
CN100361443C - Access control method and safety proxy server - Google Patents


Info

Publication number
CN100361443C
Authority
CN
China
Prior art keywords
access control
ssl
acl
handle
ssl proxy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2004100404726A
Other languages
Chinese (zh)
Other versions
CN1738255A (en)
Inventor
杜勇
孟春雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Maipu Communication Technology Co Ltd
Original Assignee
MAIPU (SICHUAN) COMMUNICATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by MAIPU (SICHUAN) COMMUNICATION TECHNOLOGY Co Ltd
Priority to CNB2004100404726A
Publication of CN1738255A
Application granted
Publication of CN100361443C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to an access control method in the field of computer communication technology, in particular to secure access control technology based on the SSL protocol. Access from a proxy client is controlled according to an access control list that records the mapping between user identity templates and processing actions. The advantages of the invention are that an access control function is provided for the proxied services on top of the security protection of the SSL protocol, that all application systems within the proxy's scope can be given a unified access control plan, and that access rights can be controlled flexibly through different subject DNs in the certificates issued.

Description

Access control method and security proxy server
Technical field
The present invention relates to computer communication technology, in particular to secure access control technology based on the SSL protocol.
Background technology
The Secure Sockets Layer (SSL) is a security protocol developed by Netscape. After an SSL session begins, the Web server sends its public key to the browser, the server and the browser negotiate, and an encrypted environment for secure transmission is established. During the session the browser and the server use this security context to exchange data, which provides confidentiality and integrity for the transmitted data.
In SSL-based application proxying, the SSL/TLS protocol is used between the application server and the application proxy client to protect confidentiality and integrity. When the application proxy client accesses a service, the confidentiality and integrity of the proxied service are guaranteed. In practice, however, access control for different users is often required, i.e. which users may access which services, and such requirements lie outside the scope of the SSL protocol.
Usually this access control is implemented in the application service system itself: each application system provides its own permission-based access control mechanism, and the user is subject to that mechanism when using the application system.
But such a mechanism applies only to a particular application system; it cannot perform unified access control over all services provided in the network.
Summary of the invention
The technical problem to be solved by this invention is to provide an access control technology based on the DN (Distinguished Name) element of a digital certificate, so that a security proxy can apply unified access control to all services provided in the network.
The technical solution adopted by the present invention is an access control method in which access from an SSL proxy client is controlled according to an access control list (ACL); the ACL records mappings from user identity templates to processing actions, and the user identity template is a DN template for the SSL proxy client certificate.
The user is identified by the result of matching the certificate's subject DN against the DN templates. When the SSL proxy server receives an SSL connection from an SSL proxy client, the proxy server extracts the subject DN from the SSL proxy client user's digital certificate and matches it against the established ACL; if a match is found, the connection is handled according to the matching result; if no match is found, it is handled according to the default action. The processing actions include: permitting or denying access of a given type, and permitting or denying access of a given type to a given address. The given address is the address of a server that provides the service, and the given type of access includes HTTP, FTP, TELNET or a user-defined TCP-based service type.
The "user identity template" above can be a subject DN template. For a specific user, i.e. when every attribute of the subject DN is given, the template is simply the subject DN itself, which this document still regards as a form of DN template; see list1 in the embodiment.
The present invention also provides a security proxy server with access control that comprises an SSL proxy device and an access control device; the access control device comprises a storage device and a processing unit. The storage device stores the ACL, which records the mappings from user identity templates to processing actions, the user identity template being a DN template for the SSL proxy client certificate. The processing unit extracts the subject DN from the SSL proxy client certificate, matches it against the ACL in the storage device, and handles the connection according to the matching result: if a match is found, the connection is handled according to the matching result; if no match is found, it is handled according to the default action.
The beneficial effects of the invention are:
1. an access control function is provided for the proxied services on top of the security protection of the SSL protocol; 2. a unified access control plan can be applied to all application systems within the proxy's scope; 3. access rights can be controlled flexibly through the different subject DNs in the certificates issued.
The present invention is further described below with reference to the drawings and specific embodiments.
Description of drawings
Fig. 1 is the network connection diagram used in the specific embodiment of the invention.
Fig. 2 is the flow chart of the specific embodiment of the invention.
Fig. 3 is the network connection layout of embodiment 1 of the invention.
Embodiment
Referring to Fig. 1 and Fig. 2, the invention involves an SSL-based proxy server and proxy client. Certificate verification is used on both sides of the SSL protocol: an SSL server certificate at the SSL proxy server and an SSL client certificate at the SSL proxy client, so the user must log in with the SSL client certificate in order to connect to the SSL proxy server. Because the subject DN in the digital certificate is what identifies the user, certificate-based access control controls access by the user named in the subject DN. The ACL based on subject DN elements is implemented at the SSL proxy server; each control list can contain several entries, and each entry consists of the DN template to be matched and a processing action, so that the access rights of users whose subject DN satisfies a given DN template can be specified, as deny or permit. The DN template is derived from the subject DN information of a standard digital certificate and is a combination of the subject DN fields of the certificate.
The digital certificate described here uses the standard X.509v3 certificate format, whose information fields mainly include: certificate version, serial number, issuer, subject, validity period, public key algorithm information, etc. The issuer and the subject are both expressed as DNs; the subject is the owner of the certificate and the issuer is the CA that issued it. The access control performed here is applied to the owner of the certificate, i.e. the subject, so the subject DN is used as the object of control.
A DN is composed of a series of relative distinguished names (RDNs); an RDN generally includes CN, OU, O, L, ST and C, attributes that identify the object. These six attributes are the basic elements of the DN matching template with which the ACL is built. When the SSL server receives an SSL connection from a client, it extracts the user's DN from the client user's digital certificate and matches it against the established ACL; if a match is found, the connection is permitted or denied according to the action of the matched ACL entry; if not, it is handled according to the default ACL action.
Specifically, the implementation steps are as follows:
1. Configure proxying of the "HTTP service", "FTP service" and "other service" in the SSL proxy server.
2. Configure the SSL proxy server to require verification of the client certificate.
3. Establish the required ACL at the SSL proxy server.
4. When a request for a service is sent from the SSL proxy client, the SSL server compares the user DN extracted from the client certificate against the defined ACL and carries out the next operation according to the action specified in the ACL.
A more specific embodiment follows, see Fig. 3.
A proxy server is deployed between the protected intranet and the external network; its external interface address is 202.115.72.23 and its intranet interface address is 192.168.0.1. The proxy server proxies three different application servers in the company's internal network: an HTTP server, an FTP server and another server (e.g. an MIS system).
The IP address of each server is as follows:
192.168.0.23——MIS
192.168.0.25——FTP
192.168.0.27——HTTP
The access rights for these three types of application are assumed to be:
1. all company employees may access the HTTP server;
2. employees of every department except the company's research institute may access the FTP server;
3. only "first" and "second" of the Human Resources department may access the company's MIS system.
For the above access rights, the following ACL is configured on the proxy server:
When the certificate management system issues certificates to employees, the following definitions are used: the company name is defined as mp; the research institute's department name is defined as R&D; the Human Resources department's name is defined as PR.
list1
cn=first, ou=PR, o=mp, c=cn:permit
cn=second, ou=PR, o=mp, c=cn:permit
list2
cn=any,ou=any,o=mp,c=cn:permit
list3
cn=any,ou=R&D,o=mp,c=cn:deny
Explanation:
list1:
"cn=first, ou=PR, o=mp, c=cn" is the DN matching template and "permit" is the corresponding processing action.
If the subject DN matches "cn=first, ou=PR, o=mp", the processing action "permit" is applied;
If the subject DN matches "cn=second, ou=PR, o=mp", the processing action "permit" is applied;
list2:
If the subject DN matches "o=mp", the processing action "permit" is applied;
list3:
If the subject DN matches "ou=R&D, o=mp", the processing action "deny" is applied.
In list2 and list3 above, "cn=any" means that cn may take any value.
Applying the access control lists defined above to the proxied application services implements access control per service, as follows:
proxy http 192.168.0.27:80 list 2
proxy ftp 192.168.0.25:21 list 3
proxy mis 192.168.0.23:8888 list 1
Explanation:
HTTP access to the 192.168.0.27 server applies list 2;
FTP access to the 192.168.0.25 server applies list 3;
MIS access to the 192.168.0.27 server applies list 1;
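The DN template matching, default action and per-service list binding of the embodiment, as an added Python example that is not the patent's own code; the per-list default actions, the first-match rule and case-insensitive attribute comparison are assumptions of this example.

```python
# The six RDN attributes the patent uses as the building blocks of a DN template.
RDN_ATTRS = ("cn", "ou", "o", "l", "st", "c")
WILDCARD = "any"  # "cn=any" in the embodiment means "cn may be anything"


def parse_dn(dn: str) -> dict:
    """Parse 'cn=first, ou=PR, o=mp, c=cn' into {'cn': 'first', 'ou': 'PR', ...}."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        key = key.lower()
        if not sep or key not in RDN_ATTRS:
            raise ValueError(f"bad RDN component: {part!r}")
        attrs[key] = value.strip()
    return attrs


def parse_entry(line: str) -> tuple:
    """Parse one ACL line in the page's 'template:action' form into (template, action)."""
    template, _, action = line.rpartition(":")
    action = action.strip().lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACL entry: {line!r}")
    return parse_dn(template), action


def template_matches(template: dict, subject: dict) -> bool:
    """Each template attribute must equal the subject's (case-insensitive);
    'any', or an attribute the template omits, matches anything."""
    for key, wanted in template.items():
        if wanted.lower() == WILDCARD:
            continue
        if subject.get(key, "").lower() != wanted.lower():
            return False
    return True


def evaluate(acl: list, subject_dn: str, default: str) -> str:
    """First matching entry decides; an unmatched DN falls to the list's default action."""
    subject = parse_dn(subject_dn)
    for template, action in acl:
        if template_matches(template, subject):
            return action
    return default


# list1..list3 from the embodiment. Per-list default actions are an assumption of
# this example: list1 must default to deny and list3 to permit for the stated
# policy (only first/second reach MIS; everyone but R&D reaches FTP) to hold.
ACLS = {
    "list1": ([parse_entry("cn=first, ou=PR, o=mp, c=cn:permit"),
               parse_entry("cn=second, ou=PR, o=mp, c=cn:permit")], "deny"),
    "list2": ([parse_entry("cn=any,ou=any,o=mp,c=cn:permit")], "deny"),
    "list3": ([parse_entry("cn=any,ou=R&D,o=mp,c=cn:deny")], "permit"),
}

# The 'proxy <service> <addr:port> list <n>' bindings from the embodiment.
PROXY_MAP = {
    "http": ("192.168.0.27:80", "list2"),
    "ftp": ("192.168.0.25:21", "list3"),
    "mis": ("192.168.0.23:8888", "list1"),
}


def decide(service: str, client_subject_dn: str) -> str:
    """Action the proxy takes for a client certificate requesting `service`."""
    _, list_name = PROXY_MAP[service]
    acl, default = ACLS[list_name]
    return evaluate(acl, client_subject_dn, default)
```

With one global default of deny, list3 as written would block FTP for everyone, so the default action carries as much of the policy as the entries do and deserves an explicit check when this scheme is configured.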

Claims (6)

1. An access control method, characterized in that a Secure Sockets Layer (SSL) proxy server controls access from an SSL proxy client according to an access control list (ACL), the ACL recording mappings from user identity templates to processing actions;
the user identity template being a distinguished name (DN) template for the SSL proxy client certificate.
2. The access control method of claim 1, characterized in that when the SSL proxy server receives an SSL connection from an SSL proxy client, the SSL proxy server extracts the subject DN from the SSL proxy client user's digital certificate and matches it against the established ACL; if a match is found, the connection is handled according to the matching result; if no match is found, it is handled according to the default action.
3. The access control method of claim 1, characterized in that the processing action comprises: permitting or denying access of a given type.
4. The access control method of claim 1, characterized in that the processing action comprises: permitting or denying access of a given type to a given address.
5. The access control method of claim 4, characterized in that the given address is the address of a server providing the service, and the given type of access comprises HTTP, FTP, TELNET or a user-defined TCP-based service type.
6. A security proxy server comprising a Secure Sockets Layer (SSL) proxy device, characterized in that it further comprises an access control device, the access control device comprising:
a storage device storing an ACL, the ACL recording mappings from user identity templates to processing actions, the user identity template being a DN template for the SSL proxy client certificate;
a processing unit that extracts the subject DN from the SSL proxy client certificate, matches it against the ACL in the storage device and handles the connection according to the matching result: if a match is found, the connection is handled according to the matching result; if no match is found, it is handled according to the default action.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100404726A CN100361443C (en) 2004-08-17 2004-08-17 Access control method and safety proxy server

Publications (2)

Publication Number Publication Date
CN1738255A CN1738255A (en) 2006-02-22
CN100361443C true CN100361443C (en) 2008-01-09

Family

ID=36080923

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100404726A Expired - Fee Related CN100361443C (en) 2004-08-17 2004-08-17 Access control method and safety proxy server

Country Status (1)

Country Link
CN (1) CN100361443C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883106A (en) * 2010-06-30 2010-11-10 赛尔网络有限公司 Network access authentication method and server based on digital certificate

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043319B (en) * 2006-03-22 2011-02-02 鸿富锦精密工业(深圳)有限公司 Digital content protective system and method
CN101127108B (en) * 2006-08-15 2014-11-05 阿里巴巴集团控股有限公司 Method for accessing a information source via a computer system
CN101187965B (en) * 2006-11-16 2010-12-15 思科技术公司 Filtering of access to data object
CN101192888B (en) * 2006-11-21 2012-01-11 中兴通讯股份有限公司 Method for controlling GPON terminal service
CN101242336B (en) * 2008-03-13 2010-12-01 杭州华三通信技术有限公司 Method for remote access to intranet Web server and Web proxy server
CN101431516B (en) * 2008-12-04 2012-04-25 成都市华为赛门铁克科技有限公司 Method for realizing distributed security policy, client and communication system
CN103188254A (en) * 2011-12-31 2013-07-03 北京市国路安信息技术有限公司 Network security protection method capable of giving consideration to both smoothness and safety of internal and external network information
CN103795568A (en) * 2014-01-23 2014-05-14 上海斐讯数据通信技术有限公司 Method for controlling access to equipment based on equipment management access modes
CN105635187B (en) * 2016-03-30 2019-12-20 北京奎牛科技有限公司 Method and device for generating electronic file with stamp and method and device for authenticating electronic file with stamp
CN107426339B (en) * 2017-09-04 2020-05-26 珠海迈越信息技术有限公司 Access method, device and system of data connection channel
CN111800402B (en) * 2020-06-28 2022-08-09 格尔软件股份有限公司 Method for realizing full link encryption proxy by using event certificate
CN111866091B (en) * 2020-06-30 2023-10-31 海尔优家智能科技(北京)有限公司 Method, device, server and system for cloud platform information interaction

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1159234A (en) * 1995-06-06 1997-09-10 美国电报电话Ipm公司 System and method for database access control
CN1178058A (en) * 1995-02-07 1998-04-01 英国电讯有限公司 Information services provision and management
WO2000010303A1 (en) * 1998-08-12 2000-02-24 Kyberpass Corporation Access control using attributes contained within public key certificates
CN1423455A (en) * 2001-11-22 2003-06-11 深圳市中兴通讯股份有限公司上海第二研究所 User authentication management method in Ethernet broadband access system

Also Published As

Publication number Publication date
CN1738255A (en) 2006-02-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: MAIPU COMMUNICATION TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: MAIPU (SICHUAN) COMMUNICATION TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: Sichuan city of Chengdu province high tech Zone nine Hing Road No. 16 building, Maipu

Patentee after: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.

Address before: Sichuan city of Chengdu province high tech Zone nine Hing Road No. 16 building, Maipu

Patentee before: Maipu (Sichuan) communication technology Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080109