CN110177116A - Secure data transmission method and device for a smart fusion identifier network - Google Patents

Info

Publication number: CN110177116A
Authority: CN (China)
Prior art keywords: data packet, obfuscation, encryption mode, flag bit, device
Legal status: Granted (as listed by Google; the listed status is an assumption, not a legal conclusion)
Application number: CN201910496313.3A
Other languages: Chinese (zh)
Other versions: CN110177116B (granted publication)
Inventors: 权伟, 张宏科, 刘明远, 石金玉, 刘刚, 于成晓, 秦媛媛, 覃帅
Current assignee: Beijing Jiaotong University (as listed by Google; assignee lists may be inaccurate)
Original assignee: Beijing Jiaotong University
Events: application CN201910496313.3A filed by Beijing Jiaotong University; publication of CN110177116A; PCT application PCT/CN2020/094554 (WO2020248906A1) claims priority to CN201910496313.3A; application granted and published as CN110177116B; legal status Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/045 ... wherein the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
    • H04L 63/14 ... for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 ... for managing network security; network security policies in general
    • H04L 63/205 ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a secure data transmission method and device for a smart fusion identifier network. When the receiver receives a data packet from the sender, it parses the encryption mode flag bit and determines the encryption mode; it looks up the decryption algorithm in the encryption rule database according to the encryption mode flag bit, decrypts the data, and checks whether the update flag bit has reached the threshold value. If the threshold is reached, the receiver uses the value obtained by an operation on the receiver system time and the timestamp in the packet as a seed to select a new encryption mode, and returns that encryption mode to the sender. After the sender receives the new encryption mode, it encrypts data with the new encryption mode and sends it. The obfuscation encryption policy of the present invention supports user definition and can be changed continuously, so security is higher; replay attacks can be prevented on the basis of the timestamp; and because the time difference between the sending and receiving sides is used as the seed of the selection algorithm, the two sides do not need to be synchronized.

Description

Secure data transmission method and device for a smart fusion identifier network
Technical field
The present invention relates to the field of computer network communication technology, and in particular to a secure data transmission method and device for a smart fusion identifier network.
Background technique
The smart fusion identifier network system dynamically senses the network state and intelligently matches service demands, and on that basis selects a suitable network family and its internal components to provide intelligent services. At the same time, by introducing mechanisms such as behavior matching, behavior clustering and network complex-behavior game decision-making, it achieves dynamic adaptation and cooperative scheduling of resources, substantially raises network resource utilization, reduces network energy consumption and the like, and noticeably improves user experience. The security of the smart fusion identifier network is therefore particularly important.
The security of most obfuscation encryption algorithms in current use depends on the difficulty of factoring large numbers, so the main threat faced by obfuscation encryption modes such as RSA (Ron Rivest, Adi Shamir and Leonard Adleman) comes from the continual growth of computing power and the continual improvement of factoring algorithms. The growth of computing power includes the growth of the distributed computing power of the many computers networked as a result of the development of computer networks, and the growth of supercomputer computing power; a long key is secure only for a limited period. Moreover, the obfuscation encryption mode of data packets in the existing Internet is mostly static and cannot be updated dynamically, so it cannot effectively guarantee the security of the smart fusion identifier network.
Summary of the invention
Embodiments of the present invention provide a secure data transmission method and device for a smart fusion identifier network, in order to overcome the problems of the prior art.
To achieve the above goal, the present invention adopts the following technical solutions.
According to one aspect of the invention, a secure data transmission method for a smart fusion identifier network is provided, comprising:
Step S110: after the receiver device receives an obfuscation-encrypted data packet sent by the sender device, it parses the data packet and obtains the values of the obfuscation encryption mode flag bit and the update flag bit in the data packet;
Step S120: the receiver device queries the encryption rule database according to the value of the obfuscation encryption mode flag bit to obtain the decryption algorithm, decrypts the data packet with that decryption algorithm, and determines from the value of the update flag bit whether the obfuscation encryption mode is to be updated; if so, step S130 is executed;
Step S130: the receiver device uses the value obtained by an operation on the receiver system time and the timestamp in the data packet as a seed to select a new obfuscation encryption mode, and returns the new obfuscation encryption mode to the sender device;
Step S140: after the sender device receives the new obfuscation encryption mode, it obfuscation-encrypts data packets according to the new obfuscation encryption mode and sends the obfuscation-encrypted data packets to the receiver device.
Preferably, the data packet includes an update flag bit, a confirm-update flag bit, an obfuscation encryption mode flag bit and a timestamp. The obfuscation flag bit is 14 bits long and marks the obfuscation encryption mode used by the data packet; the values of the obfuscation encryption mode flag bit map one-to-one onto the obfuscation encryption policies in the obfuscation encryption policy database.
Preferably, the timestamp is 32 bits long and marks the time of the data packet; the timestamp serves as the seed of the policy selection operator.
Preferably, the update flag bit is 1 bit long: when the update flag bit is 1 the obfuscation encryption mode is updated, and when it is 0 the obfuscation encryption mode is not updated;
The confirm-update flag bit is 1 bit long: when it is 1 it indicates that the update of the obfuscation encryption mode has been confirmed, and when it is 0 it indicates that the obfuscation encryption mode is not updated.
Preferably, before step S110 the method further includes:
The sender device initiates communication for the first time; the payload of the data packet sent by the sender device contains obfuscation encryption mode database information;
The receiver device receives the data packet with which the sender device initiates communication for the first time, extracts the obfuscation encryption mode database information from the packet and checks it against the local obfuscation encryption mode database, obtains the obfuscation encryption policy database information maintained jointly by the sender device and the receiver device, encapsulates it in a response data packet, and sends the response data packet to the sender device;
After the sender device receives the response data packet, it extracts the jointly maintained obfuscation encryption policy database information from the response data packet, selects one obfuscation encryption policy from it, encapsulates the selected obfuscation encryption policy in a policy confirmation request data packet, and sends that packet to the receiver device;
After the receiver device receives the policy confirmation request data packet from the sender device, it extracts and stores the obfuscation encryption policy selected by the sender device and sends a policy confirmation response data packet to the sender device;
After the sender device receives the policy confirmation response data packet returned by the receiver device, it obfuscation-encrypts data packets according to the obfuscation encryption policy confirmed by both sides and sends the obfuscation-encrypted data packets to the receiver device.
According to another aspect of the invention, a secure data transmission device for a smart fusion identifier network is provided, comprising a data packet processing module, a clock module, a computing module, an obfuscation encryption policy database module and a controller;
The data packet processing module is used to obfuscation-encrypt data packets according to the configured obfuscation encryption mode, to encapsulate the update flag bit, confirm-update flag bit, obfuscation encryption mode flag bit and timestamp into the data packet, to decide from the status information of the data packets when to initiate a request to update the obfuscation encryption algorithm, to parse received data packets, and to receive control information issued by the controller in order to update the packet processing policy and the encapsulation format;
The clock module is used to provide clock information;
The computing module is used to perform operations on data: it selects the value of the update flag bit by performing a modular operation on a random number, extracts the timestamp from the clock, and supplies the timestamp to the data packet processing module;
The obfuscation encryption policy database module is used to store obfuscation encryption policies, obfuscation encryption policy labels and the like in a database, and to receive control information issued by the controller in order to update the obfuscation encryption policy database;
The controller is used to issue control information to the data packet processing module in order to update the packet processing policy and the encapsulation format, to generate the obfuscation forwarding policy for data packets and deliver it to the obfuscation encryption policy database module, and to issue control information to the obfuscation encryption policy database in order to update it.
Preferably, the device further includes:
A status information processing module, used to process data packet status information and to preprocess the timestamp information of data packets, determining whether the device should actively initiate a request to update the obfuscation encryption algorithm.
Preferably, the device includes a sender device and a receiver device, and its working mode is full duplex. During communication, the initiation of a policy update supports two modes: manual initiation by the user, and automatic initiation by the device according to the selection of the status information of the data packets.
Preferably, when the device is a sender device, the data packet processing module is specifically used to encapsulate the data packets to be sent: it obfuscation-encrypts the data packet with the obfuscation encryption mode specified in the obfuscation encryption policy database, encapsulates the update flag bit, confirm-update flag bit, obfuscation encryption mode flag bit and timestamp into the data packet, and decides from the status information of the data packets when to initiate a request to update the obfuscation encryption algorithm; it defines the parsing order and content of the packet header according to specific flag bit fields of the packet; for a data packet sent by the receiver device, it parses the obfuscation encryption mode flag bit with the agreed parsing method and obfuscation-encrypts the next group of data packets with the obfuscation encryption mode from the obfuscation encryption policy database; and it receives control information issued by the controller in order to update the packet processing policy and the encapsulation format;
When the device is a receiver device, the data packet processing module is specifically used, after receiving an obfuscation-encrypted data packet from the sender device, to parse the packet and obtain the values of the obfuscation encryption mode flag bit and the update flag bit, to query the encryption rule database by the value of the obfuscation encryption mode flag bit to obtain the decryption algorithm, to decrypt the packet with that algorithm, to determine from the value of the update flag bit whether the obfuscation encryption mode is to be updated and, if so, to select a new obfuscation encryption mode using the value of an operation on the receiver system time and the timestamp in the packet as the seed and return the new obfuscation encryption mode to the sender device; and to receive control information issued by the controller in order to update the packet processing policy and the encapsulation format.
Preferably, the data packet processing module in the sender device is specifically used, when the sender device initiates communication for the first time, to include obfuscation encryption mode database information in the payload of the sent data packet;
The data packet processing module in the receiver device is specifically used to receive the data packet with which the sender device initiates communication for the first time, to extract the obfuscation encryption mode database information from it and check it against the local obfuscation encryption mode database, to obtain the obfuscation encryption policy database information maintained jointly by the sender device and the receiver device, to encapsulate it in a response data packet, and to send the response data packet to the sender device;
The data packet processing module in the sender device, after receiving the response data packet, extracts the jointly maintained obfuscation encryption policy database information from it, selects one obfuscation encryption policy, encapsulates the selected obfuscation encryption policy in a policy confirmation request data packet, and sends it to the receiver device;
The data packet processing module in the receiver device, after receiving the policy confirmation request data packet from the sender device, extracts and stores the obfuscation encryption policy selected by the sender device and sends a policy confirmation response data packet to the sender device;
The data packet processing module in the sender device, after receiving the policy confirmation response data packet returned by the receiver device, obfuscation-encrypts data packets according to the obfuscation encryption policy confirmed by both sides and sends the obfuscation-encrypted data packets to the receiver device.
As can be seen from the technical solutions of the above embodiments, the obfuscation encryption policy in the secure data transmission scheme for a smart fusion identifier network of the embodiments supports user definition and can be changed continuously, so security is higher. Whether to update the obfuscation encryption policy is decided on the basis of changes in the timestamp state, so replay attacks can be prevented. The value obtained by an operation on the receiver system time and the timestamp in the data packet serves as the seed of the selection algorithm, so the sending and receiving sides do not need to be synchronized.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and will in part become obvious from that description or be learned by practice of the invention.
Detailed description of the invention
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings needed in the description of the embodiments are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the implementation principle of a secure data transmission method for a smart fusion identifier network according to an embodiment of the invention.
Fig. 2 is a schematic diagram of the processing flow of a secure data transmission method for a smart fusion identifier network according to an embodiment of the invention.
Fig. 3 is a schematic diagram of the implementation principle of the method for confirming the obfuscation encryption policy in obfuscated data transmission in a smart fusion identifier network according to an embodiment of the invention.
Fig. 4 is a schematic diagram of the processing flow of the method for confirming the obfuscation encryption policy in obfuscated data transmission in a smart fusion identifier network according to an embodiment of the invention.
Fig. 5 is a schematic diagram of the data packet structure in the secure data transmission method for a smart fusion identifier network according to an embodiment of the invention.
Fig. 6 is a schematic structural diagram of a secure data transmission device for a smart fusion identifier network according to an embodiment of the invention.
Fig. 7 is a schematic diagram of an application scenario of the obfuscated transmission method for a smart fusion identifier network according to an embodiment of the invention.
Specific embodiment
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote, throughout, the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It should be further understood that the term "comprising" as used in the specification of the invention means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as is commonly understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless defined as here, will not be interpreted in an idealized or overly formal sense.
To facilitate understanding of the embodiments of the invention, further explanation is given below by way of several specific embodiments in conjunction with the drawings; none of the embodiments limits the embodiments of the invention.
Embodiment one
The actual transmit/receive process is duplex; the description below covers a single transmission from sending end A to receiving end B purely for clarity. Fig. 1 is a schematic diagram of the implementation principle of the secure data transmission method for a smart fusion identifier network according to an embodiment of the invention, and Fig. 2 is a schematic diagram of its processing flow, which comprises the following steps.
Step S210: when the receiver receives a data packet from the sender, it parses the packet to obtain the obfuscation encryption mode flag bit and the update flag bit, and determines the obfuscation encryption mode of the packet from the obfuscation encryption mode flag bit;
Step S220: the receiver queries the encryption rule database according to the obfuscation encryption mode flag bit to obtain the decryption algorithm and decrypts the data; it then checks whether the update flag bit equals the configured threshold value. If the threshold is reached, step S230 is performed (the threshold indicates that the obfuscation encryption mode is to be updated); if the threshold is not reached, the process ends;
The value of the update flag bit is set to 1 automatically and randomly by the communicating host according to the network environment, in order to update the obfuscation encryption mode of both communicating parties. In addition, the update flag bit also supports being set by a command issued by the controller and by user setting. A user setting has higher priority than a controller setting, and a controller setting has higher priority than automatic random setting.
The update flag bit can be set by a command issued by the controller: the controller sends an update command to the client, and the client sets the update flag bit to 1.
The update flag bit can be set by the user. This function gives the user the ability to update the obfuscation encryption policy manually after an emergency occurs; the user can set the bit to 1.
Step S230: the receiver uses the value of an operation on the receiver system time and the timestamp in the data packet as a seed to select a new obfuscation encryption mode, and returns the new obfuscation encryption mode to the sender. The value of that operation can be the difference between the receiver system time and the timestamp in the data packet.
Step S240: the sender sets the obfuscation encryption mode flag bit according to the received obfuscation encryption mode, sets the update flag bit, sets the timestamp, and transmits data obfuscated with the new obfuscation encryption mode.
The actual transmit/receive process is duplex; the description below covers a single transmission from sending end A to receiving end B purely for clarity. Fig. 3 is a schematic diagram of the implementation principle of the method for confirming the obfuscation encryption policy in obfuscated data transmission in a smart fusion identifier network according to an embodiment of the invention, and Fig. 4 is a schematic diagram of its processing flow, which comprises the following steps:
Step S410: sender A initiates communication for the first time. The payload of the data packet sent by sender A contains obfuscation encryption mode database information.
Step S420: receiver B receives the data packet with which sender A initiates communication, extracts the obfuscation encryption mode database information from it and checks it against the local obfuscation encryption mode database, obtaining the obfuscation encryption policy database information maintained jointly by A and B. B encapsulates that jointly maintained information in a response data packet and sends the response to sender A.
Step S430: after sender A receives the response data packet, it parses it, obtains the jointly maintained obfuscation encryption policy database information, determines the set of obfuscation encryption policies available for encrypted communication, and selects one obfuscation encryption policy from it. Sender A encapsulates the selected obfuscation encryption policy in a policy confirmation request data packet and sends that packet to receiver B.
Step S440: receiver B receives sender A's policy confirmation request data packet, parses it, and obtains the obfuscation encryption policy selected by sender A. Receiver B stores that obfuscation encryption policy in a register and sends a policy confirmation response data packet to sender A.
Step S450: after sender A receives the policy confirmation response data packet returned by receiver B, it encapsulates data packets according to the obfuscation encryption policy confirmed by both sides, and the two sides begin the encrypted communication shown in Fig. 2.
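The four-message policy confirmation exchange of steps S410 to S450 (and the equivalent wording in the summary above), as an added Python example; this is not code from the patent or from its assignee. The message field names, the representation of an obfuscation encryption policy database as a set of 14-bit mode identifiers, and the `choose` rule by which sender A picks one policy from the intersection are assumptions made for the example, since the patent does not specify them. The example also adds one check the text does not state but a practitioner would want: B accepts a confirmation request only for a mode that was actually in the negotiated intersection, so a peer cannot steer B onto a policy B never offered.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

MODE_FLAG_BITS = 14  # the obfuscation encryption mode flag is 14 bits wide


@dataclass
class Endpoint:
    """One communicating device (A or B). Names and fields are assumptions."""
    name: str
    local_db: Set[int]                                  # mode ids in the local policy database
    shared_db: Set[int] = field(default_factory=set)    # intersection with the peer's database
    agreed_mode: Optional[int] = None                   # B keeps this in a register (S440)

    def __post_init__(self):
        bad = [m for m in self.local_db if not 0 <= m < (1 << MODE_FLAG_BITS)]
        if bad:
            raise ValueError(f"{self.name}: mode ids do not fit in 14 bits: {bad}")


def first_contact(a: Endpoint) -> Dict:
    """S410: A's first packet carries A's policy database information in its payload."""
    return {"type": "init", "from": a.name, "db": sorted(a.local_db)}


def respond_with_intersection(b: Endpoint, msg: Dict) -> Dict:
    """S420: B checks A's database against its own and returns the jointly held set."""
    if msg["type"] != "init":
        raise ValueError("expected init")
    b.shared_db = set(msg["db"]) & b.local_db
    return {"type": "init_resp", "from": b.name, "shared": sorted(b.shared_db)}


def choose_policy(a: Endpoint, msg: Dict,
                  choose: Callable[[Set[int]], int] = min) -> Dict:
    """S430: A parses the response, fixes the usable policy set and selects one policy."""
    if msg["type"] != "init_resp":
        raise ValueError("expected init_resp")
    a.shared_db = set(msg["shared"])
    if not a.shared_db:
        raise RuntimeError("no obfuscation encryption policy in common; cannot proceed")
    a.agreed_mode = choose(a.shared_db)  # the selection rule is an assumption
    return {"type": "confirm_req", "from": a.name, "mode": a.agreed_mode}


def confirm_policy(b: Endpoint, msg: Dict) -> Dict:
    """S440: B stores A's chosen policy and answers with a confirmation response.

    Added check: a mode outside the negotiated intersection is refused.
    """
    if msg["type"] != "confirm_req":
        raise ValueError("expected confirm_req")
    if msg["mode"] not in b.shared_db:
        raise ValueError(f"mode {msg['mode']:#06x} was not in the negotiated set")
    b.agreed_mode = msg["mode"]
    return {"type": "confirm_resp", "from": b.name, "mode": b.agreed_mode}


def finish(a: Endpoint, msg: Dict) -> int:
    """S450: A checks the response matches what it asked for; encrypted traffic may start."""
    if msg["type"] != "confirm_resp" or msg["mode"] != a.agreed_mode:
        raise ValueError("confirmation response does not match the requested policy")
    return a.agreed_mode


def negotiate(a: Endpoint, b: Endpoint,
              choose: Callable[[Set[int]], int] = min) -> int:
    """Run S410..S450 between A and B and return the agreed mode id."""
    m1 = first_contact(a)
    m2 = respond_with_intersection(b, m1)
    m3 = choose_policy(a, m2, choose)
    m4 = confirm_policy(b, m3)
    return finish(a, m4)


if __name__ == "__main__":
    # Constructed sample databases: A supports modes 1, 2, 3; B supports 2, 3, 5.
    A = Endpoint("A", {0x0001, 0x0002, 0x0003})
    B = Endpoint("B", {0x0002, 0x0003, 0x0005})
    print("agreed mode:", hex(negotiate(A, B)))   # 0x2 with choose=min
```

The exchange carries the policy identifiers in the clear, as the text describes; it establishes which of the shared policies is in use, and nothing in these four messages authenticates either party or keeps the chosen policy confidential.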
Encapsulation format
Fig. 5 is a schematic diagram of the data packet structure in the secure data transmission method for a smart fusion identifier network according to an embodiment of the invention. As shown in Fig. 5, the data packet is marked with an update flag bit, a confirm-update flag bit, an obfuscation encryption mode flag bit and a timestamp. The update flag bit is 1 bit long: when it is 1 the obfuscation encryption mode is updated, and when it is 0 the obfuscation encryption mode is not updated. The confirm-update flag bit is 1 bit long: when it is 1 it indicates that the update of the obfuscation encryption mode has been confirmed, and when it is 0 it indicates that the obfuscation encryption mode is not updated. The obfuscation flag bit is 14 bits long and indicates the obfuscation encryption mode in use; its values map one-to-one onto the obfuscation encryption policies in the obfuscation encryption policy database. The timestamp is 32 bits long, marks the time of the data packet, and can serve as the seed of the policy selection operator. The encapsulation format can be realized in the form of an extension header, among other forms.
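The 48-bit marking of Fig. 5 (1-bit update flag, 1-bit confirm-update flag, 14-bit obfuscation encryption mode flag, 32-bit timestamp) together with the receive-side procedure of steps S210 to S240 above, as an added Python example; it is not code from the patent or from its assignee. Assumptions made for the example: the four fields are packed in that order, most significant bit first, into a 6-byte header placed ahead of the payload; the entries of the encryption rule database are constructed toy reversible transforms, because the patent names no concrete algorithm, and they provide no security; the seed of step S230 is the time difference reduced modulo the number of available modes; and the replay check is one concrete reading of the page's timestamp-based claim (reject a timestamp that is not newer than the last one accepted from the peer), which the page itself does not spell out. The update-flag priority order stated in the text (user over controller over random) is implemented as `decide_update_flag`.

```python
import random
import struct
from typing import Callable, Dict, Optional, Tuple

HEADER_LEN = 6          # 1 + 1 + 14 + 32 bits
MODE_MASK = 0x3FFF      # 14-bit obfuscation encryption mode flag


def pack_header(update: int, confirm: int, mode: int, timestamp: int) -> bytes:
    """Encode the Fig. 5 fields MSB first: update | confirm | mode(14) | timestamp(32)."""
    if update not in (0, 1) or confirm not in (0, 1):
        raise ValueError("flag bits must be 0 or 1")
    if not 0 <= mode <= MODE_MASK:
        raise ValueError("mode flag must fit in 14 bits")
    if not 0 <= timestamp < (1 << 32):
        raise ValueError("timestamp must fit in 32 bits")
    return struct.pack("!HI", (update << 15) | (confirm << 14) | mode, timestamp)


def parse_header(packet: bytes) -> Dict[str, int]:
    """Decode the header; a truncated packet is rejected rather than read past its end."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 6-byte header")
    first16, timestamp = struct.unpack("!HI", packet[:HEADER_LEN])
    return {"update": first16 >> 15, "confirm": (first16 >> 14) & 1,
            "mode": first16 & MODE_MASK, "timestamp": timestamp}


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-ins for the encryption rule database: mode id -> (encrypt, decrypt).
# Toy transforms so that mode switching can be exercised; they are not ciphers.
RULE_DB: Dict[int, Tuple[Callable[[bytes], bytes], Callable[[bytes], bytes]]] = {
    0x0001: (lambda d: _xor(d, b"\x5a"), lambda d: _xor(d, b"\x5a")),
    0x0002: (lambda d: _xor(d[::-1], b"\xa5\x3c"), lambda d: _xor(d, b"\xa5\x3c")[::-1]),
    0x0003: (lambda d: bytes((b + 7) & 0xFF for b in d),
             lambda d: bytes((b - 7) & 0xFF for b in d)),
}


def decide_update_flag(user_request: Optional[bool] = None,
                       controller_request: Optional[bool] = None,
                       rng=random, period: int = 8) -> int:
    """Priority from the text: user setting > controller command > random choice.
    The random branch is a modular operation on a random number (computing module)."""
    if user_request is not None:
        return int(user_request)
    if controller_request is not None:
        return int(controller_request)
    return 1 if rng.getrandbits(32) % period == 0 else 0


def select_new_mode(receiver_time: int, packet_timestamp: int, rule_db=RULE_DB) -> int:
    """S230: seed = receiver system time minus packet timestamp (no clock sync needed).
    The seed is built from values visible on the wire; it chooses among the negotiated
    modes and must not be mistaken for a secret key."""
    seed = (receiver_time - packet_timestamp) & 0xFFFFFFFF
    modes = sorted(rule_db)
    return modes[seed % len(modes)]


def send(plaintext: bytes, mode: int, timestamp: int, update: int = 0,
         confirm: int = 0, rule_db=RULE_DB) -> bytes:
    """S240 / sender side: header with flags and timestamp, then the obfuscated payload."""
    encrypt, _ = rule_db[mode]
    return pack_header(update, confirm, mode, timestamp) + encrypt(plaintext)


def receive(packet: bytes, receiver_time: int, last_seen_ts: Optional[int] = None,
            rule_db=RULE_DB) -> Tuple[bytes, Optional[int]]:
    """S210..S230: parse, look up the decryption algorithm, decrypt, and when the
    update flag is set choose the new mode to return to the sender.
    Returns (plaintext, new_mode_or_None)."""
    hdr = parse_header(packet)
    if last_seen_ts is not None and hdr["timestamp"] <= last_seen_ts:
        raise ValueError("stale timestamp: possible replay")   # added freshness check
    if hdr["mode"] not in rule_db:
        raise ValueError(f"unknown mode flag {hdr['mode']:#06x}")
    _, decrypt = rule_db[hdr["mode"]]
    plaintext = decrypt(packet[HEADER_LEN:])
    new_mode = None
    if hdr["update"] == 1:
        new_mode = select_new_mode(receiver_time, hdr["timestamp"], rule_db)
    return plaintext, new_mode


if __name__ == "__main__":
    # Constructed round: A sends with mode 2 and asks for an update; B answers with
    # mode 1 (seed 1003 - 1000 = 3, 3 % 3 == 0 selects the first sorted mode);
    # A then sends the next packet under the new mode with confirm = 1.
    pkt = send(b"hello", 0x0002, timestamp=1000, update=1)
    text, new_mode = receive(pkt, receiver_time=1003)
    nxt = send(b"world", new_mode, timestamp=1004, confirm=1)
    print(text, hex(new_mode), parse_header(nxt))
```

Because every input to `select_new_mode` travels in the clear, an on-path observer who knows the rule database can compute the same choice; what the scheme gains from the switch is that the mode in use changes over time, not that the choice is hidden. The rejection of a non-increasing timestamp is what actually turns the 32-bit field into a replay check; without some such comparison, carrying a timestamp detects nothing.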
An embodiment of the invention also proposes a secure data transmission device for a smart fusion identifier network. The device is a state-based obfuscation transmission device; it is programmable and can flexibly define and update forwarding policies, obfuscation encryption policies and packet parsing policies. The device includes, but is not limited to, a data packet processing module, a status information processing module, a clock module, a computing module, an obfuscation encryption policy database and a controller. The device can be either of the two peer devices, sender or receiver.
Fig. 6 is a schematic structural diagram of a secure data transmission device for a smart fusion identifier network according to an embodiment of the invention. The device can be either of the two peer devices, sender or receiver; the devices' own functions do not differ, and the working mode is full duplex, so that during communication one device is both a sending end and a receiving end. During communication, the initiation of a policy update supports two modes: manual initiation by the user, and automatic initiation by the device according to the selection of the status information of the data packets. In the second mode, when to initiate a policy update request is decided by the device that first initiated the communication request, and after a policy update request has been initiated the update policy and obfuscation encryption policy for data packets do not take effect until the requesting party has received confirmation information.
The obfuscation forwarding policies for data packets should be generated uniformly by the controller; the device can cache the obfuscation forwarding policies for data packets by online upgrade or by local manual upgrade. In general, a device caches several obfuscation forwarding policies, to guarantee that the policy can be updated during packet processing.
When communicating for the first time, the two communicating parties should exchange information about their local policy cache libraries; through this exchange the intersection of the policy cache libraries is found, which provides the range of choice for policy updates in the subsequent communication.
The main function of the device is to process data packets. It includes, but is not limited to, a certain computing capability and storage capability. The computing capability is embodied in the processing of status information, the processing of address fields during packet addressing and forwarding, and packet parsing; the storage capability is embodied in the storage of status information and of obfuscation forwarding policy information. To guarantee data read and processing speed, this information should be stored in registers and memory: specifically, the policy information used by the current communication should be stored in registers, and the policy information of all obfuscation forwarding policies supported by the device should be stored in memory.
The functions of each module of transmitting end A are as follows:
Packet processing module: includes, but is not limited to, encapsulating outgoing packets: obfuscation-encrypting the packet according to the obfuscation encryption mode in the obfuscation encryption policy database, and encapsulating the update flag bit, confirm-update flag bit, obfuscation encryption mode flag bit and timestamp into the packet. The packet processing module should also be able to determine, from the status information of the packets, when to initiate a request to update the obfuscation encryption algorithm; the request should support at least two modes, active initiation by the user and autonomous initiation by the device.
It also includes, but is not limited to, a packet parsing function: parsing should be flexible, so that the parsing order and content of the packet header can be defined according to certain flag bit fields of the packet, while remaining compatible with data exchange with traditional devices. Packets sent by receiver B are parsed with the agreed parsing method to obtain the obfuscation encryption mode flag bit, and the next group of packets is obfuscation-encrypted according to the corresponding obfuscation encryption mode in the obfuscation encryption policy database. The module should also receive control information issued by the controller, in order to update the packet processing policy and encapsulation format.
Clock module: provides clock information.
Computing module: performs operations on data, including but not limited to selecting the value of the update flag bit by performing modular arithmetic on a random number, extracting the timestamp from the clock and supplying it to the packet processing module.
Status information processing module: the device should be able to process packet status information, including but not limited to pre-processing the timestamp information of packets, dynamically sensing the network state, and determining whether the device should actively initiate a request to update the obfuscation encryption algorithm.
Obfuscation encryption policy database: includes, but is not limited to, storing obfuscation encryption policies and their labels; receives control information issued by the controller to update the obfuscation encryption policy database.
Controller: includes, but is not limited to, issuing control information to the packet processing module to update the packet processing policy and encapsulation format, and issuing control information to the obfuscation encryption policy database to update it.
The functions of each module of receiving end B are as follows:
Packet processing module: includes, but is not limited to, a packet parsing function: parses the obfuscation encryption mode flag bit, parses the packet according to the corresponding obfuscation encryption mode in the obfuscation encryption policy database, and judges whether the update flag bit has reached the threshold. It also includes, but is not limited to, an encapsulation function: when the sender needs to update the obfuscation encryption mode, it encapsulates the obfuscation encryption mode flag bit information into a packet and sends it to sender A. It receives control information issued by the controller to update the packet processing policy and encapsulation format.
Clock module: provides clock information; when the computing module judges that the obfuscation encryption mode is to be updated, the system clock is extracted from the clock module as the seed for the operation.
Computing module: performs operations on data, including but not limited to AND/OR and modular operations on the packet timestamp and the system clock; according to the result, selects an obfuscation encryption mode from the obfuscation encryption policy database and supplies it to the packet processing module.
Obfuscation encryption policy database: includes, but is not limited to, storing obfuscation encryption policies and their labels; provides obfuscation encryption policies to the computing module and the packet processing module; receives control information issued by the controller to update the obfuscation encryption policy database.
Controller: includes, but is not limited to, issuing control information to the packet processing module to update the packet processing policy and encapsulation format, and issuing control information to the obfuscation encryption policy database to update it.
Status information processing module: the device should be able to process packet status information, including but not limited to pre-processing the timestamp information of packets, dynamically sensing the network state, and determining whether the device should actively initiate a request to update the obfuscation encryption algorithm.
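The header fields and the receiver-side steps S110 to S130 described above (and in claims 1 to 4) are shown below as an added illustration; this is not code from the patent. The field widths (1-bit update flag, 1-bit confirm-update flag, 14-bit obfuscation mode flag, 32-bit timestamp) come from the claims; the packing order, the big-endian layout, the toy XOR/reversal "obfuscation modes" in the policy database and the XOR-then-modulo seed formula are assumptions made here so that the mode switch can be exercised end to end.

```python
"""Header encoding and receiver-side mode selection for the flag-bit packet
format of the patent. Added example; layout and seed formula are assumptions."""
import struct

# Bit layout of the 16-bit flag word (assumed order; the claims only give widths):
#   bit 15     : update flag            (1 bit)
#   bit 14     : confirm-update flag    (1 bit)
#   bits 13..0 : obfuscation mode flag  (14 bits) -> key into the policy database
HEADER_FMT = ">HI"               # flag word (16 bits) + timestamp (32 bits), big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
MODE_MASK = (1 << 14) - 1


def _xor(key):
    return lambda data: bytes(b ^ key for b in data)


# Toy "obfuscation encryption policy database": mode flag value -> (encrypt, decrypt).
# XOR and byte reversal stand in for the patent's obfuscation modes; they are not
# encryption and exist only so that a mode change is observable in the output.
POLICY_DB = {
    0x0001: (_xor(0x5A), _xor(0x5A)),
    0x0002: (_xor(0xA5), _xor(0xA5)),
    0x0003: (lambda d: d[::-1], lambda d: d[::-1]),
}
MODE_IDS = sorted(POLICY_DB)


def pack_packet(update, confirm, mode, timestamp, payload):
    """Sender side: obfuscate payload under `mode`, prepend flag word and timestamp."""
    if not 0 <= mode <= MODE_MASK:
        raise ValueError("mode flag must fit in 14 bits")
    flags = ((update & 1) << 15) | ((confirm & 1) << 14) | mode
    encrypt, _ = POLICY_DB[mode]
    return struct.pack(HEADER_FMT, flags, timestamp & 0xFFFFFFFF) + encrypt(payload)


def unpack_header(packet):
    """Return (update, confirm, mode, timestamp) parsed from the packet header."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated header")
    flags, ts = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return (flags >> 15) & 1, (flags >> 14) & 1, flags & MODE_MASK, ts


def select_new_mode(system_time, packet_timestamp, current_mode):
    """Step S130: combine receiver clock and packet timestamp into a seed and pick
    a different mode from the database. The claims only say the two values are
    combined by an operation; XOR followed by modulo is the assumption used here."""
    seed = (system_time ^ packet_timestamp) & 0xFFFFFFFF
    candidates = [m for m in MODE_IDS if m != current_mode] or MODE_IDS
    return candidates[seed % len(candidates)]


def receiver_process(packet, system_time):
    """Steps S110-S130 on the receiver: parse the header, decrypt via the policy
    database and, if the update flag is set, choose the next mode for the sender.
    Returns (plaintext, new_mode) where new_mode is None when no update is due."""
    update, _confirm, mode, ts = unpack_header(packet)
    if mode not in POLICY_DB:
        # A mode flag with no database entry cannot be decrypted; reject the packet.
        raise ValueError("unknown obfuscation mode %#x" % mode)
    _, decrypt = POLICY_DB[mode]
    plaintext = decrypt(packet[HEADER_LEN:])
    new_mode = select_new_mode(system_time, ts, mode) if update else None
    return plaintext, new_mode


if __name__ == "__main__":
    # Constructed sample: sender sets the update flag on a packet in mode 2.
    pkt = pack_packet(1, 0, 0x0002, 1000, b"hello")
    print(receiver_process(pkt, system_time=1234))
```

Because the seed mixes the receiver's own clock with the timestamp carried in the packet, the sender never has to know the receiver's clock: the chosen mode is simply returned in the next packet, which is the synchronization-free property the summary below claims.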
Embodiment two
Fig. 7 is a schematic diagram of an application scenario of the obfuscated transmission method of an intelligent fusion identification network provided by an embodiment of the present invention. As shown in Fig. 7, A and B are users, C and D are obfuscation transmission devices, and W1, W2 and W3 are transmission links. A multi-path transmission mechanism is used; if such a mechanism were applied directly in a heterogeneous and asymmetric network environment, serious packet reordering and buffer congestion would occur. The state-based obfuscation transmission device stores route selection information and labels in the obfuscation encryption policy database and can change the transmission path in real time according to the network state, which relieves network congestion and also effectively improves the user experience. In an intelligent fusion network environment, the real-time performance and security of user communication must be guaranteed; to guarantee transmission security, the intelligent fusion identification network uses cross-protocol transmission and can transmit across IPv4, IPv6 and identifier network protocols. The obfuscation transmission device stores protocol selection information and labels in the obfuscation encryption policy database and selects the path and the packet protocol according to the state.
Embodiment three
This embodiment describes the obfuscation transmission device in the policy update stage. First, there are two sources of obfuscation forwarding policies: at device initialization, the obfuscation encryption policy database provides a basic permutation matrix and a round-robin routing policy; in addition, the device supports user-defined obfuscation encryption policies and provides an obfuscation encryption policy database for storing them. Two ways of importing into the user's obfuscation encryption policy database are provided: online import by the controller and manual import by the user. Then, when a user initiates a communication request for the first time, the device judges whether this is a first communication; if so, the two parties first need to exchange their obfuscation encryption policy database information and find the intersection of the two databases. The communication initiator then selects one obfuscation encryption policy and issues a policy request; after receiving the policy confirmation message returned by the other side, encrypted transmission formally begins using the negotiated obfuscation encryption policy. The initiator of the communication also maintains the status information of the packets of this communication; when the status information reaches a specified threshold, it initiates a request to update the obfuscation encryption policy, and after receiving the update confirmation message from the other side, encrypted communication formally proceeds using the new obfuscation encryption policy. The threshold mentioned here can be stated by the user according to the actual situation; if it is not explicitly stated, the system automatically uses a default value.
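The first-contact negotiation and the threshold-driven update request just described (the same exchange is written out step by step in claim 5) are simulated below with both peers in one process. This is an added example, not the patent's or the applicant's code. The message names, the use of small integers as policy identifiers, the rule that the initiator picks the lowest-numbered common policy, and the default threshold of 100 packets are all assumptions chosen here; the patent only states that the initiator chooses one policy from the intersection and that the threshold is user-settable with a system default.

```python
"""Policy negotiation between two obfuscation transmission devices.
Added example; message names, policy ids and the selection rule are assumptions."""


class Peer:
    """One obfuscation transmission device. Both roles live in one class because
    the patent's devices are functionally identical and full duplex."""

    def __init__(self, name, policy_db, threshold=100):
        self.name = name
        self.policy_db = set(policy_db)   # locally cached obfuscation policy ids
        self.shared = None                # intersection found at first contact
        self.active = None                # policy currently in force
        self.pending = None               # proposed policy awaiting confirmation
        self.first_contact = True
        self.sent_since_update = 0        # packet status information kept by initiator
        self.threshold = threshold        # user-settable; 100 is an assumed default

    # ---- initiator side ---------------------------------------------------
    def start(self):
        """First packet of a first communication carries the policy database info."""
        if not self.first_contact:
            return None
        return {"type": "hello", "policies": sorted(self.policy_db)}

    def on_hello_reply(self, msg):
        """Pick one policy from the common set and ask the peer to confirm it."""
        self.shared = set(msg["common"])
        if not self.shared:
            raise RuntimeError("no common obfuscation policy; cannot communicate")
        self.pending = min(self.shared)   # assumed rule: lowest common id
        return {"type": "policy_request", "policy": self.pending}

    def on_policy_response(self, msg):
        """A proposed policy comes into force only on a matching confirmation."""
        if msg["type"] != "policy_confirm" or msg["policy"] != self.pending:
            self.pending = None           # keep the old policy; nothing took effect
            return False
        self.active, self.pending = self.pending, None
        self.first_contact = False
        self.sent_since_update = 0
        return True

    def send_packet(self):
        """Count packets sent under the active policy; once the count reaches the
        threshold, propose a different common policy. Returns the request or None."""
        if self.active is None:
            raise RuntimeError("no active policy; negotiate first")
        self.sent_since_update += 1
        if self.sent_since_update >= self.threshold and self.pending is None:
            others = sorted(self.shared - {self.active})
            if others:
                self.pending = others[self.sent_since_update % len(others)]
                return {"type": "policy_request", "policy": self.pending}
        return None

    # ---- responder side ---------------------------------------------------
    def on_hello(self, msg):
        """Proofread the peer's database against the local one; reply with the intersection."""
        self.shared = self.policy_db & set(msg["policies"])
        return {"type": "hello_reply", "common": sorted(self.shared)}

    def on_policy_request(self, msg):
        """Accept only a policy that is in the jointly maintained set."""
        if self.shared is None or msg["policy"] not in self.shared:
            return {"type": "policy_reject", "policy": msg["policy"]}
        self.active = msg["policy"]
        return {"type": "policy_confirm", "policy": msg["policy"]}


def negotiate(initiator, responder):
    """Run the first-contact exchange; returns the policy both sides now use."""
    reply = responder.on_hello(initiator.start())
    request = initiator.on_hello_reply(reply)
    initiator.on_policy_response(responder.on_policy_request(request))
    return initiator.active


def run_until_update(initiator, responder):
    """Send packets until the initiator's threshold triggers an update that the
    responder confirms; returns (old_policy, new_policy)."""
    old = initiator.active
    for _ in range(initiator.threshold + 1):
        request = initiator.send_packet()
        if request is not None:
            initiator.on_policy_response(responder.on_policy_request(request))
            return old, initiator.active
    raise RuntimeError("threshold never reached")


if __name__ == "__main__":
    # Constructed sample: A and B cache overlapping policy sets; A uses a small threshold.
    a, b = Peer("A", {1, 2, 5}, threshold=3), Peer("B", {2, 5, 9})
    print("negotiated:", negotiate(a, b))
    print("updated:", run_until_update(a, b))
```

The point worth noticing is that `active` on the initiator only changes inside `on_policy_response`, so a lost or rejected confirmation leaves both sides on the old policy instead of desynchronizing them, which is exactly the "does not come into force until confirmation is received" rule stated above.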
Embodiment four
This embodiment describes how the obfuscation transmission device updates the obfuscation encryption policy in an emergency. The ultimate purpose of the device is to realize confidential communication for users. Although the device itself does not provide any network scanning function, the user can apply for permission to enable compatible third-party tools. Note that the device does not provide a function for judging the security of third-party plug-ins; it only gives the user the ability to enable this function after an emergency occurs and to manually update the obfuscation encryption policy.
Specifically, the user can apply for permission to enable compatible third-party tools, such as certain network scanning tools, and use artificial intelligence to analyze the network state and help the user discover the risk that the network is being monitored. After the user determines that they are being monitored, they can manually initiate an obfuscation encryption policy update request to the peer user and, without interrupting the communication, can also define the threshold at which policy updates are initiated, so as to raise the level of communication security.
In conclusion the intelligence of the embodiment of the present invention, which is melted in the safety data transmission scheme of mark network, obscures encryption policy It supports user to define and can constantly change, safety is higher.Added based on flag bit variation is updated to decide whether to update to obscure Close strategy obscures encryption according to the random selection of timestamp state is a variety of using aliasing strategy database maintenance aliasing strategy information Mode, it is difficult to crack.It can prevent Replay Attack.Using the value of timestamp operation in receiver system time and data packet as choosing The seed of algorithm is selected, receiving-transmitting sides do not need to synchronize.
Status information processing module carries out dynamic sensing to network environment in system.Encryption policy is obscured according to network environment By the automated randomized update of communication host, flexibly cipher mode can also be carried out more using offer controller and user's control strategy Newly.Encapsulation, Packet analyzing rule can neatly be converted.
Those of ordinary skill in the art will appreciate that the drawings are schematic diagrams of one embodiment, and that the modules or processes in the drawings are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention or in certain parts of the embodiments.
All the embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the device and system embodiments are substantially similar to the method embodiments, they are described more briefly, and the relevant parts may be found in the description of the method embodiments. The device and system embodiments described above are only schematic: the units described as separate parts may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited thereto. Any change or substitution that can easily be conceived by a person skilled in the art within the technical scope disclosed by the present invention should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (10)

1. A secure data transmission method for an intelligent fusion identification network, characterized by comprising:
Step S110: after the receiver device receives the obfuscation-encrypted data packet sent by the sender device, it parses the data packet and obtains the values of the obfuscation encryption mode flag bit and the update flag bit in the data packet;
Step S120: the receiver device queries the encryption rule database according to the value of the obfuscation encryption mode flag bit to obtain a decryption algorithm, decrypts the data packet using that decryption algorithm, and judges according to the value of the update flag bit whether to update the obfuscation encryption mode; if so, step S130 is executed;
Step S130: the receiver device selects a new obfuscation encryption mode using the result of an operation on the receiver system time and the timestamp in the data packet as the seed, and returns the new obfuscation encryption mode to the sender device;
Step S140: after the receiver device receives the new obfuscation encryption mode, it obfuscation-encrypts data packets according to the new obfuscation encryption mode and sends the obfuscation-encrypted data packets to the sender device.
2. The method according to claim 1, characterized in that the data packet includes an update flag bit, a confirm-update flag bit, an obfuscation encryption mode flag bit and a timestamp; the obfuscation flag bit uses a length of 14 bits and marks the obfuscation encryption mode used by the data packet, and the values of the obfuscation encryption mode flag bit map one-to-one to the obfuscation encryption policies in the obfuscation encryption policy database.
3. The method according to claim 2, characterized in that the timestamp uses a length of 32 bits, is used to mark the time of the data packet, and serves as the seed of the policy selection operator.
4. The method according to claim 2, characterized in that the update flag bit uses a length of 1 bit; when the update flag bit is 1, the obfuscation encryption mode is updated, and when the update flag bit is 0, the obfuscation encryption mode is not updated;
the confirm-update flag bit uses a length of 1 bit; when the confirm-update flag bit is 1, it indicates that the update of the obfuscation encryption mode has been confirmed, and when the confirm-update flag bit is 0, it indicates that the obfuscation encryption mode is not updated.
5. The method according to any one of claims 1 to 4, characterized in that, before step S110, it further comprises:
the sender device initiates a first communication, and the payload of the data packet sent by the sender device contains its obfuscation encryption mode database information;
the receiver device receives the data packet with which the sender device initiates the first communication, extracts the obfuscation encryption mode database information from the data packet, proofreads it against the local obfuscation encryption mode database, obtains the obfuscation encryption policy database information jointly maintained by the sender device and the receiver device, encapsulates it in a response data packet, and sends the response data packet to the sender device;
after the sender device receives the response data packet, it extracts from the response data packet the obfuscation encryption policy database information jointly maintained by the sender device and the receiver device, selects one obfuscation encryption policy from it, encapsulates the selected obfuscation encryption policy in a policy confirmation request data packet, and sends it to the receiver device;
after the receiver device receives the policy confirmation request data packet of the sender device, it extracts and stores the obfuscation encryption policy selected by the sender device and sends a policy confirmation response data packet to the sender device;
after the sender device receives the policy confirmation response data packet returned by the receiver device, it obfuscation-encrypts data packets according to the obfuscation encryption policy confirmed by both sides and sends the obfuscation-encrypted data packets to the receiver device.
6. A secure data transmission device for an intelligent fusion identification network, characterized by comprising: a packet processing module, a clock module, a computing module, an obfuscation encryption policy database module and a controller;
the packet processing module is configured to obfuscation-encrypt data packets according to the set obfuscation encryption mode, to encapsulate the update flag bit, confirm-update flag bit, obfuscation encryption mode flag bit and timestamp into the data packet, to determine from the status information of the data packets when to initiate a request to update the obfuscation encryption algorithm, to parse received data packets, and to receive control information issued by the controller in order to update the packet processing policy and encapsulation format;
the clock module is configured to provide clock information;
the computing module is configured to perform operations on data, to select the value of the update flag bit by performing modular arithmetic on a random number, and to extract the timestamp from the clock and supply it to the packet processing module;
the obfuscation encryption policy database module is configured to store obfuscation encryption policies and obfuscation encryption policy labels and the like in a database, and to receive control information issued by the controller in order to update the obfuscation encryption policy database;
the controller is configured to issue control information to the packet processing module in order to update the packet processing policy and encapsulation format, to generate the packet obfuscation forwarding policies and issue them to the obfuscation encryption policy database module, and to issue control information to the obfuscation encryption policy database in order to update it.
7. The device according to claim 6, characterized in that the device further comprises:
a status information processing module, configured to process packet status information, pre-process the timestamp information of data packets, and determine whether the device should actively initiate a request to update the obfuscation encryption algorithm.
8. The device according to claim 6 or 7, characterized in that the device comprises a sender device and a receiver device, the working mode is full-duplex, and during communication a policy update can be initiated in either of two modes: manually by the user, or automatically by the device based on the status information of the data packets.
9. The device according to claim 8, characterized in that, when the device is a sender device, the packet processing module is specifically configured to encapsulate outgoing data packets: to obfuscation-encrypt the data packet according to the specified obfuscation encryption mode in the obfuscation encryption policy database, to encapsulate the update flag bit, confirm-update flag bit, obfuscation encryption mode flag bit and timestamp into the data packet, and to determine from the status information of the data packets when to initiate a request to update the obfuscation encryption algorithm; to define the parsing order and content of the packet header according to certain flag bit fields of the data packet, to parse the obfuscation encryption mode flag bit of the data packets sent by the receiver device with the agreed parsing method, and to obfuscation-encrypt the next group of data packets according to the corresponding obfuscation encryption mode in the obfuscation encryption policy database; and to receive control information issued by the controller in order to update the packet processing policy and encapsulation format;
when the device is a receiver device, the packet processing module is specifically configured, after receiving the obfuscation-encrypted data packet from the sender device, to parse the data packet and obtain the values of the obfuscation encryption mode flag bit and the update flag bit in the data packet, to query the encryption rule database according to the value of the obfuscation encryption mode flag bit to obtain a decryption algorithm, to decrypt the data packet using that decryption algorithm, and to judge according to the value of the update flag bit whether to update the obfuscation encryption mode; if so, to select a new obfuscation encryption mode using the result of an operation on the receiver system time and the timestamp in the data packet as the seed, and to return the new obfuscation encryption mode to the sender device; and to receive control information issued by the controller in order to update the packet processing policy and encapsulation format.
10. The device according to claim 9, characterized in that:
the packet processing module in the sender device is specifically configured, when the sender device initiates a first communication, to include its obfuscation encryption mode database information in the payload of the data packet sent;
the packet processing module in the receiver device is specifically configured to receive the data packet with which the sender device initiates the first communication, to extract the obfuscation encryption mode database information from the data packet and proofread it against the local obfuscation encryption mode database, to obtain the obfuscation encryption policy database information jointly maintained by the sender device and the receiver device and encapsulate it in a response data packet, and to send the response data packet to the sender device;
the packet processing module in the sender device is specifically configured, after receiving the response data packet, to extract from the response data packet the obfuscation encryption policy database information jointly maintained by the sender device and the receiver device, to select one obfuscation encryption policy from it, to encapsulate the selected obfuscation encryption policy in a policy confirmation request data packet, and to send it to the receiver device;
the packet processing module in the receiver device is specifically configured, after receiving the policy confirmation request data packet of the sender device, to extract and store the obfuscation encryption policy selected by the sender device, and to send a policy confirmation response data packet to the sender device;
the packet processing module in the sender device is specifically configured, after receiving the policy confirmation response data packet returned by the receiver device, to obfuscation-encrypt data packets according to the obfuscation encryption policy confirmed by both sides, and to send the obfuscation-encrypted data packets to the receiver device.
CN201910496313.3A 2019-06-10 2019-06-10 Secure data transmission method and device for intelligent identification network Active CN110177116B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910496313.3A CN110177116B (en) 2019-06-10 2019-06-10 Secure data transmission method and device for intelligent identification network
PCT/CN2020/094554 WO2020248906A1 (en) 2019-06-10 2020-06-05 Secure data transmission method and apparatus for intelligent fusion identification network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910496313.3A CN110177116B (en) 2019-06-10 2019-06-10 Secure data transmission method and device for intelligent identification network

Publications (2)

Publication Number Publication Date
CN110177116A true CN110177116A (en) 2019-08-27
CN110177116B CN110177116B (en) 2020-07-14

Family

ID=67698086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910496313.3A Active CN110177116B (en) 2019-06-10 2019-06-10 Secure data transmission method and device for intelligent identification network

Country Status (2)

Country Link
CN (1) CN110177116B (en)
WO (1) WO2020248906A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020248906A1 (en) * 2019-06-10 2020-12-17 北京交通大学 Secure data transmission method and apparatus for intelligent fusion identification network
CN114205814A (en) * 2021-12-03 2022-03-18 中国联合网络通信集团有限公司 Data transmission method, device and system, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516702A (en) * 2012-06-29 2014-01-15 北京新媒传信科技有限公司 Symmetrical encryption method and system and central server
CN106452764A (en) * 2016-12-02 2017-02-22 武汉理工大学 Method for automatically updating identification private key and password system
CN106452787A (en) * 2016-10-13 2017-02-22 广东欧珀移动通信有限公司 Data verification method and device
US20170277775A1 (en) * 2012-10-30 2017-09-28 FHOOSH, Inc. Systems and methods for secure storage of user information in a user profile
CN108965302A (en) * 2018-07-24 2018-12-07 苏州科达科技股份有限公司 Media data transmission system, method, apparatus and storage medium
CN109409033A (en) * 2018-09-11 2019-03-01 平安科技(深圳)有限公司 Code encryption method, apparatus, computer installation and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7835520B2 (en) * 2003-02-20 2010-11-16 Zoran Corporation Unique identifier per chip for digital audio/video data encryption/decryption in personal video recorders
CN106789054A (en) * 2016-12-23 2017-05-31 携程旅游网络技术(上海)有限公司 The update method and system of dynamic encryption and decryption algorithm
CN109241760A (en) * 2018-09-28 2019-01-18 北京北信源信息安全技术有限公司 Data ciphering method, decryption method, encryption device and decryption device
CN110177116B (en) * 2019-06-10 2020-07-14 北京交通大学 Secure data transmission method and device for intelligent identification network


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张宏科等: "智融标识网络基础研究", 《电子学报》 *


Also Published As

Publication number Publication date
CN110177116B (en) 2020-07-14
WO2020248906A1 (en) 2020-12-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20190827

Assignee: HENAN QUNZHI INFORMATION TECHNOLOGY CO.,LTD.

Assignor: Beijing Jiaotong University

Contract record no.: X2021990000779

Denomination of invention: Secure data transmission method and device of Zhirong identification network

Granted publication date: 20200714

License type: Common License

Record date: 20211209
