User authentication method and device for encrypted traffic, electronic equipment and storage medium

By acquiring protocol information to configure access control policies and proxy configurations, decrypting the packets to be parsed, and processing user IDs using the first and second access control policies, the problem of high cost and inaccurate identification of encrypted traffic authentication in existing technologies is solved, and fast and accurate user authentication is achieved.

CN116260626B · Active · Publication Date: 2026-06-30 · BEIJING TOPSEC NETWORK SECURITY TECH +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING TOPSEC NETWORK SECURITY TECH
Filing Date
2022-12-30
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing technologies require additional authentication devices and firewall detection for encrypted traffic authentication, which increases the user's configuration and maintenance costs and cannot quickly and accurately identify the visitor's identity.

Method used

By acquiring protocol information, configuring access control policies and proxy configurations, decrypting messages to be parsed, and performing user authentication according to access control policies, user IDs in different situations are handled using the first and second access control policies respectively, thus achieving fast and accurate user authentication.

Benefits of technology

It improves the efficiency of user authentication, reduces maintenance costs, can quickly identify the identity of visitors, and ensures the accuracy and security of authentication.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116260626B_ABST

Abstract

This application provides a user authentication method, apparatus, electronic device, and storage medium for encrypted traffic. The method includes: acquiring protocol information; obtaining target traffic based on the protocol information; configuring an access control policy, including a first access control policy and a second access control policy; generating a proxy configuration corresponding to the access control policy; matching the access control policy with the target traffic to obtain a message to be parsed; decrypting the message to be parsed to obtain a decrypted message to be parsed; and performing user authentication on the decrypted message to be parsed according to the proxy configuration to obtain an authentication result. Implementing this application embodiment can improve the efficiency of user authentication, reduce user maintenance costs, quickly identify the identity of the visitor, and accurately and quickly authenticate users.

Description

Technical Field

[0001] This application relates to the field of network security technology, and more specifically, to a user authentication method, apparatus, electronic device, and computer storage medium for encrypted traffic.

Background Technology

[0002] In recent years, with the rapid development of computer applications, enterprise network environments have become increasingly complex, and the requirements for computer data privacy and information security have become increasingly stringent. Especially for critical business resources, the consequences of leakage are unpredictable. To restrict access to relevant resources by suspicious individuals, user authentication is necessary. However, traditional authentication methods often involve plaintext transmission, which can be easily intercepted by others at intermediate routing nodes, posing risks of data leakage and tampering. Therefore, encrypted traffic authentication and detection for specific business operations has become a key factor in measuring network security.

[0003] Existing technologies require additional authentication devices when authenticating encrypted traffic, and firewalls are still needed to inspect encrypted traffic, which increases the user's configuration and maintenance costs. Alternatively, sufficient traffic needs to be collected in advance and models such as machine learning need to be trained, which is costly and cannot identify the visitor's identity.

Summary of the Invention

[0004] The purpose of this application is to provide a user authentication method, device, electronic device, and storage medium for encrypted traffic, which can improve the efficiency of user authentication, reduce user maintenance costs, quickly identify the identity of the visitor, and accurately and quickly authenticate the user.

[0005] In a first aspect, embodiments of this application provide a user authentication method for encrypted traffic, the method comprising:

[0006] Obtain protocol information;

[0007] The target traffic is obtained based on the protocol information;

[0008] Configure access control policies, including a first access control policy and a second access control policy;

[0009] Generate the proxy configuration corresponding to the access control policy;

[0010] The access control policy is matched with the target traffic to obtain the message to be parsed;

[0011] The message to be parsed is decrypted to obtain the decrypted message to be parsed;

[0012] User authentication is performed on the decrypted message to be parsed according to the proxy configuration, and the authentication result is obtained.

[0013] In the above implementation process, access control is performed on the target traffic according to the access control policy and the corresponding proxy configuration to ensure that the target traffic complies with the access control policy. Then, user authentication is performed on the parsed packets obtained from the target traffic. This can improve the efficiency of user authentication, reduce the user maintenance cost, and quickly identify the identity of the visitor, and accurately and quickly authenticate the user.

[0014] Furthermore, the step of configuring the access control policy includes:

[0015] Obtain user information, action status, protocol information, and policy information;

[0016] If the action status is an allowed status, configure a first access control policy based on the user information, the action status, the protocol information, and the policy information;

[0017] If the action status is an authentication status, configure a second access control policy based on the user information, the action status, and the protocol information;

[0018] The access control policy is obtained based on the first access control policy and the second access control policy.

[0019] In the above implementation process, the first access control policy and the second access control policy are configured according to different user information, action status, protocol information and policy information, so that the access control policy is more specific and the accuracy of user access control can be improved.

[0020] Further, the step of generating the proxy configuration corresponding to the access control policy includes:

[0021] A first proxy configuration is generated based on the first access control policy in the access control policy;

[0022] A second proxy configuration is generated according to the second access control policy in the access control policy;

[0023] The proxy configuration is obtained based on the first proxy configuration and the second proxy configuration.

[0024] In the above implementation process, generating the first proxy configuration and the second proxy configuration according to the first access control policy and the second access control policy respectively can enable the proxy configuration to match different access control policies and improve the accuracy of the proxy configuration.

[0025] Further, the step of matching the access control policy based on the target traffic to obtain the packet to be parsed includes:

[0026] Determine whether a user ID exists in the target traffic;

[0027] If so, the first access control policy in the access control policy is matched according to the target traffic to obtain the message to be parsed;

[0028] If not, match the second access control policy in the access control policy according to the target traffic, add the second access control policy ID of the second access control policy to the packet of the target traffic, and obtain the packet to be parsed.

[0029] In the above implementation process, different access control policies are matched to the target traffic based on whether a user ID exists in the target traffic. This allows the parsed packets to be segmented according to the presence of the user ID, which facilitates different user authentication for the parsed packets and improves user authentication efficiency.

[0030] Further, the step of performing user authentication on the decrypted message to be parsed according to the proxy configuration to obtain the authentication result includes:

[0031] If the access control policy ID in the decrypted message to be parsed is the second access control policy ID, look up the user policy configuration in the second proxy configuration that corresponds to the second access control policy ID to obtain the target URL, perform user authentication based on the target URL, and obtain the authentication result;

[0032] If the access control policy ID in the decrypted message to be parsed is the first access control policy ID, the configuration corresponding to the first access control policy ID in the first proxy configuration is searched to obtain the target security detection policy. Security detection is performed according to the target security detection policy to obtain the detection result.

[0033] In the above implementation process, the corresponding target URL can be directly located based on the second access policy ID, which effectively improves the speed of user authentication, can quickly identify the user's identity, and avoids the probability of errors in the authentication process, thus improving accuracy.

[0034] Furthermore, the step of performing security detection according to the target security detection strategy and obtaining the detection result further includes:

[0035] If the detection result is a pass, access authorization is granted based on the detection result;

[0036] If the detection result is a failure, an alarm message is issued.

[0037] In the above implementation process, security testing of the target security detection strategy can effectively ensure the authenticity and accuracy of user identity, and avoid errors in the user authentication process that could lead to the identification of incorrect user identities.

[0038] Furthermore, prior to the step of obtaining protocol information, the following steps are also included:

[0039] Configure user authentication policies according to user needs.

[0040] In the above implementation process, user authentication policies are configured according to user needs, which facilitates the subsequent confirmation of user information during the user authentication process and improves the security of user authentication.

[0041] Secondly, embodiments of this application also provide a user authentication device for encrypted traffic, the device comprising:

[0042] The parsing module is used to obtain protocol information;

[0043] The data acquisition module is used to obtain the target traffic based on the protocol information;

[0044] A configuration module is used to configure access control policies, which include a first access control policy and a second access control policy.

[0045] The generation module is used to generate the proxy configuration corresponding to the access control policy;

[0046] The matching module is used to match the access control policy according to the target traffic to obtain the packet to be parsed;

[0047] The proxy module is used to decrypt the message to be parsed to obtain the decrypted message to be parsed;

[0048] The authentication module is used to perform user authentication on the decrypted message to be parsed according to the proxy configuration, and obtain the authentication result.

[0049] In the above implementation process, access control is performed on the target traffic according to the access control policy and the corresponding proxy configuration to ensure that the target traffic complies with the access control policy. Then, user authentication is performed on the parsed packets obtained from the target traffic. This can improve the efficiency of user authentication, reduce the user maintenance cost, and quickly identify the identity of the visitor, and accurately and quickly authenticate the user.

[0050] Thirdly, an electronic device provided in this application includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the method as described in any of the first aspects.

[0051] Fourthly, embodiments of this application provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method described in any of the first aspects.

[0052] Fifthly, embodiments of this application provide a computer program product that, when run on a computer, causes the computer to perform the method described in any of the first aspects.

[0053] Other features and advantages of this disclosure will be set forth in the following description, may be partly apparent from the description, or may be learned by practicing the techniques described above.

[0054] It can be implemented in accordance with the contents of the specification. The preferred embodiments of this application are described in detail below with reference to the accompanying drawings.

Brief Description of the Drawings

[0055] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation on the range. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0056] Figure 1 is a flowchart illustrating the user authentication method for encrypted traffic provided in an embodiment of this application;

[0057] Figure 2 is a schematic diagram illustrating the structural composition of the user authentication device for encrypted traffic provided in an embodiment of this application;

[0058] Figure 3 is a schematic diagram of the structural composition of the electronic device provided in an embodiment of this application.

Detailed Implementation

[0059] The technical solutions in the embodiments of this application will now be described with reference to the accompanying drawings.

[0060] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0061] The specific embodiments of this application will be described in further detail below with reference to the accompanying drawings and examples. The following examples are used to illustrate this application, but are not intended to limit the scope of this application.

[0062] Example 1

[0063] Figure 1 is a flowchart illustrating the user authentication method for encrypted traffic provided in an embodiment of this application. As shown in Figure 1, the method includes:

[0064] S1, obtain protocol information;

[0065] S2, obtain the target traffic based on protocol information;

[0066] S3, Configure access control policies, including a first access control policy and a second access control policy;

[0067] S4, generate the proxy configuration corresponding to the access control policy;

[0068] S5, match the access control policy according to the target traffic to obtain the message to be parsed;

[0069] S6, decrypt the message to be parsed to obtain the decrypted message to be parsed;

[0070] S7, perform user authentication on the decrypted message to be parsed according to the proxy configuration to obtain the authentication result.

[0071] In the above implementation process, access control is performed on the target traffic according to the access control policy and the corresponding proxy configuration to ensure that the target traffic complies with the access control policy. Then, user authentication is performed on the parsed packets obtained from the target traffic. This can improve the efficiency of user authentication, reduce the user maintenance cost, and quickly identify the identity of the visitor, and accurately and quickly authenticate the user.

[0072] The target traffic in this application embodiment is HTTPS (Hypertext Transfer Protocol Secure) traffic, i.e. HTTP carried over a security-oriented channel, which requires user authentication, data filtering, and security detection by a Web Application Firewall (WAF) system.

[0073] The embodiments in this application are based on a security protection firewall product.

[0074] In S1, in addition to protocol information, information such as source and destination IPs, ports, regions, roles, domains, services, and applications are also obtained.

[0075] Furthermore, the steps for configuring access control policies include:

[0076] Obtain user information, action status, protocol information, and policy information;

[0077] If the action status is allowed, configure the first access control policy based on user information, action status, protocol information, and policy information;

[0078] If the action status is authentication status, configure the second access control policy based on user information, action status, and protocol information;

[0079] The access control policy is obtained based on the first access control policy and the second access control policy.

[0080] In the above implementation process, the first access control policy and the second access control policy are configured according to different user information, action status, protocol information and policy information, so that the access control policy is more specific and the accuracy of user access control can be improved.

[0081] Configure the first access control policy, referencing the user configured by the client, setting the action status to allowed, selecting HTTPS for the protocol information, and referencing the data loss prevention (DLP) data filtering policy and WAF policy for the policy information. Other policies can be configured according to user needs, determining the traffic to be processed and the processing method.

[0082] Configure a second access control policy, referencing the user authentication information configured by the client, setting the action status to authentication status, selecting HTTPS for the protocol information, and configuring other settings according to user needs. Determine the traffic that needs to be authenticated, and then automatically generate proxy configuration based on the access control policy.

[0083] Furthermore, S4 includes:

[0084] Generate the first proxy configuration based on the first access control policy in the access control policy;

[0085] Generate a second proxy configuration based on the second access control policy in the access control policy;

[0086] The proxy configuration is obtained based on the first proxy configuration and the second proxy configuration.

[0087] In the above implementation process, generating the first proxy configuration and the second proxy configuration according to the first access control policy and the second access control policy respectively can enable the proxy configuration to match different access control policies and improve the accuracy of the proxy configuration.

[0088] A first proxy configuration is generated based on the first access control policy in the access control policy, wherein the first proxy configuration generated by the first access control policy includes the referenced DLP policy and the referenced WAF policy; the second proxy configuration generated by the second access control policy includes the access control policy ID and the target Uniform Resource Locator (URL) to which authentication needs to be redirected.

[0089] If the target traffic reaches the firewall device and the user module analyzes it and finds that the traffic has not been authenticated, no action will be taken.

[0090] Furthermore, S5 includes:

[0091] Determine if a user ID exists in the target traffic;

[0092] If so, the message to be parsed is obtained by matching the first access control policy in the target traffic access control policy;

[0093] If not, match the second access control policy in the access control policy of the target traffic, add the second access control policy ID of the second access control policy to the packet of the target traffic, and obtain the packet to be parsed.

[0094] In the above implementation process, different access control policies are matched to the target traffic based on whether a user ID exists in the target traffic. This allows the parsed packets to be segmented according to the presence of the user ID, which facilitates different user authentication for the parsed packets and improves user authentication efficiency.

[0095] The target traffic has no user ID. Matching the second access control policy, the second access control policy ID is added to the Layer 2 header of the target traffic packet, and the target traffic is sent to the proxy process through the virtual interface.

[0096] The target traffic has a user ID, matches the first access control policy, and sends the target traffic to the proxy process through a virtual interface.

[0097] The second access control policy ID is added to the Layer 2 header of the packet, which is then sent through the virtual interface to the proxy process for parsing; this is how information is passed between the data processing process and the proxy process.

[0098] Furthermore, S7 includes:

[0099] If the access control policy ID in the decrypted message is the second access control policy ID, the user policy configuration corresponding to the second access control policy ID is looked up in the second proxy configuration to obtain the target URL, user authentication is performed based on the target URL, and the authentication result is obtained;

[0100] If the access control policy ID in the decrypted message is the first access control policy ID, the configuration corresponding to the first access control policy ID is looked up in the first proxy configuration to obtain the target security detection policy, security detection is performed according to the target security detection policy, and the detection result is obtained.

[0102] In the above implementation process, the corresponding target URL can be directly located based on the second access policy ID, which effectively improves the speed of user authentication, can quickly identify the user's identity, and avoids the probability of errors in the authentication process, thus improving accuracy.

[0103] The proxy process parses the message, obtains the access control policy ID, finds the corresponding policy, identifies the target URL requiring redirection, and redirects the client to that URL. The client performs user authentication at the returned target URL and, upon successful authentication, re-accesses the website.

[0104] The client then requests the corresponding resources. When the new target traffic arrives at the firewall device, the user module analyzes the traffic, finds that it has been authenticated, and tags it with the corresponding user ID.

[0105] The proxy process parses the packets and finds the corresponding DLP data filtering policy and WAF policy. Based on the DLP and WAF policies, it performs security checks on the target traffic. Once the checks pass, the client can access the required resources.

[0106] Furthermore, step 5, which performs security detection according to the target security detection policy and obtains the detection result, also includes:

[0107] If the detection result is a pass, access authorization is granted based on the detection result.

[0108] If the detection result is a failure, an alarm message is issued.

[0109] In the above implementation process, security testing of the target security detection strategy can effectively ensure the authenticity and accuracy of user identity, and avoid errors in the user authentication process that could lead to the identification of incorrect user identities.

[0110] Furthermore, prior to the step of obtaining protocol information, the following steps are also included:

[0111] Configure user authentication policies according to user needs.

[0112] In the above implementation process, user authentication policies are configured according to user needs, which facilitates the subsequent confirmation of user information during the user authentication process and improves the security of user authentication.

[0113] User authentication policies determine the user authentication method, the port the client can be configured to use, the URL suffix, and so on. When authentication is required, it is performed by accessing a URL composed of the firewall management IP, the configured port, and the suffix.
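The S3 to S7 flow of Example 1, together with the authentication URL of [0113], as an added runnable Python sketch; this is not the patent holder's code, and all policy IDs, addresses, URLs, detection patterns and sample flows are constructed. TLS decryption (S6) is outside the sketch: payloads are treated as already decrypted by the proxy process, and a message carrying an unknown policy ID is dropped, a fail-closed default the patent does not spell out.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, AUTHENTICATE = "allow", "authenticate"


@dataclass
class AccessControlPolicy:
    policy_id: str
    action: str                      # ALLOW -> first policy, AUTHENTICATE -> second policy
    protocol: str                    # "HTTPS" selects the target traffic
    users: frozenset                 # users referenced by the policy
    policy_info: dict = field(default_factory=dict)   # DLP/WAF references (first policy only)


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    user_id: Optional[str]           # None: the user module found no prior authentication
    payload: bytes                   # plaintext as seen after the proxy decrypts (constructed)
    acl_id: Optional[str] = None     # tag the data-path process writes into the L2 header


def configure_policies(user_info, protocol, policy_info):
    """S3: first policy = allow + DLP/WAF references, second policy = authenticate."""
    first = AccessControlPolicy("ACL-1", ALLOW, protocol, frozenset(user_info), dict(policy_info))
    second = AccessControlPolicy("ACL-2", AUTHENTICATE, protocol, frozenset(user_info))
    return first, second


def auth_url(mgmt_ip, port, suffix):
    """[0113]: the authentication URL combines management IP, configured port and suffix."""
    return f"https://{mgmt_ip}:{port}/{suffix.lstrip('/')}"


def generate_proxy_config(first, second, target_url):
    """S4: first proxy config carries the DLP/WAF policies, second carries the redirect URL."""
    return {
        first.policy_id: {"dlp": list(first.policy_info["dlp"]), "waf": list(first.policy_info["waf"])},
        second.policy_id: {"target_url": target_url},
    }


def match_policy(flow, first, second):
    """S5: traffic with a user ID matches the first policy, traffic without one the second;
    the matched policy ID is written into the packet before it goes to the proxy process."""
    if flow.protocol != first.protocol:
        return None                  # not target traffic for this embodiment
    flow.acl_id = first.policy_id if flow.user_id is not None else second.policy_id
    return flow


def run_detection(payload, dlp_patterns, waf_patterns):
    """Stand-in for the DLP and WAF engines: report any constructed pattern found in the plaintext."""
    hits = [p for p in list(dlp_patterns) + list(waf_patterns) if p in payload]
    return ("pass" if not hits else "fail"), hits


def authenticate(flow, proxy_cfg):
    """S7: dispatch on the policy ID carried in the decrypted message."""
    cfg = proxy_cfg.get(flow.acl_id)
    if cfg is None:                  # fail closed on an unknown tag (assumption, not in the patent)
        return {"result": "drop", "reason": "unknown access control policy id"}
    if "target_url" in cfg:          # second policy: redirect the client to authenticate
        return {"result": "redirect", "location": cfg["target_url"]}
    verdict, hits = run_detection(flow.payload, cfg["dlp"], cfg["waf"])
    if verdict == "pass":            # [0107]: access authorized
        return {"result": "authorized", "user": flow.user_id}
    return {"result": "alarm", "user": flow.user_id, "hits": hits}   # [0108]: alarm


def process(flow, first, second, proxy_cfg):
    """S5 -> S7 for one flow (S6 decryption assumed already done by the proxy process)."""
    if match_policy(flow, first, second) is None:
        return {"result": "ignored"}
    return authenticate(flow, proxy_cfg)


if __name__ == "__main__":
    first, second = configure_policies(
        ["alice"], "HTTPS", {"dlp": [b"SSN="], "waf": [b"<script"]})
    cfg = generate_proxy_config(first, second, auth_url("10.0.0.1", 8443, "/auth"))
    unauth = Flow("192.0.2.10", "198.51.100.5", 443, "HTTPS", None, b"GET /index HTTP/1.1")
    print(process(unauth, first, second, cfg))   # redirect to https://10.0.0.1:8443/auth
    authed = Flow("192.0.2.10", "198.51.100.5", 443, "HTTPS", "alice", b"POST /upload SSN=123")
    print(process(authed, first, second, cfg))   # alarm, hit b"SSN="
```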

[0114] Example 2

[0115] To implement the method corresponding to Embodiment 1 above and achieve the corresponding functions and technical effects, a user authentication device for encrypted traffic is provided below. As shown in Figure 2, the device includes:

[0116] Parsing module 1 is used to obtain protocol information;

[0117] Data acquisition module 2 is used to obtain the target traffic based on protocol information;

[0118] Configuration module 3 is used to configure access control policies, including a first access control policy and a second access control policy.

[0119] Generation module 4 is used to generate the proxy configuration corresponding to the access control policy;

[0120] Matching module 5 is used to match access control policies based on target traffic to obtain the packet to be parsed;

[0121] Proxy module 6 is used to decrypt the message to be parsed, and obtain the decrypted message to be parsed;

[0122] Authentication module 7 is used to perform user authentication on the decrypted message to be parsed according to the proxy configuration and obtain the authentication result.

[0123] In the above implementation process, access control is performed on the target traffic according to the access control policy and the corresponding proxy configuration to ensure that the target traffic complies with the access control policy. Then, user authentication is performed on the parsed packets obtained from the target traffic. This can improve the efficiency of user authentication, reduce the user maintenance cost, and quickly identify the identity of the visitor, and accurately and quickly authenticate the user.

[0124] Furthermore, configuration module 3 is also used for:

[0125] Obtain user information, action status, protocol information, and policy information;

[0126] If the action status is allowed, configure the first access control policy based on user information, action status, protocol information, and policy information;

[0127] If the action status is authentication status, configure the second access control policy based on user information, action status, and protocol information;

[0128] The access control policy is obtained based on the first access control policy and the second access control policy.

[0129] In the above implementation process, the first access control policy and the second access control policy are configured according to different user information, action status, protocol information and policy information, so that the access control policy is more specific and the accuracy of user access control can be improved.

[0130] Furthermore, generation module 4 is also used for:

[0131] Generate the first proxy configuration based on the first access control policy in the access control policy;

[0132] Generate a second proxy configuration based on the second access control policy in the access control policy;

[0133] The proxy configuration is obtained based on the first proxy configuration and the second proxy configuration.

[0134] In the above implementation process, generating the first proxy configuration and the second proxy configuration according to the first access control policy and the second access control policy respectively can enable the proxy configuration to match different access control policies and improve the accuracy of the proxy configuration.

[0135] Furthermore, the matching module 5 is also used for:

[0136] Determine if a user ID exists in the target traffic;

[0137] If so, match the first access control policy in the access control policy according to the target traffic to obtain the packet to be parsed;

[0138] If not, match the second access control policy in the access control policy of the target traffic, add the second access control policy ID of the second access control policy to the packet of the target traffic, and obtain the packet to be parsed.

[0139] In the above implementation process, different access control policies are matched to the target traffic based on whether a user ID exists in the target traffic. This allows the parsed packets to be segmented according to the presence of the user ID, which facilitates different user authentication for the parsed packets and improves user authentication efficiency.

[0140] Furthermore, authentication module 7 is also used for:

[0141] If the access control policy ID in the decrypted message is the second access control policy ID, look up the user policy configuration corresponding to the second access control policy ID in the second proxy configuration to obtain the target URL, perform user authentication based on the target URL, and obtain the authentication result.

[0142] If the access control policy ID in the decrypted message is the first access control policy ID, find the configuration corresponding to the first access control policy ID in the first proxy configuration to obtain the target security detection policy, perform security detection according to the target security detection policy, and obtain the detection result.

[0143] In the above implementation process, the corresponding target URL can be directly located based on the second access policy ID, which effectively improves the speed of user authentication, can quickly identify the user's identity, and avoids the probability of errors in the authentication process, thus improving accuracy.

[0144] Furthermore, authentication module 7 is also used for:

[0145] If the detection result is a pass, access authorization is granted based on the detection result.

[0146] If the detection result is a failure, an alarm message is issued.

[0147] In the above implementation process, security testing of the target security detection strategy can effectively ensure the authenticity and accuracy of user identity, and avoid errors in the user authentication process that could lead to the identification of incorrect user identities.

[0148] Furthermore, configuration module 3 is also used for:

[0149] Configure user authentication policies according to user needs.

[0150] In the above implementation process, user authentication policies are configured according to user needs, which facilitates the subsequent confirmation of user information during the user authentication process and improves the security of user authentication.

[0151] The user authentication device for encrypted traffic described above can implement the method of Embodiment 1. The options in Embodiment 1 also apply to this embodiment, and will not be described in detail here.

[0152] The remaining contents of this embodiment can be referred to the contents of Embodiment 1 above, and will not be repeated in this embodiment.

[0153] Example 3

[0154] This application provides an electronic device, including a memory and a processor. The memory stores a computer program, and the processor runs the computer program to enable the electronic device to perform the encrypted traffic user authentication method of Embodiment 1.

[0155] Alternatively, the aforementioned electronic device may be a server.

[0156] Please refer to Figure 3, which is a schematic diagram of the structural composition of an electronic device provided in an embodiment of this application. The electronic device may include a processor 31, a communication interface 32, a memory 33, and at least one communication bus 34. The communication bus 34 is used to enable direct communication between these components. In this embodiment, the communication interface 32 is used for signaling or data communication with other node devices. The processor 31 may be an integrated circuit chip with signal processing capabilities.

[0157] The processor 31 described above can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor, or the processor 31 can be any conventional processor.

[0158] The memory 33 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc. The memory 33 stores computer-readable instructions. When these computer-readable instructions are executed by the processor 31, the device can perform the various steps of the method embodiment shown in Figure 1.

[0159] Optionally, the electronic device may also include a storage controller and an input / output unit. The memory 33, storage controller, processor 31, peripheral interface, and input / output unit are electrically connected directly or indirectly to each other to achieve data transmission or interaction. For example, these components can be electrically connected to each other via one or more communication buses 34. The processor 31 is used to execute executable modules stored in the memory 33, such as software function modules or computer programs included in the device.

[0160] Input / output units are used to enable users to create tasks and set optional start periods or preset execution times for those tasks, facilitating user-server interaction. Input / output units can be, but are not limited to, a mouse and keyboard.

[0161] It will be understood that the structure shown in Figure 3 is for illustrative purposes only; the electronic device may also include more or fewer components than those shown in Figure 3, or have a configuration different from that shown in Figure 3. The components shown in Figure 3 can be implemented using hardware, software, or a combination thereof.

[0162] In addition, this application also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the user authentication method for encrypted traffic in Embodiment 1.

[0163] This application also provides a computer program product that, when run on a computer, causes the computer to perform the method described in the method embodiment.

[0164] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can also be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram and / or flowchart, and combinations of blocks in block diagrams and / or flowcharts, can be implemented using dedicated hardware-based apparatus that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.

[0165] In addition, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.

[0166] If the aforementioned functions are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, external hard drives, ROM, RAM, magnetic disks, or optical disks.

[0167] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application. It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.

[0168] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of protection of the claims.

[0169] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

Claims

1. A user authentication method for encrypted traffic, characterized in that the method includes: obtaining protocol information; obtaining the target traffic based on the protocol information; configuring access control policies, including a first access control policy and a second access control policy; generating the proxy configuration corresponding to the access control policy; matching the access control policy with the target traffic to obtain the message to be parsed; decrypting the message to be parsed to obtain the decrypted message to be parsed; and performing user authentication on the decrypted message to be parsed based on the proxy configuration to obtain the authentication result; wherein the step of generating the proxy configuration corresponding to the access control policy includes: generating a first proxy configuration based on the first access control policy in the access control policy; generating a second proxy configuration according to the second access control policy in the access control policy; and obtaining the proxy configuration based on the first proxy configuration and the second proxy configuration; the step of matching the access control policy according to the target traffic to obtain the packet to be parsed includes: determining whether a user ID exists in the target traffic; if so, matching the first access control policy in the access control policy according to the target traffic to obtain the message to be parsed; if not, matching the second access control policy in the access control policy according to the target traffic, adding the second access control policy ID of the second access control policy to the packet of the target traffic, and obtaining the packet to be parsed; and the step of configuring access control policies includes: obtaining user information, action status, protocol information, and policy information; if the action status is an allowed status, configuring a first access control policy based on the user information, the action status, the protocol information, and the policy information; if the action status is an authentication status, configuring a second access control policy based on the user information, the action status, and the protocol information; and obtaining the access control policy based on the first access control policy and the second access control policy.

2. The user authentication method for encrypted traffic according to claim 1, characterized in that the step of performing user authentication on the decrypted message to be parsed according to the proxy configuration and obtaining the authentication result includes: if the access control policy ID in the decrypted message to be parsed is the second access control policy ID, looking up the user policy configuration in the second proxy configuration that corresponds to the second access control policy ID to obtain the target URL, performing user authentication based on the target URL, and obtaining the authentication result; if the access control policy ID in the decrypted message to be parsed is the first access control policy ID, looking up the configuration corresponding to the first access control policy ID in the first proxy configuration to obtain the target security detection policy, performing security detection according to the target security detection policy, and obtaining the detection result.

3. The user authentication method for encrypted traffic according to claim 2, characterized in that the step of performing security detection according to the target security detection policy and obtaining the detection result further includes: if the detection result is passed, granting access authorization based on the detection result; if the detection result is failed, issuing an alarm message.

4. The user authentication method for encrypted traffic according to claim 1, characterized in that, before the step of obtaining protocol information, the method further includes: configuring user authentication policies according to user needs.

5. A user authentication device for encrypted traffic, characterized in that the device includes: a parsing module, used to obtain protocol information; a data acquisition module, used to obtain the target traffic based on the protocol information; a configuration module, used to configure access control policies, which include a first access control policy and a second access control policy; a generation module, used to generate the proxy configuration corresponding to the access control policy; a matching module, used to match the access control policy according to the target traffic to obtain the packet to be parsed; a proxy module, used to decrypt the message to be parsed to obtain the decrypted message to be parsed; and an authentication module, used to perform user authentication on the decrypted message to be parsed according to the proxy configuration and obtain the authentication result; wherein the generation module is also used for: generating a first proxy configuration based on the first access control policy in the access control policy; generating a second proxy configuration according to the second access control policy in the access control policy; and obtaining the proxy configuration based on the first proxy configuration and the second proxy configuration; the matching module is also used for: determining whether a user ID exists in the target traffic; if so, matching the first access control policy in the access control policy according to the target traffic to obtain the message to be parsed; if not, matching the second access control policy in the access control policy according to the target traffic, adding the second access control policy ID of the second access control policy to the packet of the target traffic, and obtaining the packet to be parsed; and the configuration module is also used for: obtaining user information, action status, protocol information, and policy information; if the action status is an allowed status, configuring a first access control policy based on the user information, the action status, the protocol information, and the policy information; if the action status is an authentication status, configuring a second access control policy based on the user information, the action status, and the protocol information; and obtaining the access control policy based on the first access control policy and the second access control policy.

6. An electronic device, characterized in that the device includes a memory and a processor, the memory being used to store a computer program, and the processor running the computer program to cause the electronic device to perform the user authentication method for encrypted traffic according to any one of claims 1 to 4.

7. A computer-readable storage medium, characterized in that it stores a computer program that, when executed by a processor, implements the user authentication method for encrypted traffic according to any one of claims 1 to 4.