[go: up one dir, main page]

CN111917694B - A method and device for identifying TLS encrypted traffic - Google Patents

A method and device for identifying TLS encrypted traffic Download PDF

Info

Publication number
CN111917694B
CN111917694B CN201910396042.4A CN201910396042A CN111917694B CN 111917694 B CN111917694 B CN 111917694B CN 201910396042 A CN201910396042 A CN 201910396042A CN 111917694 B CN111917694 B CN 111917694B
Authority
CN
China
Prior art keywords
app
dpi
server
information
tls
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910396042.4A
Other languages
Chinese (zh)
Other versions
CN111917694A (en
Inventor
宋科
李华光
刘西亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN201910396042.4A priority Critical patent/CN111917694B/en
Priority to PCT/CN2020/080236 priority patent/WO2020224341A1/en
Publication of CN111917694A publication Critical patent/CN111917694A/en
Application granted granted Critical
Publication of CN111917694B publication Critical patent/CN111917694B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明提供一种TLS加密流量识别方法,包括DPI Server接收来自注册网站的App注册请求信息,并为目标App分配App特征标识信息,且发送回注册网站。DPI Server基于双向验证的TLS连接,与App Server交换该App的App特征验证信息,交换后双方具有相同的App特征标识信息以及App特征验证信息。DPI Server基于双向验证的TLS连接,将该App的App特征标识信息以及App特征验证信息,发送给DPI网元。DPI网元根据所述App特征验证信息验证用户TLS流量中所述App特征标识信息的合法性,并根据所述App特征标识信息识别由该App产生的TLS流量。本发明可实现针对电信运营商合作SP的应用业务TLS加密流量的防欺诈的精确细化的DPI识别,从而减少或防止流量欺诈现象的发生。

Figure 201910396042

The present invention provides a method for identifying TLS encrypted traffic, including DPI Server receiving App registration request information from a registration website, assigning App feature identification information to a target App, and sending it back to the registration website. The DPI Server exchanges the App feature verification information of the App with the App Server based on the TLS connection of two-way verification. After the exchange, both parties have the same App feature identification information and App feature verification information. The DPI Server sends the App feature identification information and App feature verification information of the App to the DPI network element based on the two-way authenticated TLS connection. The DPI network element verifies the legitimacy of the App feature identification information in the user TLS traffic according to the App feature verification information, and identifies the TLS traffic generated by the App according to the App feature identification information. The invention can realize the precise and detailed DPI identification for anti-fraud of the TLS encrypted flow of the application service of the cooperative SP of the telecommunication operator, thereby reducing or preventing the occurrence of traffic fraud.

Figure 201910396042

Description

一种TLS加密流量识别方法及装置A method and device for identifying TLS encrypted traffic

技术领域technical field

本发明涉及移动通信领域,尤其涉及一种TLS加密流量识别方法及装置。The invention relates to the field of mobile communication, in particular to a TLS encrypted traffic identification method and device.

背景技术Background technique

随着移动宽带和智能终端的不断发展,以及用户信息安全隐私保护的加强,越来越多的iOS及Android应用程序的网络连接采用基于TLS(Transport Layer Security,传输层安全)承载,致使TLS加密流量占比越来越大。电信运营商对用户TLS加密流量进行精确识别的需求场景也越来越多。在电信运营商移动网络中,不管是在P-GW(Packet DataNetwork Gateway)网元、MEC (Mobile Edge Computing,移动边缘计算)服务器,或者其它相关交换机、路由器、防火墙、流量分析器等设备中,都可能会需要基于DPI(Deep PacketInspection,深度报文检测)技术对TLS加密流量进行精确识别。With the continuous development of mobile broadband and smart terminals, and the strengthening of user information security and privacy protection, more and more network connections of iOS and Android applications are based on TLS (Transport Layer Security, Transport Layer Security) bearer, resulting in TLS encryption The proportion of traffic is increasing. There are also more and more scenarios where telecom operators need to accurately identify user TLS encrypted traffic. In the mobile network of telecom operators, whether in P-GW (Packet DataNetwork Gateway) network elements, MEC (Mobile Edge Computing, Mobile Edge Computing) servers, or other related switches, routers, firewalls, traffic analyzers, etc., It may be necessary to accurately identify TLS encrypted traffic based on DPI (Deep Packet Inspection) technology.

以5G MEC为例,边缘计算为5G终端提供了高带宽、低时延的可靠的移动无线网络,一种可能的典型运营模式是,当网络负荷接近饱和时,MEC设备将为不同应用业务提供不同的QoS保障,尤其是对有合作关系的SP(Service Provider,业务供应商)付费的应用业务提供高优先级QoS保障。所以,通过 DPI技术准确识别出合作SP的基于TLS加密的应用业务流量尤为重要。Taking 5G MEC as an example, edge computing provides 5G terminals with a reliable mobile wireless network with high bandwidth and low latency. A possible typical operation mode is that when the network load is close to saturation, MEC equipment will provide services for different applications. Different QoS guarantees, especially high-priority QoS guarantees for application services paid by SPs (Service Providers, service providers) with cooperative relations. Therefore, it is particularly important to accurately identify the TLS-encrypted application traffic of the cooperative SP through the DPI technology.

然而,常规DPI技术,通常根据TLS Client Hello消息中SNI(Server NameIndication,服务器名称指示)或TLS Certificate消息中服务器证书CN (Common Name)及SAN(Subject Alternative Name,主题备用名称)或DNS (Domain Name System,域名系统)请求/响应消息中服务器DNS域名,对合作SP的应用业务TLS加密流量进行识别。这类识别方法通常存在缺陷,比如:有些VPN(Virtual Private Network,虚拟专用网)软件利用这类SNI、CN、 SAN、DNS等特征,将其VPN流量伪装成电信运营商的合作SP的应用业务流量,从而达到获取高优先级QoS或者逃避计费等目的。However, the conventional DPI technology is usually based on the SNI (Server Name Indication, server name indication) in the TLS Client Hello message or the server certificate CN (Common Name) and SAN (Subject Alternative Name, subject alternative name) or DNS (Domain Name Name) in the TLS Certificate message. System, Domain Name System) request/response message DNS domain name of the server to identify the TLS encrypted traffic of the application business of the cooperative SP. There are usually defects in this type of identification method, for example: some VPN (Virtual Private Network, virtual private network) software utilizes such features as SNI, CN, SAN, DNS to disguise its VPN traffic as the application business of the cooperative SP of the telecom operator Traffic, so as to achieve the purpose of obtaining high-priority QoS or evading billing.

目前,一种常见的解决方法是,电信运营商提前获取合作SP的服务器公网IP地址,针对这些指定IP地址的TLS加密流量进行DPI识别。但是,这种方法过于粗放,无法精确识别合作SP的细化业务。At present, a common solution is that the telecom operator obtains the public network IP address of the server of the cooperative SP in advance, and performs DPI identification on the TLS encrypted traffic of these specified IP addresses. However, this method is too extensive to accurately identify the refined business of cooperative SPs.

目前,另一种常见解决方法是,电信运营商通过合作SP的服务器公网IP 地址和一个或多个SNI/CN/SAN/DNS的组合信息对TLS加密流量进行DPI 识别。这种方法可以一定程度细化合作SP的应用业务,但是细化程度通常不够理想。而且,IETF(InternetEngineering Task Force,互联网工程任务组) 在TLS 1.3(RFC 8446)协议中已经对Certificate消息进行加密,导致CN/SAN 特征失效;以及在DoT(RFC 7858)和DoH(RFC8484)协议中已经对DNS 消息加密,导致DNS特征失效;以及加密SNI的草案已拟定发布讨论,将导致未来SNI特征也会失效。At present, another common solution is that telecom operators perform DPI identification on TLS encrypted traffic through the combined information of the server public network IP address of the cooperative SP and one or more SNI/CN/SAN/DNS. This method can refine the application business of the cooperative SP to a certain extent, but the degree of refinement is usually not ideal. Moreover, IETF (InternetEngineering Task Force, Internet Engineering Task Force) has encrypted the Certificate message in the TLS 1.3 (RFC 8446) protocol, resulting in the failure of the CN/SAN feature; and in the DoT (RFC 7858) and DoH (RFC8484) protocols DNS messages have been encrypted, resulting in invalidation of DNS features; and a draft of encrypted SNI is proposed for publication and discussion, which will cause future SNI features to be invalidated as well.

目前需要一种针对电信运营商合作SP的应用业务TLS加密流量的防欺诈的精确细化的可行的DPI识别方法。通过使用本发明的方法,可实现针对电信运营商合作SP的应用业务TLS加密流量的防欺诈的精确细化的DPI识别,减少或防止流量欺诈现象的发生。At present, there is a need for a precise and fine-grained feasible DPI identification method for anti-fraud of the TLS encrypted traffic of the application service of the cooperation SP of the telecom operator. By using the method of the present invention, it is possible to realize precise and fine-grained DPI identification for anti-fraud of the TLS encrypted flow of the application service of the cooperation SP of the telecommunication operator, and reduce or prevent the occurrence of flow fraud.

发明内容Contents of the invention

以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics described in detail in this article. This summary is not intended to limit the scope of the claims.

为了使电信运营商精细化识别其合作SP基于TLS加密的应用业务流量,且减少或防止流量欺诈现象的发生,本发明提出一种基于TLS加密流量识别的方法,包括:In order to enable telecom operators to finely identify the TLS-encrypted application traffic of their cooperative SPs, and reduce or prevent the occurrence of traffic fraud, the present invention proposes a method for identifying traffic based on TLS encryption, including:

DPI Server接收来自注册网站的App注册请求信息,并为目标App分配 App特征标识信息,且发送回注册网站;DPI Server receives the App registration request information from the registration website, assigns App feature identification information to the target App, and sends it back to the registration website;

DPI Server基于双向验证的TLS连接,与App Server交换该App的App 特征验证信息,交换后双方具有相同的App特征标识信息以及App特征验证信息;DPI Server exchanges the App feature verification information of the App with the App Server based on the TLS connection of two-way verification. After the exchange, both parties have the same App feature identification information and App feature verification information;

DPI Server基于双向验证的TLS连接,将该App的App特征标识信息以及App特征验证信息,发送给DPI网元;DPI Server sends the App feature identification information and App feature verification information of the App to the DPI network element based on the two-way verified TLS connection;

DPI网元根据所述App特征验证信息验证用户TLS流量中所述App特征标识信息的合法性,并根据所述App特征标识信息识别由该App产生的TLS 流量。The DPI network element verifies the legitimacy of the App feature identification information in the user TLS traffic according to the App feature verification information, and identifies the TLS traffic generated by the App according to the App feature identification information.

进一步的,所述App特征验证信息,包含用于DPI识别的App公钥信息、 MAC密钥及MAC算法信息、多区间计数器合法范围信息。Further, the App feature verification information includes App public key information for DPI identification, MAC key and MAC algorithm information, and legal range information of multi-interval counters.

进一步的,DPI Server与App Server建立的所述TLS连接中,所述 App Server的证书与DPI Server的证书,均由合法的第三方证书颁发机构签发。Further, in the TLS connection established between the DPI Server and the App Server, the certificate of the App Server and the certificate of the DPI Server are both issued by a legal third-party certificate authority.

进一步的,所述DPI网元匹配用户App流量信息中的Server Hello消息中的App特征标识信息,识别对应App的流量信息。Further, the DPI network element matches the App feature identification information in the Server Hello message in the user App traffic information, and identifies the corresponding App traffic information.

进一步的,所述DPI网元根据用户App流量信息中的Server Hello消息中的App特征验证信息,验证对应App特征标识信息的合法性。Further, the DPI network element verifies the validity of the corresponding App feature identification information according to the App feature verification information in the Server Hello message in the user App traffic information.

本发明还提供一种TLS加密流量特征信息管理装置,包括:The present invention also provides a TLS encrypted traffic feature information management device, including:

置于DPI Server中的App注册管理模块,其用于接收来自注册网站的App 注册请求信息,并为目标App分配App特征标识信息,且发送回注册网站;The App registration management module placed in the DPI Server is used to receive the App registration request information from the registration website, and assign App feature identification information to the target App, and send it back to the registration website;

置于DPI Server中的App Server更新管理模块,其基于双向验证的TLS 连接,与App Server交换该App的App特征验证信息,交换后双方具有相同的App特征标识信息以及App特征验证信息;The App Server update management module placed in the DPI Server, which is based on a two-way authenticated TLS connection, exchanges the App feature verification information of the App with the App Server, and after the exchange, both parties have the same App feature identification information and App feature verification information;

置于DPI Server中的DPI特征更新管理模块,其基于双向验证的TLS连接,将该App的App特征标识信息以及App特征验证信息,发送给DPI网元。The DPI feature update management module placed in the DPI Server sends the App feature identification information and App feature verification information of the App to the DPI network element based on the two-way verified TLS connection.

进一步的,所述App特征验证信息,包含用于DPI识别的App公钥信息、 MAC密钥及MAC算法信息、多区间计数器合法范围信息。Further, the App feature verification information includes App public key information for DPI identification, MAC key and MAC algorithm information, and legal range information of multi-interval counters.

进一步的,App Server更新管理模块与App Server建立的所述TLS 连接中,所述App Server的证书与DPI Server的证书,均由合法的第三方证书颁发机构签发。Further, in the TLS connection established between the App Server update management module and the App Server, the certificate of the App Server and the certificate of the DPI Server are both issued by a legal third-party certificate authority.

本发明还提供一种服务器,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现如权利要求上述任意一项所述TLS加密流量识别的方法。The present invention also provides a server, including: a memory, a processor, and a computer program stored on the memory and operable on the processor. When the processor executes the program, it implements the TLS as described in any one of the above claims. Methods for encrypted traffic identification.

附图说明Description of drawings

图1是本发明提供的TLS加密流量识别方法的流程图;Fig. 1 is the flowchart of the TLS encrypted traffic identification method provided by the present invention;

图2是本发明提供的TLS加密流量特征信息管理装置结构图;Fig. 2 is a structural diagram of a TLS encrypted traffic characteristic information management device provided by the present invention;

图3是本发明提供的一种服务器的结构图;Fig. 3 is a structural diagram of a server provided by the present invention;

图4是本发明提供的TLS加密流量识别方法的时序交互图。Fig. 4 is a sequence interaction diagram of the TLS encrypted traffic identification method provided by the present invention.

具体实施方式Detailed ways

下文中将结合附图对本发明的实施例进行详细说明。Embodiments of the present invention will be described in detail below in conjunction with the accompanying drawings.

在附图的流程图示出的步骤可以在诸如一组计算机可执行指令的计算机系统中执行。并且,虽然在流程图中示出了逻辑顺序,但是在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤。The steps shown in the flowcharts of the figures may be performed in a computer system, such as a set of computer-executable instructions. Also, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown or described herein.

本发明所述的DPI网元,一方面可以指DPI独立网元设备,另一方面也可以指PGW网关、MEC服务器、交换机、路由器、防火墙等内置DPI功能的网元设备。The DPI network element described in the present invention can refer to DPI independent network element equipment on the one hand, and can also refer to network element equipment with built-in DPI functions such as PGW gateway, MEC server, switch, router, and firewall on the other hand.

本发明引入DPI Server,为App分配App Token等信息。App业务流量通过ServerHello消息的自定义TLS扩展携带App Token等信息,以供DPI网元准确识别合作SP的基于TLS加密的App业务流量,使得DPI网元可以通过本发明提出的一系列手段防范流量欺诈情况:通过MAC(Message Authentication Code,消息鉴权码)验证相关数据的完整性,通过多区间计数器检查防止重放攻击,通过公钥密码签名验证App身份,通过App Server公网IP地址检查加强特征识别的准确性。The present invention introduces DPI Server to distribute App Token and other information to App. App business traffic carries App Token and other information through the custom TLS extension of the ServerHello message, so that the DPI network element can accurately identify the TLS-encrypted App business traffic of the cooperative SP, so that the DPI network element can prevent the traffic through a series of means proposed by the present invention Fraud situation: Verify the integrity of relevant data through MAC (Message Authentication Code, message authentication code), prevent replay attacks through multi-interval counter checks, verify App identity through public key cryptographic signatures, and strengthen through App Server public network IP address checks Accuracy of feature recognition.

如图1所示,本发明实施例提供一种TLS加密流量识别方法。As shown in FIG. 1 , an embodiment of the present invention provides a method for identifying TLS encrypted traffic.

S101,App注册阶段。如图1所示第一步,DPI Server接收到App开发者通过注册网站发来的App注册请求消息并处理。DPI Server通过相应的App 注册响应消息返回给注册网站为App开发者提供App注册信息。S101, App registration stage. As shown in the first step in Figure 1, the DPI Server receives and processes the App registration request message sent by the App developer through the registration website. The DPI Server returns the corresponding App registration response message to the registration website to provide App registration information for App developers.

典型地,App注册请求消息中包含:App名称、SP名称、App Server名称、用于AppServer更新阶段的App Server证书CN/SAN等信息。典型地, App注册响应消息中包括:专用TLS扩展类型ID、App Token、成功分配App Token的日期时间等信息。Typically, the App registration request message includes information such as App name, SP name, App Server name, and App Server certificate CN/SAN used in the AppServer update phase. Typically, the App registration response message includes: dedicated TLS extension type ID, App Token, date and time when the App Token is successfully allocated, and other information.

例如,DPI Server以“SP名称+App名称”为唯一标识,为该SP的该App 分配全局唯一的App Token。App Token可以为128位(即16字节)大整数。For example, DPI Server uses "SP name + App name" as the unique identifier, and assigns a globally unique App Token to the App of the SP. App Token can be a 128-bit (ie 16-byte) large integer.

对于专用TLS扩展类型ID的分配,DPI Server首先确保所选的扩展类型 ID不能是IANA(Internet Assigned Numbers Authority,互联网编号管理局) 已分配的知名扩展类型ID。IANA(www.iana.org)正式文件《Transport Layer Security(TLS)Extensions》记录着最新的知名扩展类型ID,如0为server_name, 1为max_fragment_length,16为application_layer_protocol_negotiation(ALPN), 35为session_ticket,41为pre_shared_key(PSK),43为supported_versions,等数十个,这些知名扩展类型ID不能被选取。DPI Server可以从目前65000 多个“Unassigned”数字中选取扩展类型ID,或者从目前200多个“Reserved for Private Use”数字中选取扩展类型ID。For the allocation of a dedicated TLS extension type ID, the DPI Server first ensures that the selected extension type ID cannot be a well-known extension type ID assigned by the IANA (Internet Assigned Numbers Authority, Internet Numbering Authority). IANA (www.iana.org) official document "Transport Layer Security (TLS) Extensions" records the latest well-known extension type ID, such as 0 for server_name, 1 for max_fragment_length, 16 for application_layer_protocol_negotiation (ALPN), 35 for session_ticket, and 41 for pre_shared_key(PSK), 43 is supported_versions, and dozens of others. These well-known extension type IDs cannot be selected. The DPI Server can select the extension type ID from more than 65,000 "Unassigned" numbers at present, or select the extension type ID from more than 200 "Reserved for Private Use" numbers at present.

可选的,DPI Server可以支持,App注册请求消息中包含需要排除的TLS 扩展类型ID的一个或多个取值范围。App可能会在TLS中加入其它与本发明无关的自定义扩展类型ID,所以DPI Server分配的专用TLS扩展类型ID不能与App的其它自定义扩展类型ID相冲突。典型地,DPI Server在排除IANA 知名TLS扩展类型ID,并排除App指定的其它扩展类型ID之后,再为该App 分配用于DPI识别的专用TLS扩展类型ID。Optionally, the DPI Server may support that the App registration request message includes one or more value ranges of TLS extension type IDs that need to be excluded. App may add other custom extension type IDs irrelevant to the present invention in TLS, so the dedicated TLS extension type ID allocated by DPI Server cannot conflict with other custom extension type IDs of App. Typically, the DPI Server allocates a dedicated TLS extension type ID for DPI identification to the App after excluding the well-known IANA TLS extension type ID and other extension type IDs specified by the App.

可选的,为了给流量欺诈行为增加难度和成本,DPI Server在排除IANA 知名TLS扩展类型ID后,并且排除App指定的其它扩展类型ID后,可以给不同SP(即“SP名称”)分配相同或不同的专用TLS扩展类型ID;或者,也可以给不同App(即“SP名称+App名称”)分配相同或不同的专用TLS扩展类型ID。Optionally, in order to increase the difficulty and cost of traffic fraud, after excluding the well-known IANA TLS extension type ID and other extension type IDs specified by App, DPI Server can assign the same or different dedicated TLS extension type IDs; alternatively, the same or different dedicated TLS extension type IDs may be assigned to different Apps (namely "SP name+App name").

典型地,App开发者将通过注册网站获得的专用TLS扩展类型ID、App Token、成功分配App Token的日期时间等信息部署到App Server。App开发者将通过注册网站获得的专用TLS扩展类型ID等信息部署到App Client。Typically, the App developer deploys information such as the dedicated TLS extension type ID obtained through the registration website, the App Token, and the date and time when the App Token was successfully allocated to the App Server. The app developer deploys information such as the dedicated TLS extension type ID obtained through the registration website to the App Client.

在App Client中部署专用TLS扩展类型ID,使得App Client产生TLS流量的ClientHello消息时,携带专用TLS扩展类型ID。Deploy a dedicated TLS extension type ID in the App Client, so that when the App Client generates a ClientHello message for TLS traffic, it carries a dedicated TLS extension type ID.

在App Server中部署专用TLS扩展类型ID,使得App Server在对含有该扩展类型ID的Client Hello回复Server Hello响应时,携带该扩展类型ID,以及相应的扩展内容。Deploy a dedicated TLS extension type ID in the App Server, so that the App Server will carry the extension type ID and the corresponding extension content when replying the Server Hello response to the Client Hello containing the extension type ID.

对于TLS 1.0协议、TLS 1.1协议、TLS 1.2协议,Client Hello不加密、 ServerHello不加密,本阶段引入的专用TLS扩展可以正常加入Client Hello、 Server Hello中。For the TLS 1.0 protocol, TLS 1.1 protocol, and TLS 1.2 protocol, Client Hello is not encrypted, and Server Hello is not encrypted. The dedicated TLS extension introduced at this stage can be added to Client Hello and Server Hello normally.

对于TLS 1.3协议,Client Hello不加密、Server Hello不加密,本阶段引入的专用TLS扩展可以正常加入Client Hello、Server Hello中。但是,因为 TLS 1.3协议引入了Encrypted Extensions消息用于加密不需要明文传输的扩展,所以在本发明实施时需要确保本阶段引入的专用TLS扩展应加入到Server Hello中,而不是加入到EncryptedExtensions中。典型地,以OpenSSL-1.1.1 库为例,通过Open SSL API函数SSL_CTX_add_custom_ext()设置自定义扩展时,通过将该函数的相关参数设置为包含“SSL_EXT_TLS1_3_SERVER_HELLO”而不是包含“SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS”,从而使得本阶段引入的专用TLS扩展可以正常加入Server Hello中。For the TLS 1.3 protocol, Client Hello is not encrypted, and Server Hello is not encrypted. The dedicated TLS extension introduced at this stage can be added to Client Hello and Server Hello normally. However, because the TLS 1.3 protocol introduces the Encrypted Extensions message to encrypt extensions that do not require plaintext transmission, it is necessary to ensure that the dedicated TLS extensions introduced at this stage should be added to Server Hello instead of EncryptedExtensions when the present invention is implemented. Typically, taking the OpenSSL-1.1.1 library as an example, when setting a custom extension through the OpenSSL API function SSL_CTX_add_custom_ext(), set the relevant parameters of the function to include "SSL_EXT_TLS1_3_SERVER_HELLO" instead of "SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS", so that this The dedicated TLS extension introduced in the stage can be added to Server Hello normally.

S102,App Server更新阶段。如图1所示第二步,DPI Server接收App Server 发起的TLS连接建立请求,并采用双向证书验证机制建立TLS连接。DPI Server接收App Server更新请求消息,并处理App Server周期性更新的DPI 识别及验证信息,同时DPI Server也通过App Server更新响应消息,将新的 DPI识别及验证信息发送给App Server。S102, App Server update stage. In the second step shown in Figure 1, the DPI Server receives the TLS connection establishment request initiated by the App Server, and establishes a TLS connection using a two-way certificate verification mechanism. The DPI Server receives the App Server update request message, and processes the periodically updated DPI identification and verification information of the App Server. At the same time, the DPI Server also sends the new DPI identification and verification information to the App Server through the App Server update response message.

典型地,App Server更新请求消息包含:App Token、成功分配App Token 的日期时间、App Server公网IP地址(可选)、用于DPI识别的App Server 公钥信息。App Server更新响应消息包含:多区间计数器合法范围、MAC密钥、MAC算法等信息。Typically, the App Server update request message includes: App Token, the date and time when the App Token is successfully allocated, the public IP address of the App Server (optional), and the public key information of the App Server for DPI identification. The App Server update response message includes information such as the legal range of multi-interval counters, MAC keys, and MAC algorithms.

典型地,App Server与DPI Server之间的TLS连接采用双向证书验证机制,给流量欺诈行为增加难度和成本。App Server作为TLS客户端将自己的证书通过上行Certificate消息发送给DPI Server,DPI Server作为TLS服务端将自己的证书通过下行Certificate消息发送给App Server。App Server和DPI Server各自的证书,均须由第三方合法CA(Certificate Authority,证书颁发机构)签发,以保证双方能通过对方的证书验证对方的合法身份。其中,DPI Server通过第一步App注册阶段获得的“用于App Server更新阶段的App Server证书CN/SAN”,对App Server通过上行Certificate发送的CN及SAN 进行校验,以验证App Server的合法身份。Typically, the TLS connection between the App Server and the DPI Server uses a two-way certificate verification mechanism, which increases the difficulty and cost of traffic fraud. As a TLS client, App Server sends its own certificate to DPI Server through an uplink Certificate message, and DPI Server, as a TLS server, sends its own certificate to App Server through a downlink Certificate message. The respective certificates of the App Server and the DPI Server must be issued by a third-party legitimate CA (Certificate Authority, Certificate Authority) to ensure that both parties can verify the legal identity of the other party through the other party's certificate. Among them, the DPI Server verifies the CN and SAN sent by the App Server through the uplink Certificate through the "App Server Certificate CN/SAN for the App Server Update Phase" obtained in the first App registration stage to verify the legitimacy of the App Server identity.

典型地,App Server通过与DPI Server的TLS连接,周期性地发送App Server更新请求消息给DPI Server,将App Server公网IP地址(可选)、用于 DPI识别的App Server公钥信息发送给DPI Server;同时,在该消息中携带 App Token、成功分配App Token的日期时间,以便于DPI Server关联到第一步App注册阶段所形成的该App的相关信息。Typically, the App Server periodically sends an App Server update request message to the DPI Server through a TLS connection with the DPI Server, and sends the App Server public network IP address (optional) and the App Server public key information used for DPI identification to the DPI Server; at the same time, the App Token is carried in the message, and the date and time when the App Token is successfully allocated, so that the DPI Server can associate with the relevant information of the App formed in the first step of the App registration stage.

例如,在App Server更新请求消息中,包含用于DPI识别的App Server 公钥信息。典型地,App Server可以周期性地重新生成该公钥及其配对的私钥,并将最新生成的公钥通过此消息发送给DPI Server。该公钥用于后续第四步 DPI特征识别阶段中,DPI网元验证App Server对App Token扩展内容相关部分的签名。For example, App Server public key information used for DPI identification is included in the App Server update request message. Typically, the App Server can periodically regenerate the public key and its paired private key, and send the newly generated public key to the DPI Server through this message. The public key is used in the fourth step of the DPI feature identification stage, and the DPI network element verifies the App Server's signature on the relevant part of the App Token extension content.

可选地,在App Server更新请求消息中,App Server如果能获取其对App Client所提供服务的App Server公网IP地址,则应将这些IP地址上报给DPI Server,以便后续第四步DPI特征识别阶段中,DPI网元加强特征识别精确性。典型地,对于这些IP地址,可以通过多组/多对以“包含”和“对包含进行排除”的方式来描述,比如,以IPv4为例可描述为,包含从X1.X2.X3.X4到 Y1.Y2.Y3.Y4范围内的IP地址,并排除该范围内从M1.M2.M3.M4到N1.N2.N3.N4范围内的IP地址,而且包含或排除所描述的内容可以是一个或多个地址范围。Optionally, in the App Server update request message, if the App Server can obtain the public IP address of the App Server that provides services to the App Client, it should report these IP addresses to the DPI Server, so that the fourth step DPI feature In the recognition phase, DPI network elements enhance the accuracy of feature recognition. Typically, these IP addresses can be described by multiple groups/pairs in the manner of "include" and "exclude from inclusion". For example, taking IPv4 as an example, it can be described as, including from X1.X2.X3.X4 to IP addresses in the range Y1.Y2.Y3.Y4, and exclude IP addresses in that range from M1.M2.M3.M4 to N1.N2.N3.N4, and including or excluding what is described can is one or more address ranges.

典型地,在App Server更新响应消息中,包含DPI Server分配的多区间计数器合法范围。典型地,多区间计数器取值范围可以是从1开始到最大值 64位(8字节)的正整数(记为MAX64)。多区间计数器合法范围可以是从1 到MAX64之间的一个或多个范围段。Typically, the App Server update response message includes the legal range of the multi-interval counter allocated by the DPI Server. Typically, the value range of the multi-interval counter can be a positive integer from 1 to a maximum value of 64 bits (8 bytes) (marked as MAX64). The legal range of a multi-interval counter can be one or more range segments from 1 to MAX64.

例如,在App Server更新响应消息中,包含MAC密钥和MAC算法信息。典型地,MAC算法可以采用HMAC算法(RFC 2104),在本消息中的算法描述格式可以为“HMAC-MD5”、“HMAC-SHA1”、“HMAC-SHA224”、“HMAC-SHA256”、“HMAC-SHA384”、“HMAC-SHA512”等。For example, the App Server update response message includes MAC key and MAC algorithm information. Typically, the MAC algorithm can use the HMAC algorithm (RFC 2104), and the algorithm description format in this message can be "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224", "HMAC-SHA256", "HMAC -SHA384", "HMAC-SHA512", etc.

S103,DPI特征更新阶段。如图1所示第三步,DPI Server接收DPI网元发起的TLS连接建立请求,并采用双向证书验证机制建立TLS连接。DPI Server接收DPI网元发起的DPI特征更新请求并处理,以及通过相应的DPI 特征更新响应为DPI网元提供App的最新DPI特征信息。S103, a DPI feature update stage. In the third step shown in Figure 1, the DPI Server receives the TLS connection establishment request initiated by the DPI network element, and establishes the TLS connection by using a two-way certificate verification mechanism. The DPI Server receives and processes the DPI feature update request initiated by the DPI network element, and provides the DPI network element with the latest DPI feature information of the App through the corresponding DPI feature update response.

典型地,DPI特征更新响应消息包含:App名称、SP名称、App Server 名称、专用TLS扩展类型ID、App Token、成功分配App Token的日期时间、 App Server公网IP地址(可选)、用于DPI识别的App Server公钥、多区间计数器合法范围、MAC密钥、MAC算法等信息。Typically, the DPI feature update response message includes: App name, SP name, App Server name, dedicated TLS extension type ID, App Token, date and time when App Token is successfully allocated, App Server public network IP address (optional), App server public key identified by DPI, legal range of multi-interval counters, MAC key, MAC algorithm and other information.

典型地,DPI网元与DPI Server之间的TLS连接采用双向证书验证机制,给流量欺诈行为增加难度和成本。DPI网元作为TLS客户端将自己的证书通过上行Certificate消息发送给DPI Server,DPI Server作为TLS服务端将自己的证书通过下行Certificate消息发送给DPI网元。DPI Server的证书,须由第三方合法CA签发,以保证DPI网元能通过该证书验证DPI Server的合法身份。DPI网元的证书,可由DPI Server作为私有CA为DPI网元签发,预置于 DPI网元中,作为DPI网元的合法身份证明。Typically, the TLS connection between the DPI network element and the DPI Server uses a two-way certificate verification mechanism, which increases the difficulty and cost of traffic fraud. As a TLS client, the DPI network element sends its own certificate to the DPI Server through the uplink Certificate message, and the DPI Server, as the TLS server, sends its own certificate to the DPI network element through the downlink Certificate message. The certificate of the DPI Server must be issued by a third-party legal CA to ensure that the DPI network element can verify the legal identity of the DPI Server through the certificate. The certificate of the DPI network element can be issued by the DPI Server as a private CA for the DPI network element, and it is preset in the DPI network element as the legal identity certificate of the DPI network element.

典型地,DPI网元通过与DPI Server的TLS连接,周期性地向DPI Server 发送DPI特征更新请求消息,以获取DPI Server中各个App最新的识别特征信息。Typically, the DPI network element periodically sends a DPI feature update request message to the DPI Server through a TLS connection with the DPI Server, so as to obtain the latest identification feature information of each App in the DPI Server.

典型地,DPI Server将上次DPI网元请求之后发生过相关信息更新的各 App识别特征信息,通过DPI特征更新响应消息发送给DPI网元。可选地, DPI Server将上次DPI网元请求之后未发生过相关信息更新的各App Token或“SP名称+App名称”置于消息中发送给DPI网元。Typically, the DPI Server sends the identification feature information of each App whose relevant information has been updated after the last DPI network element request to the DPI network element through a DPI feature update response message. Optionally, the DPI Server puts each App Token or "SP name+App name" whose relevant information has not been updated after the last DPI network element request in a message and sends it to the DPI network element.

可选地,DPI网元发送的DPI特征更新请求消息中,可以指定或排除一个或多个AppToken或“SP名称+App名称”。对应地,DPI Server在发送的 DPI特征更新响应消息中,只携带相应的App的最新的识别特征信息。Optionally, in the DPI feature update request message sent by the DPI network element, one or more AppTokens or "SP name+App name" may be specified or excluded. Correspondingly, the DPI feature update response message sent by the DPI Server only carries the latest identification feature information of the corresponding App.

S104,DPI特征识别阶段。如图1所示第四步,DPI网元检测App上网流量中的ClientHello、Server Hello消息中的指定扩展类型及其内容,匹配 App Token并验证App Server签名及MAC,确认App流量的真实性,从而准确识别App业务流量。S104, the DPI feature recognition stage. In the fourth step shown in Figure 1, the DPI network element detects the specified extension type and content in the ClientHello and Server Hello messages in the App Internet traffic, matches the App Token and verifies the App Server signature and MAC, and confirms the authenticity of the App traffic. In this way, App business traffic can be accurately identified.

典型地,该App业务流量中App Client发出的Client Hello消息内包含:之前分配的专用TLS扩展类型ID且内容为空。该App业务流量中App Server 发出的Server Hello消息内包含:之前分配的专用TLS扩展类型ID、该扩展内容包含有App Token、成功分配AppToken的日期时间、多区间计数器合法范围内的一个多区间计数器值、对前部分扩展内容的签名、签名算法、对前部分扩展内容的MAC值、MAC算法等信息。Typically, the Client Hello message sent by the App Client in the App business traffic contains: the previously assigned dedicated TLS extension type ID and the content is empty. The Server Hello message sent by the App Server in the App business traffic contains: the previously allocated dedicated TLS extension type ID, the extension content includes the App Token, the date and time when the AppToken is successfully allocated, and a multi-interval counter within the legal range of the multi-interval counter value, the signature of the extended content of the former part, the signature algorithm, the MAC value of the extended content of the former part, the MAC algorithm and other information.

典型地,App Client发出的Client Hello消息中,包含一个自定义TLS扩展,其扩展类型ID为第一步App注册阶段分配的专用TLS扩展类型ID,其扩展内容为空。Typically, the Client Hello message sent by the App Client contains a custom TLS extension whose extension type ID is the dedicated TLS extension type ID allocated in the first step of the App registration phase, and whose extension content is empty.

典型地,App Server发出的Server Hello消息中,包含一个自定义TLS扩展,其扩展类型ID为第一步App注册阶段分配的专用TLS扩展类型ID,其扩展内容如下:Typically, the Server Hello message sent by the App Server contains a custom TLS extension whose extension type ID is the dedicated TLS extension type ID allocated in the first step of the App registration phase, and the extension content is as follows:

具体地,扩展内容1:App Token。该App Token来自于第一步App注册阶段。Specifically, extension content 1: App Token. The App Token comes from the first step of App registration.

具体地,扩展内容2:成功分配App Token的日期时间。该日期时间信息来自于第一步App注册阶段。Specifically, extended content 2: the date and time when the App Token is successfully allocated. The date and time information comes from the first step of app registration.

具体地,扩展内容3:多区间计数器合法范围内的一个多区间计数器值。该多区间计数器合法范围来自于第二步App Server更新阶段。典型地,对于同一个App Client用户(以IP地址区分),App Server在该多区间计数器合法范围内,从小到大取值,对于每个TLS连接的Server Hello消息,其多区间计数器值加1,达到该多区间计数器取值范围的最大值后,再回绕到最小值重新开始。Specifically, extension content 3: a multi-interval counter value within the legal range of the multi-interval counter. The legal range of the multi-interval counter comes from the second step of the App Server update phase. Typically, for the same App Client user (distinguished by IP address), the App Server takes values from small to large within the legal range of the multi-interval counter. For each Server Hello message connected by TLS, the value of the multi-interval counter is increased by 1 , after reaching the maximum value of the multi-interval counter value range, wrap around to the minimum value and start again.

具体地,扩展内容4:对扩展内容1~扩展内容3整体的签名。App Server 采用扩展内容5的签名算法对扩展内容1~扩展内容3整体进行签名。典型地,首先对该内容进行哈希以获取固定长度的哈希结果,然后对哈希结果使用第二步App Server更新阶段所生成的用于DPI识别的App Server公钥所对应的私钥进行加密,加密结果即为签名。Specifically, extended content 4: a signature for the entirety of extended content 1 to extended content 3 . The App Server uses the signature algorithm of the extension content 5 to sign the extension content 1 to extension content 3 as a whole. Typically, the content is first hashed to obtain a fixed-length hash result, and then the hash result is hashed using the private key corresponding to the App Server public key for DPI identification generated in the second App Server update stage. Encryption, the result of encryption is the signature.

具体地,扩展内容5:签名算法。该签名算法由App Server决定,包含哈希算法和公钥加密算法,典型地,如“MD5-RSA”、“SHA1-RSA”、“SHA224-RSA”、“SHA256-RSA”、“SHA384-RSA”、“SHA512-RSA”等之一Specifically, extended content 5: signature algorithm. The signature algorithm is determined by App Server, including hash algorithm and public key encryption algorithm, typically, such as "MD5-RSA", "SHA1-RSA", "SHA224-RSA", "SHA256-RSA", "SHA384-RSA ", "SHA512-RSA", etc.

具体地,扩展内容6:对扩展内容1~扩展内容5整体的MAC值。App Server 采用扩展内容7的MAC算法,使用第二步App Server更新阶段从DPI Server 获取的MAC密钥,对扩展内容1~扩展内容5整体生成MAC值。Specifically, the extended content 6: the MAC value for the whole of the extended content 1 to the extended content 5 . The App Server adopts the MAC algorithm of the extension content 7, and uses the MAC key obtained from the DPI Server in the second step of the App Server update phase to generate MAC values for the extension content 1 to the extension content 5 as a whole.

具体地,扩展内容7:MAC算法。该MAC算法由App Server决定,从由第二步AppServer更新阶段由DPI Server分配的多个MAC算法中,选择其中一个以使用。Specifically, extended content 7: MAC algorithm. The MAC algorithm is determined by the App Server, and one of the multiple MAC algorithms allocated by the DPI Server in the second step of the App Server update phase is selected for use.

典型地,DPI网元检测TLS流量中Client Hello消息是否包含相关的专用 TLS扩展类型ID,如果包含,则需要继续对该TLS-TCP(Transmission Control Protocol,传输控制协议)流的Server Hello消息进一步检测;如果不包含,则不需要继续对该TLS-TCP流的Server Hello消息进一步检测。Typically, the DPI network element detects whether the Client Hello message in the TLS traffic contains the relevant dedicated TLS extension type ID, and if it does, it needs to continue to further detect the Server Hello message of the TLS-TCP (Transmission Control Protocol, transmission control protocol) flow ; If not included, further detection of the Server Hello message of the TLS-TCP stream is not required.

典型地,DPI网元检测TLS流量中Server Hello消息是否包含相关的专用 TLS扩展类型ID,如果包含,则继续对该扩展内容进一步检测并验证;如果不包含,则不需要继续对该扩展内容进一步检测并验证。典型地,DPI网元对该扩展内容的检测及验证方法如下:Typically, the DPI network element detects whether the Server Hello message in the TLS traffic contains the relevant dedicated TLS extension type ID, and if it does, it continues to further detect and verify the extension content; if it does not contain it, it does not need to continue the extension content. Detect and verify. Typically, the DPI network element detects and verifies the extended content as follows:

典型地,DPI网元提取扩展内容1,作为App Token。如果后续验证通过,则将该AppToken识别为相应App,即将当前TLS流量准确识别为相应App 业务。Typically, the DPI network element extracts the extended content 1 as App Token. If the subsequent verification passes, the AppToken will be identified as the corresponding App, that is, the current TLS traffic will be accurately identified as the corresponding App business.

可选地,DPI网元提取扩展内容2,作为成功分配App Token的日期时间,一方面可以用于对App Token唯一性的验证,另一方面可以用于对App Token 版本信息的描述。Optionally, the DPI network element extracts the extended content 2 as the date and time of the successful allocation of the App Token. On the one hand, it can be used to verify the uniqueness of the App Token, and on the other hand, it can be used to describe the version information of the App Token.

典型地,DPI网元提取扩展内容3,作为多区间计数器值。DPI网元检测该多区间计数器值是否在多区间计数器合法范围内。如果在合法范围内,则检查对于同一个AppServer(以网络侧IP地址+网络侧PORT区分)下的同一个App Client用户(以用户侧IP地址区分)的不同TLS流的Server Hello消息多区间计数器值是否递增或达最大值回绕,如果是递增或达最大值回绕,则认为该多区间计数器值通过检查,否则认为不通过检查。如果不在合法范围内,则也认为不通过检查。对多区间计数器的合法取值检查,用于防止基于重放攻击的流量欺诈情况。Typically, the DPI network element extracts the extended content 3 as a multi-interval counter value. The DPI network element detects whether the value of the multi-interval counter is within the legal range of the multi-interval counter. If it is within the legal range, check the Server Hello message multi-interval counter for different TLS flows of the same App Client user (distinguished by user-side IP address) under the same AppServer (distinguished by network-side IP address + network-side PORT) Whether the value increments or wraps around at the maximum value. If it is incremented or wraps around at the maximum value, the multi-interval counter value is considered to pass the check, otherwise it is considered not to pass the check. If it is not within the legal range, it is also considered to have failed the inspection. Check the legal value of multi-interval counters to prevent traffic fraud based on replay attacks.

典型地,DPI网元提取扩展内容4,作为App Server对扩展内容1~扩展内容3整体的签名;DPI网元对扩展内容1~扩展内容3整体,使用从扩展内容5提取到的签名算法,以及从第三步DPI特征更新阶段中获取的用于DPI 识别的App Server公钥,验证签名。具体地,从扩展内容5提取到的签名算法包括哈希算法和公钥加密算法,采用该哈希算法对扩展内容1~扩展内容3 整体进行哈希获取哈希结果;采用该公钥加密算法,使用从第三步DPI特征更新阶段中获取的用于DPI识别的App Server公钥,对扩展内容4进行解密获取解密结果;如果该哈希结果与该解密结果一致,则认为通过签名验证;否则认为未通过签名验证。对扩展的签名验证用于认证App Server的身份合法性,以减少或防止流量欺诈情况。Typically, the DPI network element extracts the extended content 4 as the signature of the App Server for the entire extended content 1 to the extended content 3; the DPI network element uses the signature algorithm extracted from the extended content 5 for the entire extended content 1 to the extended content 3, And the App Server public key used for DPI identification obtained from the third step DPI feature update phase, to verify the signature. Specifically, the signature algorithm extracted from the extension content 5 includes a hash algorithm and a public key encryption algorithm, and the hash algorithm is used to hash the entire extension content 1 to extension content 3 to obtain a hash result; the public key encryption algorithm is used to , using the App Server public key used for DPI identification obtained from the third step DPI feature update stage, to decrypt the extension content 4 to obtain the decryption result; if the hash result is consistent with the decryption result, it is considered that the signature verification is passed; Otherwise, it is considered that the signature verification has not been passed. The extended signature verification is used to authenticate the identity of the App Server to reduce or prevent traffic fraud.

典型地,DPI网元提取扩展内容5,作为验证扩展内容4的签名算法。Typically, the DPI network element extracts the extended content 5 as a signature algorithm for verifying the extended content 4 .

典型地,DPI网元提取扩展内容6,作为App Server对扩展内容1~扩展内容5整体的MAC值;DPI网元对扩展内容1~扩展内容5整体,使用从扩展内容7提取到的MAC算法,以及从第三步DPI特征更新阶段中获取的MAC 密钥,计算生成MAC值;如果生成的MAC值与提取到MAC值一致,则认为MAC校验通过,否则认为MAC校验未通过。对扩展的MAC校验用于确保扩展内容的完整性,降低流量欺诈发生的可能性。Typically, the DPI network element extracts the extended content 6 as the MAC value of the App Server for the entire extended content 1 to the extended content 5; the DPI network element uses the MAC algorithm extracted from the extended content 7 for the entire extended content 1 to the extended content 5 , and the MAC key obtained from the third step DPI feature update phase to calculate and generate a MAC value; if the generated MAC value is consistent with the extracted MAC value, it is considered that the MAC verification has passed, otherwise it is considered that the MAC verification has not passed. The extended MAC check is used to ensure the integrity of the extended content and reduce the possibility of traffic fraud.

典型地,DPI网元提取扩展内容7,作为验证扩展内容6的MAC算法。Typically, the DPI network element extracts the extended content 7 as a MAC algorithm for verifying the extended content 6 .

典型地,DPI网元对于通过多区间计数器检查、签名验证、MAC校验的 App Token,则可将该App Token识别为相应App,即将当前TLS流量准确识别为相应App业务。Typically, the DPI network element can identify the App Token as the corresponding App for the App Token that has passed the multi-interval counter check, signature verification, and MAC verification, that is, the current TLS traffic can be accurately identified as the corresponding App service.

可选地,在上述准确识别App业务的情况下,DPI网元如果从第三步DPI 特征更新阶段中,获取到App Server公网IP地址,则可检查当前TLS-TCP 流的网络侧IP地址是否在该App Server公网IP地址范围内,如果是,则更可加强识别结果的准确性。Optionally, in the above-mentioned case of accurately identifying App services, if the DPI network element obtains the App Server public network IP address from the third step DPI feature update stage, it can check the network side IP address of the current TLS-TCP flow Whether it is within the range of the public network IP address of the App Server, and if so, the accuracy of the identification result can be further enhanced.

如图2所示,本发明实施例还提供一种TLS加密流量特征信息管理装置,包括:As shown in Figure 2, the embodiment of the present invention also provides a TLS encrypted traffic feature information management device, including:

设置于DPI Server 200中的App注册管理模块201。App注册管理模块接收来自注册网站的App注册请求信息,并为目标App分配App特征标识信息,且发送回注册网站。The App registration management module 201 set in the DPI Server 200. The App registration management module receives the App registration request information from the registration website, assigns App feature identification information to the target App, and sends it back to the registration website.

设置于DPI Server 200中的App Server更新管理模块202。App Server更新管理模块基于双向验证的TLS连接,与App Server交换该App的App特征验证信息,交换后双方具有相同的App特征标识信息以及App特征验证信息。The App Server update management module 202 installed in the DPI Server 200 . The App Server update management module exchanges the App feature verification information of the App with the App Server based on the two-way verified TLS connection. After the exchange, both parties have the same App feature identification information and App feature verification information.

设置于DPI Server 200中的DPI特征更新管理模块203。DPI特征更新管理模块基于双向验证的TLS连接,将该App的App特征标识信息以及App 特征验证信息,发送给DPI网元。The DPI feature update management module 203 set in the DPI Server 200 . The DPI feature update management module sends the App feature identification information and App feature verification information of the App to the DPI network element based on the two-way verified TLS connection.

如图3所示,本发明实施例还提供一种服务器300,包括:存储器301、处理器302、总线接口303、用户接口304、输出接口305,所述处理器302 执行所述TLS加密流量识别方法。As shown in Figure 3, the embodiment of the present invention also provides a server 300, including: a memory 301, a processor 302, a bus interface 303, a user interface 304, and an output interface 305, and the processor 302 executes the TLS encrypted traffic identification method.

本发明不仅仅限于以上实施例,凡依本发明权利要求范围所做的等效变更,皆属于本发明权利要求涵盖范围。The present invention is not limited to the above embodiments, and all equivalent changes made according to the scope of the claims of the present invention fall within the scope of the claims of the present invention.

本领域普通技术人员可以理解,上文中所公开方法中的全部或某些步骤、系统、装置中的功能模块/单元可以被实施为软件、固件、硬件及其适当的组合。在硬件实施方式中,在以上描述中提及的功能模块/单元之间的划分不一定对应于物理组件的划分;例如,一个物理组件可以具有多个功能,或者一个功能或步骤可以由若干物理组件合作执行。某些组件或所有组件可以被实施为由处理器,如数字信号处理器或微处理器执行的软件,或者被实施为硬件,或者被实施为集成电路,如专用集成电路。这样的软件可以分布在计算机可读介质上,计算机可读介质可以包括计算机存储介质(或非暂时性介质) 和通信介质(或暂时性介质)。如本领域普通技术人员公知的,术语计算机存储介质包括在用于存储信息(诸如计算机可读指令、数据结构、程序模块或其他数据)的任何方法或技术中实施的易失性和非易失性、可移除和不可移除介质。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字多功能盘(DVD)或其他光盘存储、磁盒、磁带、磁盘存储或其他磁存储装置、或者可以用于存储期望的信息并且可以被计算机访问的任何其他的介质。此外,本领域普通技术人员公知的是,通信介质通常包含计算机可读指令、数据结构、程序模块或者诸如载波或其他传输机制之类的调制数据信号中的其他数据,并且可包括任何信息递送介质。Those of ordinary skill in the art can understand that all or some of the steps in the methods disclosed above, the functional modules/units in the system, and the device can be implemented as software, firmware, hardware, and an appropriate combination thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be composed of several physical components. Components cooperate to execute. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As known to those of ordinary skill in the art, the term computer storage media includes both volatile and nonvolatile media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. permanent, removable and non-removable media. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, tape, magnetic disk storage or other magnetic storage devices, or can Any other medium used to store desired information and which can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media .

Claims (8)

1.一种TLS加密流量识别方法,包括:1. A method for identifying TLS encrypted traffic, comprising: DPI Server接收来自注册网站的App注册请求信息,并为目标App分配App特征标识信息,且发送回注册网站;DPI Server receives the App registration request information from the registration website, assigns App feature identification information to the target App, and sends it back to the registration website; DPI Server基于双向验证的TLS连接,与App Server交换目标App的App特征验证信息,交换后双方具有相同的App特征标识信息以及App特征验证信息;DPI Server exchanges the App feature verification information of the target App with the App Server based on the TLS connection of two-way verification. After the exchange, both parties have the same App feature identification information and App feature verification information; DPI Server基于双向验证的TLS连接,将目标App的App特征标识信息以及App特征验证信息,发送给DPI网元;DPI Server sends the App feature identification information and App feature verification information of the target App to the DPI network element based on the two-way verified TLS connection; DPI网元根据所述App特征验证信息验证用户TLS流量中所述App特征标识信息的合法性,并根据所述App特征标识信息识别由目标App产生的TLS流量,所述DPI网元通过多区间计数器检查防止重放攻击;The DPI network element verifies the legitimacy of the App feature identification information in the user TLS traffic according to the App feature verification information, and identifies the TLS traffic generated by the target App according to the App feature identification information, and the DPI network element passes through multiple intervals Counter checks to prevent replay attacks; 其中,所述DPI网元匹配用户App流量信息中的Server Hello消息中的App特征标识信息,识别对应App的流量信息。Wherein, the DPI network element matches the App feature identification information in the Server Hello message in the user App traffic information, and identifies the corresponding App traffic information. 2.如权利要求1所述的方法,其特征在于,所述App特征验证信息,包含用于DPI识别的App公钥信息、MAC密钥及MAC算法信息、多区间计数器合法范围信息。2. The method according to claim 1, wherein the App feature verification information includes App public key information, MAC key and MAC algorithm information, and multi-interval counter legal range information for DPI identification. 3.如权利要求1所述的方法,其特征在于,DPI Server与App Server建立的所述TLS连接中,所述App Server的证书与DPI Server的证书,均由合法的第三方证书颁发机构签发。3. The method according to claim 1, wherein, in the TLS connection established between the DPI Server and the App Server, the certificate of the App Server and the certificate of the DPI Server are all issued by a legal third-party certification authority . 4.如权利要求1所述的方法,其特征在于,所述DPI网元根据用户App流量信息中的Server Hello消息中的App特征验证信息,验证对应App特征标识信息的合法性。4. The method according to claim 1, wherein the DPI network element verifies the validity of the corresponding App feature identification information according to the App feature verification information in the Server Hello message in the user App traffic information. 5.一种TLS加密流量特征信息管理装置,包括:5. A TLS encrypted traffic characteristic information management device, comprising: 置于DPI Server中的App注册管理模块,其用于接收来自注册网站的App注册请求信息,并为目标App分配App特征标识信息,且发送回注册网站;The App registration management module placed in the DPI Server is used to receive the App registration request information from the registration website, assign App feature identification information to the target App, and send it back to the registration website; 置于DPI Server中的App Server更新管理模块,其基于双向验证的TLS连接,与AppServer交换目标App的App特征验证信息,交换后双方具有相同的App特征标识信息以及App特征验证信息;The App Server update management module placed in the DPI Server, which is based on a bidirectionally authenticated TLS connection, exchanges the App feature verification information of the target App with the AppServer, and after the exchange, both parties have the same App feature identification information and App feature verification information; 置于DPI Server中的DPI特征更新管理模块,其基于双向验证的TLS连接,将目标App的App特征标识信息以及App特征验证信息,发送给DPI网元,所述DPI网元通过多区间计数器检查防止重放攻击;The DPI feature update management module placed in the DPI Server, which is based on a two-way verified TLS connection, sends the App feature identification information and App feature verification information of the target App to the DPI network element, and the DPI network element checks through the multi-interval counter prevent replay attacks; 其中,所述DPI网元匹配用户App流量信息中的Server Hello消息中的App特征标识信息,识别对应App的流量信息。Wherein, the DPI network element matches the App feature identification information in the Server Hello message in the user App traffic information, and identifies the corresponding App traffic information. 6.如权利要求5所述的装置,其特征在于,所述App特征验证信息,包含用于DPI识别的App公钥信息、MAC密钥及MAC算法信息、多区间计数器合法范围信息。6. The device according to claim 5, wherein the App feature verification information includes App public key information for DPI identification, MAC key and MAC algorithm information, and legal range information of multi-interval counters. 7.如权利要求5所述的装置,其特征在于,App Server更新管理模块与App Server建立的所述TLS连接中,所述App Server的证书与DPI Server的证书,均由合法的第三方证书颁发机构签发。7. The device according to claim 5, wherein, in the TLS connection established between the App Server update management module and the App Server, the certificate of the App Server and the certificate of the DPI Server are all legal third-party certificates issued by the issuing authority. 8.一种服务器,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其特征在于,所述处理器执行所述程序时实现如权利要求1~4中任意一项所述TLS加密流量识别的方法。8. A server, comprising: a memory, a processor, and a computer program stored on the memory and operable on the processor, characterized in that, when the processor executes the program, any A method for identifying TLS encrypted traffic.
CN201910396042.4A 2019-05-09 2019-05-09 A method and device for identifying TLS encrypted traffic Active CN111917694B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910396042.4A CN111917694B (en) 2019-05-09 2019-05-09 A method and device for identifying TLS encrypted traffic
PCT/CN2020/080236 WO2020224341A1 (en) 2019-05-09 2020-03-19 Method and apparatus for identifying tls encrypted traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910396042.4A CN111917694B (en) 2019-05-09 2019-05-09 A method and device for identifying TLS encrypted traffic

Publications (2)

Publication Number Publication Date
CN111917694A CN111917694A (en) 2020-11-10
CN111917694B true CN111917694B (en) 2023-02-28

Family

ID=73051379

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910396042.4A Active CN111917694B (en) 2019-05-09 2019-05-09 A method and device for identifying TLS encrypted traffic

Country Status (2)

Country Link
CN (1) CN111917694B (en)
WO (1) WO2020224341A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491910B (en) * 2020-12-01 2023-09-05 三六零数字安全科技集团有限公司 Flow identification method, device, equipment and storage medium based on DOT protocol
CN112491909B (en) * 2020-12-01 2023-09-01 三六零数字安全科技集团有限公司 Flow identification method, device, equipment and storage medium based on DOH protocol
CN113518080B (en) * 2021-06-23 2021-11-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment
CN114449064B (en) * 2022-01-26 2023-12-29 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
US12414001B2 (en) 2023-04-18 2025-09-09 Samsung Electronics Co., Ltd. Method and apparatus for network traffic management
WO2024219591A1 (en) * 2023-04-18 2024-10-24 Samsung Electronics Co., Ltd. Method and apparatus for network traffic management

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340289B (en) * 2008-08-19 2011-11-09 北京飞天诚信科技有限公司 Replay attack preventing method and system thereof
WO2015128609A1 (en) * 2014-02-28 2015-09-03 British Telecommunications Public Limited Company Profiling for malicious encrypted network traffic identification
CN105099802B (en) * 2014-05-15 2019-01-08 中国移动通信集团公司 A kind of method for recognizing flux, terminal and network element device
US9473979B2 (en) * 2014-06-30 2016-10-18 Motorola Solutions, Inc. Method and system for data transmission
US9628455B2 (en) * 2014-12-09 2017-04-18 Akamai Technologies, Inc. Filtering TLS connection requests using TLS extension and federated TLS tickets
CN106533689B (en) * 2015-09-15 2019-07-30 阿里巴巴集团控股有限公司 A kind of method and apparatus of the load digital certificates in SSL/TLS communication
CN107135190B (en) * 2016-02-29 2021-01-15 阿里巴巴集团控股有限公司 Data flow attribution identification method and device based on transport layer secure connection
CN107707508A (en) * 2016-08-09 2018-02-16 中兴通讯股份有限公司 Applied business recognition methods and device
US10805338B2 (en) * 2016-10-06 2020-10-13 Cisco Technology, Inc. Analyzing encrypted traffic behavior using contextual traffic data
CN109309907B (en) * 2017-07-27 2021-08-06 中兴通讯股份有限公司 Method, device and related equipment for traffic accounting
CN109547400A (en) * 2017-09-22 2019-03-29 三星电子株式会社 The server registration method of communication means, integrity verification method and client
CN109617904A (en) * 2018-12-29 2019-04-12 江苏天创科技有限公司 A kind of HTTPS application and identification method in IPv6 network

Also Published As

Publication number Publication date
WO2020224341A1 (en) 2020-11-12
CN111917694A (en) 2020-11-10

Similar Documents

Publication Publication Date Title
CN111917694B (en) A method and device for identifying TLS encrypted traffic
US10097525B2 (en) System, apparatus and method for generating dynamic IPV6 addresses for secure authentication
US8418242B2 (en) Method, system, and device for negotiating SA on IPv6 network
US8108677B2 (en) Method and apparatus for authentication of session packets for resource and admission control functions (RACF)
US9699158B2 (en) Network user identification and authentication
US8806565B2 (en) Secure network location awareness
CN110800331A (en) Network verification method, related equipment and system
US20090070474A1 (en) Dynamic Host Configuration Protocol
US11223946B2 (en) Guaranteeing authenticity and integrity in signaling exchange between mobile networks
KR20100126783A (en) IP address delegation
CN102255916A (en) Access authentication method, device, server and system
Lopez et al. Pceps: Usage of tls to provide a secure transport for the path computation element communication protocol (pcep)
Dinu et al. DHCP server authentication using digital certificates
Miao et al. Transport layer security (TLS) transport mapping for Syslog
CN111314269A (en) Address automatic allocation protocol security authentication method and equipment
US8275987B2 (en) Method for transmission of DHCP messages
CN104518874A (en) Network access control method and system
Shete et al. DHCP protocol using OTP based two-factor authentication
CN113810173B (en) A method for verifying application information, a message processing method and a device
CN112865975B (en) Message security interaction method and system and signaling security gateway device
EP1836559B1 (en) Apparatus and method for traversing gateway device using a plurality of batons
Su et al. Secure DHCPv6 that uses RSA authentication integrated with self-certified address
CN113810353A (en) A method, message processing method and device for verifying application information
CN114567450A (en) A kind of protocol message processing method and device
He et al. Network-layer accountability protocols: a survey

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant