CN114666047A - Device and method for encrypting and decrypting network data - Google Patents

Device and method for encrypting and decrypting network data

Info

Publication number
CN114666047A
Authority
CN
China
Prior art keywords
key
field
message
protocol
unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210287822.7A
Other languages
Chinese (zh)
Inventor
舒弋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Congyun Technology Co ltd
Original Assignee
Beijing Congyun Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Congyun Technology Co ltd
Priority to CN202210287822.7A
Publication of CN114666047A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/067 Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The device for encrypting and decrypting network data comprises a first key generation unit, an encryption unit, a second key generation unit and a decryption unit. The first key generation unit extracts the characteristic field from a message, generates a first key from the characteristic field and outputs it to the encryption unit. The encryption unit encrypts the transport layer payload of the message with the first key, using an encryption algorithm agreed between the source address and the destination address, and sends the encrypted message to the network. The second key generation unit extracts the characteristic field from the message received from the network to form a second key and outputs it to the decryption unit. The decryption unit decrypts the transport layer payload of the message from the network with the second key, using a decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address. The encryption and decryption keys used by the invention change dynamically, which improves security at low cost.

Description

Device and method for encrypting and decrypting network data
Technical Field
The invention relates to the technical field of network communication, and in particular to a device and a method for encrypting and decrypting data above the network transport layer.
Background
Transparent encrypted transmission of network data is a widely used link security technology. It encrypts only data above the transport layer, needs no security tunnel, requires no new IP (Internet Protocol) address planning, and leaves the original network topology unchanged.
Two schemes are commonly used to implement transparent network encryption:
1. A transparent encryption machine is placed between the application device and the network and performs message encryption and decryption. The drawback of this scheme is that the key of the transparent encryption machine is fixed and never changes, which is a security weakness.
2. Transparent encryption devices are placed between the application devices and the network, and a separate security server is added that issues keys to all transparent encryption devices and updates them periodically. This scheme remedies the drawback of scheme 1 but increases deployment complexity and maintenance effort. Once the security server fails, encryption and decryption fail, and the application service fails with them.
Disclosure of Invention
In view of the above, the present invention provides a device for encrypting and decrypting network data.
The invention adopts the following technical scheme: a device for encrypting and decrypting network data is constructed that comprises a first key generation unit, an encryption unit, a second key generation unit and a decryption unit;
the first key generation unit extracts a characteristic field from a message sent by the source address application device, generates a first key from the characteristic field and outputs the first key to the encryption unit;
the encryption unit encrypts the transport layer payload of the message sent by the source address application device with the first key, using an encryption algorithm agreed between the source address and the destination address, and transmits the encrypted message to the network;
the second key generation unit extracts the characteristic field from the message received from the network to form a second key and outputs the second key to the decryption unit;
and the decryption unit decrypts the transport layer payload of the message from the network with the second key, using a decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address.
Preferably, the characteristic field includes the IP ID field, which is the identification field in the IP packet header and uniquely identifies each packet sent by the source address application device.
Preferably, the characteristic field further comprises the Ethernet frame protocol field, the IP version number field and the IP protocol field; the Ethernet frame protocol field value is 0x0800, the IP version number field value is 0x4, and the IP protocol field is the protocol field in the IP message header, by which IP distinguishes the upper layer protocol using a protocol number.
Preferably, the first key and the second key are the same.
The invention also provides a method for encrypting and decrypting network data, which comprises the following steps:
S1: the first key generation unit extracts the characteristic field from the message sent by the source address application device, generates a first key, outputs the first key to the encryption unit, and proceeds to step S2;
S2: using the encryption algorithm agreed between the source address and the destination address, the encryption unit encrypts the transport layer payload of the message sent by the source address application device with the first key, transmits the encrypted message to the network, and proceeds to step S3;
S3: the second key generation unit extracts the characteristic field from the message received from the network to form a second key, outputs the second key to the decryption unit, and proceeds to step S4;
S4: the decryption unit decrypts the transport layer payload of the message from the network with the second key, using the decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address.
Preferably, the characteristic field includes the IP ID field, which is the identification field in the IP packet header and uniquely identifies each packet sent by the source address application device.
Preferably, the characteristic field further comprises the Ethernet frame protocol field, the IP version number field and the IP protocol field; the Ethernet frame protocol field value is 0x0800, the IP version number field value is 0x4, and the IP protocol field is the protocol field in the IP message header, by which IP distinguishes the upper layer protocol using a protocol number.
Preferably, the first key and the second key are the same.
The beneficial technical effects of the invention are as follows:
Compared with the transparent encryption machine scheme: the encryption and decryption keys used by the invention change dynamically, which improves security.
Compared with the security server plus transparent encryption device scheme: the invention needs no security server for centralized key management; the transparent encryption and decryption node determines the key from the message itself, which reduces the complexity of the scheme and improves its stability.
Drawings
Fig. 1 is a schematic diagram of the composition of the apparatus for encrypting and decrypting network data in the first embodiment;
fig. 2 is a flowchart of the method for encrypting and decrypting network data according to the first embodiment.
Detailed Description
To make the technical solutions and effects of this patent clearer, specific embodiments are described in detail below with reference to the accompanying drawings and examples.
The first embodiment is as follows:
Transparent encryption encrypts only the data above the transport layer; the rest of the message is carried through the network transparently. As shown in fig. 1, the network data encryption and decryption apparatus in this embodiment comprises a first key generation unit, an encryption unit, a second key generation unit and a decryption unit.
The first key generation unit extracts the characteristic field from the message sent by the source address application device, generates a first key from the characteristic field and outputs the first key to the encryption unit. The characteristic fields comprise at least the following:
[Table of characteristic fields, rendered as images in the original page: Ethernet frame protocol field, IP version number field, IP ID field, IP protocol field]
The Ethernet frame protocol field value 0x0800 indicates that the message is a TCP/IP protocol message.
The IP version number field value 0x4 indicates IPv4 (Internet Protocol version 4).
The IP ID field is the identification field in the IP packet header. The RFC (Request for Comments) specifies that this field uniquely identifies each message sent by the application device, so the identification field differs from message to message; the field is therefore dynamic. Because the IP ID field is one of the characteristic fields and differs for each packet, the first key generated from the characteristic fields also differs for each packet.
The IP protocol field is the protocol field in the IP message header; IP uses the protocol number to distinguish the upper layer protocol: ICMP is protocol number 1, IGMP is 2, TCP is 6 and UDP is 17.
The characteristic fields chosen by this scheme are relatively fixed fields of the message; that is, once a message has been generated, they do not change during transmission between the encryption and decryption nodes, however many hops the transmission takes. For the same message, therefore, the characteristic fields extracted by the first key generation unit and by the second key generation unit are identical, and so are the first and second keys generated from them. The encryption unit and the decryption unit thus use a consistent key for the message, and data encryption and decryption complete correctly.
On the other hand, the chosen characteristic fields must also satisfy the following: for any two different messages, at least one characteristic field has a different value. This makes the key corresponding to each message unique and guarantees the dynamic nature of the key, which secures the transmission.
The encryption unit encrypts the transport layer payload of the message with the first key, using an encryption algorithm agreed between the source address and the destination address, and transmits the encrypted message to the network. The encryption itself is the same as in existing transparent encryption technology.
The second key generation unit extracts the characteristic field from the message received from the network to form a second key and outputs the second key to the decryption unit. The characteristic field has the same structure as the one extracted by the first key generation unit.
The decryption unit decrypts the transport layer payload of the message from the network with the second key, using a decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address. The decryption itself is the same as in existing transparent encryption technology.
In this embodiment, the first key generation unit and the second key generation unit extract the same characteristic fields from the same message, so the first key and the second key are the same.
The network data encryption and decryption method in this embodiment comprises the following steps:
S1: the first key generation unit extracts the characteristic field from the message sent by the source address application device, generates a first key, outputs the first key to the encryption unit, and proceeds to step S2;
S2: using the encryption algorithm agreed between the source address and the destination address, the encryption unit encrypts the transport layer payload of the message sent by the source address application device with the first key, transmits the encrypted message to the network, and proceeds to step S3;
S3: the second key generation unit extracts the characteristic field from the message received from the network to form a second key, outputs the second key to the decryption unit, and proceeds to step S4;
S4: the decryption unit decrypts the transport layer payload of the message from the network with the second key, using the decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address.
The encryption and decryption in steps S2 and S4 are the same as in conventional transparent encryption technology.
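As an added example (not the patent's own code), the following Python models the apparatus of the disclosure above and the four-step method S1 to S4: it extracts the four characteristic fields from a constructed Ethernet/IPv4/UDP frame, derives the per-packet key, encrypts only the transport layer payload with all headers left intact, and shows that the receiving side re-derives the same key from the encrypted frame. The patent specifies neither the key derivation function nor the agreed algorithm, so both are assumptions here: HMAC-SHA256 keyed with a pre-shared secret agreed between source and destination derives the key (the characteristic fields travel in cleartext in every packet, so the secret is what keeps the key from being recomputed from the header alone), and an HMAC-SHA256 counter-mode keystream XORed over the payload stands in for the agreed cipher.

```python
"""Per-packet key derivation from the patent's characteristic fields.
Added example, not the patent's own code. The KDF (HMAC-SHA256 with a
pre-shared secret) and the cipher (HMAC-SHA256 counter-mode keystream,
XORed over the transport layer payload) are assumptions: the patent only
says the algorithm is 'agreed between the source address and destination
address'. Sample frames below are constructed; checksums are left zero."""
import hashlib
import hmac
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def characteristic_fields(frame: bytes) -> dict:
    """Steps S1/S3: pull the four characteristic fields out of the frame.
    All four sit in cleartext headers, which is why they are identical on
    the encrypting and decrypting nodes (and readable by anyone in between)."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, ip[0] & 0x0F
    if ethertype != ETHERTYPE_IPV4 or version != 4:
        raise ValueError("not an IPv4-over-Ethernet frame")
    return {"ethertype": ethertype, "version": version,
            "ip_id": struct.unpack_from("!H", ip, 4)[0],
            "protocol": ip[9], "ihl": ihl}


def derive_key(fields: dict, shared_secret: bytes) -> bytes:
    """Assumed KDF: HMAC over the packed characteristic fields. Without the
    secret the key would be a pure function of public header bytes."""
    msg = struct.pack("!HBHB", fields["ethertype"], fields["version"],
                      fields["ip_id"], fields["protocol"])
    return hmac.new(shared_secret, msg, hashlib.sha256).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in for the agreed cipher: HMAC-SHA256 in counter mode."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!Q", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def payload_offset(frame: bytes, fields: dict) -> int:
    """Offset of the data above the transport layer (after the UDP/TCP header)."""
    l4 = ETH_HDR_LEN + fields["ihl"] * 4
    if fields["protocol"] == IPPROTO_UDP:
        return l4 + 8
    if fields["protocol"] == IPPROTO_TCP:
        return l4 + (frame[l4 + 12] >> 4) * 4
    raise ValueError("only TCP and UDP payloads are handled here")


def transform_payload(frame: bytes, shared_secret: bytes) -> bytes:
    """Steps S2 and S4 in one function (XOR is its own inverse): re-derive
    the key from the headers and transform only the transport payload.
    A real device would also recompute the UDP/TCP checksum; omitted here."""
    fields = characteristic_fields(frame)
    key = derive_key(fields, shared_secret)
    off = payload_offset(frame, fields)
    body = frame[off:]
    ks = keystream(key, len(body))
    return frame[:off] + bytes(p ^ k for p, k in zip(body, ks))


def keys_match(frame_a: bytes, frame_b: bytes, shared_secret: bytes) -> bool:
    """True when two frames are encrypted under the same per-packet key,
    e.g. after the 16-bit IP ID wraps around and repeats a value."""
    return derive_key(characteristic_fields(frame_a), shared_secret) == \
        derive_key(characteristic_fields(frame_b), shared_secret)


def build_frame(ip_id: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; MACs and checksums zeroed."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), ip_id, 0,
                     64, IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0)
    return eth + ip + udp + payload


if __name__ == "__main__":
    secret = b"constructed pre-shared secret"
    sent = build_frame(0x1A2B, b"application data")
    on_wire = transform_payload(sent, secret)       # encrypting node (S1, S2)
    received = transform_payload(on_wire, secret)   # decrypting node (S3, S4)
    print("headers intact:", on_wire[:42] == sent[:42])
    print("round trip ok:", received == sent)
    print("key reused on IP ID repeat:",
          keys_match(sent, build_frame(0x1A2B, b"other"), secret))
```

The last check in the demonstration shows the property the description's uniqueness requirement depends on: two messages whose characteristic fields coincide (the IP ID is only 16 bits) are encrypted under the same key.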
Compared with the transparent encryption machine scheme: the encryption and decryption keys used by the invention change dynamically, which improves security.
Compared with the security server plus transparent encryption device scheme: the invention needs no security server for centralized key management; the transparent encryption and decryption node determines the key from the message itself, which reduces the complexity of the scheme and improves its stability.
The above is only a preferred embodiment of this patent and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principle of this patent falls within its scope of protection.

Claims (8)

1. An apparatus for encrypting and decrypting network data, characterized in that: the apparatus comprises a first key generation unit, an encryption unit, a second key generation unit and a decryption unit;
the first key generation unit extracts a characteristic field from a message sent by the source address application device, generates a first key from the characteristic field and outputs the first key to the encryption unit;
the encryption unit encrypts the transport layer payload of the message sent by the source address application device with the first key, using an encryption algorithm agreed between the source address and the destination address, and transmits the encrypted message to the network;
the second key generation unit extracts the characteristic field from the message received from the network to form a second key and outputs the second key to the decryption unit;
and the decryption unit decrypts the transport layer payload of the message from the network with the second key, using a decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address.
2. The apparatus for encrypting and decrypting network data according to claim 1, wherein: the characteristic field comprises the IP ID field, which is the identification field in the IP message header and uniquely identifies each message sent by the source address application device.
3. The apparatus for encrypting and decrypting network data according to claim 2, wherein: the characteristic field further comprises the Ethernet frame protocol field, the IP version number field and the IP protocol field; the Ethernet frame protocol field value is 0x0800, the IP version number field value is 0x4, and the IP protocol field is the protocol field in the IP message header, by which IP distinguishes the upper layer protocol using a protocol number.
4. The apparatus for encrypting and decrypting network data according to claims 1 to 3, wherein: the first key and the second key are the same.
5. A method for encrypting and decrypting network data, characterized in that it comprises the following steps:
S1: the first key generation unit extracts the characteristic field from the message sent by the source address application device, generates a first key, outputs the first key to the encryption unit, and proceeds to step S2;
S2: using the encryption algorithm agreed between the source address and the destination address, the encryption unit encrypts the transport layer payload of the message sent by the source address application device with the first key, transmits the encrypted message to the network, and proceeds to step S3;
S3: the second key generation unit extracts the characteristic field from the message received from the network to form a second key, outputs the second key to the decryption unit, and proceeds to step S4;
S4: the decryption unit decrypts the transport layer payload of the message from the network with the second key, using the decryption algorithm agreed between the source address and the destination address, and outputs the decrypted message to the application device at the destination address.
6. The method for encrypting and decrypting network data according to claim 5, wherein: the characteristic field comprises the IP ID field, which is the identification field in the IP message header and uniquely identifies each message sent by the source address application device.
7. The method for encrypting and decrypting network data according to claim 6, wherein: the characteristic field further comprises the Ethernet frame protocol field, the IP version number field and the IP protocol field; the Ethernet frame protocol field value is 0x0800, the IP version number field value is 0x4, and the IP protocol field is the protocol field in the IP message header, by which IP distinguishes the upper layer protocol using a protocol number.
8. The method for encrypting and decrypting network data according to claims 5 to 7, characterized in that: the first key and the second key are the same.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210287822.7A CN114666047A (en) 2022-03-23 2022-03-23 Device and method for encrypting and decrypting network data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210287822.7A CN114666047A (en) 2022-03-23 2022-03-23 Device and method for encrypting and decrypting network data

Publications (1)

Publication Number Publication Date
CN114666047A true CN114666047A (en) 2022-06-24

Family

ID=82031274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210287822.7A Pending CN114666047A (en) 2022-03-23 2022-03-23 Device and method for encrypting and decrypting network data

Country Status (1)

Country Link
CN (1) CN114666047A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116866902A (en) * 2023-07-27 2023-10-10 烟台东方威思顿电气有限公司 Data protection method based on interactive data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012083653A1 (en) * 2010-12-20 2012-06-28 西安西电捷通无线网络通信股份有限公司 Switch equipment and data processing method for supporting link layer security transmission
CN103618596A (en) * 2013-05-15 2014-03-05 盛科网络(苏州)有限公司 Encryption method for inner layer information in VXLAN (Virtual Extensible Local Area Net) tunnel
CN112104643A (en) * 2020-09-11 2020-12-18 重庆邮电大学 Encryption and decryption method for physical parameter characteristic value disturbance based on physical layer protocol data extraction random number
CN112788012A (en) * 2020-12-30 2021-05-11 深圳市欢太科技有限公司 Log file encryption method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
Choi et al. Advanced key-management architecture for secure SCADA communications
JP5060081B2 (en) Relay device that encrypts and relays frames
JP4016998B2 (en) Communication apparatus and program
US8160255B2 (en) System and method for encrypted group network communication with point-to-point privacy
US20100077203A1 (en) Relay device
US20080298592A1 (en) Technique for changing group member reachability information
CN103618596A (en) Encryption method for inner layer information in VXLAN (Virtual Extensible Local Area Net) tunnel
US11212265B2 (en) Perfect forward secrecy (PFS) protected media access control security (MACSEC) key distribution
CN102377571A (en) Method and system for implementing IEC104 message transmission
US11637699B2 (en) Rollover of encryption keys in a packet-compatible network
CN110798316A (en) Encryption key generation method, decryption key generation method, encryption key generation program, decryption key generation program, and decryption program
CN112332940B (en) Data transmission method based on time synchronization network and related equipment
CN110011786A (en) A kind of IP secret communication method of high safety
CN102088438A (en) Method for solving address conflict of Internet protocol security (IPSec) Client and IPSec Client
CN103227742B (en) A kind of method of ipsec tunnel fast processing message
CN114666047A (en) Device and method for encrypting and decrypting network data
CN106302386A (en) A kind of method promoting IPv6 protocol data bag safety
CN112929166A (en) Master station, slave station and data transmission system based on Modbus-TCP protocol
CN108989486B (en) Communication method and communication system
CN115834026A (en) Safety encryption method based on industrial protocol
CN115459913A (en) Quantum key cloud platform-based link transparent encryption method and system
Hirschler et al. Internet protocol security and power line communication
JP2004260556A (en) Station-side apparatus, subscriber-side apparatus, communication system, and encryption key notifying method
CN110650016B (en) Method for realizing network data security of AC/DC control protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination