Method and system for controlling access permission

Abstract

The invention discloses a method and a system for controlling access permission. The method comprises the steps of receiving an identity verification request sent by a connection initiating host in anSDP framework, wherein the identity verification request comprises identity recognition information of the connection initiating host; acquiring risk information corresponding to the identity recognition information from a third-party environment risk perception platform; performing identity verification on the connection initiating host according to the risk information, and determining a connection receiving host list accessible to the connection initiating host in the SDP framework under the condition that the identity verification is passed; configuring a key algorithm pair for the identity recognition information, and configuring the validity period of the key algorithm pair according to the risk information; and sending the connection receiving host list, the key algorithm pair andthe validity period to the connection initiating host. According to the invention, the leakage risk of the key algorithm pair can be avoided, and the security of accessing a hidden service is ensured.

Description

technical field [0001] The invention relates to the technical field of network security, in particular to a method and system for controlling access rights. Background technique [0002] In the existing SDP (Software Defined Perimeter, software-defined boundary) framework, it includes a connection initiating host, a controller, and a connection accepting host; the controller is used to authenticate the connection initiating host and the connection accepting host, and determine the connection initiating host An accessible connection accepting host; before the connection initiating host establishes a service link with the connection accepting host, the connection initiating host will send a SPA (Single Packet Authorization, single packet authorization) package to the connection accepting host; wherein, the SPA package includes According to the dynamic password generated by the key algorithm pair, the access authority can be controlled through the dynamic password; however, in ...

AI Technical Summary

Problems solved by technology

[0002] In the existing SDP (Software Defined Perimeter, software-defined boundary) framework, it includes a connection initiating host, a controller, and a connection accepting host; the controller is used to authenticate the connection initiating host and the connection accepting host, and determine the connection initiating host An accessible connection accepting host; before the connection initiating host establishes a service link with the connection accepting host, the connection initiating host will send a SPA (Single Packet Authorization, single packet authorization) package to the connection accepting host; wherein, the SPA package includes According to the dynamic password generated by the key algorithm pair, the access authority can be controlled through the dynamic password; however, in the standard SDP framework, the key algorithm pair is unchanged, and once the key algorithm pair is leaked, it may cause concealment The business service on the connection accepting host is attacked; in addition, in the standard SDP framework, if the connection initiating host is hijacked after the business link is established, the business service hidden on the connection accepting host will also be attacked risk; therefore, how to ensure the security of accessing hidden services in the SDP framework has become a technical problem that those skilled in the art need to solve urgently

Images