CN113676467B - Data processing method, device, equipment and storage medium - Google Patents


Publication number
CN113676467B
Authority
CN
China
Prior art keywords
network element
encrypted
service flow
service
encryption
Prior art date
Legal status
Active
Application number
CN202110936707.3A
Other languages
Chinese (zh)
Other versions
CN113676467A (en)
Inventor
韦文
师进
张鑫
杨姝
刘长龙
徐坤园
褚斌杰
李贺
马兰
王欣
Current Assignee
CRSC Research and Design Institute Group Co Ltd
Original Assignee
CRSC Research and Design Institute Group Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by CRSC Research and Design Institute Group Co Ltd
Priority to CN202110936707.3A
Publication of CN113676467A
Application granted
Publication of CN113676467B
Legal status: Active (current)
Anticipated expiration
Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                        • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data processing method, a device, equipment and a storage medium, and belongs to the technical field of communication security. The method comprises the following steps: obtaining the basic information of at least two service flows to be processed, as reported by the switching equipment in a network element; and, if it is identified from that basic information that a service flow to be encrypted exists among the at least two service flows to be processed, issuing to the network element an encryption processing request comprising the identifier of the service flow to be encrypted, so as to instruct the network element to encrypt it. With this technical scheme, whether a service flow accessing the network element is encrypted can be configured flexibly; compared with the traditional encryption machine, the service flow to be encrypted is encrypted by the network element itself, which scales well, and a new approach is provided for the secure communication of service flows in an SDN.

Description

Data processing method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication security, in particular to a data processing method, a device, equipment and a storage medium.
Background
With the rapid development of network communication and information technology, how to ensure network information security has become an important subject. Encrypted communication can ensure that the data communication process is not intercepted, eavesdropped on or tampered with, and is an important measure for protecting network information security. It involves key distribution and management technology as well as encryption and decryption processing.
In the existing encrypted communication network architecture, the service flow to be encrypted from a source node is fed into an encryptor device, and only after being processed by the encryptor is it fed into a network element device for network transmission. However, the existing method is limited by the number of input/output ports of the encryptor, so the number of service flows to be encrypted that can be processed simultaneously is small; at the same time, the encryption machine cannot be monitored, and its maintainability is poor. Therefore, a flexible service flow encryption method for an SDN network is needed.
Disclosure of Invention
The invention provides a data processing method, a device, equipment and a storage medium, which are used for realizing encryption transmission and monitoring of service flows in an SDN (software defined network).
In a first aspect, an embodiment of the present invention provides a data processing method, including:
basic information of at least two service flows to be processed, which are reported by switching equipment in a network element, is obtained;
if the existence of the service flow to be encrypted in the at least two service flows to be processed is identified according to the basic information of the at least two service flows to be processed, an encryption processing request comprising the service flow identification to be encrypted is issued to the network element so as to instruct the network element to encrypt the service flow to be encrypted.
In a second aspect, an embodiment of the present invention further provides a data processing apparatus, including:
the basic information acquisition module is used for acquiring basic information of at least two service flows to be processed, which are reported by the switching equipment in the network element;
and the encryption module is used for issuing an encryption processing request comprising a service flow identifier to be encrypted to the network element if the service flow to be encrypted exists in the at least two service flows to be processed according to the basic information of the at least two service flows to be processed, so as to instruct the network element to encrypt the service flow to be encrypted.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a data processing method as provided by any of the embodiments of the present invention.
In a fourth aspect, embodiments of the present invention also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a data processing method as provided by any of the embodiments of the present invention.
According to the technical scheme of the embodiment of the invention, the basic information of at least two to-be-processed service flows reported by the switching equipment in the network element is acquired; then, if it is identified from that basic information that to-be-encrypted service flows exist among the at least two to-be-processed service flows, an encryption processing request comprising the to-be-encrypted service flow identifier is issued to the network element so as to instruct the network element to encrypt the to-be-encrypted service flows. With this technical scheme, whether a service flow accessing the network element is encrypted can be configured flexibly; compared with the traditional encryption machine, the service flow to be encrypted is encrypted by the network element itself, which scales well, and a new approach is provided for the secure communication of service flows in an SDN. At the same time, the technical scheme of the invention can ensure the reliable transmission of safety information between the station and the relay station equipment and between the relay station equipment and the core machine room signal equipment.
Drawings
FIG. 1A is a flowchart of a data processing method according to a first embodiment of the present invention;
fig. 1B is a schematic diagram of a network element structure according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a data processing method according to a second embodiment of the present invention;
FIG. 3 is a flowchart of a data processing method according to a third embodiment of the present invention;
FIG. 4 is a schematic diagram of a data processing apparatus according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1A is a flowchart of a data processing method provided by the first embodiment of the present invention, and fig. 1B is a schematic diagram of a network element structure provided by the first embodiment of the present invention. The embodiment is applicable to encrypting a service flow in an SDN network, and especially to the secure communication of railway signals in a high-speed railway scenario. The method may be performed by a data processing device, which may be implemented in software and/or hardware and may be integrated in an electronic device carrying a data processing function, such as an SDN controller.
As shown in fig. 1A, the method specifically may include:
S110, obtaining basic information of at least two service flows to be processed, which are reported by switching equipment in a network element.
The network element consists of one or more boards or subracks, can independently complete certain transmission functions, and, as shown in fig. 1B, may comprise a key management module, an encryption and decryption module and SDN switching equipment. The SDN switching equipment completes the basic communication functions of the SDN data plane, can be controlled by an SDN controller, and provides network interfaces to the outside, including a service interface for service flow access and an SDN data plane interface for interconnection between network elements. The key management module receives and manages externally injected keys, stores them to form a key pool, provides keys to the encryption and decryption module, and exposes a key injection interface for receiving the externally injected keys. The encryption and decryption module uses the keys provided by the key management module to encrypt an imported plaintext service flow message and output the ciphertext, or to decrypt an imported ciphertext service flow message and output the plaintext.
Further, the network element may include a key interface, plaintext and ciphertext import/export interfaces, a control plane interface and the like. The key interface connects the key management module with the encryption/decryption module and is used by the key management module to provide keys to the encryption/decryption module; the plaintext and ciphertext import/export interfaces connect the encryption and decryption module with the SDN switching module and are used for importing/exporting the service flow messages to be encrypted/decrypted; the control plane interface connects the key management module with the SDN switching module and is used for connecting the key management module to the SDN controller through the SDN network, so that it can be controlled by the SDN controller.
It should be noted that, as a new network architecture, the software defined network (SDN) splits the traditional network architecture into a three-layer architecture of application, control and forwarding, separates forwarding from control, uses a dedicated controller to monitor and adjust the state of the whole network, and leaves the forwarding layer to do nothing but forward data.
The service flow refers to service data to be transmitted through a network, for example Ethernet message data, and includes message header content and message payload content. The main header content includes the source IP or MAC address, the destination IP or MAC address, the message type and the like, and the payload is the specific service data content to be transmitted. Further, the service flow to be processed refers to a service flow for which it must still be determined, before network transmission, whether encrypted transmission is needed.
The basic information of the service flow to be processed refers to the source IP or MAC address, the destination IP or MAC address, the message type, the encryption identification information and the like of the message. Further, the encryption identification information indicates whether the service flow to be processed needs encryption, and may be represented by numbers, letters, or numbers plus letters; for example, the number 1 may indicate that encryption is needed and 0 that it is not.
In this embodiment, after receiving at least two service flows to be processed sent by at least two terminals, an SDN switching device in a network element reports basic information of the at least two service flows to be processed to an SDN controller; correspondingly, the SDN controller acquires basic information of at least two service flows to be processed. The terminals may be, among other things, a train control center (Train Control Center, TCC), a computer interlock (Computer Based Interlocking, CBI), a temporary speed limit server (Temporary Speed Restriction Server, TSRS), a radio block center (Radio Block Center, RBC), a communication control server (Communication and Control Server, CCS), etc.
S120, if the existence of the service flow to be encrypted in the at least two service flows to be processed is identified according to the basic information of the at least two service flows to be processed, an encryption processing request comprising the service flow identification to be encrypted is issued to the network element so as to instruct the network element to encrypt the service flow to be encrypted.
The encryption processing request is a request indicating which of the service flows to be processed the network element should encrypt, and may be, for example, a flow table. The identifier of the service flow to be encrypted may be a network protocol label, such as a VLAN tag or a Multiprotocol Label Switching (MPLS) label.
In this embodiment, the SDN controller determines the service flows that need encryption, that is, the service flows to be encrypted, according to the encryption identification information in the basic information of the at least two service flows to be processed. Further, issuing the encryption processing request including the identifier of the service flow to be encrypted to the network element may comprise: determining the encryption key identifier of the service flow to be encrypted according to the available encryption key information of the network element and the encryption requirement of the service flow to be encrypted; and issuing to the network element an encryption processing request comprising the identifier of the service flow to be encrypted and the encryption key identifier.
The encryption key information of the network element may be information such as a key identifier, a key level and a key type; the encryption requirement may refer to the encryption level, the encryption key type and the like required by the service flow to be encrypted.
Specifically, the SDN controller may determine the encryption key of the service flow to be encrypted according to the available encryption key information of the network element and the encryption requirement of the service flow to be encrypted. For example, if the encryption level in the encryption requirement of the service flow to be encrypted is level one, encryption key information corresponding to that level is selected from the available encryption key information of the network element, and the encryption key identifier of the service flow to be encrypted is determined accordingly; an encryption processing request comprising the identifier of the service flow to be encrypted and the encryption key identifier is then issued to the network element.
Correspondingly, after receiving an encryption processing request issued by the SDN controller, a key management module in the network element determines a key associated with the service flow to be encrypted according to an encryption key identifier and the service flow identifier to be encrypted in the encryption processing request, and sends the key associated with the service flow to be encrypted to an encryption and decryption module in the network element; meanwhile, the switching equipment in the network element sends the service flow to be encrypted to an encryption and decryption module in the network element; after receiving the service flow to be encrypted and the key associated with the service flow to be encrypted, the encryption and decryption module in the network element encrypts the service flow to be encrypted according to the key associated with the service flow to be encrypted, and sends the encrypted service flow to the switching equipment in the network element.
According to the technical scheme of the embodiment of the invention, the basic information of at least two to-be-processed service flows reported by the switching equipment in the network element is acquired; then, if it is identified from that basic information that to-be-encrypted service flows exist among the at least two to-be-processed service flows, an encryption processing request comprising the to-be-encrypted service flow identifier is issued to the network element so as to instruct the network element to encrypt the to-be-encrypted service flows. With this technical scheme, whether a service flow accessing the network element is encrypted can be configured flexibly; compared with the traditional encryption machine, the service flow to be encrypted is encrypted by the network element itself, which scales well, and a new approach is provided for the secure communication of service flows in the SDN network. At the same time, the technical scheme can ensure the reliable transmission of safety information between the station and the relay station equipment and between the station and the core machine room signal equipment.
On the basis of the above embodiment, as an optional implementation manner of the embodiment of the present invention, after the network element is monitored to encrypt the service flow to be encrypted, a flow table is issued to the network element, so that the network element forwards the encrypted service flow according to the flow table. Specifically, the SDN controller establishes an SDN transmission path of the traffic flow to be encrypted, and issues a flow table to the network element, so that the network element forwards the encrypted traffic flow according to the flow table.
It should be noted that, if the SDN controller identifies that the service flow to be processed does not need to be encrypted, the SDN controller directly issues a flow table to a switching device in the network element, and correspondingly, the switching device in the network element directly forwards the service flow to be processed according to the flow table.
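The control-plane logic of S110 and S120, together with the two forwarding outcomes just described, as an added worked example that is not code from the patent or its assignee. An SDN controller receives the basic information of the reported flows, identifies those whose encryption identification is 1, matches each to an unused available key of the required level, and issues an encryption processing request carrying the flow identifier (a VLAN tag) and the key identifier; flows whose identification is 0 get a plain forwarding entry instead. On the network element side the key management module resolves the key identifier to key material and the encryption module encrypts that flow's payload. The field names, the key-pool layout, the sample flows and the cipher are all assumptions: the page does not name the network element's cipher, so an HMAC-SHA256 counter-mode keystream stands in for it here.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowInfo:
    """Basic information of one service flow to be processed (assumed field set)."""
    vlan: int            # service flow identifier: VLAN tag
    src: str             # source IP or MAC address
    dst: str             # destination IP or MAC address
    msg_type: str        # message type
    encrypt_flag: int    # encryption identification: 1 = encrypt, 0 = do not
    enc_level: int = 1   # encryption requirement (required key level)


@dataclass(frozen=True)
class KeyInfo:
    """Available encryption key information advertised by the network element."""
    key_id: str
    level: int
    key_type: str


class EncryptionPlanError(Exception):
    """No available key satisfies a flow's encryption requirement."""


def plan_requests(flows, available_keys):
    """Controller side of S120: return (encryption_requests, plain_flow_table).

    Each request pairs a flow identifier with the identifier of an unused key
    whose level matches the flow's requirement; a key is assigned to one flow only.
    """
    if len(flows) < 2:
        raise ValueError("S110 expects basic information of at least two flows")
    unused = {k.key_id: k for k in available_keys}
    requests, plain = [], []
    for f in flows:
        if f.encrypt_flag != 1:
            plain.append({"flow_id": f.vlan, "action": "forward"})
            continue
        match = next((k for k in unused.values() if k.level == f.enc_level), None)
        if match is None:
            raise EncryptionPlanError(f"no level-{f.enc_level} key for VLAN {f.vlan}")
        del unused[match.key_id]
        requests.append({"flow_id": f.vlan, "key_id": match.key_id, "action": "encrypt"})
    return requests, plain


def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher (assumption, not the patent's): XOR the payload with
    an HMAC-SHA256 keystream over (nonce || block counter). Applying it twice with
    the same key and nonce recovers the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def network_element_process(requests, key_pool, payloads):
    """Network element side: the key management module maps key_id -> key bytes,
    the encryption module processes the payload of each requested flow, and the
    results are returned to the switching equipment keyed by flow identifier."""
    out = {}
    for r in requests:
        key = key_pool[r["key_id"]]                  # key management module lookup
        nonce = r["flow_id"].to_bytes(4, "big")      # per-flow nonce (assumption)
        out[r["flow_id"]] = keystream_xor(payloads[r["flow_id"]], key, nonce)
    return out


# Constructed sample data: three reported flows, three advertised keys.
SAMPLE_FLOWS = [
    FlowInfo(100, "10.0.0.1", "10.0.0.9", "train_control", encrypt_flag=1, enc_level=1),
    FlowInfo(200, "10.0.0.2", "10.0.0.9", "diagnostics", encrypt_flag=0),
    FlowInfo(300, "10.0.0.3", "10.0.0.9", "interlocking", encrypt_flag=1, enc_level=2),
]
SAMPLE_KEY_INFO = [KeyInfo("k-001", 1, "sym"), KeyInfo("k-002", 2, "sym"), KeyInfo("k-003", 1, "sym")]
SAMPLE_KEY_POOL = {"k-001": b"\x01" * 32, "k-002": b"\x02" * 32, "k-003": b"\x03" * 32}


def demo():
    """Run the controller and network element halves end to end."""
    requests, plain = plan_requests(SAMPLE_FLOWS, SAMPLE_KEY_INFO)
    payloads = {100: b"movement authority", 300: b"route locked"}
    cipher = network_element_process(requests, SAMPLE_KEY_POOL, payloads)
    # Decryption at the peer is the same keystream operation with the same key id.
    recovered = network_element_process(requests, SAMPLE_KEY_POOL, cipher)
    return requests, plain, cipher, recovered


if __name__ == "__main__":
    print(demo())
```

The one-key-per-flow rule in `plan_requests` is a design choice of this example; it is what makes the key-sufficiency check of the second embodiment meaningful, since a flow then consumes keys from the pool.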
On the basis of the above embodiment, in order to maintain the freshness and security of the keys in the network element, as an optional manner of the embodiment of the present invention, if it is monitored that any unused key in the network element has existed for longer than a set time period, a key clearing request is issued to the network element so that the network element clears that key.
Wherein an unused key refers to a key in the network element that is not in use at the current time; the duration refers to how long the key has existed; the set time period may be set by those skilled in the art according to the actual circumstances. The key clearing request instructs the network element to clear the key and includes the key identifier of the key to be cleared.
Specifically, if the SDN controller monitors that the time period of existence of any unused key in the network element is longer than a set time period, a key clearing request is issued to a key management module in the network element; correspondingly, after receiving the key clearing request, the key management module in the network element clears the corresponding key according to the key identification.
It can be understood that by monitoring the existence duration of the key in the network element, the freshness of the key is ensured, thereby ensuring the security of the encrypted service flow in transmission.
On the basis of the above embodiment, in order to ensure the sufficiency of the keys in the network element, as an alternative manner of the embodiment of the present invention, if it is monitored that the number of available keys in the network element is smaller than a set value, a key acquisition request is sent to the network element so as to instruct the network element to acquire keys from the key distribution device. Wherein the set value can be set by those skilled in the art according to the actual situation.
Wherein an available key refers to a key that can be used; the key distribution device is connected to the key management module in the network element to provide keys to the network element, and may be a conventional key distribution device, a quantum key distribution (QKD) device, or the like. The key acquisition request instructs the network element to acquire keys.
Specifically, if the SDN controller monitors that the number of usable keys is smaller than the set value, a key acquisition request is issued to the key management module in the network element; correspondingly, after receiving the key acquisition request, the key management module in the network element forwards it to the key distribution equipment; the key distribution device then sends new keys to the key management module in the network element until the number of keys in the key management module reaches a sufficient number, where the sufficient number indicates that the keys in the network element have reached a saturated state and can be set by a person skilled in the art according to the actual situation.
It can be appreciated that by monitoring the number of keys in the network element, the sufficiency of the keys in the network element can be ensured, thereby ensuring the encryption requirements of the traffic flow.
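The two key-pool monitors just described (clearing unused keys that have existed longer than a set time period, and replenishing the pool from the key distribution device when the number of available keys drops below a set value), as an added example that is not the patent's own code. The thresholds, the pool representation and the stub key distribution device are assumptions; the controller function only decides which requests to issue, and the network element function carries them out.

```python
from dataclasses import dataclass

SET_MAX_AGE = 3600.0     # assumed set time period: seconds an unused key may exist
SET_MIN_AVAILABLE = 4    # assumed set value: below this, request more keys
SATURATION = 8           # assumed sufficient number: pool size counted as saturated


@dataclass
class PoolKey:
    """One key in the network element's key pool (assumed layout)."""
    key_id: str
    created_at: float     # seconds since epoch when the key was injected
    in_use: bool = False  # True while an encryption/decryption module holds it


def monitor_key_pool(pool, now):
    """Controller side: return the key clearing and key acquisition decisions.

    'clear' lists the identifiers of unused keys older than SET_MAX_AGE;
    'acquire' is True when, after those are removed, fewer than
    SET_MIN_AVAILABLE usable keys would remain.
    """
    stale = [k.key_id for k in pool if not k.in_use and now - k.created_at > SET_MAX_AGE]
    available = [k for k in pool if not k.in_use and k.key_id not in stale]
    return {"clear": stale, "acquire": len(available) < SET_MIN_AVAILABLE}


class StubKeyDistributionDevice:
    """Stand-in for the key distribution device (conventional or QKD); it simply
    hands out fresh, uniquely named keys on request."""

    def __init__(self):
        self.issued = 0

    def new_key(self, now):
        self.issued += 1
        return PoolKey(f"kd-{self.issued:04d}", now)


def apply_requests(pool, requests, kdd, now):
    """Network element key management module: clear the named keys, then, on a
    key acquisition request, pull keys from the distribution device until the
    pool holds SATURATION keys. Returns the new pool."""
    to_clear = set(requests["clear"])
    pool = [k for k in pool if k.key_id not in to_clear]
    if requests["acquire"]:
        while len(pool) < SATURATION:
            pool.append(kdd.new_key(now))
    return pool


# Constructed sample: one stale unused key, one key in use, two fresh unused keys.
NOW = 10_000.0


def sample_pool():
    return [
        PoolKey("k-0001", 1_000.0),               # unused for 9000 s: stale
        PoolKey("k-0002", 8_000.0, in_use=True),  # in use, never cleared by age
        PoolKey("k-0003", 9_000.0),
        PoolKey("k-0004", 9_500.0),
    ]


if __name__ == "__main__":
    pool = sample_pool()
    decision = monitor_key_pool(pool, NOW)
    print("controller decision:", decision)
    pool = apply_requests(pool, decision, StubKeyDistributionDevice(), NOW)
    print("pool after:", [k.key_id for k in pool])
```

Keys that are in use are deliberately excluded from the age check, matching the text's definition of an unused key; whether a key in use should also be rotated after some lifetime is a separate policy the page does not cover.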
Example two
Fig. 2 is a flowchart of a data processing method according to a second embodiment of the present invention, which is further optimized based on the foregoing embodiment, to provide an alternative embodiment.
As shown in fig. 2, the method specifically may include:
S210, obtaining basic information of at least two service flows to be processed, which are reported by switching equipment in a network element.
S220, if the existence of the service flow to be encrypted in the at least two service flows to be processed is identified according to the basic information of the at least two service flows to be processed, an encryption processing request comprising the service flow identification to be encrypted is issued to the network element so as to instruct the network element to encrypt the service flow to be encrypted.
Optionally, issuing an encryption processing request including the to-be-encrypted service flow identifier to the network element may comprise: if it is identified that the number of available encryption keys in the network element meets the requirement for encrypting the to-be-encrypted service flows, issuing to the network element an encryption processing request including the to-be-encrypted service flow identifier.
The requirement for encrypting the service flows to be encrypted may be the number of keys, the key level and the like required by the service flows to be encrypted.
Specifically, it is determined whether the number of available encryption keys in the network element is equal to or greater than the number of keys required for encrypting the service flows to be encrypted. For example, if there are 10 service flows to be encrypted, each requiring a different number of keys and a different key level, and the total number of keys they require is 20, it is determined whether the network element has at least 20 available encryption keys; if so, an encryption processing request including the service flow identifier to be encrypted is issued to the network element.
Optionally, issuing an encryption processing request including the service flow identifier to be encrypted to the network element may further comprise: if it is identified that the number of available encryption keys in the network element does not meet the requirement for encrypting the service flows to be encrypted, selecting encryptable service flows from the service flows to be encrypted according to the sending time of the service flows to be encrypted and/or the identity level of the terminals sending them, and issuing to the network element an encryption processing request including the identifiers of the selected service flows.
The identity level of the terminal sending the service flow to be encrypted represents the priority for a key: the higher the identity level, the higher the key priority.
For example, if the SDN controller identifies that the number of available encryption keys in the network element does not meet the requirement for encrypting the service flows to be encrypted, it selects the encryptable service flows from the service flows to be encrypted in order of their sending time, and issues to the network element an encryption processing request including the identifiers of the selected service flows.
For example, if the SDN controller identifies that the number of available encryption keys in the network element does not meet the requirement for encrypting the service flows to be encrypted, it selects the encryptable service flows from the service flows to be encrypted according to the identity level of the sending terminals, and issues to the network element an encryption processing request including the identifiers of the selected service flows.
For example, if the SDN controller identifies that the number of available encryption keys in the network element does not meet the requirement for encrypting the service flows to be encrypted, it selects the encryptable service flows from the service flows to be encrypted according to both the order of sending time and the identity level of the sending terminals, and issues to the network element an encryption processing request including the identifiers of the selected service flows. Specifically, weights are set for the sending time of the service flow to be encrypted and for the identity level of the sending terminal; an encryption score for each service flow to be encrypted is then determined from the sending time, the identity level and the weights; the encryptable service flows are selected from the service flows to be encrypted according to their encryption scores, and an encryption processing request comprising the identifiers of the encryptable service flows is issued to the network element.
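The key-sufficiency check and the three selection rules of this embodiment (by sending time, by terminal identity level, and by a weighted score of both) as one added example; it is not the patent's own code. The weights, the normalisation used to put sending time and identity level on comparable scales, the per-flow key counts and the sample flows are all assumptions; the page fixes only that earlier sending time and higher identity level rank higher.

```python
from dataclasses import dataclass

W_TIME = 0.4       # assumed weight of sending time (earlier ranks higher)
W_IDENTITY = 0.6   # assumed weight of terminal identity level (higher ranks higher)


@dataclass(frozen=True)
class PendingFlow:
    """A service flow to be encrypted and what the controller knows about it."""
    flow_id: int
    keys_needed: int      # keys this flow's encryption requirement consumes
    send_time: float      # sending time in seconds; lower is earlier
    identity_level: int   # identity level of the sending terminal, e.g. 1..5


def keys_sufficient(flows, available_keys):
    """True when the network element's available keys cover every flow."""
    return sum(f.keys_needed for f in flows) <= available_keys


def encryption_score(flow, flows):
    """Weighted score: earliness is normalised over the batch (1 = earliest,
    0 = latest) and identity level over the batch maximum, then combined."""
    times = [f.send_time for f in flows]
    span = (max(times) - min(times)) or 1.0
    earliness = 1.0 - (flow.send_time - min(times)) / span
    max_level = max(f.identity_level for f in flows) or 1
    return W_TIME * earliness + W_IDENTITY * flow.identity_level / max_level


def select_encryptable(flows, available_keys, criterion="weighted"):
    """Return the identifiers of the flows admitted for encryption.

    If the keys suffice, every flow is admitted. Otherwise flows are ranked by
    the chosen criterion ('time', 'identity' or 'weighted') and admitted in rank
    order while their key requirement still fits in the remaining key budget.
    """
    if keys_sufficient(flows, available_keys):
        return [f.flow_id for f in flows]
    if criterion == "time":
        ranked = sorted(flows, key=lambda f: f.send_time)
    elif criterion == "identity":
        ranked = sorted(flows, key=lambda f: (-f.identity_level, f.send_time))
    elif criterion == "weighted":
        ranked = sorted(flows, key=lambda f: (-encryption_score(f, flows), f.send_time))
    else:
        raise ValueError(f"unknown criterion {criterion!r}")
    chosen, budget = [], available_keys
    for f in ranked:
        if f.keys_needed <= budget:
            chosen.append(f.flow_id)
            budget -= f.keys_needed
    return chosen


# Constructed sample: four flows needing 8 keys in total.
SAMPLE_FLOWS = [
    PendingFlow(1, keys_needed=2, send_time=0.0, identity_level=1),
    PendingFlow(2, keys_needed=3, send_time=10.0, identity_level=5),
    PendingFlow(3, keys_needed=1, send_time=5.0, identity_level=3),
    PendingFlow(4, keys_needed=2, send_time=4.0, identity_level=2),
]


if __name__ == "__main__":
    for crit in ("time", "identity", "weighted"):
        print(crit, select_encryptable(SAMPLE_FLOWS, 5, crit))
    print("all keys available:", select_encryptable(SAMPLE_FLOWS, 8))
```

Flows that do not fit the remaining budget are skipped rather than stopping the scan, so a small later flow can still be admitted; the text's "select from the service flows to be encrypted" does not say which of the two behaviours is intended, so this is a design choice of the example.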
According to the technical scheme of the embodiment of the invention, the basic information of at least two to-be-processed service flows reported by the switching equipment in the network element is acquired; then, if it is identified from that basic information that to-be-encrypted service flows exist among the at least two to-be-processed service flows, an encryption processing request comprising the to-be-encrypted service flow identifier is issued to the network element so as to instruct the network element to encrypt the to-be-encrypted service flows. With this technical scheme, whether a service flow accessing the network element is encrypted can be configured flexibly; compared with the traditional encryption machine, the service flow to be encrypted is encrypted by the network element itself, which scales well, and a new approach is provided for the secure communication of service flows in the SDN. At the same time, the technical scheme of the invention can ensure the reliable transmission of safety information between the station and the relay station equipment and between the relay station equipment and the core machine room signal equipment.
Example III
Fig. 3 is a flowchart of a data processing method according to a third embodiment of the present invention, which is further optimized on the basis of the above embodiment to provide an alternative embodiment.
As shown in fig. 3, the method specifically may include:
S310, obtaining basic information of at least two service flows to be processed, which are reported by the switching equipment in a network element.
S320, if it is identified from the basic information of the at least two service flows to be processed that a service flow to be encrypted exists among them, issuing an encryption processing request including the identifier of the service flow to be encrypted to the network element so as to instruct the network element to encrypt the service flow to be encrypted.
S330, if it is identified from the basic information of the at least two service flows to be processed that a service flow to be decrypted exists among them, issuing a decryption processing request including the identifier of the service flow to be decrypted to the network element so as to instruct the network element to decrypt the service flow to be decrypted.
The decryption processing request instructs the network element which of the service flows to be processed are to be decrypted, and may be, for example, a flow table. The identifier of the service flow to be decrypted may be a network protocol label, such as a VLAN label or a Multi-Protocol Label Switching (MPLS) label.
The SDN controller determines the service flows needing decryption, namely the service flows to be decrypted, according to the decryption identification information of each service flow to be processed contained in the basic information of the at least two service flows to be processed. Further, issuing a decryption processing request including the identifier of the service flow to be decrypted to the network element may consist of determining the decryption key identifier for the service flow to be decrypted according to the available decryption key information of the network element and the decryption requirement of the service flow to be decrypted, and then issuing a decryption processing request comprising the identifier of the service flow to be decrypted and the decryption key identifier to the network element.
The decryption key information of the network element can be information such as a key identifier, a key grade and a key type; the decryption requirement may refer to the decryption level of the service flow to be decrypted, the type of decryption key required, and so on.
Specifically, the SDN controller may determine a decryption key of the service flow to be decrypted according to available decryption key information of the network element and a decryption requirement of the service flow to be decrypted, for example, if a decryption level in the decryption requirement of the service flow to be decrypted is a first level, select decryption key information corresponding to the decryption level from available decryption key information of the network element, and determine a decryption key identifier of the service flow to be decrypted; further, a decryption processing request comprising the service flow identifier to be decrypted and the decryption key identifier is issued to the network element.
Correspondingly, after receiving a decryption processing request issued by the SDN controller, a key management module in the network element determines a key associated with the service flow to be decrypted according to a decryption key identifier and the service flow identifier to be decrypted in the decryption processing request, and sends the key associated with the service flow to be decrypted to an encryption and decryption module in the network element; meanwhile, the switching equipment in the network element sends the service flow to be decrypted to an encryption and decryption module in the network element; after receiving the service flow to be decrypted and the key associated with the service flow to be decrypted, the encryption and decryption module in the network element decrypts the service flow to be decrypted according to the key associated with the service flow to be decrypted, and sends the decrypted service flow to the switching equipment in the network element.
According to the technical scheme, basic information of at least two service flows to be processed, reported by the switching equipment in a network element, is acquired; if it is identified from that basic information that a service flow to be encrypted exists among the at least two service flows to be processed, an encryption processing request comprising the identifier of the service flow to be encrypted is issued to the network element so as to instruct the network element to encrypt it; and if it is identified from that basic information that a service flow to be decrypted exists among the at least two service flows to be processed, a decryption processing request comprising the identifier of the service flow to be decrypted is issued to the network element so as to instruct the network element to decrypt it. With this scheme, encryption and decryption operations can be applied flexibly to the service flows to be processed, and the service flow to be encrypted is encrypted through the network element, which offers good expandability. At the same time, the technical scheme of the invention can ensure reliable transmission of safety information between the station and the relay station equipment and between the relay station equipment and the core machine room signal equipment.
Example IV
Fig. 4 is a schematic structural diagram of a data processing apparatus according to a fourth embodiment of the present invention, where the present embodiment is applicable to a situation of encrypting a service flow in an SDN network, and is particularly applicable to a situation of secure communication of railway signals in a high-speed railway scenario, and the apparatus may be implemented in a software and/or hardware manner and may be integrated in an electronic device that carries a data processing function, for example, an SDN controller.
As shown in fig. 4, the apparatus may specifically include a basic information acquisition module 410 and an encryption module 420, wherein:
the basic information acquisition module 410 is configured to acquire basic information of at least two service flows to be processed reported by the switching equipment in a network element;
the encryption module 420 is configured to, if it is identified from the basic information of the at least two service flows to be processed that a service flow to be encrypted exists among them, issue an encryption processing request including the identifier of the service flow to be encrypted to the network element, so as to instruct the network element to encrypt the service flow to be encrypted.
According to the technical scheme of this embodiment of the invention, basic information of at least two service flows to be processed, reported by the switching equipment in the network element, is acquired; if it is identified from that basic information that a service flow to be encrypted exists among the at least two service flows to be processed, an encryption processing request comprising the identifier of the service flow to be encrypted is issued to the network element so as to instruct the network element to encrypt it. With this scheme, whether a service flow accessing the network element is encrypted can be configured flexibly; compared with a traditional encryption machine, encrypting the service flow to be encrypted in the network element gives the network element good expandability and offers a new approach to secure communication of service flows in an SDN. At the same time, the technical scheme of the invention can ensure reliable transmission of safety information between the station and the relay station equipment (such as TCC and CBI) and between the station and the core machine room signal equipment (such as TSRS, RBC and CCS).
Further, the encryption module 420 is specifically configured to:
if it is identified that the number of available encryption keys in the network element meets the requirement for encrypting the service flows to be encrypted, issue an encryption processing request comprising the identifier of the service flow to be encrypted to the network element; or,
if it is identified that the number of available encryption keys in the network element does not meet the requirement for encrypting the service flows to be encrypted, select encryptable service flows from the service flows to be encrypted according to the sending time of each service flow to be encrypted and/or the identity grade of the terminal sending it, and issue an encryption processing request comprising the identifiers of the encryptable service flows to the network element.
Further, the encryption module 420 is also configured to:
issue a flow table to the network element so that the network element forwards the encrypted service flow according to the flow table.
Further, the device also comprises a decryption module, which is specifically configured to:
if it is identified from the basic information of the at least two service flows to be processed that a service flow to be decrypted exists among them, issue a decryption processing request comprising the identifier of the service flow to be decrypted to the network element so as to instruct the network element to decrypt the service flow to be decrypted.
Further, the device also comprises a key clearing module, which is specifically configured to:
if the existence time of any unused key in the network element is longer than the set time, issue a key clearing request to the network element so that the network element clears that key.
Further, the device also comprises a key acquisition module, which is specifically configured to:
if the number of available keys in the network element is monitored to be smaller than the set value, issue a key acquisition request to the network element so as to instruct the network element to acquire keys from the key distribution equipment.
Further, the service flow identifier to be encrypted or the service flow identifier to be decrypted is a network protocol label.
The data processing device can execute the data processing method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to executing that method.
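The controller-side decisions described in Examples II to IV (the key-budget check, the weighted score from sending time and terminal identity grade used when keys are scarce, decryption key selection by level, clearing of keys idle beyond the set time, and key replenishment below the set value) as an added Python model. This is a constructed example, not code from the patent; the field names, scoring weights, thresholds, request formats and the sample flows and keys are all assumptions.

```python
"""Toy model of the SDN-controller decisions in Examples II to IV (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowInfo:
    """Basic information of one service flow as reported by the switching equipment."""
    label: int              # network protocol label (a VLAN id here) identifying the flow
    send_time: float        # sending time in seconds on the controller's clock (assumed)
    identity_level: int     # identity grade of the sending terminal, 1 (low) .. 5 (high)
    needs_encrypt: bool     # encryption identification information
    needs_decrypt: bool     # decryption identification information
    decrypt_level: int = 0  # required decryption level (flows to be decrypted only)


@dataclass
class KeyInfo:
    """Available key information held by the network element's key management module."""
    key_id: str
    level: int
    key_type: str
    in_use: bool = False
    idle_since: float = 0.0  # time at which the key last became unused


def encryption_score(flow: FlowInfo, now: float, w_time: float = 0.5,
                     w_identity: float = 0.5, horizon: float = 60.0) -> float:
    """Weighted score from sending time and identity grade (weights are assumptions).

    Flows that have waited longer (capped at `horizon` seconds) and flows from
    higher-grade terminals score higher; both terms are scaled to [0, 1].
    """
    waited = min(max(now - flow.send_time, 0.0), horizon) / horizon
    grade = (max(1, min(flow.identity_level, 5)) - 1) / 4
    return w_time * waited + w_identity * grade


def select_encryptable(to_encrypt: List[FlowInfo], key_budget: int,
                       now: float) -> List[FlowInfo]:
    """Budget sufficient: encrypt every flow; otherwise keep the best-scoring ones."""
    if key_budget >= len(to_encrypt):
        return list(to_encrypt)
    ranked = sorted(to_encrypt, key=lambda f: encryption_score(f, now), reverse=True)
    return ranked[:max(key_budget, 0)]


def choose_decryption_key(available: List[KeyInfo], flow: FlowInfo) -> Optional[str]:
    """Identifier of an available key whose level matches the flow's decryption level."""
    for key in available:
        if key.level == flow.decrypt_level:
            return key.key_id
    return None


def plan_requests(reported: List[FlowInfo], keys: List[KeyInfo], now: float,
                  max_idle: float = 300.0, key_low_watermark: int = 2) -> List[Dict]:
    """Requests the controller would issue to the network element in one round."""
    # Unused keys idle longer than max_idle get a clearing request; assumption:
    # such keys are no longer counted as available within the same round.
    stale_ids = {k.key_id for k in keys if not k.in_use and now - k.idle_since > max_idle}
    available = [k for k in keys if not k.in_use and k.key_id not in stale_ids]
    requests: List[Dict] = []

    to_encrypt = [f for f in reported if f.needs_encrypt]
    chosen = select_encryptable(to_encrypt, len(available), now)
    for f in chosen:
        requests.append({"type": "encrypt", "label": f.label})
    if chosen:  # flow table so the element forwards the encrypted flows (format assumed)
        requests.append({"type": "flow_table", "labels": [f.label for f in chosen]})

    for f in (f for f in reported if f.needs_decrypt):
        key_id = choose_decryption_key(available, f)
        if key_id is not None:  # no key at the required level: nothing to issue yet
            requests.append({"type": "decrypt", "label": f.label, "key_id": key_id})

    for key_id in sorted(stale_ids):
        requests.append({"type": "clear_key", "key_id": key_id})
    if len(available) < key_low_watermark:
        requests.append({"type": "acquire_keys"})
    return requests


# Constructed sample: four flows to encrypt, two to decrypt, controller time 100.0.
SAMPLE_FLOWS = [
    FlowInfo(101, send_time=40.0, identity_level=2, needs_encrypt=True, needs_decrypt=False),
    FlowInfo(102, send_time=95.0, identity_level=5, needs_encrypt=True, needs_decrypt=False),
    FlowInfo(103, send_time=70.0, identity_level=3, needs_encrypt=True, needs_decrypt=False),
    FlowInfo(104, send_time=98.0, identity_level=2, needs_encrypt=True, needs_decrypt=False),
    FlowInfo(201, send_time=90.0, identity_level=3, needs_encrypt=False, needs_decrypt=True,
             decrypt_level=2),
    FlowInfo(202, send_time=91.0, identity_level=3, needs_encrypt=False, needs_decrypt=True,
             decrypt_level=3),
]
SAMPLE_KEYS = [
    KeyInfo("k1", level=1, key_type="sym", idle_since=0.0),   # idle 100 s: stale at max_idle=90
    KeyInfo("k2", level=1, key_type="sym", idle_since=50.0),
    KeyInfo("k3", level=2, key_type="sym", idle_since=60.0),
    KeyInfo("k4", level=2, key_type="sym", in_use=True),
]


def demo() -> List[Dict]:
    """Two keys available for four flows to encrypt: only the two best-scoring are chosen."""
    return plan_requests(SAMPLE_FLOWS, SAMPLE_KEYS, now=100.0, max_idle=90.0, key_low_watermark=3)


if __name__ == "__main__":
    for request in demo():
        print(request)
```

With the sample data, flow 101 (waited longest) and flow 102 (highest identity grade) win the two available keys, flow 202 gets no decryption request because no level-3 key is available, key k1 is cleared, and a key acquisition request is issued because fewer than three keys remain.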
Example five
Fig. 5 is a schematic structural diagram of an electronic device provided in a fifth embodiment of the present invention, and fig. 5 is a block diagram of an exemplary device suitable for implementing an embodiment of the present invention. The device shown in fig. 5 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments of the invention.
As shown in fig. 5, the electronic device 12 is in the form of a general purpose computing device. Components of the electronic device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in fig. 5, commonly referred to as a "hard disk drive"). Although not shown in fig. 5, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. The system memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the embodiments described herein.
The electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with the electronic device 12, and/or any devices (e.g., network card, modem, etc.) that enable the electronic device 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through a network adapter 20. As shown, the network adapter 20 communicates with other modules of the electronic device 12 over the bus 18. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 12, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example, implementing the data processing method provided by the embodiment of the present invention.
Example six
A sixth embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program (or referred to as computer-executable instructions) which, when executed by a processor, is configured to perform the data processing method provided by the embodiment of the present invention, the method including:
basic information of at least two service flows to be processed, which are reported by switching equipment in a network element, is obtained;
if the existence of the service flow to be encrypted in the at least two service flows to be processed is identified according to the basic information of the at least two service flows to be processed, an encryption processing request comprising the service flow identification to be encrypted is issued to the network element so as to instruct the network element to encrypt the service flow to be encrypted.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the embodiments of the present invention have been described in connection with the above embodiments, the embodiments of the present invention are not limited to the above embodiments, but may include many other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (8)

1. A method of data processing, comprising:
basic information of at least two service flows to be processed, which are reported by switching equipment in a network element, is obtained;
if the existence of the service flow to be encrypted in the at least two service flows to be processed is identified according to the basic information of the at least two service flows to be processed, issuing an encryption processing request comprising the service flow identifier to be encrypted to the network element so as to instruct the network element to encrypt the service flow to be encrypted;
the network element comprises a key management module, an encryption and decryption module and SDN switching equipment;
wherein issuing an encryption processing request including the identifier of the service flow to be encrypted to the network element, so as to instruct the network element to encrypt the service flow to be encrypted, further includes:
issuing a flow table to the network element so that the network element forwards the encrypted service flow according to the flow table;
wherein the issuing, to the network element, an encryption processing request including a service flow identifier to be encrypted includes:
if the number of the available encryption keys in the network element is identified to meet the requirement of encrypting the service flow to be encrypted, issuing an encryption processing request comprising the service flow identifier to be encrypted to the network element;
if it is identified that the number of the available encryption keys in the network element does not meet the requirement of encrypting the service flow to be encrypted, selecting an encryptable service flow from the service flows to be encrypted according to the sending time of the service flow to be encrypted and/or the identity grade of the terminal sending the service flow to be encrypted, and issuing an encryption processing request comprising the identifier of the encryptable service flow to the network element.
2. The method as recited in claim 1, further comprising:
if the service flow to be decrypted exists in the at least two service flows to be processed according to the basic information of the at least two service flows to be processed, a decryption processing request comprising the service flow identifier to be decrypted is issued to the network element so as to instruct the network element to decrypt the service flow to be decrypted.
3. The method as recited in claim 1, further comprising:
if the existence time of any unused key in the network element is longer than the set time, a key clearing request is issued to the network element, so that the network element clears the key.
4. The method as recited in claim 1, further comprising:
and if the number of the available keys in the network element is monitored to be smaller than the set value, sending a key acquisition request to the network element so as to instruct the network element to acquire the keys from the key distribution equipment.
5. The method according to claim 2, wherein the traffic flow identification to be encrypted or the traffic flow identification to be decrypted is a network protocol label.
6. A data processing apparatus, comprising:
the basic information acquisition module is used for acquiring basic information of at least two service flows to be processed, which are reported by the switching equipment in the network element;
the encryption module is used for issuing an encryption processing request comprising a service flow identifier to be encrypted to the network element if the service flow to be encrypted exists in the at least two service flows to be processed according to the basic information of the at least two service flows to be processed, so as to instruct the network element to encrypt the service flow to be encrypted;
the network element comprises a key management module, an encryption and decryption module and SDN switching equipment;
wherein the encryption module is further used for:
issuing a flow table to the network element so that the network element forwards the encrypted service flow according to the flow table;
the encryption module is specifically used for:
if the number of the available encryption keys in the network element is identified to meet the requirement of encrypting the service flow to be encrypted, issuing an encryption processing request comprising the service flow identifier to be encrypted to the network element;
if it is identified that the number of the available encryption keys in the network element does not meet the requirement of encrypting the service flow to be encrypted, selecting the service flow which can be encrypted from the service flows to be encrypted according to the sending time of the service flow to be encrypted and/or the identity grade of the terminal sending the service flow to be encrypted, and issuing an encryption processing request comprising the identification of the service flow which can be encrypted to the network element.
7. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the data processing method of any of claims 1-5.
8. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements a data processing method according to any one of claims 1-5.
Application CN202110936707.3A, priority date 2021-08-16, filing date 2021-08-16: Data processing method, device, equipment and storage medium (Active, granted as CN113676467B).

Publications (2)

Publication Number: Publication Date
CN113676467A (en): 2021-11-19
CN113676467B (en): 2024-01-05