CN113518078A - Cross-network data sharing method, information demander, information provider and system - Google Patents


Info

Publication number: CN113518078A
Application number: CN202110610951.0A
Authority: CN (China)
Prior art keywords: encryption, data, information, request, response
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 杨国元, 王小书, 方凯, 白伟, 伍柳伊, 吕晓军, 汪健雄, 吴兴华, 李超, 谢甲旭, 杨栋
Current assignee: China Academy of Railway Sciences Corp Ltd CARS; Institute of Computing Technologies of CARS (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: China Academy of Railway Sciences Corp Ltd CARS; Institute of Computing Technologies of CARS
Application filed by: China Academy of Railway Sciences Corp Ltd CARS; Institute of Computing Technologies of CARS
Priority: CN202110610951.0A (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Publication: CN113518078A

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s), using key encryption key
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, underlying computational problems or public-key parameters
    • H04L 9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes

Abstract

The invention provides a cross-network data sharing method, an information demander, an information provider and a system. The information demander encrypts the data request message it has generated to produce an encryption request and sends it to the network protection device, which converts the format of the encryption request and forwards it to the information provider. The information demander then receives an encrypted response returned by the network protection device and decrypts it to obtain the response data. The encrypted response is produced by the information provider, which decrypts the received encryption request to recover the data request message, constructs response data from that message, and encrypts the response data. The method, information demander, information provider and system realize cross-network data sharing while balancing the security of cross-network communication against its openness for sharing.

Description

Cross-network data sharing method, information demander, information provider and system
Technical Field
The invention relates to the technical field of cross-network transmission, and in particular to a cross-network data sharing method, an information demander, an information provider and a system.
Background
With the development of computer, communication and network security technology, organizations attach ever more importance to protecting their core data assets. To prevent internal core data from leaking, internal and external networks are physically isolated, and the internal network itself may be further divided into a safety production network, a private network, an internal service network, an external service network and so on; isolating and partitioning the network in this way raises its security level.
However, in today's environment of professional division of labour and cooperation, organizations increasingly need frequent data sharing and exchange across departments and industries, and network isolation becomes a barrier to cooperative sharing between each organization's internal and external networks. A data sharing method and system is therefore urgently needed to solve the problem of secure cross-network data sharing and exchange.
How to avoid obstructed data sharing between different networks while balancing the security of industry private networks against the openness needed for cross-network sharing therefore remains an urgent problem for those skilled in the art.
Disclosure of Invention
The invention provides a cross-network data sharing method, an information demander, electronic equipment and a storage medium, which address the problems that data sharing between different networks is obstructed and that the security of industry private networks and the openness of cross-network data sharing cannot be balanced.
The invention provides a cross-network data sharing method whose execution subject is the information demander, comprising the following steps:
the information demander encrypts the data request message it has generated to produce an encryption request, then sends the encryption request to the network protection device, so that the network protection device converts the format of the encryption request and forwards it to the information provider;
the information demander receives an encrypted response returned by the network protection device and decrypts it to obtain response data;
where the encrypted response is produced by the information provider by decrypting the received encryption request to obtain the request message, constructing response data from that message, and encrypting the response data.
According to the cross-network data sharing method provided by the invention, the information demander's encryption of the generated data request message to produce an encryption request specifically comprises:
the information demander encrypts the generated data request message with a preset key to obtain a data encryption value, encrypts the preset key with a public key to obtain a key encryption value, and generates the encryption request from the key encryption value and the data encryption value;
correspondingly, the information provider's receiving of the encryption request, decrypting it to obtain the request message, and encrypting the response data constructed from the request message to obtain the encrypted response specifically comprises:
after receiving the encryption request, the information provider decrypts the key encryption value in it with a private key to obtain the preset key, then decrypts the data encryption value in it with the preset key to obtain the request message;
the information provider encrypts the response data constructed from the request message with the preset key to obtain the encrypted response;
and decrypting the encrypted response to obtain response data specifically comprises:
decrypting the encrypted response with the preset key to obtain the response data;
where the public key and the private key form a matching pair.
According to the cross-network data sharing method provided by the invention, the preset key is generated afresh each time the information demander initiates a data request.
According to the cross-network data sharing method provided by the invention, the preset key further comprises a preset offset vector, which is applied whenever the preset key is used for encryption or decryption; the preset offset vector is either generated at random for the occasion or configured in advance as a fixed value.
According to the cross-network data sharing method provided by the invention, the information demander's encryption of the generated data request message to produce an encryption request specifically comprises:
the information demander encrypts the generated data request message with a preset key, then encrypts the result a second time with a public key to produce the encryption request;
correspondingly, the information provider's receiving of the encryption request, decrypting it to obtain the request message, and encrypting the response data constructed from the request message to obtain the encrypted response specifically comprises:
the information provider receives the encryption request, decrypts it with a private key, then decrypts the result a second time with the preset key to obtain the request message;
the information provider encrypts the response data constructed from the request message with the preset key to obtain the encrypted response;
and decrypting the encrypted response to obtain response data specifically comprises:
decrypting the encrypted response with the preset key to obtain the response data;
where the public key and the private key form a matching pair.
According to the cross-network data sharing method provided by the invention, the network protection device's format conversion of the encryption request and forwarding of it to the information provider specifically comprises:
the network protection device performs a security check on the encryption request and, if the check passes, forwards the encryption request to the information provider according to the configuration rule corresponding to that information provider.
According to the cross-network data sharing method provided by the invention, the public key is an RSA public key, the private key corresponding to it is an RSA private key, and the preset key is an AES key.
The invention also provides another cross-network data sharing method, comprising the following steps:
the information provider receives an encryption request sent by the network protection device and decrypts it to obtain a data request message;
the information provider constructs response data from the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, so that the network protection device converts the format of the encrypted response and forwards it to the information demander;
where the encryption request was sent to the network protection device by the information demander after it encrypted the data request message it had generated.
The invention also provides an information demander, comprising:
a first generating and sending unit, used by the information demander to encrypt the generated data request message to produce an encryption request and then send the encryption request to the network protection device, so that the network protection device converts the format of the encryption request and forwards it to the information provider;
a first receiving and decrypting unit, used by the information demander to receive the encrypted response returned by the network protection device and decrypt it to obtain response data;
where the encrypted response is produced by the information provider by decrypting the received encryption request to obtain the request message, constructing response data from that message, and encrypting the response data.
The present invention also provides an information provider, comprising:
a second receiving and decrypting unit, used by the information provider to receive the encryption request sent by the network protection device and decrypt it to obtain a data request message;
a second generating and sending unit, used by the information provider to construct response data from the data request message, encrypt the response data to obtain an encrypted response, and send the encrypted response to the network protection device, so that the network protection device converts the format of the encrypted response and forwards it to the information demander;
where the encryption request was sent to the network protection device by the information demander after it encrypted the data request message it had generated.
The invention also provides a cross-network data sharing system comprising the above information demander, the above information provider and a network protection device, where:
the information demander encrypts a data request message it has generated to obtain an encryption request and sends it to the network protection device, so that the network protection device converts the format of the encryption request and forwards it to the information provider;
the information provider receives the encryption request sent by the network protection device, decrypts it to obtain the data request message, constructs response data from the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, so that the network protection device converts the format of the encrypted response and forwards it to the information demander;
and the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain response data.
With the cross-network data sharing method, information demander, information provider and system described above, the information demander encrypts the data request message it has generated to produce an encryption request and sends it to the network protection device, which converts the format of the encryption request and forwards it to the information provider; the information demander then receives an encrypted response returned by the network protection device and decrypts it to obtain response data, the encrypted response having been produced by the information provider by decrypting the received encryption request to obtain the data request message, constructing response data from it and encrypting that data. Because the messages exchanged between the information demander and the information provider are sent and received in encrypted form, the information provider provides data selectively to the information demander of a specific network: only an information demander that has agreed the encryption and decryption algorithm with the information provider in advance can obtain data from it. And because the network protection device forwards the encrypted data in the middle, the forwarded encryption request meets the format requirement of the information provider, and the transmitted encrypted data can be received by the destination in that format. The method, information demander, information provider and system provided by the embodiment of the invention therefore realize cross-network data sharing while balancing the security of cross-network communication against its openness for sharing.
Drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a cross-network data sharing method according to the present invention;
FIG. 2 is a second flowchart of the cross-network data sharing method according to the present invention;
FIG. 3 is a schematic structural diagram of an information demander provided by the present invention;
FIG. 4 is a schematic structural diagram of an information demander provided by the present invention;
FIG. 5 is a schematic structural diagram of a cross-network data sharing system according to the present invention;
FIG. 6 is a schematic diagram of the physical structure of an electronic device provided by the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, embodiments of the present invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
Existing networks suffer from obstructed data sharing, and the security of industry private networks cannot be balanced against the openness of cross-network data sharing. A cross-network data sharing method of the present invention is described below with reference to FIG. 1, which is a schematic flow chart of the method with the information demander as its execution subject. As shown in FIG. 1, the method comprises:
Step 110: the information demander encrypts the data request message it has generated to produce an encryption request and sends the encryption request to the network protection device, so that the network protection device converts the format of the encryption request and forwards it to the information provider.
Specifically, the execution subject of the cross-network data sharing method provided by the invention is the information demander, that is, the party that needs to obtain data from a destination server. Because the application scenario is cross-network data sharing, the information demander sits on a different network from the information provider: the information provider may be an industry private network, such as a medical institution network or a power system network, while the information demander may be on the public internet or on another industry private network. For data to pass between the private networks of different industries, two things are needed: the two parties sharing data across networks must be authorized, and the structure of the messages transmitted during cross-network communication must be recognized and accepted by the receiver. First, authorization between the two parties is achieved by a pre-configured encryption and decryption scheme; that is, only an information demander that the information provider has authenticated as entitled to share data obtains an encryption and decryption key matching the information provider's. Only with a key that matches the information provider's can the information demander encrypt its data request message correctly, and only then can the information provider decrypt the encryption request with the matching key to obtain the real data request message; this is what ultimately enables normal interaction between the two parties and the secure transmission of the shared data from the information provider to the information demander.
Second, the information demander and the information provider exchange their messages through the network protection device, which converts the format of the encryption request to be forwarded accordingly: for example, it performs IP conversion on the encryption request according to the configuration rule and interface information of the information provider, and transmits the converted encryption request to the server corresponding to that IP (that is, the information provider).
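The following Go program is an added example, not code from the patent or from its assignee, of the part the network protection device plays in step 110. It holds no key, so it cannot read the request; it can only check that the request is a well-formed envelope and that the source is permitted to reach the named provider, and then rewrite the destination according to that provider's configuration rule (the "IP conversion" above). The JSON wire format, the expected field sizes (a 256-byte RSA-2048 OAEP key blob, a 12-byte AES-GCM nonce, a ciphertext of at least one 16-byte tag), the rule table and the documentation address ranges are all assumptions constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
)

// WireRequest is the constructed on-the-wire form of an encryption request.
// The gateway can read these fields but holds no key to decrypt any of them.
type WireRequest struct {
	Provider   string `json:"provider"`    // logical name of the information provider
	WrappedKey string `json:"wrapped_key"` // base64 of the RSA-encrypted preset key
	Nonce      string `json:"nonce"`       // base64 of the AES-GCM nonce
	Ciphertext string `json:"ciphertext"`  // base64 of the AES-GCM ciphertext
}

// Rule is one "configuration rule corresponding to the information provider".
type Rule struct {
	Internal  string   // provider address the request is rewritten to (the "IP conversion")
	AllowFrom []string // source networks allowed to reach this provider
}

type Gateway struct{ Rules map[string]Rule }

// Assumed envelope sizes: RSA-2048 OAEP output is 256 bytes, a GCM nonce is
// 12 bytes, and a GCM ciphertext carries at least its 16-byte tag.
const (
	wrappedKeyLen = 256
	nonceLen      = 12
	minCipherLen  = 16
	maxCipherLen  = 1 << 20
)

// Forward runs the security check and returns the internal destination for a
// well-formed, permitted request, or an error saying why it was dropped.
func (g Gateway) Forward(srcIP string, raw []byte) (string, error) {
	var req WireRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return "", fmt.Errorf("malformed request: %w", err)
	}
	rule, ok := g.Rules[req.Provider]
	if !ok {
		return "", errors.New("no configuration rule for provider " + req.Provider)
	}
	if !allowed(srcIP, rule.AllowFrom) {
		return "", fmt.Errorf("source %s not permitted for provider %s", srcIP, req.Provider)
	}
	// Structural checks only: the gateway verifies shape, never content.
	if !sized(req.WrappedKey, wrappedKeyLen, wrappedKeyLen) || !sized(req.Nonce, nonceLen, nonceLen) ||
		!sized(req.Ciphertext, minCipherLen, maxCipherLen) {
		return "", errors.New("request is not a well-formed envelope")
	}
	return rule.Internal, nil
}

// sized reports whether b64 decodes to between min and max bytes inclusive.
func sized(b64 string, min, max int) bool {
	b, err := base64.StdEncoding.DecodeString(b64)
	return err == nil && len(b) >= min && len(b) <= max
}

func allowed(ip string, cidrs []string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(addr) {
			return true
		}
	}
	return false
}

// SampleGateway is a constructed rule table using documentation address ranges.
func SampleGateway() Gateway {
	return Gateway{Rules: map[string]Rule{
		"rail-ops": {Internal: "192.0.2.10:8443", AllowFrom: []string{"203.0.113.0/24"}},
	}}
}

// SampleRequest builds a request for provider with correctly sized dummy
// (non-cryptographic) field contents, so the shape check can be exercised.
func SampleRequest(provider string, ctLen int) []byte {
	b64 := func(n int) string { return base64.StdEncoding.EncodeToString(make([]byte, n)) }
	raw, _ := json.Marshal(WireRequest{provider, b64(wrappedKeyLen), b64(nonceLen), b64(ctLen)})
	return raw
}

func main() {
	gw := SampleGateway()
	fmt.Println(gw.Forward("203.0.113.7", SampleRequest("rail-ops", 40)))  // forwarded
	fmt.Println(gw.Forward("198.51.100.7", SampleRequest("rail-ops", 40))) // source not allowed
	fmt.Println(gw.Forward("203.0.113.7", SampleRequest("rail-ops", 5)))   // too short to be GCM output
}
```

The point of the shape check is that a device which cannot decrypt can still refuse traffic that is not an envelope at all, and the allow-list keeps a provider reachable only from the demander networks it has authorized; Forward returns the reason for every drop so that a deployment can log it.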
Step 120: the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain response data;
where the encrypted response is produced by the information provider by decrypting the received encryption request to obtain the data request message, constructing response data from that message, and encrypting the response data.
Specifically, after receiving an encryption request that the network protection device has forwarded and that meets the information provider's format requirement, the information provider decrypts it to obtain the data request message. Note that the encryption and decryption algorithm between the information demander and the information provider is configured or negotiated in advance: because the information provider has authorized the corresponding information demander's right to access and obtain data beforehand, it only has to share with that demander a key that can encrypt and decrypt the exchanged messages. The pre-configuration or negotiation of the key pair can take several forms; for example, two double-layer encryption modes are available, each combining a preset key with a preset public/private key pair.
In the first mode, the information demander encrypts the data request message it constructed with the preset key to obtain a data encryption value, encrypts the preset key with the public key it holds to obtain a key encryption value, and assembles the key encryption value and the data encryption value into a data packet that is transmitted to the information provider via the network protection device in the middle. The information provider decrypts the key encryption value in the packet with its own private key matching that public key to obtain the preset key, then decrypts the data encryption value with the recovered preset key to obtain the content of the data request message. Here the preset key may be a random key generated by the information demander for the occasion, or a preset fixed key.
In the second mode, the information demander applies a first layer of encryption to the data sharing request message with a preset key that is configured in advance and agreed with the information provider, obtaining an initial encryption value; it then applies a second layer of encryption to the initial encryption value with the public key it holds, obtaining the encryption request, which is transmitted to the information provider through the intermediate forwarding of the network protection device.
Comparing the two double-layer modes: in the first, the preset key in the key pair may be generated by the information demander for the occasion or held on the demander's side, and must be transmitted to the information provider securely (that is, under public-key encryption) to accomplish key distribution and negotiation; in the second, both the public key and the preset key are pre-configured fixed values, set when the information provider authenticated the specific information demander entitled to share data and authorized the sharing, and the public and private keys may be changed periodically or at irregular intervals. After the information provider obtains the data request message, it parses and splits the message to obtain the query condition, extracts the data matching that condition from its corresponding interface data, processes, combines and assembles it into response data, then encrypts the response data to obtain the encrypted response and sends it to the network protection device.
Finally, the network protection device forwards the encrypted response to the information demander, which, on receiving it, decrypts it to obtain the response data. Throughout this interaction, every encryption request or encrypted response that the information demander and the information provider send to each other is produced by encryption under either the pre-configured fixed key or the random key the two parties negotiated for the occasion, and whichever party receives encrypted data decrypts it with the corresponding pre-configured fixed key or negotiated random key.
With the method provided by the invention, the information demander encrypts the data request message it has generated to produce an encryption request and sends it to the network protection device, which converts the format of the encryption request and forwards it to the information provider; the information demander then receives an encrypted response returned by the network protection device and decrypts it to obtain response data, the encrypted response having been produced by the information provider by decrypting the received encryption request to obtain the data request message, constructing response data from it and encrypting that data. Because the messages exchanged between the information demander and the information provider are sent and received in encrypted form, the information provider provides data selectively to the information demander of a specific network: only an information demander that has agreed the encryption and decryption algorithm with the information provider in advance can obtain data from it. And because the network protection device forwards the encrypted data in the middle, the forwarded encryption request meets the format requirement of the information provider, and the transmitted encrypted data can be received by the destination in that format. The method provided by the embodiment of the invention therefore realizes cross-network data sharing while balancing the security of cross-network communication against its openness for sharing.
Based on the above embodiment, in the method, the encrypting the generated data request message by the information demander to generate an encryption request specifically includes:
the information demand party encrypts the generated data request message by adopting a preset key to obtain a data encryption value, encrypts the preset key by adopting a public key to obtain a key encryption value, and generates an encryption request based on the key encryption value and the data encryption value;
correspondingly, the information provider receives the encryption request, decrypts the encryption request to obtain the request message, and encrypts the response data constructed based on the request message to obtain the encryption response, which specifically includes:
the information provider decrypts the key encryption value in the encryption request by using a private key after receiving the encryption request to obtain the preset key, and decrypts the data encryption value in the encryption request by using the preset key to obtain the request message;
the information provider encrypts response data constructed based on the request message by using the preset key to obtain an encrypted response;
the decrypting the encrypted response to obtain response data specifically includes:
decrypting the encrypted response by adopting the preset key to obtain response data;
wherein the public key and the private key correspond.
Specifically, the present embodiment further defines the encryption and decryption manner used when the information demander and the information provider interact. In the invention, the data request message or the response data exchanged by the two parties uses a double-layer encryption mode: when the information demand party sends a data request message, the message is encrypted at the first layer with a preset key, and the preset key is then encrypted at the second layer with the public key held by the information demand party. The message content is thus protected by the preset key and the preset key is protected by the public key, so the receiving party first decrypts the encrypted key with the private key matching the public key and, having recovered the preset key, decrypts the encrypted message content with it. The preset key may be a random key generated temporarily each time the information demander initiates a data sharing request, or a pre-configured fixed key stored and held by the information demander. To make encryption and decryption with the preset key safer, an offset vector, either newly generated at random or a preset fixed value, can be attached to the preset key and used to further offset the encryption result or the decryption result whenever the preset key is used for encryption or decryption; this adds one more rule on top of the encryption and decryption rule of the preset key and makes the preset key harder to break.
Optionally, to ensure the security of communication data in network communication, the HTTPS protocol and RSA encryption from the public key cryptosystem are used; however, because RSA operates slowly, the data to be transmitted is encrypted with AES, a fast and secure symmetric-key cipher, and RSA is then used to encrypt only the AES key, which provides both security and performance. Therefore, the preset key is preferably an AES key and the public-private key pair is an RSA encryption-decryption key pair, where the RSA public key and private key are generated by the server, the public key is placed at the client and the private key at the server; data to be transmitted is encrypted with the AES key serving as the preset key and then Base64 encoded, and before decryption it must be Base64 decoded; the character encoding is UTF-8.
Based on the above embodiment, in the method, the preset key is temporarily generated when the information demander initiates a data request each time.
Specifically, the present embodiment further defines how the preset key is generated, on the basis of the previous embodiment. In the above embodiment the preset key may be a fixed key distributed, together with the public key, to a specific information demander that the information provider has authenticated as authorized to share data, in which case the information demander stores and holds the fixed preset key for use when initiating a data sharing request; alternatively it may be a random key generated temporarily by the information demander each time it initiates a data sharing request. Because a temporarily generated random key never has to be stored and held, the embodiment preferably uses a temporarily generated random key as the preset key each time the information demander initiates a data request, avoiding the risk of leakage during storage; a temporarily generated random key is therefore the safer choice for the preset key.
Based on the above embodiment, in the method, the preset key is further accompanied by a preset offset vector, which is applied as an additional offset whenever the preset key is used for encryption or decryption, and which is either a temporarily and randomly generated value or a pre-configured fixed value.
Specifically, whether the preset key is a temporarily generated random key or a preset fixed key, an additional encryption and decryption rule can be layered on it: an offset vector is added in the encryption and decryption process. The offset vector can be randomly generated or a preset fixed vector, but in either case it is encrypted together with the preset key by the public key held by the information demand party and sent to the information provider. When the data encryption value is generated at the information demand party, the data request message is encrypted with the preset key and the offset vector is then applied to the encryption result; correspondingly, when the information provider decrypts the data encryption value in the encryption request with the recovered preset key, it applies the recovered offset vector to the decryption result. In this way the encryption and decryption modes match: wherever the preset key is used for encryption or decryption, the offset of the preset offset vector is additionally applied, so the rule of the preset offset vector is added to the encryption and decryption rule of the preset key and the transmitted data is more difficult to decipher and leak. Preferably, the offset vector is a random value generated temporarily each time the information demand side initiates a data sharing request, which avoids the risk of a preset fixed offset vector leaking while stored and held by the information demand side; a temporarily generated random vector is therefore the safer choice for the offset vector.
Based on the above embodiment, in the method, the encrypting the generated data request message by the information demander to generate an encryption request specifically includes:
the information demand party encrypts the generated data request message by adopting a preset secret key and then encrypts the message for the second time by adopting a public key to generate an encryption request;
correspondingly, the information provider receives the encryption request, decrypts the encryption request to obtain the request message, and encrypts the response data constructed based on the request message to obtain the encryption response, which specifically includes:
the information provider receives the encryption request, decrypts the encryption request by using a private key, and then decrypts the encryption request for the second time by using the preset key to obtain the request message;
the information provider encrypts response data constructed based on the request message by using the preset key to obtain an encrypted response;
the decrypting the encrypted response to obtain response data specifically includes:
decrypting the encrypted response by adopting the preset key to obtain response data;
wherein the public key and the private key correspond.
Specifically, the present embodiment provides another encryption and decryption method for the messages and data transmitted while the information demander and the information provider interact; it further specifies that the encryption and decryption key used in their interaction is a pre-configured fixed key (i.e., a preset key), and, to further secure message and data transmission, both the data request message and the response data are sent after double-layer encryption. Here the preset key is the first-layer key used to encrypt the original data, and the public key and private key pre-configured by the information provider and the information demander are used for the second-layer encryption. On receiving the encryption request or the encryption response, the receiver applies the corresponding double-layer decryption: first-layer decryption with the private key, then second-layer decryption with the preset key, which yields the data request message or the response data. Note that the public key and private key are a key pair configured in advance by the information provider and the information demander that also serves to authenticate the identity rights of both parties: only a specific information demander that the information provider has authorized to share data can obtain the public key and private key matching those of the information provider.
Based on the above embodiment, in the method, the network protection device performs format conversion on the encryption request and forwards the encryption request to the information provider, which specifically includes:
the network protection equipment carries out a security check on the encryption request, and if the encryption request passes the security check, the network protection equipment forwards it to the information provider according to the configuration rule corresponding to the information provider.
Specifically, the data request message generated by the information demander includes, but is not limited to, a requested service IP address or web address, a requested service name, a requested function, request parameters, and the like. The network protection device includes but is not limited to a firewall, a gatekeeper, a security platform, and the like. When the network protection equipment performs the security check on the encryption request sent by the information demander, it checks, audits and filters the request: if the request is illegal, or contains an illegal function, an illegal parameter or an illegal IP, or any combination of these, the encryption request is discarded, IP conversion is refused and no service is provided; only if the request contains no illegal request, illegal function, illegal parameter or illegal IP is it subjected to IP conversion according to the preset rule and sent to the server (namely the information provider) corresponding to the converted IP.
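As an added example of the check-then-convert step just described, the following Go program is not from the patent; it assumes that the requested service address, function and parameter names are visible to the protection device in the request envelope, uses RFC 5737 documentation addresses as a constructed configuration, and uses hypothetical names (Envelope, ProviderRule, Gate).

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Envelope is what the protection device inspects: the requested service address, function
// and parameter names that the page lists in the data request message, plus the demander's
// source address. Assumed here to be visible to the device in the clear (request headers).
type Envelope struct {
	SrcIP     string
	ServiceIP string   // address the demander asked for, before IP conversion
	Function  string
	Params    []string // parameter names only; values travel inside the encrypted body
}

// ProviderRule is the per-provider configuration rule the page says the device holds.
type ProviderRule struct {
	AllowedSources []netip.Prefix      // demander networks allowed to reach this provider
	Functions      map[string][]string // permitted function -> permitted parameter names
	TargetIP       string              // internal provider address substituted by IP conversion
}

// Gate performs the page's check-then-convert step: any illegal IP, function or parameter
// discards the request; otherwise the service address is rewritten to the provider's internal
// address. Deny by default: an unknown service address or function counts as illegal.
func Gate(rules map[string]ProviderRule, env Envelope) (string, error) {
	rule, ok := rules[env.ServiceIP]
	if !ok {
		return "", errors.New("discard: unknown service address")
	}
	src, err := netip.ParseAddr(env.SrcIP)
	if err != nil {
		return "", errors.New("discard: unparsable source address")
	}
	allowed := false
	for _, p := range rule.AllowedSources {
		allowed = allowed || p.Contains(src)
	}
	if !allowed {
		return "", fmt.Errorf("discard: illegal IP %s", env.SrcIP)
	}
	permitted, ok := rule.Functions[env.Function]
	if !ok {
		return "", fmt.Errorf("discard: illegal function %q", env.Function)
	}
	for _, name := range env.Params {
		if !contains(permitted, name) {
			return "", fmt.Errorf("discard: illegal parameter %q", name)
		}
	}
	return rule.TargetIP, nil // IP conversion: the request is forwarded to this address
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// SampleRules is a constructed configuration (RFC 5737 documentation addresses): one
// provider reachable only from one demander network, exposing a single function.
func SampleRules() map[string]ProviderRule {
	return map[string]ProviderRule{
		"203.0.113.10": {
			AllowedSources: []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")},
			Functions:      map[string][]string{"arrivals": {"station", "line"}},
			TargetIP:       "10.0.0.5",
		},
	}
}

func main() {
	rules := SampleRules()
	for _, env := range []Envelope{
		{SrcIP: "198.51.100.7", ServiceIP: "203.0.113.10", Function: "arrivals", Params: []string{"station"}},
		{SrcIP: "192.0.2.1", ServiceIP: "203.0.113.10", Function: "arrivals"},
		{SrcIP: "198.51.100.7", ServiceIP: "203.0.113.10", Function: "arrivals", Params: []string{"station", "sql"}},
	} {
		target, err := Gate(rules, env)
		fmt.Println(target, err)
	}
}
```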
Based on the above embodiment, in the method, the public key is an RSA public key, the private key corresponding to the public key is an RSA private key, and the preset key is an AES key.
Specifically, the physical type of the public key and private key is RSA and the physical type of the preset key is AES. For the scenario in which the preset key is a pre-configured fixed key, an encryption/decryption mode is specifically provided. The information demand party encrypts the request data with the AES key to obtain a data encryption value, where the requested data includes but is not limited to a data format, a type, a field and the like; the information demand party then encrypts the AES key with the RSA public key it owns to obtain the key encryption value, uses the data encryption value as the data packet content, places the key encryption value in a custom request header, and sends the packet to the network security protection equipment to initiate the request for the shared demand information. For example, in a comprehensive transfer junction station there are various means of transport such as high-speed rail, subway, aviation and buses, and each transport enterprise needs the passenger transport information of the others in order to provide passengers with convenient connections and quick transfers. Taking the railway information system of the comprehensive junction station as the party with the sharing demand, the railway information system needs the arrival and departure times, stops, passenger flow volume and other information of the subway trains. The railway information system uses a pre-configured AES key consistent with the railway information system of the comprehensive junction station, splices and assembles a shared demand information request according to the agreed service, function, parameters, return format and the like, encrypts the shared demand information with the AES key, encrypts the AES key with the RSA public key of the information demand party, places the encrypted value in the user-defined request header, and sends the request to the network security protection equipment. After receiving the shared demand information request, the information provider parses the key encryption value from the custom request header, decrypts it with the information provider's RSA private key (the private key paired with the RSA public key of the information consumer), and thereby recovers the AES key. The information provider decrypts the data encryption value in the request data with the recovered AES key, parses and splits the decrypted request data, extracts the corresponding function name and parameter names, submits the corresponding function for execution according to the business process, extracts, processes, merges and assembles interface data into response data, encrypts the response data with the recovered AES key, and returns the encrypted response data to the information demand side along the original path; the format of the response data may be a data table, a character string, JSON format data and the like. After the information demand party receives the encrypted data returned by the information provider, it decrypts the encrypted data with its own AES key to obtain the shared information, which completes the shared data request and response link.
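As an added illustration of the AES-plus-RSA exchange described above, and of the key encryption value / data encryption value packet layout of the earlier embodiment, the following Go program is not from the patent. It assumes AES-256 in CBC mode with PKCS#7 padding, takes the page's "offset vector" to be the CBC initialization vector and carries it together with the AES key inside the RSA-OAEP-wrapped header value; the names EncRequest, BuildEncryptedRequest, HandleEncryptedRequest, sealB64 and openB64 are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// EncRequest mirrors the packet the page describes: RSA-encrypted AES key (here with its IV) in a custom header, AES-encrypted message as body.
type EncRequest struct {
	KeyHeader string // Base64(RSA-OAEP(aesKey || iv))
	Body      string // Base64(AES-CBC(request message))
}

const keyLen, ivLen = 32, aes.BlockSize // AES-256 key; the page's "offset vector" is taken to be the CBC IV

// aesCBC applies the preset key plus offset vector in either direction, with PKCS#7 padding.
func aesCBC(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if encrypt {
		n := aes.BlockSize - len(in)%aes.BlockSize
		out := append(append([]byte{}, in...), bytes.Repeat([]byte{byte(n)}, n)...)
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, out) // in place on our own padded copy
		return out, nil
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not block aligned", len(in))
	}
	out := make([]byte, len(in))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding")
	}
	return out[:len(out)-n], nil
}

// sealB64/openB64 are the AES layer for both directions: the page encrypts the request body and the response under the same preset key and offset vector.
func sealB64(keyIV, plain []byte) (string, error) {
	ct, err := aesCBC(keyIV[:keyLen], keyIV[keyLen:], plain, true)
	return base64.StdEncoding.EncodeToString(ct), err
}

func openB64(keyIV []byte, s string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	return aesCBC(keyIV[:keyLen], keyIV[keyLen:], ct, false)
}

// BuildEncryptedRequest (demander): fresh random key||iv per request, as the page prefers; the message goes under AES, key||iv under the RSA public key the demander holds. keyIV is kept to open the reply.
func BuildEncryptedRequest(pub *rsa.PublicKey, msg []byte) (EncRequest, []byte, error) {
	keyIV := make([]byte, keyLen+ivLen)
	if _, err := rand.Read(keyIV); err != nil {
		return EncRequest{}, nil, err
	}
	body, err := sealB64(keyIV, msg)
	if err != nil {
		return EncRequest{}, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyIV, nil)
	return EncRequest{KeyHeader: base64.StdEncoding.EncodeToString(wrapped), Body: body}, keyIV, err
}

// HandleEncryptedRequest (provider): unwrap key||iv with the RSA private key, decrypt the body, let serve() build the
// response and return it under the same AES key, as the page specifies. The page reuses the IV too; a fresh IV per message would be stronger.
func HandleEncryptedRequest(priv *rsa.PrivateKey, req EncRequest, serve func([]byte) []byte) (string, error) {
	wrapped, err := base64.StdEncoding.DecodeString(req.KeyHeader)
	if err != nil {
		return "", err
	}
	keyIV, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil || len(keyIV) != keyLen+ivLen {
		return "", fmt.Errorf("key header rejected") // one generic error: do not reveal which step failed
	}
	msg, err := openB64(keyIV, req.Body)
	if err != nil {
		return "", err
	}
	return sealB64(keyIV, serve(msg))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // provider's pair; the public half is handed to the demander
	// Constructed sample request in the spirit of the page's transfer-hub scenario.
	req, keyIV, _ := BuildEncryptedRequest(&priv.PublicKey, []byte(`{"service":"metro","function":"arrivals"}`))
	encResp, _ := HandleEncryptedRequest(priv, req, func(m []byte) []byte { return append([]byte("reply to "), m...) })
	out, err := openB64(keyIV, encResp) // demander opens the reply with the key||iv it kept
	fmt.Println(string(out), err)
}
```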
Based on the above embodiment, the present invention further provides another cross-network data sharing method, where the execution subject is an information provider, and the following describes another cross-network data sharing method according to the present invention with reference to fig. 2. Fig. 2 is a second flowchart of the cross-network data sharing method provided by the present invention, where an execution subject is an information requirement party, as shown in fig. 2, the method includes:
step 210, an information provider receives an encryption request sent by a network protection device, and decrypts the encryption request to obtain a data request message.
Specifically, the execution subject of the cross-network data sharing method provided by the invention is the information provider, namely the target server that provides the required data to the information demand side. Because the application scenario is cross-network data sharing, the information demander and the information provider are located in different networks: the information provider may be an industry private network such as a medical institution network or an electric power system network, and the information demander may be the public internet or some other industry private network. To carry out data communication between private networks of different industries, the authorization of both parties sharing data across the networks must be guaranteed, and the message structure transmitted during cross-network communication must be recognized and accepted by the receiver. Firstly, authorization between the two parties is established by a pre-configured communication encryption and decryption mode: only an information demand party that the information provider has authenticated as permitted to share data can obtain the same encryption and decryption key as the information provider. Therefore, only after obtaining the encryption and decryption key matching the information provider's can the information demand party encrypt the data request message with the correct key, and only then can the information provider decrypt the encrypted request with the matching key to obtain the real data request message, so that normal interaction between the two parties and the safe transmission of the shared data from the information provider to the information demand party are achieved.
Secondly, the information demand party and the information provider exchange messages through the network protection device, which converts the format of the encryption request to be transmitted accordingly, for example by performing IP conversion on the encryption request according to the configuration rule and the interface information of the information provider and transmitting the converted encryption request to the server (i.e., the information provider) corresponding to the converted IP. Therefore, in step 210, the information provider receives the encryption request sent by the network protection device and can decrypt it with the key pair configured in advance, whose distribution indicates that the information demander is authorized to share data, so as to obtain the data request message.
Step 220, the information provider builds response data based on the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, so that the network protection device can convert the format of the encrypted response and forward the encrypted response to the information demand party;
the encryption request is sent to the network protection device after the information demand party encrypts the data request message generated by the information demand party.
Specifically, after receiving an encryption request that the network protection device has forwarded and that meets the format requirement of the information provider, the information provider decrypts the encryption request to obtain the data request message. Note that the encryption/decryption algorithm between the information demander and the information provider is configured or negotiated in advance: because the information provider has authorized the corresponding information demander in advance to access and obtain data, only that information demander holds the key that can be used to encrypt and decrypt the interactive messages. The pre-configuration or negotiation of the encryption and decryption key pair can take several forms; for example, two double-layer encryption modes using a preset key together with a preset public and private key pair are as follows. In the first, the data request message constructed by the information demand party is encrypted with the preset key to obtain a data encryption value, the information demand party encrypts the preset key with the public key it holds to obtain a key encryption value, and the key encryption value and the data encryption value form a data packet that is transmitted to the information provider through the intermediate network protection device; the information provider decrypts the key encryption value in the data packet with its own private key matching the public key to obtain the preset key, and then decrypts the data encryption value with the recovered preset key to obtain the content of the data request message, where the preset key may be a random key temporarily generated by the information demand party or a preset fixed key. In the second, the information demand party performs first-layer encryption of the data sharing request message with a pre-configured preset key consistent with the information provider's to obtain an initial encryption value, then performs second-layer encryption of the initial encryption value with the public key it holds to obtain the encryption request, which is transmitted to the information provider through the intermediate forwarding of the network protection equipment. Of these two double-layer encryption modes, the preset key in the key pair used by the former may be temporarily generated by the information demander, or held on the information demander's side alone, and must be transmitted to the information provider in a secure manner (i.e., under public key encryption) to complete key distribution and negotiation; in the latter, the public key and the preset key are both pre-configured fixed key values that were set when the information provider authenticated the specific information demander as authorized to share data. Either encryption and decryption mode for message interaction and data transmission between the information demander and the information provider can be applied to the scenario provided by this embodiment, and no specific limitation is made here. After the information provider obtains the data request message, it parses and splits the message to obtain the query condition, extracts the data corresponding to the query condition from its corresponding interface data, processes, combines and assembles the data into response data, then encrypts the response data to obtain the encrypted response, and sends the encrypted response to the network protection equipment.
Finally, the network protection equipment forwards the encrypted response to the information demand party, which decrypts it to obtain the response data after receiving it. When the information demand party and the information provider interact, the encryption request or encryption response that each sends is produced by encrypting with either a pre-configured fixed key or a temporarily negotiated random key shared by both parties, and the receiving party decrypts the encrypted data with the corresponding pre-configured fixed key or temporarily negotiated random key.
The invention provides a cross-network data sharing method whose execution subject is an information provider, which comprises: the information provider receives an encryption request sent by a network protection device and decrypts it to obtain a data request message; the information provider builds response data based on the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, so that the network protection device converts the format of the encrypted response and forwards it to the information demand party; the encryption request is sent to the network protection device after the information demand party encrypts the data request message it generated. The information provider selectively provides data to the information demander of a specific network by encrypting and decrypting the information exchanged between them, because only an information demander that has negotiated the encryption and decryption algorithm in advance can obtain data from the information provider; the network protection equipment forwards the encrypted data in the middle, so that the forwarded encryption request meets the format requirement of the information provider and the transmitted encrypted data can be received by the destination end in that format. Therefore, the method provided by the embodiment of the invention realizes cross-network data sharing and balances the security and the sharing openness of cross-network communication.
The information demander provided by the present invention is described below, and the information demander described below and the above-described cross-network data sharing method can be referred to correspondingly.
Fig. 3 is a schematic structural diagram of an information demander provided by the present invention, as shown in fig. 3, the information demander includes a first generating and sending unit 310 and a first receiving and decrypting unit 320, wherein,
the first generating and sending unit 310 is configured to encrypt the generated data request message by the information demanding party to generate an encryption request, and then send the encryption request to the network protection device, so that the network protection device performs format conversion on the encryption request and forwards the encryption request to the information providing party;
the first receiving and decrypting unit 320 is configured to receive, by the information demander, an encrypted response returned by the network protection device, and decrypt the encrypted response to obtain response data;
the encrypted response is obtained by encrypting the response data constructed based on the request message after the request message is obtained by decrypting the encrypted request received by the information provider.
The information demander provided by the invention encrypts the data request message it generated to produce an encryption request and sends the encryption request to the network protection equipment, so that the network protection equipment converts the format of the encryption request and forwards it to the information provider; the information demand party receives the encrypted response returned by the network protection equipment and decrypts it to obtain the response data; the encrypted response is obtained by the information provider decrypting the encryption request it received to obtain the data request message, constructing response data based on that message, and encrypting the response data. The information provider selectively provides data to the information demander of a specific network by encrypting and decrypting the information exchanged between them, because only an information demander that has negotiated the encryption and decryption algorithm in advance can obtain data from the information provider; the network protection equipment forwards the encrypted data in the middle, so that the forwarded encryption request meets the format requirement of the information provider and the transmitted encrypted data can be received by the destination end in that format. Therefore, the information demander provided by the embodiment of the invention realizes cross-network data sharing and balances the security and sharing openness of cross-network communication.
On the basis of the above embodiment, in the information demander, the encrypting the generated data request message by the information demander to generate an encryption request specifically includes:
the information demand party encrypts the generated data request message by adopting a preset key to obtain a data encryption value, encrypts the preset key by adopting a public key to obtain a key encryption value, and generates an encryption request based on the key encryption value and the data encryption value;
correspondingly, the information provider receives the encryption request, decrypts the encryption request to obtain the request message, and encrypts the response data constructed based on the request message to obtain the encryption response, which specifically includes:
the information provider decrypts the key encryption value in the encryption request by using a private key after receiving the encryption request to obtain the preset key, and decrypts the data encryption value in the encryption request by using the preset key to obtain the request message;
the information provider encrypts response data constructed based on the request message by using the preset key to obtain an encrypted response;
the decrypting the encrypted response to obtain response data specifically includes:
decrypting the encrypted response by adopting the preset key to obtain response data;
wherein the public key and the private key correspond.
On the basis of the above embodiment, in the information demander, the preset key is temporarily generated when the information demander initiates a data request each time.
On the basis of the above embodiment, in the information demander, the preset key is further accompanied by a preset offset vector, which is applied as an additional offset whenever the preset key is used for encryption or decryption, and which is either generated temporarily and randomly or a fixed value configured in advance.
On the basis of the above embodiment, in the information demander, encrypting the generated data request message to generate an encryption request specifically includes:
the information demander encrypts the generated data request message with the preset key and then encrypts the result a second time with the public key to generate the encryption request;
correspondingly, the information provider receives the encryption request, decrypts it to obtain the request message, and encrypts the response data constructed from the request message to obtain the encrypted response; specifically:
the information provider receives the encryption request, decrypts it with its private key, and then decrypts the result a second time with the preset key to obtain the request message;
the information provider encrypts the response data constructed from the request message with the preset key to obtain the encrypted response;
decrypting the encrypted response to obtain the response data specifically includes:
decrypting the encrypted response with the preset key to obtain the response data;
where the public key and the private key form a key pair.
On the basis of the above embodiment, in the information demander, the network protection device performing format conversion on the encryption request and forwarding it to the information provider specifically includes:
the network protection device carries out a security check on the encryption request and, if the request passes the check, forwards it to the information provider according to the configuration rule corresponding to that information provider.
On the basis of the above embodiment, in the information demander, the public key is an RSA public key, the private key corresponding to the public key is an RSA private key, and the preset key is an AES key.
The information demander provided by the present invention is described below; the information demander described here and the second cross-network data sharing method described above correspond to each other and may be read together.
Fig. 4 is a schematic structural diagram of the information demander provided by the present invention, and as shown in fig. 4, the information demander includes a second receiving and decrypting unit 410 and a second generating and sending unit 420, wherein,
the second receiving and decrypting unit 410 is configured to receive, by an information provider, an encryption request sent by a network protection device, and decrypt the encryption request to obtain a data request message;
the second generating and sending unit 420 is configured to construct response data based on the data request message by an information provider, encrypt the response data to obtain an encrypted response, and send the encrypted response to the network protection device, so that the network protection device performs format conversion on the encrypted response and forwards the encrypted response to an information demander;
the encryption request is sent to the network protection device after the information demand party encrypts the data request message generated by the information demand party.
The information demander receives, through the information provider, the encryption request sent by the network protection device and decrypts it to obtain a data request message; the information provider builds response data from the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, which converts its format and forwards it to the information demander; the encryption request is what the information demander sent to the network protection device after encrypting the data request message it generated. Because the information exchanged between demander and provider is encrypted on sending and decrypted on receipt, only an information demander that has negotiated the encryption and decryption algorithm in advance can obtain data from the information provider, so the provider can selectively serve demanders on a specific network; and because the network protection device forwards the encrypted data in between, the forwarded encryption request meets the format requirements of the information provider and the encrypted data arrives at the destination in a format it can receive. The information demander provided by this embodiment of the invention therefore achieves cross-network data sharing while balancing the security and the openness of cross-network communication.
Based on the foregoing embodiments, the present invention further provides a cross-network data sharing system. Fig. 5 is a schematic structural diagram of the cross-network data sharing system provided by the present invention; as shown in fig. 5, the system includes an information demander 510 as provided by any of the foregoing embodiments, an information provider 520 as provided by any of the foregoing embodiments, and a network protection device 530, wherein
the information demander 510 encrypts a data request message generated by the information demander to obtain an encryption request, and sends the encryption request to the network protection device 530, so that the network protection device 530 converts the format of the encryption request and forwards the encryption request to the information provider 520;
the information provider 520 receives the encryption request sent by the network protection device 530, decrypts the encryption request to obtain the data request message, constructs response data based on the data request message, encrypts the response data to obtain an encryption response, and sends the encryption response to the network protection device 530, so that the network protection device 530 converts the format of the encryption response and forwards the encryption response to the information demander 510;
the information demander 510 receives the encrypted response returned by the network protection device 530 and decrypts it to obtain the response data.
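The three-party flow of Fig. 5, carried out with the RSA-wrapped AES key of the embodiments above (a preset key generated per request, an offset vector, private-key recovery of the key at the provider, and a response encrypted under the same key), as an added Go example; it is not part of the patent text or of any implementation by the applicant. Everything the page does not specify is an assumption here: AES-256 in GCM mode with a random 12-byte nonce serving as the offset vector, RSA-OAEP with SHA-256 for the key encryption value, a Provider routing tag inside the envelope, the shape check and rule lookup performed by the network protection device, and all names (Envelope, BuildRequest, GuardCheck, HandleRequest, RoundTrip, the provider name and address). The page allows the offset vector to be either random per request or a fixed configured value; the example implements only the random option, because a fixed nonce repeated under one GCM key breaks both confidentiality and integrity of the mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the encryption request or response that crosses the network protection device; field names are assumptions.
type Envelope struct {
	Provider string // routing tag the guard matches against its configuration rules (assumed)
	KeyEnc   []byte // the "key encryption value": preset AES key under the provider's RSA public key (empty in a response)
	Nonce    []byte // the "offset vector": a fresh random value for every message
	DataEnc  []byte // the "data encryption value": message encrypted under the preset key
}

// check panics on setup errors that cannot occur with valid key sizes and a working CSPRNG.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// gcmFor wraps an AES-256 key in GCM. GCM is an assumption; the page says only "AES".
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// sealWithKey encrypts under the preset key with a random nonce. The page also allows a fixed,
// pre-configured offset vector; with GCM that would repeat the nonce, so only the random option is used.
func sealWithKey(key, plaintext []byte) (nonce, ct []byte) {
	gcm := gcmFor(key)
	nonce = make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

// BuildRequest (demander): a per-request preset key encrypts the message, the provider's RSA public key (OAEP, assumed) encrypts the key.
func BuildRequest(pub *rsa.PublicKey, provider string, msg []byte) (*Envelope, []byte) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	check(err)
	keyEnc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	check(err)
	nonce, dataEnc := sealWithKey(key, msg)
	return &Envelope{Provider: provider, KeyEnc: keyEnc, Nonce: nonce, DataEnc: dataEnc}, key
}

// GuardCheck (network protection device): holding no key, it can only validate the envelope's shape and look up the provider's forwarding rule.
func GuardCheck(env *Envelope, rules map[string]string) (string, error) {
	dst, ok := rules[env.Provider]
	if !ok || len(env.KeyEnc) != 256 || len(env.Nonce) != 12 || len(env.DataEnc) < 16 {
		return "", errors.New("encryption request rejected: malformed or no configuration rule for provider")
	}
	return dst, nil
}

// HandleRequest (provider): recover the preset key with the RSA private key, decrypt the request (GCM fails if it was altered), encrypt the response under the same key.
func HandleRequest(priv *rsa.PrivateKey, env *Envelope, build func([]byte) []byte) (*Envelope, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.KeyEnc, nil)
	if err != nil {
		return nil, err
	}
	msg, err := gcmFor(key).Open(nil, env.Nonce, env.DataEnc, nil)
	if err != nil {
		return nil, err
	}
	nonce, ct := sealWithKey(key, build(msg))
	return &Envelope{Provider: env.Provider, Nonce: nonce, DataEnc: ct}, nil
}

// RoundTrip runs all three parties in-process; provider name, rule table and reply format are constructed.
func RoundTrip(msg string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	req, key := BuildRequest(&priv.PublicKey, "provider-a", []byte(msg))
	if _, err := GuardCheck(req, map[string]string{"provider-a": "10.0.0.10:8443"}); err != nil {
		return "", err
	}
	resp, err := HandleRequest(priv, req, func(m []byte) []byte { return append([]byte("reply to: "), m...) })
	if err != nil {
		return "", err
	}
	out, err := gcmFor(key).Open(nil, resp.Nonce, resp.DataEnc, nil)
	return string(out), err
}

func main() {
	fmt.Println(RoundTrip("GET /schedule?line=1"))
}
```

Run with `go run`; RoundTrip returns the provider's reply as the demander reads it after decrypting with the key it kept from the request. The network protection device never holds any key, which is why its check is limited to the envelope's shape and the per-provider configuration rule. Note that encrypting the preset key under the provider's public key proves nothing about who sent the request; if the provider must know which demander it is serving, a signature or pre-shared credential inside the encrypted request would have to be added, which the page does not describe.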
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided by the present invention. As shown in fig. 6, the electronic device may include a processor 610, a communications interface 620, a memory 630 and a communication bus 640, where the processor 610, the communications interface 620 and the memory 630 communicate with each other over the communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a cross-network data sharing method comprising: the information demander encrypts the generated data request message to generate an encryption request and sends the encryption request to the network protection device, so that the network protection device can convert the format of the encryption request and forward it to the information provider; the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain the response data; the encrypted response is obtained by the information provider decrypting the received encryption request to obtain the request message and then encrypting the response data constructed from that request message.
In addition, the logic instructions in the memory 630 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium that includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the cross-network data sharing method provided by the above methods, the method comprising: the information demander encrypts the generated data request message to generate an encryption request and sends the encryption request to the network protection device, so that the network protection device can convert the format of the encryption request and forward it to the information provider; the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain the response data; the encrypted response is obtained by the information provider decrypting the received encryption request to obtain the request message and then encrypting the response data constructed from that request message.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the cross-network data sharing method provided by the above methods, the method comprising: the information demander encrypts the generated data request message to generate an encryption request and sends the encryption request to the network protection device, so that the network protection device can convert the format of the encryption request and forward it to the information provider; the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain the response data; the encrypted response is obtained by the information provider decrypting the received encryption request to obtain the request message and then encrypting the response data constructed from that request message.
The above-described server embodiments are only illustrative, and the units described as separate components may or may not be physically separate, and components displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (11)

1. A cross-network data sharing method, comprising:
the information demander encrypts the generated data request message to generate an encryption request and sends the encryption request to the network protection device, so that the network protection device can convert the format of the encryption request and forward it to the information provider;
the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain response data;
the encrypted response is obtained by the information provider decrypting the received encryption request to obtain the request message and then encrypting the response data constructed from that request message.
2. The cross-network data sharing method according to claim 1, wherein the information demander encrypting the generated data request message to generate an encryption request specifically comprises:
the information demander encrypts the generated data request message with a preset key to obtain a data encryption value, encrypts the preset key with a public key to obtain a key encryption value, and generates the encryption request from the key encryption value and the data encryption value;
correspondingly, the information provider receiving the encryption request, decrypting it to obtain the request message, and encrypting the response data constructed from the request message to obtain the encrypted response specifically comprises:
after receiving the encryption request, the information provider decrypts the key encryption value in it with a private key to recover the preset key, then decrypts the data encryption value with the preset key to obtain the request message;
the information provider encrypts the response data constructed from the request message with the preset key to obtain the encrypted response;
decrypting the encrypted response to obtain the response data specifically comprises:
decrypting the encrypted response with the preset key to obtain the response data;
wherein the public key and the private key form a key pair.
3. The method according to claim 2, wherein the preset key is generated afresh each time the information demander initiates a data request.
4. The method according to claim 3, wherein the preset key further comprises a preset offset vector, which is applied whenever the preset key is used to encrypt or decrypt; the preset offset vector is either generated randomly at the time of the request or configured in advance as a fixed value.
5. The cross-network data sharing method according to claim 1, wherein the information demander encrypting the generated data request message to generate an encryption request specifically comprises:
the information demander encrypts the generated data request message with a preset key and then encrypts the result a second time with a public key to generate the encryption request;
correspondingly, the information provider receiving the encryption request, decrypting it to obtain the request message, and encrypting the response data constructed from the request message to obtain the encrypted response specifically comprises:
the information provider receives the encryption request, decrypts it with a private key, and then decrypts the result a second time with the preset key to obtain the request message;
the information provider encrypts the response data constructed from the request message with the preset key to obtain the encrypted response;
decrypting the encrypted response to obtain the response data specifically comprises:
decrypting the encrypted response with the preset key to obtain the response data;
wherein the public key and the private key form a key pair.
6. The cross-network data sharing method according to any one of claims 1 to 5, wherein the network protection device performing format conversion on the encryption request and forwarding it to the information provider specifically comprises:
the network protection device carries out a security check on the encryption request and, if the request passes the check, forwards it to the information provider according to the configuration rule corresponding to that information provider.
7. The method according to any one of claims 2 to 5, wherein the public key is an RSA public key, the private key corresponding to the public key is an RSA private key, and the preset key is an AES key.
8. A cross-network data sharing method, comprising:
the information provider receives an encryption request sent by the network protection device and decrypts it to obtain a data request message;
the information provider builds response data from the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, so that the network protection device can convert the format of the encrypted response and forward it to the information demander;
the encryption request is sent to the network protection device by the information demander after it encrypts the data request message it generated.
9. An information demander, comprising:
a first generating and sending unit, configured to encrypt the data request message generated by the information demander to generate an encryption request and send the encryption request to the network protection device, so that the network protection device can convert the format of the encryption request and forward it to the information provider;
a first receiving and decrypting unit, configured to receive the encrypted response returned by the network protection device and decrypt it to obtain response data;
wherein the encrypted response is obtained by the information provider decrypting the received encryption request to obtain the request message and then encrypting the response data constructed from that request message.
10. An information provider, comprising:
a second receiving and decrypting unit, configured to receive the encryption request sent by the network protection device and decrypt it to obtain a data request message;
a second generating and sending unit, configured to construct response data from the data request message, encrypt the response data to obtain an encrypted response, and send the encrypted response to the network protection device, so that the network protection device can convert the format of the encrypted response and forward it to the information demander;
wherein the encryption request is sent to the network protection device by the information demander after it encrypts the data request message it generated.
11. A cross-network data sharing system comprising the information demander of claim 9, the information provider of claim 10, and a network protection device, wherein
the information demander encrypts the data request message it generated to obtain an encryption request and sends the encryption request to the network protection device, so that the network protection device can convert the format of the encryption request and forward it to the information provider;
the information provider receives the encryption request sent by the network protection device, decrypts it to obtain the data request message, constructs response data from the data request message, encrypts the response data to obtain an encrypted response, and sends the encrypted response to the network protection device, so that the network protection device can convert the format of the encrypted response and forward it to the information demander;
and the information demander receives the encrypted response returned by the network protection device and decrypts it to obtain response data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110610951.0A CN113518078A (en) 2021-06-01 2021-06-01 Cross-network data sharing method, information demander, information provider and system

Publications (1)

Publication Number Publication Date
CN113518078A true CN113518078A (en) 2021-10-19

Family

ID=78065264

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110610951.0A Pending CN113518078A (en) 2021-06-01 2021-06-01 Cross-network data sharing method, information demander, information provider and system

Country Status (1)

Country Link
CN (1) CN113518078A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124557A (en) * 2021-11-30 2022-03-01 袁林英 Information security access control method based on big data
CN114866583A (en) * 2022-04-20 2022-08-05 山东西东物联科技有限公司 Internet of things cross-network data interaction method and system
WO2023078055A1 (en) * 2021-11-08 2023-05-11 支付宝(杭州)信息技术有限公司 Method and system for securely sharing data between first area and second area

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8745394B1 (en) * 2013-08-22 2014-06-03 Citibank, N.A. Methods and systems for secure electronic communication
CN106571907A (en) * 2016-11-11 2017-04-19 哈尔滨安天科技股份有限公司 Method and system for securely transmitting data between upper computer and USB flash disk
CN109525574A (en) * 2018-11-08 2019-03-26 航天信息股份有限公司 A kind of inter-network cross-layer grade business collaboration service plateform system
CN111737527A (en) * 2020-06-29 2020-10-02 中国南方电网有限责任公司 Data processing method and device for heterogeneous terminal, electronic equipment and storage medium
CN111934879A (en) * 2020-07-08 2020-11-13 福建亿能达信息技术股份有限公司 Data transmission encryption method, device, equipment and medium for internal and external network system
CN112055004A (en) * 2020-08-26 2020-12-08 中国建设银行股份有限公司 Data processing method and system based on small program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211019