CN113114589A - Cross-network data secure transmission system and method - Google Patents


Info

Publication number
CN113114589A
Authority
CN
China
Prior art keywords
transmission
transmitted
file
data
processor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110468895.1A
Other languages
Chinese (zh)
Inventor
李天旭
黄锦阳
邓倩楠
李志辉
何凡
陈清华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Leadal Technology Development Co ltd
Beijing Zhonghong Lida Xinchuang Technology Co ltd
Original Assignee
Beijing Zhonghong Lida Xinchuang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhonghong Lida Xinchuang Technology Co ltd
Priority to CN202110468895.1A
Publication of CN113114589A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/50 Queue scheduling
    • H04L47/62 Queue scheduling characterised by scheduling criteria
    • H04L47/6215 Individual queue per QOS, rate or priority
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a cross-network data secure transmission system and method in the technical field of data transmission, and addresses the poor security and low efficiency of cross-network data transmission in the prior art. The first processor of the system sets the priority range of each transmission queue, slices and encrypts each file to be transmitted in the current transmission period into data slices, caches the slices in the transmission queue matching the file's priority, and sends them through the unidirectional transmission device group matched to that priority range; the second processor receives the data slices of each file, decrypts and combines them to recover the file, and delivers it to the target third-party service system. Slicing the files, selecting the transmission device group by priority, and carrying the decryption key inside one of the data slices improve the security and transmission efficiency of cross-network data transmission to a great extent.

Description

Cross-network data secure transmission system and method
Technical Field
The invention relates to the technical field of data transmission, in particular to a cross-network data secure transmission system and a method.
Background
As enterprises increasingly work in specialised, cooperative modes, each enterprise needs frequent data exchange with external clients, partners and others. Network isolation has become a major obstacle to efficient external cooperation, and the safe and efficient transmission of data between different network areas has become a key technology for enterprise information security and efficient operation.
In the prior art, data are copied to removable media such as a USB flash drive or a portable hard disk to move them between network areas; or a dual-network-card host is used inside the enterprise, with the two network cards connected to two different networks, to transmit data across networks; or an Ftrans cross-network file security exchange system is adopted, which offers high transmission speed and high security, built-in anti-virus and sensitive-information detection, approval and audit, data security compliance and a documented data flow direction, and can establish a uniformly managed cross-network file exchange platform for the enterprise, making it a well-suited solution for inter-network data receiving, dispatching and sharing under network isolation; or files or data are transmitted across networks according to their priority, but files of all priorities pass through a single transmission channel.
First, when a portable hard disk or USB flash drive is used, data errors and tampering occur easily, viruses are easily introduced, there is no approval function, so compliance of the data cannot be ensured, there are no log records, so tracing is impossible, and centralized management and control of the data are difficult. Second, when a dual-network-card host is used, security is difficult to guarantee, there is no approval or audit function, and the hardware cost is high. Third, the Ftrans cross-network file security exchange system does not manage and control the security level of the files to be transmitted, so its security is poor, and it lacks measures for improving data transmission efficiency. Fourth, when files are transmitted according to their priority but all priorities share a single transmission channel, the transmission efficiency is low.
Disclosure of Invention
In view of the foregoing analysis, the present invention aims to provide a system and a method for securely transmitting data across networks, so as to solve the problems of poor security and low transmission efficiency of cross-network data transmission in the prior art.
In one aspect, the present invention provides a system for securely transmitting data across a network, including:
a first processor located in a first network region, and a second processor located in a second network region; the first network region is physically isolated from the second network region and communicates through a plurality of unidirectional transmission device groups;
the first processor is used for setting a priority range for each transmission queue, slicing and encrypting each file to be transmitted in the current transmission period of the first network area to obtain a preset number of encrypted data slices, caching those data slices in the transmission queue matching the priority of the file, and transmitting them through a unidirectional transmission device group whose transmission rate is matched to that priority range;
and the second processor is used for receiving the data slices of each file transmitted by the first processor, decrypting and combining them to obtain the file, and transmitting the file to the target third-party service system in the second network area.
Furthermore, the priority range of each transmission queue is matched to the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate;
the first processor is specifically configured to:
reading the priority information of each file to be transmitted in the current transmission cycle in the first network area, and thereby determining the transmission queue to which each file belongs;
sorting all files to be transmitted belonging to each transmission queue in descending order of priority, taking the preset number of data slices of each file as a group, caching the groups in the transmission queue in that order, and transmitting them through the matched unidirectional transmission device group in caching order; the preset number equals the number of unidirectional transmission devices in the group, the data slices in each group correspond one to one to those devices, and each data slice is transmitted through its corresponding unidirectional transmission device.
Further, the first processor is further configured to:
when any transmission queue finishes transmission first, fetching the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the finished queue, caching it in the finished queue and transmitting it through the corresponding unidirectional transmission device group, or fetching the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the finished queue, caching it in the finished queue and transmitting it through the corresponding unidirectional transmission device group, until all files to be transmitted in the current transmission cycle have been transmitted.
Further, the data slice comprises an identification ID of a file to be transmitted, a target IP address, a target port, a data block sequence number, a data encryption block length and a data encryption block;
the second processor is specifically configured to:
when the sequence number of a received data block is 0, decrypting the data encryption block, read according to the corresponding data encryption block length, to obtain the key;
when the sequence number of a received data block is greater than 0, decrypting the data encryption block, read according to the corresponding data encryption block length, with the key to obtain the part of the file data contained in that data slice;
merging the decrypted file data to obtain the file to be transmitted;
and transmitting the file to the target third-party service system according to the target IP address and the target port.
Further, the system also comprises a plurality of first service nodes positioned in the first network area and a plurality of second service nodes positioned in the second network area; a plurality of the first service nodes and a plurality of the second service nodes are configured with adaptation interfaces of the unidirectional transmission equipment;
each first service node is used for receiving the data slice in the corresponding transmission queue, compressing the data slice and transmitting the data slice through the corresponding one-way transmission equipment group;
each second service node is used for correspondingly receiving the data slice transmitted by the first service node, decompressing the data slice and transmitting the data slice to the second processor.
Further, the first processor is further configured to:
acquiring the security level of the file to be transmitted and the file data to be transmitted;
comparing the security level of the file to be transmitted with the permitted security level of the second network area: if it is not higher, comparing the file data with the sensitive-information words in a database and replacing the sensitive-information words in the file with preset symbols; if it is higher, terminating the transmission of the file.
Furthermore, the first processor and the second processor are both configured with the identifier, service IP and port of each third-party service system allowed to access them, and, when a third-party service system requests access, judge whether its identifier is legal and whether its service IP and port match.
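The three checks claimed above (the security-level gate, the sensitive-word substitution, and the identifier, service IP and port matching for third-party service systems), written out as an added Python example; this is illustrative code, not an implementation from the patent. The patent does not specify how security levels are encoded, what the preset symbol is, or how the allowlist is stored, so the numeric levels (a higher number means more sensitive), the "*" symbol, the word list and the service table are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy values: the patent names the checks but not the encoding of
# security levels, the preset symbol, the word database or the allowlist layout.
PERMITTED_LEVEL_OF_SECOND_NETWORK = 2      # assumption: higher number = more sensitive
REDACTION_SYMBOL = "*"                     # assumption: the "preset symbol"
SENSITIVE_WORDS = ["salary", "passport", "project falcon"]   # constructed database

# Third-party service systems allowed to access the processor:
# identifier -> (service IP, port). Constructed values.
ALLOWED_SERVICES = {
    "hr-portal": (ipaddress.ip_address("10.20.0.15"), 8443),
    "crm": (ipaddress.ip_address("10.20.0.16"), 443),
}


@dataclass(frozen=True)
class TransferRequest:
    service_id: str
    service_ip: str
    service_port: int
    security_level: int
    data: str


class TransferRejected(Exception):
    pass


def check_service_access(service_id: str, service_ip: str, service_port: int) -> None:
    """The identifier must be configured, and the service IP and port must match
    the configured entry exactly; any mismatch rejects the request."""
    entry = ALLOWED_SERVICES.get(service_id)
    if entry is None:
        raise TransferRejected(f"unknown service identifier {service_id!r}")
    allowed_ip, allowed_port = entry
    if ipaddress.ip_address(service_ip) != allowed_ip or service_port != allowed_port:
        raise TransferRejected(f"{service_id!r} is not registered at {service_ip}:{service_port}")


# Longest phrases first so "project falcon" wins over any shorter overlapping word.
_WORD_PATTERN = re.compile(
    r"\b(?:" + "|".join(re.escape(w) for w in sorted(SENSITIVE_WORDS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE)


def redact_sensitive_words(text: str) -> str:
    """Replace each whole-word, case-insensitive hit with the preset symbol,
    repeated to the hit's length so the layout of the file is preserved."""
    return _WORD_PATTERN.sub(lambda m: REDACTION_SYMBOL * len(m.group(0)), text)


def gate_outbound_file(req: TransferRequest) -> str:
    """Run the claimed checks in order; return the data the slicer may send,
    or raise TransferRejected."""
    check_service_access(req.service_id, req.service_ip, req.service_port)
    if req.security_level > PERMITTED_LEVEL_OF_SECOND_NETWORK:
        # Claim: "if so, terminating the transmission" - nothing crosses the boundary.
        raise TransferRejected(
            f"security level {req.security_level} exceeds the permitted level "
            f"{PERMITTED_LEVEL_OF_SECOND_NETWORK} of the second network area")
    return redact_sensitive_words(req.data)


def evaluate(req: TransferRequest) -> tuple:
    """(True, redacted data) or (False, reason); convenient for callers and tests."""
    try:
        return True, gate_outbound_file(req)
    except TransferRejected as e:
        return False, str(e)


if __name__ == "__main__":
    requests = [
        TransferRequest("hr-portal", "10.20.0.15", 8443, 1,
                        "Project Falcon headcount: 12; salary band B; Passport on file."),
        TransferRequest("hr-portal", "10.20.0.99", 8443, 1, "IP does not match"),
        TransferRequest("crm", "10.20.0.16", 443, 3, "over-classified"),
    ]
    for r in requests:
        print(evaluate(r))
```

Order matters: the identifier, IP and port check runs before any file content is looked at, the level comparison terminates the transfer outright, and substitution is applied only to files already cleared to leave. Whole-word matching keeps unrelated words such as "salaryman" intact, but substitution is a best-effort control: words split by formatting, transliterated or embedded in images are not caught, so the level comparison, not the word list, is the control that keeps over-classified files inside the first network area.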
In another aspect, the present invention provides a method for securely transmitting cross-network data, which is based on the system for securely transmitting cross-network data of any one of claims 1 to 7, and includes the following steps:
setting a priority range for each transmission queue by using the first processor of the first network area, slicing and encrypting each file to be transmitted in the current transmission period of the first network area to obtain a preset number of encrypted data slices, caching those data slices in the transmission queue matching the priority of the file, and transmitting them through a unidirectional transmission device group whose transmission rate is matched to that priority range;
and receiving, by using the second processor in the second network area, the data slices of each file transmitted by the first processor, decrypting and combining them to obtain the file, and transmitting the file to the target third-party service system in the second network area.
Furthermore, the priority range of each transmission queue is matched to the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate;
the step of transmitting the file to be transmitted by using the first processor comprises the following steps:
reading the priority information of each file to be transmitted in the current transmission cycle in the first network area, and thereby determining the transmission queue to which each file belongs;
sorting all files to be transmitted belonging to each transmission queue in descending order of priority, taking the preset number of data slices of each file as a group, caching the groups in the transmission queue in that order, and transmitting them through the matched unidirectional transmission device group in caching order; the preset number equals the number of unidirectional transmission devices in the group, the data slices in each group correspond one to one to those devices, and each data slice is transmitted through its corresponding unidirectional transmission device.
Further, the step of transmitting the file to be transmitted by using the first processor further includes:
when any transmission queue finishes transmission first, fetching the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the finished queue, caching it in the finished queue and transmitting it through the corresponding unidirectional transmission device group, or fetching the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the finished queue, caching it in the finished queue and transmitting it through the corresponding unidirectional transmission device group, until all files to be transmitted in the current transmission cycle have been transmitted.
Compared with the prior art, the invention can realize at least one of the following beneficial effects:
1. In the cross-network data secure transmission system and method provided by the invention, files with different priorities are sliced and encrypted into a plurality of encrypted data slices, the slices are cached in transmission queues with different priority ranges, and each queue is sent through the unidirectional transmission device group whose transmission rate matches its priority range, so that files of different priority ranges are transmitted simultaneously and the transmission efficiency is improved to a great extent.
2. In each transmission period, a file of the appropriate priority is taken from a transmission queue that has not finished, cached in a queue that has finished, and transmitted through the corresponding unidirectional transmission device group, which improves the transmission efficiency of the whole system.
3. The key for decrypting the data slices of a file is stored in its own data slice; the receiving end obtains it from the slice with the reserved sequence number, and decrypts and combines the slices with the other sequence numbers using that key to obtain the file, which improves the security of cross-network data transmission to a great extent.
In the invention, the technical schemes can be combined with each other to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, wherein like reference numerals are used to designate like parts throughout.
FIG. 1 is a schematic diagram of a cross-network data secure transmission system according to an embodiment of the present invention;
fig. 2 is a flowchart of a cross-network data secure transmission method according to an embodiment of the present invention.
Reference numerals:
1: first network area; 2: second network area; 11: first processor; 12: first service node; 21: second processor; 22: second service node.
Detailed Description
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate preferred embodiments of the invention and together with the description, serve to explain the principles of the invention and not to limit the scope of the invention.
The invention discloses a cross-network data secure transmission system.
As shown in fig. 1, the system includes a first processor located in a first network area and a second processor located in a second network area. The first network area is physically isolated from the second network area, and the two communicate through a plurality of unidirectional transmission device groups, i.e. the files or data to be transmitted cross the isolation boundary only through those groups. Preferably, the first processor in the first network area transmits files or data to the second network area through its corresponding unidirectional transmission device groups, and the second processor in the second network area likewise transmits files or data to the first network area through its own corresponding unidirectional transmission device groups.
Since the process for transmitting a file or data from the first processor to the second network area is the same as that from the second processor to the first network area, the description below takes the case of transmitting from the first processor in the first network area to the second network area.
Preferably, the first processor receives files to be transmitted with various priorities from a third-party service system. To transmit files of different priorities promptly and efficiently, the first processor includes a plurality of transmission queues and sets a priority range for each. Illustratively, the priorities of the files are represented by ordinals 1 to 9, the smaller the ordinal the higher the priority; the priority range of the first transmission queue is set to ordinals 1 and 2, that of the second transmission queue to ordinals 3 to 5, and that of the third transmission queue to ordinals 6 to 9; alternatively, the range of each transmission queue can be set according to user requirements.
The first processor is further configured to slice and encrypt each file to be transmitted in the current transmission cycle of the first network area into a preset number of encrypted data slices, and to cache the slices in the transmission queue corresponding to the file's priority; for example, a file with priority 1 has its data slices stored in the first transmission queue and transmitted through the unidirectional transmission device group whose transmission rate matches that priority range. Preferably, the transmission period is set according to the cache memory of each transmission queue, so that the total size of the files in the corresponding priority range in each transmission period does not exceed the cache memory of that queue.
The second processor is used for receiving the data slices of each file transmitted by the first processor, decrypting and combining them to obtain the file, and transmitting the file to the target third-party service system in the second network area.
Preferably, the priority range of each transmission queue is matched to the transmission rate of a unidirectional transmission device group: the smaller the ordinals in a queue's priority range, the higher the transmission rate of its unidirectional transmission device group, which improves the transmission efficiency of the higher-priority files. Each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate, and their number can be set according to the user's actual requirements.
Preferably, the first processor is specifically configured to:
reading the priority information of each file to be transmitted in the current transmission cycle in the first network area, i.e. obtaining the file's ordinal, thereby determining its priority level and the transmission queue to which it belongs.
Each transmission queue may hold files with several different priorities. To favour the higher-priority files, all files belonging to a transmission queue are sorted in descending order of priority, the preset number of data slices of each file is taken as a group, the groups are cached in the queue in that order, and they are transmitted through the matched unidirectional transmission device group in caching order. Preferably, the preset number equals the number of unidirectional transmission devices in the group, the data slices of each group correspond one to one to those devices, and each data slice is transmitted through its corresponding device, so that the second processor in the second network area receives a complete file at one time, which improves transmission efficiency.
Preferably, since the transmission queues finish at different times (any queue may finish first), and in order to improve the efficiency of data transmission, the first processor is further configured to:
when any transmission queue finishes transmission first, fetch the untransmitted file with the lowest priority from a transmission queue whose priority range is higher than that of the finished queue, cache it in the finished queue and transmit it through the corresponding unidirectional transmission device group, or fetch the untransmitted file with the highest priority from a transmission queue whose priority range is lower than that of the finished queue, cache it in the finished queue and transmit it through the corresponding unidirectional transmission device group, until all files to be transmitted in the current transmission cycle have been transmitted.
Illustratively, if the first transmission queue finishes first, the untransmitted file with the highest priority is fetched from the second transmission queue, cached in the first transmission queue and transmitted through its unidirectional transmission device group; if the second transmission queue holds few files and finishes first, the untransmitted file with the lowest priority is fetched from the first transmission queue, cached in the second transmission queue and transmitted through its group; if the third transmission queue holds few files and finishes first, the untransmitted file with the lowest priority is fetched from the first transmission queue, cached in the third transmission queue and transmitted through its group.
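The queue assignment, descending-priority sort and rebalancing rule described in the claims and in the paragraphs above, as an added Python simulation that is not part of the patent. Queue ranges, device counts, rates and file sizes are constructed; the rule that a file is cut into one slice per device and the slices go in parallel, so a file occupies its group for one slice's time, follows the description. Where the page only says "or", this example prefers a donor among the higher-range queues (taking the lowest-priority pending file there) and falls back to the lower-range queues (taking their highest-priority pending file); that preference is an assumption.

```python
from dataclasses import dataclass, field
from math import ceil


@dataclass(frozen=True)
class TransferFile:
    name: str
    priority: int   # ordinal 1..9; the smaller the ordinal, the higher the priority
    size: int       # bytes


@dataclass
class TransmissionQueue:
    name: str
    prio_lo: int    # priority range served by this queue (inclusive)
    prio_hi: int
    devices: int    # unidirectional devices in the matched group = slices per file
    rate: float     # bytes/s per device; all devices in a group share one rate
    pending: list = field(default_factory=list)
    free_at: float = 0.0

    def covers(self, priority: int) -> bool:
        return self.prio_lo <= priority <= self.prio_hi

    def transfer_time(self, f: TransferFile) -> float:
        # One slice per device, sent in parallel: the file takes one slice's time.
        return ceil(f.size / self.devices) / self.rate


def make_queues():
    # Constructed example: smaller ordinals map to the faster device group.
    return [TransmissionQueue("Q1", 1, 2, devices=3, rate=100.0),
            TransmissionQueue("Q2", 3, 5, devices=2, rate=50.0),
            TransmissionQueue("Q3", 6, 9, devices=2, rate=20.0)]


# Constructed files for one transmission cycle, deliberately out of priority order.
FILES = [TransferFile("C", 2, 900), TransferFile("F", 5, 100), TransferFile("A", 1, 600),
         TransferFile("H", 9, 80), TransferFile("D", 3, 200), TransferFile("B", 2, 300),
         TransferFile("G", 7, 100), TransferFile("E", 4, 800)]


def assign(files, queues):
    """Read each file's priority, pick its queue, then sort every queue in
    descending priority (the patent's 'degradation sequencing')."""
    for f in files:
        q = next((o for o in queues if o.covers(f.priority)), None)
        if q is None:
            raise ValueError(f"no transmission queue covers priority {f.priority}")
        q.pending.append(f)
    for q in queues:
        q.pending.sort(key=lambda x: (x.priority, x.name))


def steal_for(q, queues):
    """Rebalancing: take the lowest-priority pending file from the higher-range
    queues, otherwise the highest-priority pending file from the lower-range
    queues. Preferring higher-range donors is an assumption; the patent says 'or'."""
    higher = [o for o in queues if o.prio_hi < q.prio_lo and o.pending]
    if higher:
        return max(higher, key=lambda o: o.pending[-1].priority).pending.pop()
    lower = [o for o in queues if o.prio_lo > q.prio_hi and o.pending]
    if lower:
        return min(lower, key=lambda o: o.pending[0].priority).pending.pop(0)
    return None


def simulate(files, queues, steal=True):
    """Event-driven run of one cycle. Returns {file name: (queue, finish time)}."""
    assign(files, queues)
    finished = {}
    while any(o.pending for o in queues):
        q = min(queues, key=lambda o: o.free_at)          # group that goes idle first
        f = q.pending.pop(0) if q.pending else (steal_for(q, queues) if steal else None)
        if f is None:
            q.free_at = float("inf")                      # nothing left for this group
            continue
        q.free_at += q.transfer_time(f)
        finished[f.name] = (q.name, q.free_at)
    return finished


def makespan(finished):
    return max(t for _, t in finished.values())


if __name__ == "__main__":
    for steal in (True, False):
        result = simulate(FILES, make_queues(), steal=steal)
        print(f"steal={steal}: cycle ends at {makespan(result):.1f}s", result)
```

With rebalancing, file F (priority 5) moves from the second queue, which is still busy with E, to the idle third group and the cycle ends at 10.0 s instead of 11.0 s. The rule is not free: the rebalanced file crosses a slower device group, so when the slower group's time for the file exceeds the remaining wait in its own queue the cycle gets longer, and a scheduler built on this rule should compare the two estimates before pulling.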
Preferably, to improve the security of file transmission, each data slice is set to contain the identifier ID of the file to be transmitted, a target IP address, a target port, a data block sequence number, a data encryption block length, and a data encryption block. The identifier ID allows the receiver to determine which data slices belong to a given file, and the data encryption block length tells the second processor how many bytes to read.
Preferably, the second processor is specifically configured to:
When the received data block sequence number is 0, the corresponding data encryption block holds the key used to decrypt the other data slices; the data encryption block is decrypted according to its data encryption block length to obtain the key.
When the received data block sequence number is greater than 0, the corresponding data encryption block holds the actual content of the file to be transmitted; the data encryption block is decrypted according to its data encryption block length and the key to obtain the file data contained in that data slice.
The decrypted file data are merged in order of data block sequence number to reconstruct the file to be transmitted.
The second processor determines from the target IP address which three-party service system the file is to be delivered to, and from the target port whether that three-party service system is within the service range: if the target port is among the pre-configured target ports, delivery of the file to the three-party service system is confirmed.
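Receiver-side handling of the data slice format described above, as an added example that is not code from the patent. The patent names neither the cipher nor how the key slice (sequence number 0) is itself protected, so this example assumes a pre-shared transport key between the two processors for slice 0, uses a stdlib HMAC-SHA256 counter keystream with an HMAC tag (encrypt-then-MAC) as a stand-in for the unnamed cipher, and assumes a fixed header layout (16-byte file ID, IPv4 target, port, sequence number, block length); the sender-side `make_slices` is included only to build sample input.

```python
import hashlib
import hmac
import secrets
import socket
import struct
from dataclasses import dataclass

TAG_LEN = 32
# Assumed wire header: file ID (16), target IPv4 (4), target port, seq no, block length.
HEADER = struct.Struct("!16s4sHII")


def _nonce(file_id: bytes, seq: int) -> bytes:
    return file_id + seq.to_bytes(4, "big")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stdlib stand-in for the patent's unnamed cipher.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_block(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC(key, nonce || ciphertext)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt_block(key: bytes, nonce: bytes, block: bytes) -> bytes:
    ct, tag = block[:-TAG_LEN], block[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("data encryption block failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Slice:
    file_id: bytes      # identifier ID of the file to be transmitted
    target_ip: str      # target three-party service system
    target_port: int
    seq: int            # 0 = key slice, >0 = file content
    block: bytes        # data encryption block (ciphertext + tag)


def pack_slice(s: Slice) -> bytes:
    return HEADER.pack(s.file_id, socket.inet_aton(s.target_ip), s.target_port,
                       s.seq, len(s.block)) + s.block


def parse_slice(buf: bytes) -> Slice:
    file_id, ip, port, seq, block_len = HEADER.unpack_from(buf)
    body = buf[HEADER.size:]
    if len(body) != block_len:  # the block length field says how many bytes to read
        raise ValueError("block length mismatch")
    return Slice(file_id, socket.inet_ntoa(ip), port, seq, body)


def make_slices(transport_key, file_id, ip, port, data, n, file_key=None):
    """First-processor side (sample input only): slice 0 carries the per-file key,
    slices 1..n carry the content, one slice per device of the n-device group."""
    file_key = file_key or secrets.token_bytes(32)
    chunk = -(-len(data) // n)  # ceiling division
    out = [pack_slice(Slice(file_id, ip, port, 0,
                            encrypt_block(transport_key, _nonce(file_id, 0), file_key)))]
    for i in range(1, n + 1):
        piece = data[(i - 1) * chunk:i * chunk]
        out.append(pack_slice(Slice(file_id, ip, port, i,
                                    encrypt_block(file_key, _nonce(file_id, i), piece))))
    return out


def reassemble(transport_key, wire_slices, allowed_ports):
    """Second-processor side: check the target port against the pre-configured ports,
    recover the key from slice 0, then decrypt and merge the rest by sequence number."""
    slices = sorted((parse_slice(b) for b in wire_slices), key=lambda s: s.seq)
    if not slices or slices[0].seq != 0:
        raise ValueError("key slice (sequence number 0) missing")
    key_slice = slices[0]
    if key_slice.target_port not in allowed_ports:  # refuse before doing any decryption
        raise PermissionError(f"target port {key_slice.target_port} not in service range")
    file_key = decrypt_block(transport_key, _nonce(key_slice.file_id, 0), key_slice.block)
    data = b"".join(decrypt_block(file_key, _nonce(s.file_id, s.seq), s.block)
                    for s in slices[1:] if s.file_id == key_slice.file_id)
    return key_slice.target_ip, key_slice.target_port, data
```

Slices may arrive in any order because the sort is by sequence number; a tampered block fails the tag check before any content is merged.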
Preferably, to improve the efficiency of cross-network data transmission, the system further includes a plurality of first service nodes located in the first network area and a plurality of second service nodes located in the second network area. The first service nodes and the second service nodes are configured with adaptation interfaces for the unidirectional transmission equipment, which are encapsulated and connected to the unidirectional transmission equipment in the form of web interfaces.
Specifically, the service nodes correspond one to one with the transmission queues. Each first service node receives and compresses the data slices of its transmission queue, which improves their transmission efficiency, and then transmits them through the corresponding one-way transmission equipment group; because the data slices of several transmission queues are processed by several service nodes at the same time, data processing and transmission efficiency is improved.
Correspondingly, each second service node receives the data slices transmitted by its first service node, decompresses them, and passes the decompressed data slices to the second processor.
In order to prevent files of a high security level from flowing into a network area of lower security level, and sensitive information from leaking out, the first processor is further configured to:
check, through the corresponding antivirus service, whether the file to be transmitted contains a virus; if so, terminate the transmission and return feedback informing the client user that the file contains a virus; if not, scan the file to obtain its security classification information and its data content;
compare the security level of the file with the permitted security level of the second network area to determine whether it is higher than the permitted level; if it is not, compare the file data with the sensitive-information words in the database and replace any sensitive words in the file with preset symbols; if it is, terminate the transmission of the file. In this way, secure transmission of the file to be transmitted is achieved.
Preferably, the second processor is further configured to record the sender, subject, sending time, data security level, receiver, and receiving time of each file transmitted, so that every file to be transmitted is traceable and auditable.
Preferably, the first processor and the second processor are each configured with the identifier, service IP and port of every three-party service system allowed to access them, and use these to check, when a three-party service system requests access, whether the identifier is legal and whether the service IP and port match. In addition, the first processor and the second processor each exchange data with their respective three-party service systems through a TCP/UDP application-layer protocol interface, which improves the efficiency and security of cross-network data transmission for the three-party service systems.
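The first processor's pre-transmission policy (virus result, security-level comparison, sensitive-word replacement) and the access allowlist both processors keep for three-party service systems, as one added example that is not code from the patent. Assumptions, all constructed: integer security levels where a larger number is more sensitive, the antivirus verdict passed in as a boolean from whatever scanner is used, sensitive words replaced character for character with `*`, and the identifier/IP/port allowlist contents.

```python
import re
from dataclasses import dataclass


@dataclass
class Outbound:
    name: str
    security_level: int   # constructed scale: larger number = more sensitive
    content: str


def gate_for_transfer(item, permitted_level, sensitive_words, virus_found=False):
    """Checks run in the order the text gives: virus -> security level -> sensitive words.
    Returns ("deny", reason) or ("allow", sanitized content)."""
    if virus_found:
        return "deny", f"{item.name}: antivirus service reported a virus"
    if item.security_level > permitted_level:
        return "deny", (f"{item.name}: security level {item.security_level} exceeds "
                        f"the permitted level {permitted_level} of the second network area")
    if not sensitive_words:
        return "allow", item.content
    # Longest words first, so a phrase is not left half-redacted by a shorter word inside it.
    pattern = re.compile("|".join(re.escape(w) for w in
                                  sorted(sensitive_words, key=len, reverse=True)))
    return "allow", pattern.sub(lambda m: "*" * len(m.group()), item.content)


# Constructed allowlist: identifier of a three-party service system -> (service IP, port).
ALLOWED_SYSTEMS = {"erp-01": ("10.20.0.7", 9001), "oa-02": ("10.20.0.8", 9002)}


def authorize_access(identifier, service_ip, port, allowed=ALLOWED_SYSTEMS):
    """A legal identifier AND a matching service IP and port are both required; a known
    identifier presented from an unexpected address or port is refused."""
    expected = allowed.get(identifier)
    return expected is not None and expected == (service_ip, port)
```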
The embodiment of the invention further discloses a cross-network data secure transmission method, implemented on the cross-network data secure transmission system disclosed above. As shown in fig. 2, the method comprises the following steps:
S110: using a first processor in a first network area, set a priority range for each transmission queue, slice and encrypt each file to be transmitted in the current transmission period of the first network area to obtain a preset number of encrypted data slices, cache the data slices in the transmission queue matching the priority of the file, and transmit them through a one-way transmission equipment group whose transmission rate matches that priority range.
S120: using a second processor in a second network area, receive the data slices corresponding to each file transmitted by the first processor, decrypt and merge them to obtain the file to be transmitted, and deliver it to the target three-party service system in the second network area.
Preferably, the priority range of each transmission queue matches the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group includes a plurality of unidirectional transmission devices with the same transmission rate.
The step of transmitting the file to be transmitted using the first processor comprises:
reading the priority information of each file to be transmitted in the current transmission cycle in the first network area, and from it determining the transmission queue to which each file belongs;
sorting the files belonging to each transmission queue in descending order of priority, treating the preset number of data slices corresponding to each file as one group, caching the groups in the transmission queue in that order, and transmitting them through the matched one-way transmission equipment group in caching order. The preset number equals the number of unidirectional transmission devices in the unidirectional transmission device group; the data slices in each group correspond one to one with the devices in the group, and each data slice is transmitted through its corresponding unidirectional transmission device.
Preferably, the step of transmitting the file to be transmitted using the first processor further comprises:
when any transmission queue finishes its transmission first, fetching the lowest-priority untransmitted file from a transmission queue whose priority range is higher than that of the finished queue, caching it in the finished queue and transmitting it through the corresponding one-way transmission equipment group, or fetching the highest-priority untransmitted file from a transmission queue whose priority range is lower than that of the finished queue, caching it in the finished queue and transmitting it through the corresponding one-way transmission equipment group, until all files to be transmitted in the current transmission cycle have been transmitted.
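The queue assignment, descending sort and work-stealing rule of the steps above (and of the worked illustration earlier in the description), as an added event-driven simulation that is not code from the patent. Assumptions, all constructed: a larger priority number is more urgent and queue 1 holds the highest range; a file's slices go out in parallel over its device group, so a file takes size divided by the group's aggregate rate; and when several donor queues qualify, the one nearest in priority range is chosen.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class FileJob:
    name: str
    priority: int
    size_mb: float


@dataclass
class TxQueue:
    name: str
    lo: int                 # inclusive priority range handled by this queue
    hi: int
    rate_mbps: float        # aggregate rate of the matched one-way device group
    pending: list = field(default_factory=list)   # untransmitted files, descending priority
    log: list = field(default_factory=list)       # (file name, start, end) per transmission


def assign(files, queues):
    """Put each file into the queue whose range contains its priority, sorted descending."""
    for f in files:
        q = next(q for q in queues if q.lo <= f.priority <= q.hi)
        q.pending.append(f)
    for q in queues:
        q.pending.sort(key=lambda f: -f.priority)   # stable: equal priorities keep input order


def steal(q, queues):
    """q has finished its own files: take the lowest-priority untransmitted file from a
    higher-range queue, otherwise the highest-priority one from a lower-range queue."""
    higher = [o for o in queues if o.lo > q.hi and o.pending]
    if higher:
        return min(higher, key=lambda o: o.lo).pending.pop()     # last = lowest priority
    lower = [o for o in queues if o.hi < q.lo and o.pending]
    if lower:
        return max(lower, key=lambda o: o.hi).pending.pop(0)     # first = highest priority
    return None


def simulate(files, queues):
    """Run one transmission cycle; returns the time at which the last file finishes."""
    assign(files, queues)
    free_at = [(0.0, i) for i in range(len(queues))]   # (time the queue becomes free, index)
    heapq.heapify(free_at)
    while free_at:
        t, i = heapq.heappop(free_at)
        q = queues[i]
        job = q.pending.pop(0) if q.pending else steal(q, queues)
        if job is None:             # nothing left anywhere for this queue to do
            continue
        end = t + job.size_mb / q.rate_mbps
        q.log.append((job.name, t, end))
        heapq.heappush(free_at, (end, i))
    return max((end for q in queues for _, _, end in q.log), default=0.0)


def build_queues():
    # Constructed: three queues, faster device group for the higher priority range.
    return [TxQueue("Q1", 7, 9, 100.0), TxQueue("Q2", 4, 6, 50.0), TxQueue("Q3", 1, 3, 10.0)]


if __name__ == "__main__":
    qs = build_queues()
    files = [FileJob("A", 9, 100), FileJob("B", 8, 100), FileJob("C", 7, 100),
             FileJob("D", 5, 50), FileJob("E", 2, 10), FileJob("F", 1, 10)]
    print("cycle finishes at", simulate(files, qs))
    for q in qs:
        print(q.name, [name for name, _, _ in q.log])
```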
Compared with the prior art, the cross-network data secure transmission system and method disclosed in the embodiments of the invention first slice and encrypt files of different priorities into a plurality of encrypted data slices, cache those slices in transmission queues with different priority ranges, and then transmit each queue through a one-way transmission equipment group whose transmission rate matches the queue's priority range. Files of different priority ranges are thus transmitted simultaneously, which greatly improves transmission efficiency. Within each transmission period, files of the appropriate priority are taken from a queue that has not finished transmitting, cached in a queue that has, and transmitted through that queue's one-way transmission equipment group, which raises the transmission efficiency of the whole system. In addition, the key for decrypting the data slices is carried separately in its own data slice: the receiving end obtains the key from the slice with the designated sequence number, and decrypts and merges the data slices with the other sequence numbers using that key to obtain the file to be transmitted, which improves the security of cross-network data transmission to a great extent.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.

Claims (10)

1. A system for secure transmission of data across a network, comprising:
a first processor located in a first network region, and a second processor located in a second network region; the first network region is physically isolated from the second network region and communicates through a plurality of unidirectional transmission device groups;
the first processor is used for setting a priority range of each transmission queue, correspondingly slicing and encrypting each file to be transmitted in a current transmission period of a first network area to obtain a preset number of encrypted data slices, caching the corresponding data slices in the corresponding transmission queues according to the priority of the file to be transmitted, and transmitting the file through a one-way transmission equipment group with a transmission rate matched with the priority range;
and the second processor is used for receiving the data slice corresponding to each file to be transmitted by the first processor, decrypting and combining the data slices to obtain the file to be transmitted, and transmitting the file to a target three-party service system in a second network area.
2. The system according to claim 1, wherein the priority range of each transmission queue matches the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group includes a plurality of unidirectional transmission devices with the same transmission rate;
the first processor is specifically configured to:
reading priority information of each file to be transmitted in a current transmission cycle in a first network area, and further determining a transmission queue to which each file to be transmitted belongs;
sorting all files to be transmitted belonging to each transmission queue in descending order of priority, taking the preset number of data slices corresponding to each file to be transmitted as one group, caching the groups in the transmission queue in that order, and transmitting them through the matched one-way transmission equipment group in caching order; wherein the preset number is the same as the number of unidirectional transmission devices in the unidirectional transmission device group, the data slices in each group correspond one to one with the unidirectional transmission devices in the group, and each data slice is transmitted through its corresponding unidirectional transmission device.
3. The system according to claim 2, wherein the first processor is further configured to:
when any transmission queue finishes transmission first, fetching the lowest-priority untransmitted file to be transmitted from a transmission queue whose priority range is higher than that of the finished transmission queue, caching it in the finished transmission queue and transmitting it through the corresponding one-way transmission equipment group, or fetching the highest-priority untransmitted file to be transmitted from a transmission queue whose priority range is lower than that of the finished transmission queue, caching it in the finished transmission queue and transmitting it through the corresponding one-way transmission equipment group, until all files to be transmitted in the current transmission cycle have been transmitted.
4. The system according to claim 2, wherein the data slice comprises an identifier ID of a file to be transmitted, a target IP address, a target port, a data block sequence number, a data encryption block length, and a data encryption block;
the second processor is specifically configured to:
when the received data block serial number is 0, decrypting the data encryption block based on the corresponding data encryption block length to obtain a key;
when the received data block serial number is greater than 0, decrypting the data encryption block based on the corresponding data encryption block length and the key to obtain file data to be transmitted contained in the data slice;
merging the file data to be transmitted obtained by decryption to obtain the file to be transmitted;
and transmitting the file to be transmitted to a target three-party service system according to the target IP address and the target port.
5. The system according to claim 4, further comprising a plurality of first service nodes located in a first network region and a plurality of second service nodes located in a second network region; a plurality of the first service nodes and a plurality of the second service nodes are configured with adaptation interfaces of the unidirectional transmission equipment;
each first service node is used for receiving the data slice in the corresponding transmission queue, compressing the data slice and transmitting the data slice through the corresponding one-way transmission equipment group;
each second service node is used for correspondingly receiving the data slice transmitted by the first service node, decompressing the data slice and transmitting the data slice to the second processor.
6. The system according to claim 2, wherein the first processor is further configured to:
acquiring the security level of the file to be transmitted and the file data to be transmitted;
comparing the security level of the file to be transmitted with the permitted security level of the second network area to judge whether the security level is higher than the permitted security level of the second network area, if not, comparing the file data to be transmitted with sensitive information words in a database, and replacing the sensitive information words in the file to be transmitted with preset symbols; if so, terminating the transmission of the file to be transmitted.
7. The system of claim 3, wherein the first processor and the second processor are each configured with an identifier, a service IP and a port of each three-party service system allowed to access them, and are configured to determine, when a three-party service system requests access, whether the identifier is legal and whether the service IP and the port match.
8. A cross-network data secure transmission method, implemented on the system of any one of claims 1 to 7, comprising the following steps:
setting a priority range of each transmission queue by using a first processor of a first network area, slicing and encrypting each file to be transmitted in a current transmission period of the first network area correspondingly to obtain a preset number of encrypted data slices, caching the corresponding data slices in the corresponding transmission queues according to the priority of the file to be transmitted, and transmitting the file through a one-way transmission equipment group with a transmission rate matched with the priority range;
and receiving the data slice corresponding to each file to be transmitted by the first processor by using a second processor in the second network area, decrypting and combining to obtain the file to be transmitted, and transmitting the file to a target three-party service system in the second network area.
9. The method according to claim 8, wherein the priority range of each transmission queue matches the transmission rate of a unidirectional transmission device group, and each unidirectional transmission device group comprises a plurality of unidirectional transmission devices with the same transmission rate;
the step of transmitting the file to be transmitted by using the first processor comprises the following steps:
reading priority information of each file to be transmitted in a current transmission cycle in a first network area, and further determining a transmission queue to which each file to be transmitted belongs;
sorting all files to be transmitted belonging to each transmission queue in descending order of priority, taking the preset number of data slices corresponding to each file to be transmitted as one group, caching the groups in the transmission queue in that order, and transmitting them through the matched one-way transmission equipment group in caching order; wherein the preset number is the same as the number of unidirectional transmission devices in the unidirectional transmission device group, the data slices in each group correspond one to one with the unidirectional transmission devices in the group, and each data slice is transmitted through its corresponding unidirectional transmission device.
10. The method for securely transmitting data across a network according to claim 9, wherein the step of transmitting the file to be transmitted by using the first processor further comprises:
when any transmission queue finishes transmission first, fetching the lowest-priority untransmitted file to be transmitted from a transmission queue whose priority range is higher than that of the finished transmission queue, caching it in the finished transmission queue and transmitting it through the corresponding one-way transmission equipment group, or fetching the highest-priority untransmitted file to be transmitted from a transmission queue whose priority range is lower than that of the finished transmission queue, caching it in the finished transmission queue and transmitting it through the corresponding one-way transmission equipment group, until all files to be transmitted in the current transmission cycle have been transmitted.
CN202110468895.1A 2021-04-28 2021-04-28 Cross-network data secure transmission system and method Pending CN113114589A (en)


Publications (1)

Publication Number Publication Date
CN113114589A true CN113114589A (en) 2021-07-13

Family

ID=76720318



Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114944864A (en) * 2022-05-12 2022-08-26 中国电子科技集团公司第五十四研究所 Cross-network-area safe and efficient transmission method for remote sensing satellite original code stream data
CN114944864B (en) * 2022-05-12 2024-05-28 中国电子科技集团公司第五十四研究所 Safe and efficient transmission method for remote sensing satellite original code stream data across network areas
CN114996198A (en) * 2022-08-03 2022-09-02 中国空气动力研究与发展中心计算空气动力研究所 Cross-processor data transmission method, device, equipment and medium
CN114996198B (en) * 2022-08-03 2022-10-21 中国空气动力研究与发展中心计算空气动力研究所 Cross-processor data transmission method, device, equipment and medium
CN116633993A (en) * 2023-07-25 2023-08-22 中邮消费金融有限公司 Cross-network micro-service calling method, device, equipment and storage medium
CN116633993B (en) * 2023-07-25 2023-10-10 中邮消费金融有限公司 Cross-network micro-service calling method, device, equipment and storage medium
CN116827883A (en) * 2023-08-25 2023-09-29 明度智云(浙江)科技有限公司 SCADA system offline data caching method, device and storage medium
CN116827883B (en) * 2023-08-25 2023-11-17 明度智云(浙江)科技有限公司 SCADA system offline data caching method, device and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220322
Address after: 100048 703-1, 6th floor, building 8, yard 50, Xisanhuan North Road, Haidian District, Beijing
Applicant after: Beijing Zhonghong Lida Xinchuang Technology Co.,Ltd.
Applicant after: BEIJING LEADAL TECHNOLOGY DEVELOPMENT Co.,Ltd.
Address before: 100048 703-1, 6th floor, building 8, yard 50, Xisanhuan North Road, Haidian District, Beijing
Applicant before: Beijing Zhonghong Lida Xinchuang Technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication
Application publication date: 20210713