CN113378205A - Method for data reverse transmission across security domains - Google Patents


Info

Publication number
CN113378205A
Authority
CN
China
Prior art keywords
data
identification
unique
list
data packet
Prior art date
Legal status
Pending
Application number
CN202110768916.1A
Other languages
Chinese (zh)
Inventor
朱振荣
李子峥
孙慧洋
刘文静
张月冬
Current Assignee
BEIJING SONICOM NETWORK SYSTEM CO LTD
First Research Institute of Ministry of Public Security
Original Assignee
BEIJING SONICOM NETWORK SYSTEM CO LTD
First Research Institute of Ministry of Public Security
Priority date
2021-07-07
Filing date
2021-07-07
Publication date
2021-09-10
Application filed by BEIJING SONICOM NETWORK SYSTEM CO LTD, First Research Institute of Ministry of Public Security

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures


Abstract

The invention discloses a method for data reverse transmission across security domains, comprising the following specific steps: S1, acquiring an original data unit in a data packet that needs forward transmission, performing an identity identification operation on the original data unit to obtain a unique identifier, and storing the unique identifier in an identifier list; S2, when a data packet needs to be transmitted in reverse, acquiring the data unit to be examined in that data packet, performing the identity identification operation on it to obtain a unique identifier, reading the identifier list and comparing the obtained unique identifier with the unique identifiers in the list; if a matching unique identifier is found in the list, the data packet is released; otherwise, the data packet is prohibited from being released. The invention simplifies the security examination of data by the intranet processing unit and improves the efficiency of cross-security-domain communication.

Description

Method for data reverse transmission across security domains
Technical Field
The invention relates to the technical field of data security, in particular to a method for reverse transmission of data across security domains.
Background
With the development of network technology, there is a need for cross-domain communication, both within an organization and between different organizations located in different network domains, for cooperative work. Cross-domain communication refers to the transfer of information between two or more networks or areas that enforce different security policies. In cross-domain communication, data is primarily transmitted through an isolation switching device, as shown in fig. 1.
The cross-domain transmission of data includes forward transmission and reverse transmission. Forward transmission refers to raw data being generated or collected in a low security domain and then converged into a high security domain; transmission in the opposite direction is reverse transmission. In the process of cross-domain transmission, the isolation switching device is mainly responsible for the security review and exchange of data, and consists of an intranet processing unit, an extranet processing unit and an isolation and switching control unit, as shown in fig. 2.
The steps of data forward transmission are as follows:
(1) The extranet processing unit first carries out security examination, such as filtering and content scanning, on the forward transmitted data; if the data passes the security examination, the data is encapsulated with a custom protocol.
(2) The isolation and switching control unit controls the connection to the intranet and extranet processing units through a switch, and ferries the data from the previous step to the intranet processing unit.
(3) The intranet processing unit splits the data packet to obtain the original data, encapsulates the data with a general protocol and sends the encapsulated data to the intranet.
The steps of data reverse transmission are as follows:
(1) The intranet processing unit first carries out security examination, such as filtering and content scanning, on the reverse transmitted data; if the data passes the security examination, the data is encapsulated with a custom protocol.
(2) The isolation and switching control unit controls the connection to the intranet and extranet processing units through a switch, and ferries the data from the previous step to the extranet processing unit.
(3) The extranet processing unit splits the data packet to obtain the original data, encapsulates the data with a general protocol and sends the data to the extranet.
Some of the forward transmitted data is non-sensitive, yet after it enters the high security domain, if it needs to be transmitted in reverse, the full series of security checks is still carried out, which affects the efficiency of data exchange. If the data is of a kind that is difficult to review, such as audio and video, even more resources and cost are consumed.
If the non-sensitive original data among the data needing reverse transmission can be quickly identified, the security examination step performed by the intranet processing unit can be simplified to a certain extent, and the efficiency of cross-security-domain communication improved.
Disclosure of Invention
In view of the deficiencies of the prior art, the present invention is directed to a method for reverse transmission of data across security domains.
In order to achieve the purpose, the invention adopts the following technical scheme:
A method for data reverse transmission across security domains comprises the following specific steps:
S1, acquiring an original data unit in a data packet that needs forward transmission, performing an identity identification operation on the original data unit to obtain a unique identifier, and storing the unique identifier in an identifier list;
S2, when a data packet needs to be transmitted in reverse, acquiring the data unit to be examined in that data packet, performing the identity identification operation on it to obtain a unique identifier, reading the identifier list and comparing the obtained unique identifier with the unique identifiers in the list; if a matching unique identifier is found in the list, the data packet is released; otherwise, the data packet is prohibited from being released.
Further, the original data unit is raw data that has already been security-reviewed by the isolation switching device.
Further, the identity identification operation is an operation capable of ensuring data integrity, and the unique identifier is the unique value calculated by that operation.
Further, the operation capable of ensuring data integrity is a hash operation, a message authentication code, or a digital signature cryptographic operation.
Further, the identifier list is tamper-resistant.
Further, the identifier list is deployed on a blockchain, or a signing device is used to sign the unique identifiers in the identifier list, so as to prevent tampering.
Further, during forward transmission, when an original data unit is judged to be sensitive data, the unique identifier corresponding to that original data unit is deleted from the identifier list, so that only the unique identifiers of non-sensitive original data remain stored in the identifier list.
Further, the data unit to be examined is data that has not yet undergone security review.
Further, in step S2, if the data packet is not released, the isolation switching device additionally performs a security check on the data unit to be examined and determines whether reverse transmission is possible.
The invention has the following beneficial effects:
(1) The security examination process for reverse transmitted data is simplified, various data types such as text, pictures and video are supported, the efficiency of security examination is improved, and resource consumption is reduced.
(2) Each piece of non-sensitive original data corresponds to a tamper-resistant unique identifier, so security is high.
(3) The unique identifier is obtained by performing the identity identification operation on the original data unit, so any modification of the original data is effectively detected, preventing modified data from carrying sensitive data out.
Drawings
FIG. 1 is a diagram of a conventional cross-domain communication;
FIG. 2 is a schematic diagram of a conventional isolated switching device;
FIG. 3 is a schematic diagram of an embodiment of the present invention.
Detailed Description
The present invention will be further described with reference to the accompanying drawings, and it should be noted that the present embodiment is based on the technical solution, and the detailed implementation and the specific operation process are provided, but the protection scope of the present invention is not limited to the present embodiment.
Example 1
The present embodiment provides a method for data reverse transmission across security domains, as shown in fig. 3. The specific process is as follows.
Unidirectional optical gate A performs the identity identification operation on the forward transmitted data packet and obtains the unique identifier as follows:
1) Unidirectional optical gate A acquires the original data unit, namely the original video data, in the forward transmitted data packet, and performs security examination on the original data unit;
2) after the security examination of the original video data is finished, unidirectional optical gate A hashes the data with the SHA3-224 function to obtain a hash value X, as shown in table 1.
TABLE 1 Cross-domain data information (table image not reproduced)
3) Unidirectional optical gate A stores X in the identifier list (note that unidirectional optical gate A only has append permission on the identifier list), and synchronizes it to each node of the blockchain on which the identifier list is located, so as to prevent tampering.
4) After the video data enters the high security domain, it is judged to be non-sensitive data, so its corresponding hash value remains stored in the identifier list and is not deleted.
5) The flow ends.
The flow by which unidirectional optical gate B checks the reverse transmitted data packet is as follows:
1) Unidirectional optical gate B acquires the data unit to be examined in the reverse transmitted data packet;
2) unidirectional optical gate B hashes the data with the same SHA3-224 function as unidirectional optical gate A to obtain a hash value Y, as shown in table 2;
TABLE 2 (table image not reproduced)
3) Unidirectional optical gate B reads the identifier list (note that unidirectional optical gate B only has read-only permission on the identifier list) and compares Y with the hash values in the list; it finds that the hash value X in the list equals Y, which indicates that the data unit to be examined is non-sensitive original data, so the data is released and allowed to be transmitted in reverse;
4) the flow ends.
Example 2
The present embodiment provides a method for data reverse transmission across security domains, as shown in fig. 3. The specific process is as follows.
Unidirectional optical gate A performs the identity identification operation on the forward transmitted data packet and obtains the unique identifier as follows:
1) Unidirectional optical gate A acquires the original data unit, namely the original txt text data, in the forward transmitted data packet, and performs security examination on the original data unit;
2) after the security examination of the original txt text data is finished, unidirectional optical gate A hashes the data with the SHA3-224 function to obtain a hash value X, as shown in table 3;
TABLE 3 (table image not reproduced)
3) Unidirectional optical gate A stores X in the identifier list (note that unidirectional optical gate A only has append permission on the identifier list), and synchronizes it to each node of the blockchain on which the identifier list is located, so as to prevent tampering.
4) After the txt text data enters the high security domain, it is judged to be non-sensitive data, so its corresponding hash value remains stored in the identifier list and is not deleted.
5) The flow ends.
The flow by which unidirectional optical gate B checks the reverse transmitted data packet is as follows:
1) Unidirectional optical gate B acquires the data unit to be examined in the reverse transmitted data packet;
2) unidirectional optical gate B hashes the data with the same SHA3-224 function as unidirectional optical gate A to obtain a hash value Y, as shown in table 4;
TABLE 4 (table image not reproduced)
3) Unidirectional optical gate B reads the identifier list (note that unidirectional optical gate B only has read-only permission on the identifier list) and compares Y with the hash values in the list; it finds no hash value equal to Y, which indicates that the data unit to be examined is not unmodified original data, so reverse transmission is not permitted on this basis;
4) unidirectional optical gate B performs a further security examination on the data, confirms that the data meets the security requirements, releases the data and allows it to be transmitted in reverse;
5) the flow ends.
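The two-gate procedure of Examples 1 and 2 (steps S1 and S2 of the disclosure), as an added Python example that is not part of the patent: gate A hashes each security-reviewed unit with SHA3-224 and appends it to the identifier list, deleting it again if the unit is judged sensitive; gate B hashes the unit to be examined and releases it only on a match, otherwise falling back to a full security examination. The per-entry HMAC tag, its key and the sample byte strings are assumptions standing in for the signing device of claim 6.

```python
import hashlib
import hmac

# Constructed sample data units standing in for the forward-transmitted payloads.
VIDEO_UNIT = b"constructed sample: raw video bytes"
TXT_UNIT = b"constructed sample: raw txt text"
EDITED_TXT_UNIT = b"constructed sample: raw txt text, edited inside the high domain"

# Assumption: the patent's "signing device" is modelled with an HMAC key that gate A
# uses to tag each list entry and gate B uses only to verify entries it reads.
LIST_KEY = b"constructed signing-device key"


def identity_op(unit: bytes) -> str:
    """Identity identification operation of the patent: SHA3-224 over the raw unit."""
    return hashlib.sha3_224(unit).hexdigest()


def entry_tag(ident: str) -> str:
    """Tag a list entry so that a modified or injected identifier is detected."""
    return hmac.new(LIST_KEY, ident.encode(), "sha3_224").hexdigest()


class IdentifierList:
    """Shared identifier list: gate A appends and deletes, gate B only reads."""

    def __init__(self) -> None:
        self._entries = {}  # identifier -> tag

    def append(self, ident: str) -> None:
        self._entries[ident] = entry_tag(ident)

    def delete(self, ident: str) -> None:
        self._entries.pop(ident, None)

    def lookup(self, ident: str) -> bool:
        tag = self._entries.get(ident)
        # Constant-time compare; a tampered entry fails to verify and counts as absent.
        return tag is not None and hmac.compare_digest(tag, entry_tag(ident))


def gate_a_forward(ident_list: IdentifierList, unit: bytes, sensitive: bool) -> str:
    """Step S1: hash the security-reviewed unit; keep the hash only if non-sensitive."""
    x = identity_op(unit)
    ident_list.append(x)
    if sensitive:  # claim 7: identifiers of sensitive units are removed from the list
        ident_list.delete(x)
    return x


def gate_b_reverse(ident_list: IdentifierList, unit: bytes) -> str:
    """Step S2: hash the unit to be examined and compare it with the list."""
    y = identity_op(unit)
    if ident_list.lookup(y):
        return "release"          # unmodified non-sensitive original data
    return "further-review"       # claim 9: fall back to the full security check


if __name__ == "__main__":
    lst = IdentifierList()
    gate_a_forward(lst, VIDEO_UNIT, sensitive=False)
    gate_a_forward(lst, TXT_UNIT, sensitive=False)
    print(gate_b_reverse(lst, VIDEO_UNIT))        # release
    print(gate_b_reverse(lst, EDITED_TXT_UNIT))   # further-review
```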
Various corresponding changes and modifications can be made by those skilled in the art based on the above technical solutions and concepts, and all such changes and modifications should be included in the protection scope of the present invention.

Claims (9)

1. A method for data reverse transmission across security domains, characterized by comprising the following specific steps:
S1, acquiring an original data unit in a data packet that needs forward transmission, performing an identity identification operation on the original data unit to obtain a unique identifier, and storing the unique identifier in an identifier list;
S2, when a data packet needs to be transmitted in reverse, acquiring the data unit to be examined in that data packet, performing the identity identification operation on it to obtain a unique identifier, reading the identifier list and comparing the obtained unique identifier with the unique identifiers in the list; if a matching unique identifier is found in the list, the data packet is released; otherwise, the data packet is prohibited from being released.
2. The method of claim 1, wherein the original data unit is raw data that has already been security-reviewed by an isolation switching device.
3. The method of claim 1, wherein the identity identification operation is an operation capable of ensuring data integrity, and the unique identifier is the unique value calculated by that operation.
4. The method of claim 3, wherein the operation capable of ensuring data integrity is a hash operation, a message authentication code, or a digital signature cryptographic operation.
5. The method of claim 1, wherein the identifier list is tamper-resistant.
6. The method of claim 5, wherein the identifier list is deployed on a blockchain, or the unique identifiers in the identifier list are signed using a signing device, so as to prevent tampering.
7. The method of claim 1, wherein during forward transmission, when an original data unit is judged to be sensitive data, the unique identifier corresponding to that original data unit is deleted from the identifier list, so as to ensure that all unique identifiers stored in the identifier list are those of non-sensitive original data.
8. The method of claim 1, wherein the data unit to be examined is data that has not yet undergone security review.
9. The method of claim 1, wherein in step S2, if the data packet is not released, the isolation switching device additionally performs a security check on the data unit to be examined and determines whether reverse transmission is possible.
CN202110768916.1A 2021-07-07 2021-07-07 Method for data reverse transmission across security domains Pending CN113378205A (en)


Publications (1)

Publication Number Publication Date
CN113378205A true CN113378205A (en) 2021-09-10



Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102902675A (en) * 2011-07-26 2013-01-30 腾讯科技(深圳)有限公司 Picture content approval method and device
US8739270B1 (en) * 2009-01-28 2014-05-27 The Boeing Company Trusted, cross domain information sharing between multiple legacy and IP based devices
CN105681305A (en) * 2016-01-15 2016-06-15 北京工业大学 SDN firewall system and implementation method
CN106060003A (en) * 2016-05-09 2016-10-26 北京航天数控系统有限公司 Network boundary unidirectional isolated transmission device


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710360A (en) * 2022-04-15 2022-07-05 北京全路通信信号研究设计院集团有限公司 Audit-based inside-out data secure transmission method and system and electronic equipment
CN114710360B (en) * 2022-04-15 2024-01-19 北京全路通信信号研究设计院集团有限公司 Audit-based inside-to-outside data security transmission method and system and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination