CN109302432B - Network communication data combination encryption transmission method based on network security isolation technology - Google Patents


Info

Publication number: CN109302432B
Authority: CN (China)
Prior art keywords: network, nth, communication, security isolation, communication data
Legal status: Active
Application number: CN201811539057.3A
Other languages: Chinese (zh)
Other versions: CN109302432A
Inventor: 何书霞
Current assignee: Individual
Original assignee: Individual

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 … for separating internal from external traffic, e.g. firewalls
            • H04L63/04 … for providing a confidential data exchange among entities communicating through data packet networks
                • H04L63/0428 … wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/0435 … wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                    • H04L63/0442 … wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/06 … the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
                    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
            • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
                • H04L9/3006 … underlying computational problems or public-key parameters
                    • H04L9/302 … involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes

Abstract

A combined encryption transmission method for network communication data based on network security isolation technology. A first network security isolation device is connected to both a first network and an external network, a second network security isolation device is connected to both a second network and the external network, …, and an Nth network security isolation device is connected to both an Nth network and the external network, where N is a positive integer greater than or equal to 2. The first network comprises a first network communication device and a first key group, the second network comprises a second network communication device and a second key group, and likewise the Nth network comprises an Nth network communication device and an Nth key group. The invention isolates malicious attacks from the external network and establishes a local secure and trusted network: even if the two communicating parties, or the networks they are located in, have vulnerabilities, malicious attacks cannot reach the encryption and decryption process of the communication data or the key groups, while the AES advanced encryption algorithm or the RSA encryption algorithm used with keys of more than 128 bits keeps the communication data encrypted, so that the trustworthiness of the encrypted transmission is ensured.

Description

Network communication data combination encryption transmission method based on network security isolation technology
Technical Field
The invention relates to methods for the encrypted transmission of network communication data, and in particular to a combined encryption transmission method for network communication data based on network security isolation technology.
Background
Encrypted transmission of network communication data is the cornerstone of trusted network communication, and the key used for that encryption is the core of the security protection during transmission. A high-complexity key combined with an encryption algorithm of sufficient strength, for example keys of more than 128 bits used with the AES advanced encryption algorithm or the RSA encryption algorithm, can ensure that encrypted communication data is not broken within its effective time. Under normal conditions, however, both communicating parties, or the networks they are located in, are connected to the external network. If vulnerabilities or similar weaknesses expose the network communication equipment or those networks to malicious attacks from the external network, either party's key can be stolen, or the communication equipment can be fully controlled by the attacker and its encryption and decryption processes interfered with, so that the encrypted transmission of the network communication data is no longer trustworthy.
At present, the technical field offers no effective scheme that isolates the communicating parties, or the networks they are located in, from malicious attacks originating in the external network, and thereby builds a secure and trusted local network for the keys and the encryption and decryption processes used in the encrypted transmission of network communication data.
Network security isolation technology means realizing information exchange and resource sharing between two or more computers or networks on the basis that they are disconnected; its aim is to complete the secure exchange of data between networks while keeping harmful attacks outside the trusted network and ensuring that information inside the trusted network is not leaked. The core of network isolation technology is physical isolation: two networks whose link layers are disconnected can still interact and share data within a trusted environment by means of special hardware and a security protocol. According to the isolation technique used, network security isolation technology is divided into five categories: the single-board security isolation computer, the network security isolation card, the network security concentrator, the gatekeeper and the optical gate. Among these, the gatekeeper, whose core concept is the security island technique, and the optical gate, whose core concept is feedback-free one-way transmission, together with other network security isolation devices, are widely used in government and finance and are commonly deployed where the internal networks of governments and financial institutions connect to the internet, to protect the internal networks from illegal intrusion.
At present, network isolation devices such as optical gates and gatekeepers are mostly used in the technical field to build an internal trusted network and exchange data with an external network; their high security has not yet been applied to the field of encrypted transmission of network communication data, that is, to building a secure and trusted local network for the two communicating parties.
Disclosure of Invention
To address these problems, the invention provides a combined encryption transmission method for network communication data based on network security isolation technology. It applies network security isolation technology to the field of encrypted transmission of network communication data, isolates the two communicating parties and the networks they are located in from the external network, establishes a local secure and trusted network, and thereby solves the problem that, during the encrypted transmission of communication data, the network environment holding the key storage and the encryption and decryption processes cannot be trusted because of malicious attacks from the external network and similar threats.
In order to achieve the purpose, the invention adopts the following technical scheme:
the network communication data combination encryption transmission method based on the network security isolation technology uses a network security isolation device and network communication equipment, and is characterized in that:
the first network security isolation device is connected to both a first network and an external network, the second network security isolation device is connected to both a second network and the external network, …, and the Nth network security isolation device is connected to both the Nth network and the external network, where N is a positive integer greater than or equal to 2; the first network comprises a first network communication device and a first key group, the second network comprises a second network communication device and a second key group, and likewise the Nth network comprises an Nth network communication device and an Nth key group;
each of the first, second, …, Nth network security isolation devices is an optical gate, a gatekeeper based on the security island technique, or another security isolation device not based on a mutual-exclusion switch technique;
the external network and the first, second, …, Nth networks are communication networks based on the TCP/IP protocol, or other communication networks based on one or more digital communication protocols;
the first, second, …, Nth networks may each include one or more other network devices besides the network communication device, or no other network device;
each key group consists of one or more keys, and the keys are preferably more than 128 bits;
the communication data sent by the first network communication device is encrypted in the first network using the first key group and transmitted to the first network security isolation device; the first network security isolation device exchanges the data encrypted with the first key group to the external network; the data travels over the external network to the second network security isolation device; the second network security isolation device exchanges it to the second network; and finally the data encrypted with the first key group is decrypted in the second network using the second key group and delivered to the second network communication device, completing the encrypted transmission of communication data from the first to the second network communication device;
the communication data sent by the first network communication device is encrypted in the first network using the first key group and transmitted to the first network security isolation device; the first network security isolation device exchanges the data encrypted with the first key group to the external network; the data travels over the external network to the Nth network security isolation device; the Nth network security isolation device exchanges it to the Nth network; and finally the data encrypted with the first key group is decrypted in the Nth network using the Nth key group and delivered to the Nth network communication device, completing the encrypted transmission of communication data from the first to the Nth network communication device;
By analogy, when any network communication device, the mth (where m is a positive integer less than or equal to N), performs encrypted transmission of communication data with any other, the nth (where n is a positive integer less than or equal to N and not equal to m), the communication data sent by the mth network communication device is encrypted in the mth network using the mth key group and transmitted to the mth network security isolation device; the mth network security isolation device exchanges the data encrypted with the mth key group to the external network; the data travels over the external network to the nth network security isolation device; the nth network security isolation device exchanges it to the nth network; and finally the data encrypted with the mth key group is decrypted in the nth network using the nth key group and delivered to the nth network communication device, completing the encrypted transmission of communication data from the mth to the nth network communication device;
the encryption and decryption of the communication data during the encrypted transmission of network communication data use the AES advanced encryption algorithm, the RSA encryption algorithm, or another encryption algorithm.
The first network comprises the module or equipment of the first network security isolation device that is isolated from the external network, the second network comprises the module or equipment of the second network security isolation device that is isolated from the external network, and likewise the Nth network comprises the module or equipment of the Nth network security isolation device that is isolated from the external network.
Due to the adoption of the technical scheme, the invention has the following positive effects:
1. The invention uses network security isolation devices to isolate the communicating parties and their networks from the external network, keeps malicious attacks from the external network out, and establishes a local secure and trusted network. Even if the communicating parties or their networks have vulnerabilities, a malicious attack still cannot reach the encryption and decryption process of the communication data or the key groups; at the same time, the high-complexity AES advanced encryption algorithm or RSA encryption algorithm with keys of more than 128 bits ensures that the encrypted communication data is not cracked within its effective time. Together these guarantee the trustworthiness of the encrypted transmission of network communication data.
2. If the key group is deployed in a module or equipment directly connected to the network security isolation device and the local trusted network, and that module or equipment performs the encryption and decryption of the communication data, then the network communication device can communicate with the network security isolation device using only the basic encryption of the underlying communication network, or even in plaintext, which reduces the manufacturing complexity and cost of the network communication device.
3. The invention uses a key group instead of a single key: one key can be used when communicating with one party and a different key when communicating with another party, so that the leakage of a single key does not make the whole system untrustworthy.
4. The invention can be used to build a confidential information transmission system over the internet or the mobile internet, for confidential information transmission by organizations and institutions such as enterprises and governments.
5. The method has a very wide range of application. It can be applied to car networking, for example to secure and make trustworthy the encrypted transmission of network communication data between vehicle-mounted equipment and the automatic driving cloud center, between vehicle-mounted equipment and the user control terminal, and between the user control terminal and the automatic driving cloud center; and it can be applied to smart home systems, for example to secure and make trustworthy the encrypted communication between smart home equipment and the user control terminal.
6. At present most smart home control systems of the major brands provide a control center such as a smart speaker. With the data encryption communication method of the invention, a security isolation device is placed where the smart home network, consisting of the smart home control center and the smart home equipment, connects to the home local area network, and a network security isolation device is placed where the user control terminal connects to the internet. The communication mode between the smart home equipment and the control center does not need to change; only the communication mode between the user control terminal and the smart home control center needs to be changed to the encrypted transmission method of the invention, so the method can be integrated into an existing smart home system.
Drawings
Fig. 1 is a schematic diagram of the network communication data combination encryption transmission system.
Fig. 2 is a schematic diagram of an application scenario of the smart home system according to the present invention.
Fig. 3 is a schematic diagram of an application scenario of the present invention in a car networking system.
Fig. 4 is a schematic diagram of a secret information encryption transmission system built by using the invention and relying on the internet.
Detailed Description
The network communication device referred to in the invention is generic: any device with the function of transmitting network communication data is a network communication device. The composition of the related combined encryption transmission system for network communication data is shown in fig. 1 and in the technical scheme described above, and is not described again.
It should be noted that:
the first network comprises the modules or devices of the first network security isolation device that are isolated from the external network, so the first key group can be stored in those modules or devices, and likewise the encryption and decryption of communication data sent by or to the first network communication device during the combined encryption of network communication data can be performed by those modules or devices;
the second network comprises the modules or devices of the second network security isolation device that are isolated from the external network, so the second key group can be stored in those modules or devices, and likewise the encryption and decryption of communication data sent by or to the second network communication device during the combined encryption of network communication data can be performed by those modules or devices;
similarly, the nth network comprises the modules or devices of the nth network security isolation device that are isolated from the external network, so the nth key group can be stored in those modules or devices, and likewise the encryption and decryption of communication data sent by or to the nth network communication device during the combined encryption of network communication data according to the invention can be performed by those modules or devices.
Three specific application examples are given below in conjunction with the technical scheme. Obviously the examples described are only a part of the invention; the parts not described, together with the technical scheme, all belong to the protection scope of the invention.
With reference to fig. 2, a schematic diagram of an application scenario of the present invention in an intelligent home system is shown, and a specific application example of the present invention in the intelligent home system is given, where N = 2.
The first network communication device is a user control terminal, which may be a smartphone, a wristband or similar; the first network is the user control terminal network formed by the user control terminals; the first network security isolation device connects the user control terminal network to the mobile internet or to a wifi network in a company or home, and can exchange data between them at the isolation strength of logical or physical isolation. The second network communication device is smart home equipment, such as a smart entrance door or a smart air conditioner; the second network is the smart home network formed by the smart home equipment; the second network security isolation device connects the smart home network to the home local area network, and can exchange data between them at the isolation strength of logical or physical isolation. The home local area network and the mobile internet or the company or home wifi networks are connected together through the internet, and these three networks together form the external network of this example.
Considering cost, portability, performance and so on, in this example the first network security isolation device may be a miniaturized gatekeeper based on the security island technique, for example one using a SCSI switch, a memory bus or unidirectional transmission, and the second network security isolation device may likewise be a miniaturized gatekeeper based on the security island technique, for example one using a SCSI switch, a memory bus or unidirectional transmission.
The first key group consists of one 128-bit key, is stored in the user control terminal, and is entered and set by the user through the user control terminal; the second key group is identical to the first, is stored in the smart home equipment, and is entered and set by the user through the smart home equipment.
In this example the encryption of network communication data uses the AES advanced encryption algorithm.
According to the technical scheme of the invention, communication data such as control commands sent from the user control terminal network to the smart home equipment is first encrypted in the user control terminal using the first key group and transmitted to the first network security isolation device; the first network security isolation device exchanges the data encrypted with the first key group to the mobile internet or to the company or home wifi network; the encrypted data then travels over the internet and the home local area network to the second network security isolation device; the second network security isolation device exchanges it to the smart home system network; and finally the data encrypted with the first key group is decrypted in the smart home equipment using the second key group. The control command sent by the user control terminal thus reaches the smart home equipment, which executes the corresponding operation.
According to the technical scheme, the deployment of this example likewise provides encrypted transmission of state data from the smart home equipment to the user control terminal; the details are not repeated here.
The deployment of the first and second network security isolation devices separates the user control terminal network, the user control terminal, the smart home system network and the smart home equipment from the external network formed by the home local area network, the internet, and the mobile internet or the company or home wifi network. Even if the user control terminal network, the user control terminal, the smart home system network or the smart home equipment has a vulnerability and is intruded and controlled, the deployed network security isolation devices keep malicious attacks from the external network out: an attacker cannot cross the security isolation device to steal a key or interfere with the encryption and decryption process, and the AES advanced encryption algorithm with a 128-bit key ensures that the encrypted transmission of control commands is trustworthy.
With reference to fig. 3, a schematic diagram of an application scenario of the present invention in a car networking system is shown, and a specific application example of the present invention in the car networking system is given, where N = 3.
The first network communication equipment is vehicle-mounted equipment, such as in-vehicle environment control equipment, automatic driving equipment and the like, the first network is a vehicle-mounted network formed by the vehicle-mounted equipment, the first network safety isolation device is installed in the vehicle and connected with the vehicle-mounted network and the mobile Internet, the first network safety isolation gateway can exchange data of the vehicle-mounted network and the mobile Internet under the isolation strength approaching or reaching physical isolation, the second network communication equipment is a user control terminal and can be a smart phone, a bracelet and the like, the user control terminal network formed by the second network user control terminals, the second network safety isolation device is connected with the user control terminal network and the mobile Internet, and the second network safety isolation device can exchange the user control terminal network and the mobile Internet under the isolation strength approaching or reaching physical isolation And the third network safety isolation device is connected with the automatic driving cloud center network and the internet, and can exchange data of the automatic driving cloud center network and the internet under the isolation strength close to or reaching physical isolation. The internet and the mobile internet are connected to each other to constitute an external network in this example.
In view of the problems of cost, portability, performance, etc., in this embodiment, the first network security isolation device is a miniaturized gatekeeper based on the secure island technology, such as a SCSI switch, a memory bus, and unidirectional transmission, the second network security isolation device is a miniaturized gatekeeper based on the secure island technology, such as a SCSI switch, a memory bus, and unidirectional transmission, and the third network security isolation device is an optical gate with high security and performance.
Each key group holds two 256-bit keys, one for each of the other two networks. The first key group is stored in the vehicle-mounted equipment: its first key encrypts communication data between the vehicle-mounted equipment and the automatic driving cloud center control server, and its second key encrypts communication data between the vehicle-mounted equipment and the user control terminal. The second key group is stored in the user control terminal: its first key is identical to the second key of the first key group (vehicle to terminal), and its second key encrypts communication data between the user control terminal and the automatic driving cloud center control server. The third key group is stored in the automatic driving cloud center control server: its first key is identical to the first key of the first key group (vehicle to cloud center), and its second key is identical to the second key of the second key group (terminal to cloud center). The three key groups are generated by Diffie-Hellman key exchange negotiated among the vehicle-mounted equipment, the automatic driving cloud center server and the user control terminal.
In this embodiment, communication data between the network communication terminals is encrypted with the AES (Advanced Encryption Standard) algorithm.
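The following Go program is an added example, not code from the patent: it negotiates the three pairwise key groups of this embodiment and then performs the sending-network to receiving-network transmission of claim 1 for any pair of networks, so that each node encrypts with its own key for the target and the target decrypts with its own key for the sender. The page does not name a Diffie-Hellman group, so the exchange uses X25519 (elliptic-curve Diffie-Hellman); the 256-bit AES key is SHA-256 of the shared secret in place of a full KDF; AES runs in GCM mode, which also supplies the integrity check the page's third extension mentions; and the network labels and sample message are the example's own. As on the page, the exchange is not authenticated: the third extension notes that identity authentication can be layered on, and without it a Diffie-Hellman negotiation does not prove who the peer is.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Node is one network communication device holding its key group: one 256-bit AES key
// per peer network, so that different target networks use different keys.
type Node struct {
	Name string
	Keys map[string][]byte
}

// pairKey is one side of the X25519 Diffie-Hellman exchange; SHA-256 of the shared
// secret stands in for a full KDF such as HKDF, and both ends compute the same key.
func pairKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// NegotiateKeyGroups generates one key pair per network and gives every node one
// pairwise key per peer; only the public keys would cross the external network.
func NegotiateKeyGroups(names []string) (map[string]*Node, error) {
	privs, nodes := map[string]*ecdh.PrivateKey{}, map[string]*Node{}
	for _, n := range names {
		p, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		privs[n] = p
		nodes[n] = &Node{Name: n, Keys: map[string][]byte{}}
	}
	for i, a := range names {
		for _, b := range names[i+1:] {
			ka, errA := pairKey(privs[a], privs[b].PublicKey()) // computed inside network a
			kb, errB := pairKey(privs[b], privs[a].PublicKey()) // computed inside network b
			if errA != nil || errB != nil {
				return nil, errors.Join(errA, errB)
			}
			nodes[a].Keys[b], nodes[b].Keys[a] = ka, kb
		}
	}
	return nodes, nil
}

// aeadFor returns AES-256-GCM under this node's key for peer; a missing key is
// zero-length and is rejected by aes.NewCipher.
func (n *Node) aeadFor(peer string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(n.Keys[peer])
	if err != nil {
		return nil, fmt.Errorf("key group has no usable key for %s: %w", peer, err)
	}
	return cipher.NewGCM(block)
}

// Send encrypts for target network `to` with the sender's key for that target. The
// sender and receiver names are authenticated as associated data, so a ciphertext
// redirected to another network fails its tag check. The output is nonce || ciphertext || tag.
func (n *Node) Send(to string, plaintext []byte) ([]byte, error) {
	aead, err := n.aeadFor(to)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(n.Name+">"+to)), nil
}

// Receive decrypts a message from network `from` with the receiver's key for that network.
func (n *Node) Receive(from string, msg []byte) ([]byte, error) {
	aead, err := n.aeadFor(from)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(msg) < ns {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], []byte(from+">"+n.Name))
}

func main() {
	nodes, err := NegotiateKeyGroups([]string{"vehicle", "terminal", "cloud"})
	if err != nil {
		panic(err)
	}
	ct, _ := nodes["vehicle"].Send("cloud", []byte("pos=31.23,121.47;speed=42")) // constructed sample
	pt, err := nodes["cloud"].Receive("vehicle", ct)
	fmt.Printf("cloud decrypted %q (err=%v)\n", pt, err)
}
```

Because each key group holds one key per peer, a vehicle-to-cloud ciphertext opens only under the cloud's key for the vehicle; the terminal's key group fails the GCM tag check, as does the same ciphertext presented under the wrong sender label. The random-number anti-replay measure of the third extension would be added by carrying a sequence number in the associated data and having the receiver reject any number it has already accepted.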
With the deployment of this embodiment, encrypted transmission of communication data among the vehicle-mounted equipment, the user control terminal and the automatic driving cloud center server is realized according to the technical solution of the invention. The encryption process itself follows that solution and is not repeated here; only the functions that the communication data encryption transmission method of this embodiment makes possible are described.
Function one: the user communicates with the vehicle-mounted equipment through the user control terminal. Communication data such as control commands (starting the engine, adjusting the cabin temperature) and real-time vehicle status feedback are transmitted encrypted according to the communication data combination encryption transmission method.
Function two: the vehicle communicates with the automatic driving cloud center control server through the in-vehicle network communication equipment. Communication data such as the vehicle's position, speed and destination are encrypted and transmitted to the cloud center control server according to the method, and the cloud center server plans a fast automatic driving route from that data and the data transmitted by other vehicles.
Function three: the user, at the company, uses the user control terminal to communicate with the automatic driving cloud center and reserves the vehicle to drive itself from the home parking lot to the company parking lot three hours later. Communication data such as the arrival time and destination are encrypted and transmitted to the cloud center control server according to the method.
These three functions are typical of the Internet of Vehicles. If the encrypted transmission of communication data is attacked, interfered with or tampered with because the network communication equipment, or the network it sits in, has a vulnerability, wrong or dangerous commands may be issued to the vehicle, with consequences and damage that are hard to estimate.
In this embodiment, the first, second and third network security isolation devices are deployed to build local trusted networks that isolate malicious attacks from the external network. Because the keys are stored, and encryption and decryption performed, only inside these local trusted networks, the trustworthiness of the encrypted transmission between two network communication devices is ensured while the functions above are carried out, even if a vulnerability exists in a network communication device or in the network where it is located.
Fig. 4 is a schematic diagram of a confidential information encryption transmission system according to the invention built over the Internet; it gives a specific application example of the invention in confidential information transmission, with N = 2.
As shown in Fig. 4, confidential information must be transmitted encrypted between company A and company B. According to the technical solution of the invention, a first network communication device, computer A, and a first network security isolation device, optical gate A, are deployed at company A, and a second network communication device, computer B, and a second network security isolation device, optical gate B, are deployed at company B. Computer A generates the first key set A and the second key set B and copies key set B to computer B on a USB flash disk. Optical gates A and B are connected to the Internet through the networks of companies A and B respectively. The keys are 2048-bit keys and the encryption algorithm is the RSA asymmetric encryption algorithm.
Confidential information to be transmitted is copied onto computer A or B by a physical means such as a USB flash disk and is then encrypted and transmitted with key set A or B according to the communication data combination encryption transmission method. The high isolation strength of the optical gates keeps computers A and B isolated from the company networks and the Internet, so the key sets and the encryption and decryption process remain secure and trustworthy; together with the 2048-bit keys and the RSA asymmetric algorithm, this ensures that the confidential information is not broken or stolen while in transit over the Internet.
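An added Go example of the N = 2 embodiment (not the patent's code): computer A generates both key sets, key set B is serialized as PEM for the USB transfer, and computer B loads it. The page does not say how the RSA keys are arranged inside a key set, so the example assumes each key set holds that computer's own 2048-bit private key and the peer's public key, and it uses RSA-OAEP with SHA-256, a padding choice the page leaves open. It also enforces a limit the page does not mention: one RSA-2048-OAEP encryption carries at most 190 bytes, so a larger confidential file must be split into blocks or, more usually, encrypted under a symmetric key that RSA then wraps. The sample message and the OAEP label are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// oaepLabel binds ciphertexts to this deployment; the value is an assumption of the example.
var oaepLabel = []byte("CN109302432B embodiment 3")

// KeySet is one computer's key set as this example reads the page: its own private key,
// used to decrypt what the peer sends, and the peer's public key, used to encrypt to the peer.
type KeySet struct {
	Own  *rsa.PrivateKey
	Peer *rsa.PublicKey
}

// GenerateKeySets runs on computer A. It creates both 2048-bit RSA key pairs, keeps key
// set A, and returns key set B as PEM bytes ready to be carried to computer B on a USB disk.
func GenerateKeySets() (KeySet, []byte, error) {
	privA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return KeySet{}, nil, err
	}
	privB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return KeySet{}, nil, err
	}
	setA := KeySet{Own: privA, Peer: &privB.PublicKey}
	usb := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privB)})
	usb = append(usb, pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&privA.PublicKey)})...)
	return setA, usb, nil
}

// LoadKeySet runs on computer B and rebuilds key set B from the USB image.
func LoadKeySet(usb []byte) (KeySet, error) {
	var ks KeySet
	for {
		blk, rest := pem.Decode(usb)
		if blk == nil {
			break
		}
		usb = rest
		switch blk.Type {
		case "RSA PRIVATE KEY":
			k, err := x509.ParsePKCS1PrivateKey(blk.Bytes)
			if err != nil {
				return KeySet{}, err
			}
			ks.Own = k
		case "RSA PUBLIC KEY":
			k, err := x509.ParsePKCS1PublicKey(blk.Bytes)
			if err != nil {
				return KeySet{}, err
			}
			ks.Peer = k
		}
	}
	if ks.Own == nil || ks.Peer == nil {
		return KeySet{}, errors.New("USB image does not contain a complete key set")
	}
	return ks, nil
}

// MaxPlaintext is the largest message one RSA-OAEP(SHA-256) encryption can carry under
// pub: modulus size minus 2*hash length minus 2, which is 190 bytes for a 2048-bit key.
func MaxPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Encrypt encrypts one confidential message to the peer computer.
func (ks KeySet) Encrypt(msg []byte) ([]byte, error) {
	if n := MaxPlaintext(ks.Peer); len(msg) > n {
		return nil, fmt.Errorf("message is %d bytes, RSA-OAEP limit is %d: split it or wrap a symmetric key", len(msg), n)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, ks.Peer, msg, oaepLabel)
}

// Decrypt decrypts a message the peer encrypted to this computer.
func (ks KeySet) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, ks.Own, ct, oaepLabel)
}

func main() {
	setA, usb, err := GenerateKeySets()
	if err != nil {
		panic(err)
	}
	setB, err := LoadKeySet(usb) // on computer B, after the USB transfer
	if err != nil {
		panic(err)
	}
	ct, err := setA.Encrypt([]byte("constructed sample: contract draft v3"))
	if err != nil {
		panic(err)
	}
	pt, err := setB.Decrypt(ct)
	fmt.Printf("B decrypted %q (err=%v); limit per message: %d bytes\n", pt, err, MaxPlaintext(setA.Peer))
}
```

Because each computer holds only its own private key, a ciphertext addressed to B cannot be opened on A even though A generated both pairs; once key set B has been carried across, the private key for B should exist only on computer B, which is what the optical gate is protecting.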
Beyond the technical solution of the invention and the three embodiments above, the solution can be extended. Three extensions follow:
1. Each network communication device can be connected in parallel with several branch network communication devices, and a key group can be added for each branch device. The result of this extension is an enlarged communication encryption system in which a branch of a network communication device can perform encrypted transmission with the network communication devices, or their branches, in other secure and trusted local networks according to the communication data combination encryption transmission process. This extension also falls within the protection scope of the invention.
2. The network isolation devices used in the three embodiments, such as optical gates and network gatekeepers, are mature products. Besides trusted data exchange, they provide content inspection, protocol stripping, protocol inspection, access control, session termination and similar functions.
3. The core idea of the invention is to use network isolation technology to build a secure and trusted network environment for key storage and for the encryption and decryption process during encrypted data transmission. Without departing from that idea, cryptographic techniques such as integrity verification, random numbers (nonces) against replay attacks, identity authentication and digital signatures can clearly be applied to the encrypted transmission of communication data to further strengthen its trustworthiness. This extension also falls within the protection scope of the invention.
The embodiments and extensions above show that the technical solution of the invention is feasible and workable. The embodiments are of course not limited to the three described, nor the extensions to the three listed; embodiments or extensions that those skilled in the art can derive from the invention without creative effort also fall within its protection scope.

Claims (2)

1. A network communication data combination encryption transmission method based on network security isolation technology, using network security isolation devices and network communication equipment, characterized in that: a first network security isolation device is connected to a first network and to an external network, a second network security isolation device is connected to a second network and to the external network, …, and an Nth network security isolation device is connected to an Nth network and to the external network, N being a positive integer greater than or equal to 2; the first network comprises a first network communication device and a first key group, the second network comprises a second network communication device and a second key group, and likewise the Nth network comprises an Nth network communication device and an Nth key group; the first, second, …, Nth network security isolation devices are optical gates, or network gatekeepers based on security island technology, or other security isolation devices not based on mutual-exclusion switch technology; the external network and the first, second, …, Nth networks are communication networks based on the TCP/IP protocol; the first, second, …, Nth networks each comprise one or more network communication devices; each key group consists of a plurality of keys, and when the first, second, …, Nth network transmits data to different target networks it encrypts the transmitted data with the corresponding key of its key group, that is, different target networks use different keys of the key group, and the key length is 128 bits or more; communication data sent by the first network communication device is encrypted with the first key group inside the first network and passed to the first network security isolation device, which exchanges the data encrypted with the first key group to the external network; the data is carried over the external network to the second network security isolation device, which exchanges it into the second network, where it is decrypted with the second key group and delivered to the second network communication device, completing the encrypted transmission of communication data from the first to the second network communication device; communication data sent by the first network communication device is likewise encrypted with the first key group inside the first network, passed to the first network security isolation device, exchanged to the external network, carried to the Nth network security isolation device, exchanged into the Nth network, decrypted there with the Nth key group and delivered to the Nth network communication device, completing the encrypted transmission of communication data from the first to the Nth network communication device; in the same manner and by analogy, when any mth network communication device, m being a positive integer less than or equal to N, transmits encrypted communication data to any other nth network communication device, n being a positive integer less than or equal to N and not equal to m, the data sent by the mth network communication device is encrypted with the mth key group inside the mth network and passed to the mth network security isolation device, which exchanges the data encrypted with the mth key group to the external network; it is carried over the external network to the nth network security isolation device, which exchanges it into the nth network, where it is decrypted with the nth key group and delivered to the nth network communication device, completing the encrypted transmission of communication data from the mth to the nth network communication device; the encryption and decryption of communication data in this network communication data encryption transmission process use the AES advanced encryption algorithm or the RSA encryption algorithm.
2. The network communication data combination encryption transmission method based on network security isolation technology of claim 1, characterized in that: the first network comprises the module or equipment of the first network security isolation device that is isolated from the external network, the second network comprises the module or equipment of the second network security isolation device that is isolated from the external network, and likewise the Nth network comprises the module or equipment of the Nth network security isolation device that is isolated from the external network.
Application CN201811539057.3A, priority date 2018-12-17, filing date 2018-12-17: Network communication data combination encryption transmission method based on network security isolation technology. Status: Active. Publication: CN109302432B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811539057.3A CN109302432B (en) 2018-12-17 2018-12-17 Network communication data combination encryption transmission method based on network security isolation technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811539057.3A CN109302432B (en) 2018-12-17 2018-12-17 Network communication data combination encryption transmission method based on network security isolation technology

Publications (2)

Publication Number Publication Date
CN109302432A CN109302432A (en) 2019-02-01
CN109302432B true CN109302432B (en) 2021-09-07

Family

ID=65142806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811539057.3A Active CN109302432B (en) 2018-12-17 2018-12-17 Network communication data combination encryption transmission method based on network security isolation technology

Country Status (1)

Country Link
CN (1) CN109302432B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111865969B (en) * 2020-07-17 2021-06-08 江苏润易联信息技术有限公司 Secure transmission method and system suitable for financial information
CN115348088A (en) * 2020-08-31 2022-11-15 国网山东省电力公司临沂供电公司 Communication network security encryption method
CN114650124B (en) * 2020-12-18 2023-10-03 中国联合网络通信集团有限公司 Synchronization method and device for data transmission
CN113091224B (en) * 2021-04-07 2022-11-29 青岛海信日立空调系统有限公司 Air conditioning device and air conditioning control device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447956A (en) * 2009-01-13 2009-06-03 杭州华三通信技术有限公司 Cross-GAP communication method and communication system using same
CN102316108A (en) * 2011-09-09 2012-01-11 周伯生 Device for establishing network isolated channel and method thereof
CN103401771A (en) * 2013-07-26 2013-11-20 四川华迪航天金穗高技术有限公司 Network isolation method and network isolation system
CN203313221U (en) * 2013-07-05 2013-11-27 黄淮学院 Network isolation device
CN107294937A (en) * 2016-04-11 2017-10-24 平安科技(深圳)有限公司 Data transmission method, client and server based on network service
CN107438062A (en) * 2016-09-19 2017-12-05 广东建邦计算机软件股份有限公司 Visitor's auth method and device
CN108512821A (en) * 2017-02-28 2018-09-07 阿里巴巴集团控股有限公司 Data transmission method, device and system and gateway and transaction data storage method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10686827B2 (en) * 2016-04-14 2020-06-16 Sophos Limited Intermediate encryption for exposed content

Also Published As

Publication number Publication date
CN109302432A (en) 2019-02-01

Similar Documents

Publication Publication Date Title
CN109302432B (en) Network communication data combination encryption transmission method based on network security isolation technology
CN107105060A (en) A kind of method for realizing electric automobile information security
CN112671798B (en) Service request method, device and system in Internet of vehicles
CN103795543B (en) A kind of secure two-way authentication method for rfid system
Wang et al. NOTSA: Novel OBU with three-level security architecture for internet of vehicles
AU2017100661A4 (en) An information security method of distributed electric vehicle controllers
CN105450406A (en) Data processing method and device
CN110147666B (en) Lightweight NFC identity authentication method in scene of Internet of things and Internet of things communication platform
US11308240B2 (en) Cryptographic circuit and data processing
Karaarslan et al. Digital twin security threats and countermeasures: An introduction
CN104065485A (en) Power grid dispatching mobile platform safety guaranteeing and controlling method
CN102073821A (en) XEN platform-based virtual safety communication tunnel establishing method
CN108881486A (en) Intelligent network connection vehicle remote communication means and system based on trusted technology
Alladi et al. Drone-MAP: A novel authentication scheme for drone-assisted 5G networks
CN111935213A (en) Distributed trusted authentication virtual networking system and method
CN113965328A (en) Authority transfer method and system for digital key offline condition of trusted execution environment
CN108989020A (en) A kind of unmanned plane ad hoc network defence Sybil attack method and system
Luo et al. Security mechanisms design for in-vehicle network gateway
CN102710638A (en) Device and method for isolating data by adopting non-network manner
Anwar et al. Security assessment of in-vehicle communication protocols
CN114553577B (en) Network interaction system and method based on multi-host double-isolation secret architecture
Wang et al. Automotive network security
CN113839782B (en) Light-weight safe communication method for CAN (controller area network) bus in vehicle based on PUF (physical unclonable function)
Kleberger et al. An in-depth analysis of the security of the connected repair shop
Djinko et al. Blockchain-based approach to thwart replay attacks targeting remote keyless entry systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant