Service access control method, electronic device, and storage medium
The service access control method addresses the inefficiencies of traditional single-point defenses by implementing proactive, near-source defense across multiple trust domains through collaborative verification and key derivation, enhancing network security and efficiency.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- ZTE CORP
- Filing Date
- 2024-06-28
- Publication Date
- 2026-06-30
AI Technical Summary
Traditional single-point defense methods based on network boundaries are ineffective for cross-trust domain access, leading to delayed defense and increased service processing delays, as they rely on passive attack detection and require additional equipment, and cannot be implemented across domains.
A service access control method that involves user nodes sending access request messages through intermediate nodes, where each node performs stateless filtering and collaborative verification using derived keys, enabling proactive, near-source defense across multiple trust domains.
Enables proactive, near-source defense across multiple trust domains, reducing the risk of malicious traffic propagation, improving service resource utilization, and minimizing the need for additional equipment, thus enhancing network security and efficiency.
Smart Images

Figure 2026521655000001_ABST
Abstract
Description
Technical Field
[0001] This application is filed based on a Chinese patent application with an application number of 202310797534.0 and a filing date of June 29, 2023, and claims the priority of the Chinese patent application. All the contents of the Chinese patent application are incorporated herein by reference.
[0002] This application relates to the technical field of network communication, and particularly to a service access control method, an electronic device, and a storage medium.
Background Art
[0003] With the acceleration of the integration of heterogeneous networks and the cloudification of enterprise services, access across trust domains has become the norm. The traditional single-point defense method based on network boundaries has already become substantially ineffective, and systematic cybersecurity in the cyber space requires collaboration among multiple trust domains. Thus, not only access control is performed at a position close to the service side, but access is also controlled at all possible positions across the entire network, proximity source defense is performed as close as possible, the propagation of malicious traffic is blocked early, the utilization rate of service resources is improved, the investment in core network equipment is reduced, and the possibility of threats invading the service network can be reduced.
[0004] The proximity source defense methods provided by related technologies generally adopt passive defense methods such as "attack detection - analysis tracing - traffic removal", that is, the source of the attack is analyzed only after the attack occurs, and then treatment is performed nearby. Therefore, the defense effect is delayed, and further introduction of additional dedicated equipment is required, increasing the delay of service processing. Furthermore, proximity source defense can only be implemented within a controllable internal network and cannot be implemented across domains.
Summary of the Invention
Problems to be Solved by the Invention
[0005] Embodiments of the present application provide a service access control method, an electronic device, and a storage medium. [Means for solving the problem]
[0006] In a first embodiment, an embodiment of the present application provides a service access control method, the method comprising: a user node sending a first access request message to a server node, the first access request message comprising IP address information, the first access request message reaching the server node via at least one intermediate node, the at least one intermediate node comprising an access point, and the first access request message representing that the user node is making an initial access request; the user node receiving a first response message returned from the server node, the first response message comprising access authentication information and identification information, the access authentication information being determined based on at least the server node's key and the IP address information, and the identification information comprising an identifier of another node other than the access point through which the first access request message passed; and the user node sending a second access request message to the server node, the second access request message comprising the access authentication information, the identification information and the IP address information.
[0007] In a second embodiment, an embodiment of the present application provides a service access control method, the method comprising: a step of an intermediate node receiving an access request message sent from a user node; if the access request message is a second access request message, the intermediate node obtaining access authentication information, an identifier of an unreachable node and IP address information from the second access request message, wherein the second access request message indicates that the user node is making a non-first access request; a step of the intermediate node determining access verification information based on at least its own node's key, the identifier of the unreachable node and the IP address information; a step of the intermediate node comparing the access verification information with the access authentication information to obtain a verification result of the second access request message; and a step of the intermediate node forwarding the second access request message to the next node if the verification result is a successful verification result.
[0008] In a third embodiment, an embodiment of the present application provides a service access control method, the method comprising: a server node receiving an access request message sent from a user node; if the access request message is a second access request message, the server node obtaining access authentication information and IP address information from the second access request message, wherein the second access request message indicates that the user node is making a non-first access request; the server node determining access verification information based on at least its own key and the IP address information; the server node comparing the access verification information with the access authentication information and determining the verification result of the second access request message; and if the verification result is a successful verification result, the server node returning a service to the user node.
[0009] In a fourth embodiment, an embodiment of the present application provides an electronic device comprising one or more processors and a memory in which one or more programs are stored, wherein, when executed by the one or more processors, the one or more programs cause the one or more processors to implement the service access control method described in the first embodiment, the service access control method described in the second embodiment, or the service access control method described in the third embodiment.
[0010] In a fifth embodiment, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, and which, when executed by a processor, realizes the service access control method described in the first embodiment, the service access control method described in the second embodiment, or the service access control method described in the third embodiment. [Brief explanation of the drawing]
[0011] [Figure 1] This is a schematic diagram of the structure of a service access control system according to one embodiment of the present invention. [Figure 2] This is a flowchart of a service access control method according to one embodiment of the present invention. [Figure 3] This is a flowchart of a service access control method according to another embodiment of the present invention. [Figure 4] This is a flowchart of a service access control method according to another embodiment of the present invention. [Figure 5] This is a flowchart of a service access control method according to another embodiment of the present invention. [Figure 6] This is a flowchart of a service access control method according to another embodiment of the present invention. [Figure 7] This is a sequence diagram of a service access control method according to one specific example of the present invention. [Figure 8] A schematic diagram illustrating the structure of a service access control system according to one specific example of the present invention. [Figure 9] This is a sequence diagram of a service access control method according to another specific example of the present invention. [Figure 10] This is a schematic diagram of the structure of a service access control system according to another specific example of the present invention. [Figure 11] This is a sequence diagram of a service access control method according to another specific example of the present invention. [Figure 12] This is a schematic diagram of the structure of an electronic device according to one embodiment of the present invention. [Modes for carrying out the invention]
[0012] To further clarify the purpose, technical solution, and advantages of this application, the application will be described in more detail below with reference to the drawings and embodiments. The specific embodiments described herein are used solely for illustrative purposes and are not intended to limit the application.
[0013] In the description of the embodiments of this application, terms such as "First," "Second," etc., in the specification, claims, and the drawings above are used to distinguish similar objects and should not be understood as indicating or implying relative importance, implicitly indicating the number of technical features shown, or implicitly indicating the sequence of technical features shown. "At least one" refers to one or more, and "multiple" refers to two or more. "And / or" describes the relationship between related objects and indicates that three relationships may exist. For example, A and / or B may mean that A exists alone, A and B exist simultaneously, or B exists alone. Here, A and B may be singular or plural. The symbol " / " generally indicates that the preceding and succeeding related objects have an "or" relationship. Although the device schematic diagram shows a division of functional modules and the flowchart shows a logical order, this may differ in some cases from the module division in the device, and the illustrated or described steps may be performed in an order different from the order in the flowchart.
[0014] In addition, the technical features mentioned in each embodiment of the present application described below may be combined with each other, provided that they do not conflict with each other.
[0015] With the convergence of heterogeneous networks and the accelerating migration of enterprise services to the cloud, cross-trust domain access is becoming commonplace. Traditional single-point defense methods based on network boundaries are already effectively ineffective, and systematic cybersecurity requires collaboration between multiple trust domains. This allows for access control not only at locations close to the service provider, but also at every possible location across the entire network, enabling proximity-source defense wherever possible, early prevention of malicious traffic propagation, improved service resource utilization, reduced investment in core network equipment, and a decrease in the likelihood of threats infiltrating the service network.
[0016] Many existing proximity-source defense methods employ passive defense strategies such as "attack detection - analysis tracing - traffic removal," meaning that the source of the attack is only analyzed after the attack occurs, and then immediate action is taken. This results in delayed defense, the need for additional dedicated equipment, and increased delays in service processing. Furthermore, proximity-source defense can only be implemented within a controllable internal network and cannot be implemented across domains.
[0017] To solve the above problems, embodiments of the present application provide a service access control method, an electronic device, and a storage medium. A user node sends a first access request message including IP address information to a server node, and the first access request message reaches the server node via at least one intermediate node. Thereby, intermediate nodes in the network can perform stateless filtering on traffic for a user to access an application, realizing active and proximity-source defense of the network against the application. Thereby, reliable collaboration can be performed according to the agreements among the user node, the server node, and the intermediate nodes. Then, the user node receives a first response message returned from the server node and including access authentication information and identification information. Here, the first response message is obtained by the server node coordinating the information of each domain and comprehensively determining whether to permit the user's current access. If it permits, the user node is granted permission. Thereby, determination of the request message of the user node is realized. Finally, the user node sends a second access request message including access authentication information, identification information, and IP address information to the server node. Thereby, malicious traffic can be identified by performing collaborative verification at multiple points in the network on the user's access request, realizing the process of collaborative transfer verification for the user's access request message, and enabling collaborative defense of the service.
[0018] Hereinafter, embodiments of the present application will be described with reference to the drawings.
[0019] Referring to FIG. 1, FIG. 1 is a schematic diagram of a system architecture for executing a service access control method according to an embodiment of the present application.
[0020] In the embodiment shown in Figure 1, the service access control system 100 includes, but is not limited to, a user node 200, a server node 300, and at least one intermediate node. Here, only an example with one intermediate node is shown in Figure 1.
[0021] The service access control system 100 in this embodiment is a precise service access control system that enables collaboration across domains. In this embodiment, the user node 200 includes, but is not limited to, computers, mobile devices, IoT devices, etc., and the server node 300 includes, but is not limited to, servers, routers, switches, etc., and is not specifically limited in this embodiment.
[0022] User node 200 accesses applications within the service network via the access network and relay nodes. The system architecture diagram is shown in Figure 1. Here, the access network key management device 412 and access gateway 411 belong to the access domain, the relay network key management device 422 and router belong to the relay domain, and the service network key management device 320, service authentication server 330, and service gateway 310 belong to the service domain. The key management devices and gateways in each domain are functionally independent of each other and may be physically separated or integrated. For clarity, they are shown separately in the diagram.
[0023] In some embodiments, the user node 200 is configured to initiate access requests to a target application and to receive access response messages sent from the target application.
[0024] The intermediate node includes an access point 410 and a relay node 420, the access point 410 includes an access gateway 411 and an access network key management device 412, and the relay node 420 includes a relay gateway 421 and a relay network key management device 422.
[0025] The access point 410 is configured to receive application access requests sent from the user node 200, and the access gateway 411 determines whether the access request message is the first packet based on the local cache table, the protocol field in the message, or the authentication information field, and forwards the message based on the determination result.
[0026] The relay node 420 is configured to receive application access requests sent from the user node 200, and the relay gateway determines whether a message is the first packet based on the local cache table and whether the protocol field or authentication information field in the message is 0. The first packet is forwarded directly; if it is not the first packet, validation is performed, thereby enabling message validation and interception.
[0027] The server node 300 includes a service gateway 310, a service network key management device 320, and a service authentication server 330. The server node 300 is configured to receive application access requests sent from the user node 200, and the service gateway 310 can determine if it is the first packet based on the local cache table, the protocol field in the message, or the authentication information field being 0.
[0028] Furthermore, before the user node 200 can access the application, the service access control system 100 must perform system-level collaboration key derivation, and the access key management device derives a relay domain key for the relay domain. In some embodiments, based on the relay domain key and the service domain identifier, the relay key management device derives a service domain key for the service domain.
[0029] The service gateway 310 receives a service access request sent from the user node 200, and if it determines that the user is accessing the service for the first time, it requests service access authentication from the service authentication server 330. The service gateway 310 can determine whether it is the first access in various ways, such as by checking the message protocol type, the local cache table, and whether the message authentication information field is 0.
[0030] The service authentication server 330 comprehensively determines whether to allow a user to access the service based on multi-domain information such as the user's current trustworthiness, the user's access location information, the application's current load status, network link congestion status, and service access control lists. The service access control lists may be filtered based on source IP, destination IP, source port, destination port, protocol number, etc., and may also support filtering based on source address ranges and destination address ranges.
[0031] If access is permitted, the service authentication server 330 generates application access authentication information based on the service domain key and information such as the user source address, target service address, user identification ID, service identification ID, source port, destination port, protocol number, and target URL. The application access authentication information is relayed through the service gateway 310 and assigned to the user node 200. Here, the user identification ID, service identification ID, source port, destination port, protocol number, and target URL are optional information.
[0032] User node 200 includes authenticated access credentials and information such as the service domain identifier and relay domain identifier in subsequent service access messages. Access gateway 411, relay gateway, and service gateway 310 verify the access credentials in the message based on their respective domain keys, session information such as the source IP and destination IP addresses in the message, and the domain identifier. If verification fails, the message is blocked, thereby achieving precise service access control through inter-domain collaboration.
[0033] In some embodiments, the system architecture according to this embodiment enables proactive, near-source defense of applications by the network through coordinated key derivation, coordinated service authentication, and coordinated forwarding verification between access domains, relay domains, and service domains, allowing multiple forwarding nodes within the network to filter user application access traffic in a stateless manner. This embodies the real-time, efficient, and systematic nature of this method while avoiding the drawbacks of single-point defense and without introducing other devices that increase service latency.
[0034] Based on the structure of the service access control system 100 described above, various embodiments of the service access control method of the present application are submitted below.
[0035] Referring to Figure 2, Figure 2 is a flowchart of a service access control method according to one embodiment of the present invention. This service access control method is applied to, but is not limited to, a user node 200 of the system architecture, and includes, but is not limited to, steps S101 to S103.
[0036] Step S101: The user node sends a first access request message to the server node.
[0037] The first access request message includes IP address information, and it reaches the server node via at least one intermediate node. The at least one intermediate node includes an access point, and the first access request message indicates that the user node is making its initial access request.
[0038] In some embodiments, a user node sends a first access request message to a server node to request authentication for the access, and this first access request message includes IP address information. This makes it easier for the server node and intermediate nodes to locate the first access request message on the network, enabling traffic management and quality of service control for the first request message. Here, the first access request message is the message in which the user node makes its initial access request.
[0039] In this embodiment, the IP address information includes user source address information and target service address information.
[0040] Step S102: The user node receives the first response message returned from the server node.
[0041] The first response message includes access authentication information and identification information. The access authentication information is determined based on at least the server node's key and IP address information, and the identification information includes identifiers of nodes other than the access point through which the first access request message passed.
[0042] In some embodiments, the user node receives a first response message returned from the server node, thereby determining authenticated access credentials and identification information from the first response message and enabling accurate parsing of the first access request message.
[0043] Step S103: The user node sends a second access request message to the server node.
[0044] The second access request message includes access authentication information, identification information, and IP address information.
[0045] In some embodiments, after the user node receives the first response message, the user node subsequently sends a second access request message to the server node containing access authentication information, identification information, and IP address information, requesting continued access to the application, thereby enabling a cooperative forwarding verification process for the user's access request messages.
[0046] Furthermore, the second access request message sent by the user node includes already authenticated access authentication information and identification information of the relay domain traversed during the current access, thereby facilitating the determination of intermediate nodes and server nodes.
[0047] In some embodiments, during the process of a user node sending a first access request message to a server node, the first access request message may reach the server node via only an access point, in which case the identification information includes the identifier of the server node. Alternatively, the first access request message may reach the server node via an access point and at least one relay node, in which case the identification information includes the identifiers of each relay node and the identifier of the server node.
[0048] In some embodiments, the key for any relay node is transmitted to the relay node by the key management device of the preceding node, and the key for the relay node is determined by the key management device of the preceding node based on the relay node's identifier and the key of the preceding node.
[0049] Before the user node sends the first access request message to the server node, the access point's access network key management device generates an access domain key and synchronizes it with the access gateway 411. The relay node's relay network key management device 422 performs trust negotiation with the contracted access network key management device to confirm that key derivation is possible. Subsequently, the access network key management device 412 derives a relay domain key based on the access domain key and the relay domain identifier, and then the relay node's relay network key management device 422 derives a service domain key based on the service domain identifier and the relay domain key. The service network key management device 320 synchronizes the service domain key with the service gateway 310 and the application service authentication server 330. This enhances the security of communication. By deriving different keys at different stages of communication and between each node, the risk of keys being obtained by an attacker can be reduced. Even if the key of one node is leaked, the keys of other nodes remain secure.
[0050] In some embodiments, the server node's key is sent to the server node by the key management device of the node immediately preceding the server node, and is generated by the key management device of the preceding node based on the server node's identifier and the key of the preceding node.
[0051] In some embodiments, when messages are transmitted without passing through relay nodes, the access point's access network key management device collaborates with the service network key management device 320 based on trust. The access network key management device derives a service domain key based on a randomly generated access network key and service domain identifier. After key derivation is complete, the service domain key management device synchronizes the service domain key with the service gateway 310 and the application service authentication server 330.
[0052] In some embodiments, access authentication information is further determined based on at least one of the following: user identification ID, service identification ID, source port information, destination port information, target service URL information, or protocol number information. This enables accurate determination of access request messages sent by user nodes, filtering of abnormal communication data flows, improved accuracy in identifying access request messages, and accurate and rapid identification of malicious traffic.
[0053] Note that the user identification ID, service identification ID, source port information, destination port information, target service URL information, or protocol number information are all optional, and the access authentication information may include one or more of the above pieces of information. For example, the access authentication information may include the server node key, IP address information, user identification ID, and service identification ID, or the access authentication information may include the server node key, IP address information, source port information, destination port information, etc., and these will not be listed one by one in this embodiment.
[0054] Referring to Figure 3, Figure 3 is a flowchart of a service access control method according to another embodiment of the present invention, which is applied to an intermediate node of a service access control system 100, but is not limited thereto. The service access control method includes, but is not limited to, steps S201 to S205.
[0055] Step S201: The intermediate node receives an access request message sent from the user node.
[0056] Step S202: If the access request message is a second access request message, the intermediate node obtains access authentication information, the identifier of the unreachable node, and IP address information from the second access request message.
[0057] The second access request message indicates that the user node is making a non-initial access request.
[0058] Step S203: The intermediate node determines access verification information based on at least its own node's key, the identifier and IP address information of the unreachable node.
[0059] Step S204: The intermediate node compares the access verification information and the access authentication information to obtain the verification result of the second access request message.
[0060] Step S205: If the verification result is a successful verification, the intermediate node forwards the second access request message to the next node.
[0061] In some embodiments, after receiving an access request message from a user node, the intermediate node first determines whether the access request message is the first access request message sent by the user node or a message sent for a second access request. If the access request message is a second access request message, i.e., an access request message sent by the user node for a second access request, the intermediate node obtains access authentication information, the identifier and IP address information of the unreachable node from the second access request message, performs message verification, and determines the access verification information corresponding to the second access request message. Subsequently, the intermediate node verifies the second access request message by comparing the access verification information with the access authentication information and obtains the verification result for the second access request message. Finally, if the verification result is a successful verification, it indicates that the second access request message has already been authenticated and is a secure access request message, and the intermediate node forwards the second access request message to the next node, thereby completing the forwarding of the second access request message.
[0062] If the verification result is a failure, it indicates that the second access request message is not authenticated and may contain malicious traffic or dangerous information, and the intermediate node will block the message from being forwarded.
[0063] Access verification information is further determined based on at least one of the following: user identification ID, service identification ID, source port information, destination port information, target service URL information, and protocol number information. In the process by which the intermediate node compares the access verification information and the access authentication information, each information field of the access verification information and the access authentication information is compared.
[0064] A successful verification result means that the access verification information and access authentication information match, while a failed verification result means that the access verification information and access authentication information do not match.
[0065] Referring to Figure 4, Figure 4 is a flowchart of a service access control method according to another embodiment of the present application, which includes, but is not limited to, step S301.
[0066] Step S301: If the access request message is the first access request message, the intermediate node forwards the first access request message directly to the next node.
[0067] The first access request message indicates that the user node is making its initial access request.
[0068] In some embodiments, if an access request message is the first access request message, it indicates that the access request message is the user node's initial access request, and the intermediate node does not need to perform verification and may forward the first access request message directly to the next node.
[0069] In some embodiments, the intermediate node may be an access point in the transmission path of the access request message, or it may be a relay node in the transmission path of the access request message. Both the access point and the relay node may compare the access verification information with the access authentication information, thereby enabling active, near-source defense of the application by the network and avoiding the shortcomings of single-point defense.
[0070] In some embodiments, the relay network key management device 422 performs trust negotiation with the contracted access network key management device to confirm that key derivation is possible. The access network key management device then derives a relay domain key based on the relay domain identifier and the access domain key. The relay network key management device 422 synchronizes the relay domain key with the relay gateway. Therefore, in this embodiment, the key for the relay node is transmitted to the relay node by the key management device of the node immediately preceding the relay node, and the key for the relay node is determined by the key management device of the preceding node based on the identifier of the relay node and the key of the preceding node.
[0071] Referring to Figure 5, Figure 5 is a flowchart of a service access control method according to another embodiment of the present invention, which is applied to a server node in the system architecture of Figure 1, but is not limited thereto. The service access control method includes, but is not limited to, steps S401 to S405.
[0072] Step S401: The server node receives an access request message sent from the user node.
[0073] Step S402: If the access request message is a second access request message, the server node obtains access authentication information and IP address information from the second access request message.
[0074] The second access request message indicates that the user node is making a non-initial access request.
[0075] Step S403: The server node determines access verification information based at least on its own node's key and IP address information.
[0076] Step S404: The server node compares the access verification information and the access authentication information to determine the verification result of the second access request message.
[0077] Step S405: If the validation result is a successful validation result, the server node returns the service to the user node.
[0078] In some embodiments, the server node receives an access request message sent from the user node and determines whether the message is the first access request message sent by the user node. If it determines that the access request message is a second access request message, the server node must obtain access authentication information and IP address information from the second access request message and verify the second access request message. Subsequently, the server node determines access verification information based on at least its own node's key and IP address information and verifies the second access request message. Finally, if the verification result is a successful verification result, i.e., the access verification information and access authentication information match, it indicates that the second access request message has already been authenticated, and the server node returns the service to the user node. This enhances the security of communications and enables coordinated protection of services by the network.
[0079] If the verification result is a failure, it indicates that the second access request message is not authenticated and may contain malicious traffic or dangerous information. In this case, the server node rejects the second access request message sent from the user node and denies the access request.
[0080] Access authentication information is further determined based on at least one of the following: user identification ID, service identification ID, source port information, destination port information, target service URL information, and protocol number information. In the process by which the server node compares access verification information and access authentication information, each information field of the access verification information and access authentication information is compared.
[0081] A successful verification result means that the access verification information and access authentication information match, while a failed verification result means that the access verification information and access authentication information do not match.
[0082] Referring to Figure 6, which is a flowchart of a service access control method according to another embodiment of the present application, including, but not limited to, steps S501 to S504.
[0083] Step S501: If the access request message is the first access request message, the server node obtains IP address information from the first access request message.
[0084] Step S502: The server node decides whether to allow the user node to be granted access privileges based on the status information.
[0085] The status information includes at least one of the following: the user's current trust level, connection status information, the application's current load level, the network's current link congestion level, and the service access control list.
[0086] Step S503: If it is decided to grant access privileges to the user node, the server node determines the access authentication information based on at least its own node's key and IP address information.
[0087] In some embodiments, during the process of determining access authentication credentials, the server node first decides whether to allow the access, that is, whether to grant access privileges to the user node based on state information. State information is relevant information obtained by the server node from each trust domain. If it decides to grant access privileges to the user node, the server node determines the access authentication credentials based on at least its own node's key and IP address information. This allows the server node to uniformly decide whether to grant users access privileges to the service.
[0088] Step S504: The server node sends a first response message back to the user node.
[0089] The first response message includes access authentication information and identification information. The access authentication information is determined based on at least the server node's key and the IP address information, and the identification information includes identifiers of nodes other than the access point through which the first access request message passed.
[0090] In some embodiments, if the access request message is the first access request message, the server node obtains IP address information from the first access request message and uniformly decides whether to grant access to the user based on multi-domain information such as the user's current trust level, connection status information, the application's current load status, the network's current link congestion status, and service access control lists. The server node then determines access authentication information based on at least its own key and IP address information and decides whether the first access request message is accessible. Finally, the server node sends a first response message back to the user node, which includes access authentication information and identification information for the user node to store.
[0091] The user's current trustworthiness is determined by a trustworthiness score based on their past access behavior. Connection status information includes, but is not limited to, the connection location and connected device. The application's current load status represents the resource usage, such as memory and CPU.
[0092] In some embodiments, the service network key management device 320 performs trust negotiation with the contracted relay network key management device 422 to confirm that key derivation is possible. Subsequently, the relay network key management device 422 derives a service domain key based on the service domain identifier and the relay domain key. The service network key management device 320 synchronizes the service domain key with the service gateway 310 and the application service authentication server 330. Thus, the server node's key is sent to the server node by the key management device of the node immediately preceding the server node and generated by the key management device of the preceding node based on the server node's identifier and the key of the preceding node.
[0093] In some embodiments, access authentication information is further determined based on at least one of the following: user identification ID, service identification ID, source port information, destination port information, target service URL information, and protocol number information.
[0094] In some embodiments, access verification information is further determined based on at least one of the following: user identification ID, service identification ID, source port information, destination port information, target service URL information, and protocol number information.
[0095] To more clearly explain the process of service access control, an example is provided below.
[0096] Example 1: In Example 1, the service access control method will be explained using the structure of the service access control system 100 shown in Figure 1 as an example.
[0097] In this example, after system startup, the access network key management device, the relay network key management device 422, and the service network key management device 320 each perform trust negotiation and determine that trust-based collaboration is possible according to their respective agreements. The access network key management device derives the relay domain key MSK2 = KDF(MSK1, BR_ID) based on the randomly generated access network key MSK1 and the relay domain identifier BR_ID.
[0098] Next, the relay network key management device 422 derives the service domain identifier MSK3 = KDF(MSK2, SR_ID) based on the relay domain key MSK2 and the service domain identifier SR_ID. After deriving the key, each domain key management device synchronizes the corresponding domain key to the gateway within each domain in order to perform subsequent forwarding verification. The service domain key management device simultaneously synchronizes the service domain key MSK3 to the application service authentication server 330.
[0099] After receiving a user's request for permission to access an application, server node 300 coordinates information from each domain to make a comprehensive decision on whether to grant the user's access. If permission is granted, server node 300 generates application access authentication information and grants authorization to user node 200. Service authentication server 330 makes a unified decision on whether to allow the user to access the application based on multi-domain information such as the user's current trust level (trust scoring based on the user's past access behavior), connection status information (connection location, connected device, etc.), the application's current load status (based on resource usage such as memory and CPU), the current network link congestion status, and service access control lists. The service access control list supports filtering based on source IP, destination IP, source port (optional), destination port (optional), protocol number (optional), URL (optional), user identification ID (optional), application identification ID (optional), etc. It also supports filtering based on source address range (IP + mask) and destination address range (IP + mask) to facilitate subnet-level access control. For example, if the source IP is 10.1.1.1 and the destination IP is 20.1.1.1, access to user node 200 is allowed; if the source IP is 10.2.1.0 / 24 and the destination IP is 20.2.1.0 / 24, access to user node 200 is allowed; and if the source IP is 10.3.0.0 / 16 and the destination IP is 20.3.1.0 / 24, access to user node 200 is denied. In this embodiment, there are no specific restrictions on the settings of the source and destination IPs.
[0100] When granting access to user node 200, server node 300 generates application access authentication information Credential=KDF(MSK3,IPs,IPd) based on information such as the service domain key, user source address, target service address, user identification ID (optional), service identification ID (optional), source port (optional), destination port (optional), protocol number (optional), and target URL (optional). The application access authentication information is relayed via service gateway 310, and authorization is granted to user node 200.
[0101] Referring to Figure 7, which is a sequence diagram of a service access control method according to an example of the present invention, including, but not limited to, steps 1001 to 1018.
[0102] Here, steps 1001-1003 are the system-level collaboration key derivation process before the user node accesses the application, and steps 1004-1011 are the service authentication process when the user accesses the application for the first time.
[0103] Step 1001: When the system starts up, the access network key management device generates the access domain key MSK1 and synchronizes it with the access gateway.
[0104] Step 1002: The relay network key management device performs trust negotiation with the contracted access network key management device to confirm that key derivation is possible. The access network key management device then derives the relay domain key MSK2 based on the relay domain identifier and access domain key MSK1. The relay network key management device synchronizes the relay domain key MSK2 with the relay gateway.
[0105] Step 1003: The service network key management device negotiates trust with the contracted relay network key management device to confirm that key derivation is possible. The relay network key management device then derives the service domain key MSK3 based on the service domain identifier and the relay domain key MSK2. The service network key management device synchronizes the service domain key MSK3 with the service gateway and the application service authentication server.
[0106] Step 1004: The user node initiates its first access to the application, and the access gateway and relay gateway each determine that this is the first message and forward it. The determination method may be based on the local cache table, or on whether the protocol field or the authentication information field Credential in the message is 0.
[0107] Step 1005: Based on the same method as above, the service gateway determines, after receiving an application access request, that the user is accessing the application for the first time.
[0108] Step 1006: Forward this message to the service authentication server and request authentication for this access.
[0109] Step 1007: After receiving an access authentication request, the service authentication server first decides whether to grant access. Based on relevant information obtained from each trust domain, such as the user's current trust level, connection status information, the application's current load status, the network's current link congestion status, and multi-domain information such as service access control lists, the service authentication server makes a unified decision on whether to allow the user to access the service.
[0110] Step 1008: If access is permitted, the service authentication server generates application access authentication information for this access. The service authentication server 330 generates application access authentication information based on the service domain key and information such as the user source address, target service address, user identification ID (optional), service identification ID (optional), source port (optional), destination port (optional), protocol number (optional), and target URL (optional).
[0111] Step 1009: The service authentication server returns a service request response message to the user. This service request response message includes authenticated application access authentication information and information such as the relay domain identifier BR_ID and service domain identifier SR_ID used in this access.
[0112] Step 1010: The service gateway sends a message to the user node containing authenticated application access credentials and information such as the relay domain identifier BR_ID and service domain identifier SR_ID used in this access.
[0113] Step 1011: The user node stores the authenticated access credentials and related information.
[0114] Steps 1012-1018 are the collaborative transfer verification process that takes place when the user subsequently accesses the application.
[0115] Step 1012: The user node continues to access the application, and the message includes authenticated application access credentials, as well as information such as the relay domain identifier BR_ID and service domain identifier SR_ID used in this access.
[0116] Step 1013: After receiving the data message, the access gateway generates a temporary verification credential based on the BR_ID, SR_ID, source IPs, destination IPd, etc. in the message and the locally stored access domain key MSK1. It compares whether the temporary verification credential is equal to the credential field in the message. If they are equal, the verification result is considered a pass.
[0117] Step 1014: The access gateway forwards the application access request message after verification is successful. Otherwise, it rejects the access request.
[0118] Step 1015: After receiving the service request, the relay gateway performs verification in the same manner, namely generating a temporary verification credential based on the SR_ID, source IPs, destination IPd, etc. in the message and the locally stored service domain key MSK2. It compares whether the temporary verification credential is equal to the credential field in the message. If they are equal, the verification result is considered a pass.
[0119] Step 1016: The relay gateway forwards the application access request message after the verification is successful. Otherwise, it rejects the access request.
[0120] Step 1017: After receiving the service request, the service gateway verifies the access credentials. Specifically, it generates a temporary verification credential, Credential=KDF(MSK3,IPs,IPd), based on the locally stored service domain key MSK3 and the source IPs and destination IPd in the message. It then compares whether the temporary verification credential, Credential, is equal to the credential field in the message. If they are equal, the verification result is considered a pass.
[0121] Step 1018: The service gateway forwards the application access request message to the corresponding application after the verification is successful. Otherwise, it rejects the access request.
[0122] Example 2: In some scenarios, user node 200 may access applications within the service network via a direct access network, bypassing relay node 420.
[0123] Referring to Figure 8, Figure 8 is a schematic diagram of a system architecture for implementing a service access control method according to an example of the present invention.
[0124] In some embodiments, the service access control system 100 includes, but is not limited to, a user node 200, a server node 300, and an access point 410. Here, the access point 410 includes an access network key management device and an access gateway 411, the server node 300 includes a service network key management device 320, a service gateway 310, and a service authentication server 330, and the access point 410 communicates with the user node 200 and the server node 300, respectively.
[0125] In this scenario, the collaborative access control processing flow is basically similar to Example 1, but with some differences in the key derivation and transfer verification processes.
[0126] Referring to Figure 9, which is a sequence diagram of a service access control method according to another example of the present application, applied to the service access control system 100 of Figure 8, the service access control method includes, but is not limited to, steps 2001 to 2014.
[0127] Step 2001: After the system starts up, the access network key management device and the service network key management device will collaborate based on trust.
[0128] Step 2002: The access network key management device derives the service domain key MSK2 = KDF(MSK1, SR_ID) based on the randomly generated access network key MSK1 and the service domain identifier SR_ID.
[0129] Step 2003: The user node initiates its first access to the application.
[0130] Step 2004: After receiving an application access request, the service gateway determines that the user is accessing the application for the first time.
[0131] Step 2005: Forward this message to the service authentication server and request authentication for this access.
[0132] Step 2006: After receiving an access authentication request, the service authentication server first decides whether to allow the access. Based on relevant information obtained from each trust domain, such as the user's current trust level, connection status information, the application's current load status, the network's current link congestion status, and multi-domain information such as the service access control list, the service authentication server 330 makes a unified decision on whether to allow the user to access the service.
[0133] Step 2007: If access is permitted, the service authentication server generates application access credentials for this access. The service authentication server generates application access credentials based on information such as the service domain key and the user source address, target service address, user identification ID (optional), service identification ID (optional), source port (optional), destination port (optional), protocol number (optional), and target URL (optional).
[0134] Step 2008: The service authentication server returns a service request response message to the user. This service request response message contains information such as authenticated application access credentials and the service domain identifier SR_ID.
[0135] Step 2009: The user node stores authenticated access credentials and related information.
[0136] Step 2010: The user node makes an application access request, which includes authenticated application access credentials and associated identifiers.
[0137] Step 2011: After receiving the application access request message, the access gateway generates a temporary verification credential (Credential) based on the SR_ID, source IPs, destination IPd, etc. in the message, and the locally stored access domain key MSK1. It compares whether the temporary verification credential (Credential) is equal to the credential field (Credential) in the message. If they are equal, the verification result is considered a pass.
[0138] Step 2012: The access gateway forwards the application access request message after verification is successful. Otherwise, it rejects the access request.
[0139] Step 2013: After receiving the service request, the service gateway authenticates the access credentials. Specifically, it generates a temporary validation credentials Credential=KDF(MSK2,IPs,IPd) based on the locally stored service domain key MSK2 and the source IPs and destination IPd in the message, and compares whether the temporary validation credentials Credential are equal to the credentials field Credential in the message. If they are equal, the validation result is considered a pass.
[0140] Step 2014: The service gateway forwards the application access request message to the corresponding application after the verification is successful. Otherwise, it rejects the access request.
[0141] In Example 2, after the system starts up, the access network key management device and the service network key management device collaborate based on trust. The access network key management device derives the service domain key MSK2 = KDF(MSK1, SR_ID) based on the randomly generated access network key MSK1 and the service domain identifier SR_ID. After key derivation is complete, the service domain key management device synchronizes the service domain key MSK2 with the service gateway and the application service authentication server.
[0142] In some embodiments, after the access gateway 411 receives the application access request message in step 2011, the forwarding authentication process is as follows: First, MSK2=KDF(MSK1,SR_ID) is calculated based on the SR_ID in the message and the locally stored access domain key MSK1. Next, temporary verification credentials Credential=KDF(MSK2,IPs,IPd) are generated based on MSK2 and source IPs, destination IPd, etc. Finally, the temporary verification credentials Credential are compared to the credentials field Credential in the message to see if they are equal. If they are equal, the verification result is a pass. If the verification fails, the message forwarding is blocked. The verification process for the service gateway 310 is the same as in Example 1.
[0143] Example 3: In some scenarios, when a user node 200 accesses an application, it may connect to the network via multiple relay nodes 420 and access applications within the service network.
[0144] Referring to Figure 10, which is a schematic diagram of a system architecture for implementing a service access control method according to another example of the present invention.
[0145] In some embodiments, the service access control system 100 includes, but is not limited to, a user node 200, a server node 300, an access point 410, and a number of relay nodes 420 (Figure 11 shows two relay nodes 420 as an example, referred to as relay node 1 and relay node 2, respectively). Here, the access point 410 includes an access network key management device and an access gateway 411, the server node 300 includes a service network key management device 320, a service gateway 310, and a service authentication server 330, and each relay node 420 includes a relay network key management device 422 and a relay gateway. The access point 410 is communicated with the user node 200 and the relay nodes 420, respectively, and the relay nodes 420 are communicated with the server node 300.
[0146] In this scenario, the collaborative access control processing flow is basically similar to Example 1, but with some differences in the key derivation and transfer verification processes.
[0147] Referring to Figure 11, Figure 11 is a sequence diagram of a service access control method according to another example of the present application, which is applied to the service access control system 100 of Figure 10, and the service access control method includes, but is not limited to, steps 3001 to 3021.
[0148] Step 3001: After the system starts up, the access network key management device, the relay network 1 key management device, the relay network 2 key management device, and the service network key management device each conduct trust negotiations and determine that trust-based collaboration is possible in accordance with their respective agreements.
[0149] Step 3002: The access network key management device derives the relay domain key MSK2 = KDF(MSK1, BR_ID1) based on the randomly generated access network key MSK1 and relay domain identifier BR_ID1.
[0150] Step 3003: The relay network 1 key management device derives the relay domain 2 key MSK3 = KDF(MSK2, BR_ID2) based on the relay domain 1 key MSK2 and the relay domain 2 identifier BR_ID2.
[0151] Step 3004: The relay network 2-key management device derives the service domain key MSK4 = KDF(MSK3, SR_ID) based on the relay domain 2-key MSK3 and the service domain identifier SR_ID.
[0152] Step 3005: The user node initiates its first access to the application, and the access gateway and relay gateway each determine that this is the first message and forward it. The determination of whether it is the first message may be based on the local cache table, or on whether the protocol field or the authentication information field Credential in the message is 0.
[0153] Step 3006: Based on the same method as above, the service gateway determines, after receiving an application access request, that the user is accessing the application for the first time.
[0154] Step 3007: Forward this message to the service authentication server and request authentication for this access.
[0155] Step 3008: After receiving an access authentication request, the service authentication server first decides whether to grant access. Based on relevant information obtained from each trust domain, such as the user's current trust level, connection status information, the application's current load status, the network's current link congestion status, and multi-domain information such as service access control lists, the service authentication server makes a unified decision on whether to allow the user to access the service.
[0156] Step 3009: If access is permitted, the service authentication server generates application access authentication information for this access. The service authentication server 330 generates application access authentication information based on the service domain key and information such as the user source address, target service address, user identification ID (optional), service identification ID (optional), source port (optional), destination port (optional), protocol number (optional), and target URL (optional).
[0157] Step 3010: The service authentication server returns a service request response message to the user. This service request response message includes authenticated application access authentication information and information such as the relay domain identifier BR_ID and service domain identifier SR_ID used in this access.
[0158] Step 3011: The service gateway sends a message to the user node containing authenticated application access credentials and information such as the relay domain identifier BR_ID and service domain identifier SR_ID used in this access.
[0159] Step 3012: The user node stores the authenticated access credentials and related information.
[0160] Step 3013: The user node continues to access the application, and the message includes authenticated application access credentials, as well as information such as the relay domain identifier BR_ID and service domain identifier SR_ID used in this access.
[0161] Step 3014: After receiving the data message, the access gateway generates a temporary verification credential based on the BR_ID, SR_ID, source IPs, destination IPd, etc. in the message and the locally stored access domain key MSK1. It compares whether the temporary verification credential is equal to the credential field in the message. If they are equal, the verification result is considered a pass.
[0162] Step 3015: The access gateway forwards the application access request message after verification is successful. Otherwise, it rejects the access request.
[0163] Step 3016: Relay gateway node 1 receives the application access request and performs forwarding verification.
[0164] Step 3017: If verification is successful, send the application access request to relay gateway node 2.
[0165] Step 3018: Relay gateway node 2 receives the application access request and performs forwarding verification.
[0166] Step 3019: If verification is successful, forward the application access request message. Otherwise, reject the access request.
[0167] Step 3020: After receiving the service request, the service gateway authenticates the access credentials, that is, it generates a temporary verification credential Credential=KDF(MSK4,IPs,IPd) based on the locally stored service domain key MSK4 and the source IPs, destination IPd, etc. in the message, and compares whether the temporary verification credential Credential is equal to the credential field in the message. If they are equal, the verification result is considered a pass.
[0168] Step 3021: The service gateway forwards the application access request message to the corresponding application after the verification is successful. Otherwise, it rejects the access request.
[0169] In Example 3, after the system starts up, the access network key management device, the relay network 1 key management device, the relay network 2 key management device, and the service network key management device 320 each perform trust negotiation and determine that trust-based collaboration is possible according to their mutual agreements. The access network key management device derives the relay domain key MSK2=KDF(MSK1,BR_ID1) based on the randomly generated access network key MSK1 and the relay domain identifier BR_ID1. Then, the relay network 1 key management device derives the relay domain 2 key MSK3=KDF(MSK2,BR_ID2) based on the relay domain 1 key MSK2 and the relay domain 2 identifier BR_ID2. The relay network 2 key management device derives the service domain key MSK4=KDF(MSK3,SR_ID) based on the relay domain 2 key MSK3 and the service domain identifier SR_ID. After deriving the keys, each domain key management device synchronizes the corresponding domain key to the gateway within each domain in order to perform subsequent forwarding verification. The service domain key management device simultaneously synchronizes the service domain key MSK4 with the application service authentication server 330.
[0170] In some embodiments, the transfer verification process from steps 3016 to 3018 is as follows:
[0171] The access gateway 411 performs forwarding verification on received application access requests. First, it calculates MSK2=KDF(MSK1,BR_ID1) based on the relay domain 1 identifier BR_ID1 in the message and the locally stored access domain key MSK1. Next, it calculates MSK3=KDF(MSK2,BR_ID2) based on MSK2 and the relay domain 2 identifier BR_ID2 in the message. Furthermore, it calculates MSK4=KDF(MSK3,SR_ID) based on MSK3 and SR_ID. Finally, it generates temporary verification credentials Credential=KDF(MSK4,IPs,IPd) based on MSK4, source IPs, and destination IPd. Lastly, it compares whether the temporary verification credentials Credential are equal to the credentials field Credential in the message. If they are equal, the verification result is considered a pass. If the verification fails, the message forwarding is blocked.
[0172] Relay Gateway 1 receives an application access request and performs forwarding verification. First, it calculates MSK3=KDF(MSK2,BR_ID2) based on the locally stored MSK2 and the relay domain 2 identifier BR_ID2 in the message. Next, it calculates MSK4=KDF(MSK3,SR_ID) based on MSK3 and SR_ID. Finally, it generates temporary verification credentials Credential=KDF(MSK4,IPs,IPd) based on MSK4, source IPs, and destination IPd. Lastly, it compares whether the temporary verification credentials Credential are equal to the credentials field Credential in the message. If they are equal, the verification result is considered a pass. If the verification fails, the message forwarding is blocked.
[0173] Relay Gateway 2 receives the application access request and performs forwarding verification. First, it calculates MSK4=KDF(MSK3,SR_ID) based on the locally stored MSK3 and SR_ID, and then generates temporary verification credentials Credential=KDF(MSK4,IPs,IPd) based on MSK4, source IPs, and destination IPd. Finally, it compares whether the temporary verification credentials Credential are equal to the credentials field Credential in the message. If they are equal, the verification result is considered a pass. If the verification fails, the message forwarding is blocked.
[0174] Furthermore, as shown in Figure 12, the embodiment of the present application further provides electronic equipment.
[0175] In some embodiments, the electronic device includes one or more processors and memory, with Figure 12 illustrating one processor and memory. The processors and memory can be connected by a bus or other means, with Figure 12 illustrating a bus connection.
[0176] Memory stores one or more programs, and when one or more programs are executed by one or more processors, the one or more processors are made to implement the service access control method according to the embodiment of the present invention.
[0177] The memory may be used as a non-temporary computer-readable storage medium to store non-temporary software programs and non-temporary computer executable programs, such as the service access control method in the embodiment of the present application described above. The processor implements the service access control method in the embodiment of the present application described above by executing the non-temporary software programs and programs stored in the memory.
[0178] The memory may include a program storage area and a data storage area, the program storage area may store an operating system and application programs necessary for at least one function, and the data storage area may store data necessary for performing the service access control method in the embodiments of the present application described above. Furthermore, the memory may include high-speed random access memory and non-temporary memory, such as at least one disk storage device, flash memory device, or other non-temporary solid-state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the electronic device via a network. Examples of networks described above include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
[0179] The non-temporary software programs and instructions necessary to implement the service access control method in the above-described embodiment are stored in memory and, when executed by the processor, realize the service access control method in the above-described embodiment.
[0180] The processor and memory may be connected by a bus or other means.
[0181] Furthermore, embodiments of the present application provide a computer-readable storage medium. A computer-executable program is stored on this computer-readable storage medium, and when this computer-executable program is executed by one or more control processors, for example, one processor in Figure 12, the aforementioned one or more processors can implement the service access control method according to embodiments of the present application.
[0182] Furthermore, one embodiment of the present invention provides a computer program product. This computer program product includes a computer program or computer instruction, which is stored on a computer-readable storage medium, and a centralized management unit of a computer device reads the computer program or computer instruction from the computer-readable storage medium, executes the computer program or computer instruction, and causes the computer device to implement the service access control method of the arbitrary embodiment described above.
[0183] Furthermore, each functional unit in each embodiment of the present application may be integrated into a single processing unit, each unit may exist physically independently, or two or more units may be integrated into a single unit. The above-described integrated unit may be implemented in hardware form, or in a form that combines hardware and software functional units.
[0184] The service access control method provided by the embodiment of the present invention has at least the following beneficial effects. The user node sends a first access request message containing IP address information to the server node, and the first access request message reaches the server node via at least one intermediate node. This enables the intermediate node in the network to perform stateless filtering of traffic for users accessing the application, thereby achieving active and near-source defense of the network to the application. This enables trust-based collaboration in accordance with the agreement between the user node, server node, and intermediate node. Subsequently, the user node receives a first response message from the server node containing access authentication information and identification information. Here, the first response message is obtained by the server node coordinating information from each domain and making a comprehensive decision on whether to allow the user's access this time, and if allowed, granting authority to the user node. This enables the determination and authentication of the user node's request message. Finally, the user node sends a second access request message to the server node containing access authentication information, identification information, and IP address information. This enables the identification of malicious traffic by performing coordinated verification of user access requests at multiple points on the network, realizing a process of coordinated forwarding verification of user access request messages, and allowing for coordinated defense of the service.
[0185] All or part of the steps of the methods disclosed above, the system may be implemented as software, firmware, hardware, and appropriate combinations thereof. Some or all physical components may be implemented as software, hardware, or integrated circuits (such as application-specific integrated circuits) executed by a centralized management unit (such as a centralized management unit, a digital signal centralized management unit, or a micro-centralized management unit). Such software may be distributed on computer-readable media, which may include computer storage media (or non-temporary media) and communication media (or temporary media). As is well known to those skilled in the art, the term “computer storage media” includes temporary and non-temporary, removable and non-removable media implemented in any method or technique for storing information (e.g., computer-readable instructions, data structures, program modules, or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory, or other memory technologies; CD-ROM, digital versatile disk (DVD), or other optical disk storage; magnetic cassette, magnetic tape, magnetic disk storage, or other magnetic storage devices; or any other media capable of storing desired information and accessible by a computer. Furthermore, as is well known to those skilled in the art, communication media typically include computer-readable instructions, data structures, program modules, or other data in modulated data signals such as carrier waves or other transmission mechanisms, and may include any information distribution media.
Claims
1. A service access control method, A user node sends a first access request message to a server node, the first access request message includes IP address information, the first access request message reaches the server node via at least one intermediate node, the at least one intermediate node includes an access point, and the first access request message indicates that the user node is making an initial access request. The steps include: the user node receiving a first response message returned from the server node, the first response message including access authentication information and identification information, the access authentication information being determined based on at least the server node's key and the IP address information, and the identification information including an identifier of another node other than the access point through which the first access request message passed; A method comprising the step of the user node sending a second access request message to the server node, wherein the second access request message includes the access authentication information, the identification information, and the IP address information.
2. The first access request message reaches the server node only via the access point, and the identification information includes the identifier of the server node. or The method according to claim 1, wherein the first access request message reaches the server node via the access point and at least one relay node, and the identification information includes an identifier for each of the relay nodes and an identifier for the server node.
3. The method according to claim 2, wherein the key of any relay node is transmitted to the relay node by the key management device of the preceding node, and the key of the relay node is determined by the key management device of the preceding node based on the identifier of the relay node and the key of the preceding node.
4. The method according to claim 1, wherein the key for the server node is transmitted to the server node by the key management device of the node immediately preceding the server node, and is generated by the key management device of the node immediately preceding the server node based on the identifier of the server node and the key of the node immediately preceding the server node.
5. The method according to claim 1, wherein the access authentication information is further determined based on at least one of a user identification ID, a service identification ID, source port information, destination port information, target service URL information, and protocol number information.
6. A service access control method, The intermediate node receives an access request message sent from the user node, If the access request message is a second access request message, the intermediate node obtains access authentication information, an identifier of an unreachable node, and IP address information from the second access request message, wherein the second access request message indicates that the user node is making a non-first access request. The intermediate node determines access verification information based on at least its own node's key, the identifier of the unreachable node, and the IP address information. The intermediate node compares the access verification information and the access authentication information to obtain the verification result of the second access request message, A method comprising the step of, if the verification result is a successful verification result, the intermediate node forwards the second access request message to the next node.
7. If the access request message is a first access request message, the intermediate node further includes the step of forwarding the first access request message directly to the next node. The method according to claim 6, wherein the first access request message indicates that the user node is making an initial access request.
8. The method according to claim 6, wherein the access verification information is further determined based on at least one of a user identification ID, a service identification ID, source port information, destination port information, target service URL information, and protocol number information.
9. The method according to claim 6, wherein the intermediate node is an access point or relay node in the transmission path of the access request message.
10. The method according to claim 9, wherein the key of the relay node is transmitted to the relay node by the key management device of the node immediately preceding the relay node, and the key of the relay node is determined by the key management device of the node immediately preceding the relay node based on the identifier of the relay node and the key of the node immediately preceding the relay node.
11. A service access control method, The server node receives an access request message sent from the user node, If the access request message is a second access request message, the server node obtains access authentication information and IP address information from the second access request message, wherein the second access request message indicates that the user node is making a non-first access request. The server node determines access verification information based on at least its own node's key and the IP address information. The server node compares the access verification information and the access authentication information and determines the verification result of the second access request message, A method comprising the step of, if the verification result is a successful verification result, the server node returns a service to the user node.
12. If the access request message is a first access request message, the server node takes the step of obtaining IP address information from the first access request message. The server node determines the access authentication information based on at least its own node's key and the IP address information. The method according to claim 11, comprising the step of the server node returning a first response message to the user node, wherein the first response message includes access authentication information and identification information, the access authentication information is determined based on at least the server node's key and the IP address information, and the identification information includes an identifier of another node other than the access point through which the first access request message passed.
13. The step in which the server node determines the access authentication information based on at least its own node's key and the IP address information is: The server node determines, based on state information, whether to grant access privileges to the user node, wherein the state information includes at least one of the user's current trust level, connection status information, the current load level of the application, the current link congestion level of the network, and a service access control list. The method according to claim 12, further comprising the step of the server node determining the access authentication information based on at least its own node's key and the IP address information, if it decides to allow the granting of access rights to the user node.
14. The method according to claim 11 or 12, wherein the key for the server node is transmitted to the server node by the key management device of the node immediately preceding the server node, and is generated by the key management device of the node immediately preceding the server node based on the identifier of the server node and the key of the node immediately preceding the server node.
15. The method according to claim 12, wherein the access authentication information is further determined based on at least one of a user identification ID, a service identification ID, source port information, destination port information, target service URL information, and protocol number information.
16. The method according to claim 11, wherein the access verification information is further determined based on at least one of a user identification ID, a service identification ID, source port information, destination port information, target service URL information, and protocol number information.
17. It is an electronic device, One or more processors, Includes memory in which one or more programs are stored, When the one or more programs are executed by the one or more processors, the one or more processors will: A service access control method according to any one of claims 1 to 5, A service access control method according to any one of claims 6 to 10, An electronic device that implements the service access control method described in any one of claims 11 to 16.
18. A computer-readable storage medium on which a computer program is stored, When the aforementioned program is executed by the processor, A service access control method according to any one of claims 1 to 5, A service access control method according to any one of claims 6 to 10, A computer-readable storage medium that implements the service access control method described in any one of claims 11 to 16.