a flow control unit, which, if an encrypted data stream sent by the client to the server that matches an existing entry in the data stream table is detected, counts the total size of the first M packets of that encrypted data stream and applies flow control to the encrypted data stream if the total size exceeds a preset size N.
6. The device of claim 5, characterized in that:
the encrypted data stream is a data stream encrypted with the TLSv1 protocol.
7. The device of claim 5, characterized in that:
the subject information is the subject information in an X.509v3 certificate.
8. The device of claim 5, characterized in that:
the entry creation unit is further used to set the aging time of the data stream entry.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410217872.3A CN105099930B (en) | 2014-05-21 | 2014-05-21 | Encrypting traffic flow control methods and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410217872.3A CN105099930B (en) | 2014-05-21 | 2014-05-21 | Encrypting traffic flow control methods and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105099930A CN105099930A (en) | 2015-11-25 |
CN105099930B true CN105099930B (en) | 2019-07-09 |
Family
ID=54579515
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410217872.3A Active CN105099930B (en) | 2014-05-21 | 2014-05-21 | Encrypting traffic flow control methods and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105099930B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019075608A1 (en) * | 2017-10-16 | 2019-04-25 | Oppo广东移动通信有限公司 | Method and device for identifying encrypted data stream, storage medium, and system |
CN110225013B (en) * | 2019-05-30 | 2021-11-09 | 世纪龙信息网络有限责任公司 | Service certificate monitoring and updating system |
CN117938544B (en) * | 2024-03-19 | 2024-06-07 | 杭州海康威视数字技术股份有限公司 | Flow control method, device and equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101958842A (en) * | 2010-10-28 | 2011-01-26 | 神州数码网络(北京)有限公司 | Flow control method based on user |
CN102404347A (en) * | 2011-12-28 | 2012-04-04 | 南京邮电大学 | Mobile internet access authentication method based on public key infrastructure |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1215681C (en) * | 2003-07-31 | 2005-08-17 | 港湾网络有限公司 | CPU message flow control method of distributed exchange router system |
CN101980500B (en) * | 2010-11-08 | 2013-11-13 | 中国电信股份有限公司 | Digital signature-based point-to-point flow control method and system |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant before: Huasan Communication Technology Co., Ltd. |
GR01 | Patent grant | |