CN114844730A - Network system constructed based on trusted tunnel technology - Google Patents


Publication number
CN114844730A
Authority
CN
China
Prior art keywords
network
tunnel
protocol
server
user
Legal status
Pending
Application number
CN202210780531.1A
Other languages
Chinese (zh)
Inventor
李挥
王�锋
马震太
裴欣源
国宏宇
张华宇
马化军
Current Assignee
Huzhou Saisi'an Technology Co ltd
Shenzhen Cestbon Technology Co ltd
Original Assignee
Huzhou Saisi'an Technology Co ltd
Shenzhen Cestbon Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Abstract

The invention belongs to the field of internet technology improvement and provides a network system constructed based on a trusted tunnel technology. The system comprises an IP network and a novel secure private network that are communicatively connected. Deployed in the novel secure private network are a resource server cluster, a tunnel server connected to the resource server cluster, a novel network router connected to the tunnel server, and private-network equipment connected to the novel network router; the novel network routers are also connected to one another. The tunnel server and an IP network user establish a trusted tunnel through signature verification, identity verification and security verification, forming the novel network system. The trusted tunnel technology bridges the gap between the use of an IP network and a novel secure private network: application programs in the novel secure private network need not be completely redeveloped for the protocol stack of the novel network, which saves a large amount of software and hardware cost.

Description

Network system constructed based on trusted tunnel technology
Technical Field
The invention belongs to the field of internet technology improvement, and particularly relates to a network system constructed based on a trusted tunnel technology.
Background
The GRE (Generic Routing Encapsulation) protocol is a simple tunnel encapsulation protocol that provides no flow control, security or sequencing mechanism. GRE uses tunneling to encapsulate various network-layer protocols in a virtual point-to-point link and is a layer-3 tunneling protocol.
The GRE client encapsulates the payload in a GRE message. The message is routed to the physical port of the designated router according to the tunnel destination address and is decapsulated at the tunnel server. GRE lets the user set a tunnel key and perform end-to-end verification of the encapsulated message; this is one of the few design features in GRE intended to improve security.
GRE is generally used for communication between local networks running different protocols, so as to connect subnets that cannot be connected directly. It is often combined with IPSec (Internet Protocol Security), which gives it greater application value.
The IPSec protocol suite consists mainly of four parts: (1) the AH (Authentication Header) protocol, which provides data integrity, message authentication and replay protection; (2) the ESP (Encapsulating Security Payload) protocol, which provides confidentiality, data-origin authentication and similar protection; (3) the SA (Security Association), which supplies the parameters required by AH and ESP and part of the algorithm support; (4) the IKE (Internet Key Exchange) protocol, which provides key exchange modes and methods.
GRE was not designed with a complex and effective security mechanism; it is a very simple layer-3 tunnel encapsulation protocol. As a result GRE is relatively insecure, often cannot be applied directly, and requires further design on top of it. GRE is carried and transported by IP and cannot be used in new networks whose packet format has been redesigned.
The SSH (Secure Shell) protocol is a network security protocol that provides encrypted transmission of information and is commonly used for remote login. It uses many mature cryptographic algorithms to protect the confidentiality of the channel and supports host authentication and user identity authentication. SSH has many commercial and open-source implementations, such as OpenSSH.
The SSH protocol framework consists mainly of three parts: the transport layer protocol (SSH-TRANS), the user authentication protocol (SSH-USERAUTH) and the connection protocol (SSH-CONNECT). The transport layer protocol provides an encrypted transmission tunnel with an authenticated host identity for the two upper-layer protocols, the user authentication protocol and the connection protocol; its functions include key agreement, server identity authentication, data integrity verification and data compression. The transport layer protocol can run directly on top of a TCP/IP connection. The user authentication protocol runs on top of the transport layer protocol: once the transport layer has built a secure channel from the client to the server, the server authenticates the SSH client user through public key authentication, password authentication or other modes. The connection protocol establishes logical channels over the encrypted channel built by the transport layer protocol and supports operations such as login and remote command execution; it lets SSH be extended easily with more functionality.
SSH has some security weaknesses in its design: an attacker can steal an SSH login password at a communication terminal by a password attack and then log in to the terminal to carry out further attacks. Moreover, it is a security protocol designed only for IP networks, cannot be used in new types of networks, and has no network-layer protection mechanism such as packet filtering.
Disclosure of Invention
The invention aims to provide a network system constructed based on a trusted tunnel technology, so as to solve the technical problems described above.
The invention is realized as follows: a network system constructed based on a trusted tunnel technology comprises an IP network and a novel secure private network that are communicatively connected. Deployed in the novel secure private network are a resource server cluster, a tunnel server connected to the resource server cluster, a novel network router connected to the tunnel server, and private-network equipment connected to the novel network router; the novel network routers are also connected to one another. The tunnel server and an IP network user establish a trusted tunnel through signature verification, identity verification and security verification, forming the novel network system.
A further technical solution of the invention is as follows: in constructing the trusted tunnel, a network packet coding format with an extensible structure is defined for the network layer of the novel secure private network, and the novel network is enabled to support gradual development and deployment.
A further technical solution of the invention is as follows: the network packet coding is designed on the fields of a TLV coding scheme, in which TLV encoding divides a data block into three intervals: the first is the Type field, which gives the type of the current data block; the second is the Length field, which gives the length of the Value field; the third is the Value field, which stores the actual data carried or nests one or more further TLV data blocks.
A further technical solution of the invention is as follows: the trusted tunnel achieves security protection through identity authentication and packet filtering, and data protection through data encryption and signature verification.
A further technical solution of the invention is as follows: the trusted tunnel protocol framework consists of a security negotiation protocol, an identity authentication protocol and a SOCKS proxy protocol. The security negotiation protocol mainly handles key negotiation between the tunnel client and the tunnel server and provides encrypted transmission between the two ends of the tunnel. The identity authentication protocol builds on the security negotiation protocol and supports two basic modes, public key authentication and password authentication; after authentication, the tunnel client signs each novel network packet with a private key bound to the user identity, which provides integrity protection and packet filtering for the packet payload. The SOCKS proxy protocol operates at the session layer of the TCP/IP protocol stack once the packet has passed the packet filtering flow of the tunnel server.
A further technical solution of the invention is as follows: the establishment of the trusted tunnel between the client user and the server comprises the following steps:
S11. The client requests from the server the list of algorithms the server supports and the server public key;
S12. The server sends its supported algorithm list and its public key to the client in response;
S13. From the algorithm list supported by the server, the client confirms the algorithm list to be used for the session, generates a random session key, and sends the confirmed algorithm list and the generated random session key to the server;
S14. The server determines the algorithm list and encryption key used for the session and sends a key negotiation confirmation to the client;
S15. The client and the server negotiate the user authentication mode; once the mode is determined, the client user sends a user authentication request to the server;
S16. The server performs multiple authentications of the client user's identity and, when they succeed, reports the success to the client user, whereupon the trusted tunnel is constructed.
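The key negotiation of steps S11 to S14, as an added example in Go that is not the patent's or MIN-VPN's own code. It assumes RSA-OAEP for wrapping the client's random session key (the patent names no algorithm), uses the chosen algorithm name as the OAEP label so that the key only unwraps under the algorithm the client actually selected, and stops before the authentication of S15 and S16.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Messages of the exchange, constructed for this example (the patent fixes no wire format).
type HelloReply struct{ Algorithms []string; PublicKey *rsa.PublicKey } // S12
type KeyProposal struct{ Algorithm string; WrappedSecret []byte }       // S13

// Server holds the long-term RSA key pair, the supported algorithm list and,
// once S14 completes, the session algorithm and key in use.
type Server struct {
	key        *rsa.PrivateKey
	algorithms []string
	sessionAlg string
	sessionKey []byte
}

func NewServer(algorithms []string) (*Server, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{key: key, algorithms: algorithms}, nil
}

func contains(list []string, x string) bool {
	for _, v := range list {
		if v == x {
			return true
		}
	}
	return false
}

// S11/S12: the client requests the algorithm list and server public key; the server answers.
func (s *Server) Hello() HelloReply {
	return HelloReply{Algorithms: s.algorithms, PublicKey: &s.key.PublicKey}
}

// S13: the client takes the first algorithm it shares with the server, draws a random
// 32-byte session key and wraps it to the server public key with RSA-OAEP. The chosen
// algorithm name is used as the OAEP label, so the wrapped key only opens under the
// same algorithm choice: a proposal whose algorithm field was altered in transit fails.
func ClientPropose(reply HelloReply, clientAlgs []string) (KeyProposal, []byte, error) {
	var chosen string
	for _, a := range clientAlgs {
		if contains(reply.Algorithms, a) {
			chosen = a
			break
		}
	}
	if chosen == "" {
		return KeyProposal{}, nil, errors.New("no common algorithm")
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return KeyProposal{}, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, reply.PublicKey, secret, []byte(chosen))
	if err != nil {
		return KeyProposal{}, nil, err
	}
	return KeyProposal{Algorithm: chosen, WrappedSecret: wrapped}, secret, nil
}

// S14: the server rejects an algorithm it did not offer, unwraps the session key and
// records both; a nil error is the key negotiation confirmation sent to the client.
func (s *Server) Confirm(p KeyProposal) error {
	if !contains(s.algorithms, p.Algorithm) {
		return errors.New("algorithm not supported by server")
	}
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, p.WrappedSecret, []byte(p.Algorithm))
	if err != nil {
		return err
	}
	s.sessionAlg, s.sessionKey = p.Algorithm, secret
	return nil
}

func (s *Server) SessionKey() []byte { return s.sessionKey }

func main() {
	srv, err := NewServer([]string{"aes-256-gcm", "chacha20-poly1305"})
	if err != nil {
		panic(err)
	}
	p, clientKey, err := ClientPropose(srv.Hello(), []string{"chacha20-poly1305"})
	if err != nil {
		panic(err)
	}
	fmt.Println("algorithm:", p.Algorithm, "confirmed:", srv.Confirm(p) == nil,
		"keys match:", string(clientKey) == string(srv.SessionKey()))
}
```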
A further technical solution of the invention is as follows: the packet filtering process comprises the following steps:
S21. Receive the novel network packet and parse the user ID field and the signature field; if parsing succeeds, retrieve the user certificate by the user ID and go to the next step; if parsing fails, discard the network packet;
S22. Determine whether a certificate for the user ID was retrieved; if so, verify the signature on the network packet with the public key field of the certificate and go to the next step; if not, the packet comes from an illegal unregistered user and is discarded;
S23. Determine whether the signature verification passed; if it failed, the packet comes from an illegal disguised user; if it passed, fetch all rights owned by the user from the rights management module by the user ID;
S24. Verify whether the user holds the authority for the operation; if the authority check fails, the user is unauthorized and the packet is discarded; if it succeeds, parse the IP message payload field of the novel network packet and send the message to the resource server.
A further technical solution of the invention is as follows: the user's access operations while the trusted tunnel is established and maintained are recorded in the tunnel's log, so that user access to private network resources is traceable. The logging relies on the design of the SOCKS proxy protocol within the tunnel protocol: during the SOCKS handshake the tunnel server observes the transport-layer connection operation of the TCP/IP protocol stack and records it in a log file against the user identity carried in the novel network packet.
A further technical solution of the invention is as follows: on the client side of the trusted tunnel, the MIN-VPN system provides MIN-VPN client programs for the common Windows operating system on desktop devices and the common Android operating system on mobile devices, and an encrypted transmission tunnel is established between the MIN-VPN client and the MIN-VPN server according to the trusted tunnel protocol specification.
A further technical solution of the invention is as follows: the data processing of the MIN-VPN-Android client program comprises the following steps:
S31. An application program such as a browser generates application-layer data, which flows into the TCP/IP protocol stack in the system kernel;
S32. A virtual network card captures the IP messages from the kernel TCP/IP protocol stack and passes them to the TCP/IP protocol stack module in the MIN-VPN client process, which parses the IP, UDP and TCP packets;
S33. After packet parsing, the MIN-VPN client process proxies the UDP and TCP connections of the other local application programs; its SOCKS logging module performs proxy negotiation with the VPN server program at the transport layer of the TCP/IP protocol stack, and the server program communicates with the MIS so that the transport-layer connection log is recorded in the MIS;
S34. After passing through the SOCKS protocol-layer proxy, the IP data packet still has to be TLV-encoded at the network layer and given a signature field by the MIN secure communication module; the TLV-encoded MIN packet is then sent to the physical network card, completing the data transmission.
The beneficial effects of the invention are as follows: taking a novel secure private network built on a novel network as the application background, a secure and trusted encrypted tunnel is opened between the IP network and the novel secure private network by combining cryptographic algorithms with the communication characteristics of the novel network, so that a service program designed for the TCP/IP protocol stack can be deployed directly in the novel secure private network. The trusted tunnel technology bridges the gap between the use of an IP network and a novel secure private network: application programs in the novel secure private network need not be completely redeveloped for the protocol stack of the novel network, a large amount of software and hardware cost is saved, the application ecology of the novel secure private network is enriched, and this in turn strongly promotes the continued evolution of the novel network and the novel secure private network. The effect is comparable to installing an Android emulator in the ecologically closed iOS operating system, so that Android applications can run on Apple mobile devices and the iOS application ecology becomes directly compatible with the Android one.
Drawings
Fig. 1 is a schematic device deployment diagram of a novel secure private network provided by an embodiment of the present invention.
Fig. 2 is a schematic diagram of a network packet coding format according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a trusted tunneling protocol framework according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a trusted tunneling protocol according to an embodiment of the present invention.
Fig. 5 is a schematic diagram illustrating a comparison between a trusted tunneling protocol and an IPSec tunneling mode overlaid on a GRE protocol according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of an establishment process of a trusted tunnel according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of logging in conjunction with a MIS system according to an embodiment of the present invention.
Fig. 8 is a schematic view of a MIN-VPN system deployment in an experimental environment according to an embodiment of the present invention.
Fig. 9 is a communication architecture diagram of a MIN-VPN-Android client program according to an embodiment of the present invention.
Fig. 10 is a processing logic diagram of a TCP/IP protocol stack module in a MIN-VPN-Android client program according to an embodiment of the present invention.
Detailed Description
Network and novel network
Today, in an era of vigorous development of information technology, the rapid development of internet technology benefits billions of people worldwide. The IP network, as the infrastructure of internet communication, has a great impact on modern society. The IP architecture is an hourglass with the IP protocol as its thin waist, designed so that a communicating party can obtain the desired data from a specified host according to its IP address. As demand for network services has diversified over time, the IP architecture has gradually shown its limitations, such as insufficient security, an increasingly complex protocol stack and poor transmission performance in mobile scenarios.
Since the end of the twentieth century, many countries have proposed various new network architectures to address more fundamentally the problems emerging under the IP architecture. Among these new networks are architectures that support gradual evolution from IP networks and others that are highly disruptive. Well-known novel network architectures of great innovation and influence include the eXpressive Internet Architecture (XIA), the Framework for Internet Innovation (FII), Named Data Networking (NDN) and the Multi-Identifier Network (MIN). Their design goals differ, but all contribute greatly to exploring the possible shape of future networks.
Novel secure private network and multi-identifier network
In the general sense, a private network is a dedicated communication network built within a particular group (an industry, department, organization and so on). At the business application level, private networks are often used in e-government, public safety, emergency response linkage, city management and similar fields.
A novel secure private network is a private network deployed on a novel network. Because it uses a novel network, it can exploit the design advantages of that network, compared with a private network on an IP network. In particular, some novel networks of recent years have security mechanisms built into the network layer, which greatly helps in constructing a high-security private network and better protects important resources.
The multi-identifier network is a novel network system. It aims to support a network space that is multilaterally co-managed, co-governed and shared, has better compatibility and evolvability, and outperforms the traditional IP network on network metrics such as security and transmission efficiency.
The multi-identifier network is structured in two planes, a management plane and a data plane. The data plane mainly supports the resolution of the various network identifiers, such as identity, content and address identifiers, and performs efficient, extensible routing, addressing and forwarding based on heterogeneous identifiers. The data plane functions are carried by the Multi-Identifier Router (MIR). The management plane mainly supports the generation and management of the various identifiers. The supervisory nodes of the management plane verify identifier data through a consensus algorithm and, once consensus is reached, record ownership and operation information on a blockchain, so that the information is tamper-proof and traceable. The management plane functions are carried by the Multi-Identifier management System (MIS).
Compared with the IP network and other novel networks, the multi-identifier network has the following characteristics: (1) it is centred on identity identifiers and supports the coexistence of multiple network addressing identifiers such as identity, content, IP, ground and air; this design has excellent compatibility and greatly helps the evolution of the multi-identifier network. (2) It supports both push and pull communication semantics, optimizing network transmission performance as far as possible in a variety of complex usage scenarios. (3) It can be deployed directly on top of existing IP networks. (4) It integrates blockchain technology to achieve decentralized identifier generation, management and resolution. (5) In its network security mechanism design it focuses directly on the data, with a complete set of protection mechanisms based on cryptography, identity authentication and related technologies, ensuring the security of network data to the greatest extent.
A secure private network constructed on the multi-identifier network can make good use of the architectural advantages of the multi-identifier network, such as its high security, can be deployed directly on the existing IP network, and has very broad application prospects.
Tunnel technique
Tunneling is a technique for transmitting data between networks through a tunnel: one network protocol is used to carry another, so that data can be transported across incompatible or insecure networks.
In tunneling, three protocol roles are involved: the encapsulation protocol, the transport protocol and the passenger protocol. The encapsulation protocol, i.e. the tunneling protocol, uses the transport protocol to carry the passenger protocol in its payload and, by establishing and maintaining tunnels, enables data transfer between incompatible networks. The transport protocol is the bearer protocol beneath the encapsulation protocol and is responsible for actually delivering the encapsulation protocol's data to the tunnel peer. The passenger protocol is the carried protocol above the encapsulation protocol and is the data the tunnel's end users actually want to transmit.
Tunneling has very wide application, for example in building a Virtual Private Network (VPN). VPN technology extends a private network over a public network: a user can remotely access resources on a private network server across the public network. It extends the function of the private network and makes its management convenient and quick.
A network proxy is a special network service that lets one network terminal (typically a client) connect indirectly to another (typically a server) through the service. Some VPN technologies provide connection relay directly over a proxy protocol, for example the Shadowsocks protocol, which uses the SOCKS proxy protocol.
SOCKS (Socket Secure) is a proxy protocol at the session layer. It is mainly used to pass messages between a client and a server communicating over TCP/IP, so that the client can reach, through the SOCKS proxy server, a resource server it cannot access directly. SOCKS works at a lower level than application-layer proxy protocols such as HTTP proxies, and its processing is simpler, more efficient and more transparent.
Internet technology has developed rapidly, and private network technology in IP networks is mature. In recent years new network architectures have been proposed, and the idea of constructing novel secure private networks on them is emerging; the multi-identifier network already has a practical precedent in private network construction.
The novel secure private network has many advantages, but since it is still at an early exploratory stage, many problems remain to be solved. An important one is how to build its application ecology. In a world where IP networks are still the mainstream, most terminal devices support only the TCP/IP protocol stack, and the applications running on them are designed for data transmission over the TCP/IP protocol suite. This makes the application ecology of the novel secure private network hard to build, makes it hard for users to apply the novel secure private network quickly to a given production scenario, and leaves many of its advantages unrealized.
To solve these problems, the invention, a network system constructed based on a trusted tunnel technology, designs a trusted tunnel technology suited to the novel secure private network environment and closes the usage gap between applications developed for the IP network and the novel secure private network, so that the applications deployable in the novel secure private network are greatly enriched. The invention implements a system based on the trusted tunnel technology, MIN-VPN, which supports client programs on desktop terminals represented by the Windows operating system and mobile terminals represented by the Android operating system, and gives a more detailed technical solution for the client program implementing the trusted tunnel technology on Android.
Equipment deployment method under novel secure private network
In a broad sense, new-generation networks are networks that are faster and more secure than traditional IP networks. Because the architectures of new network systems are very diverse, it is necessary to specify which novel networks can have their application ecology improved by the trusted tunnel technology of the invention. In the invention, the novel network on which the novel secure private network is based must satisfy both of the following conditions in order to use the trusted tunnel technology:
Condition 1: the novel network defines a network packet coding format with an extensible structure at the network layer, that is, the field types and field lengths of a network packet can vary.
Condition 2: the novel network supports gradual development and deployment, is compatible with data transmission over the existing TCP/IP protocol stack, and can send and receive the novel network packets designed in its network system through the communication interface of the TCP/IP protocol stack.
In fact, many novel networks are designed with both of these basic conditions in mind and satisfy them, for example information-centric networks and the multi-identifier network.
To construct a novel secure private network, an environment that forwards and routes network packets with the communication semantics of the novel network must be deployed in the private network. This requires the resource servers to connect to the public network through routers that support the novel network architecture. In novel secure private networks, the novel network routers connected to the public network are customarily called border routers; there are usually several, to spread the risk of unexpected downtime. A border router is connected directly to the IP network and supports reading and writing novel network packets through TCP/IP sockets, so that resource servers in the private network can exchange data with machines in the public IP network.
To show the beneficial effect of the trusted tunnel technology on the application ecology of the novel network private network, all application programs on the resource servers are assumed to support only the TCP/IP protocol stack. In this case, the novel network packets transmitted in the novel secure private network must be parsed by the tunnel server into IP packets recognizable by the TCP/IP protocol stack and then proxied to the resource server. The equipment deployment in the novel secure private network is shown in FIG. 1.
Example of a method of encoding scalable network packets
The tunneling technique in the present invention requires that the network packet design of the new network be an extensible structure to support cryptographic protection, such as signing, on the network packet and loading necessary user information into the network packet.
The present invention proposes a network packet coding method to demonstrate one possible approach that meets the above requirements. The network packet coding method provided by the invention is a field design based on the TLV (Type-Length-Value) coding scheme. TLV encoding divides one data block into three intervals. The first interval is the Type field and indicates the type of the current data block; the second interval is the Length field and gives the length of the Value field; the third interval is the Value field, which stores the actual carried data content or nests one or more further TLV data blocks.
The TLV encoding scheme is more extensible than the predefined static fields used in protocols such as TCP, UDP and IP, because fields can be added almost arbitrarily to carry whatever content needs to be populated.
As shown in fig. 2, a possible field design is provided for a new type of network packet. The positioning identification area is used for storing positioning information of two communication parties or one communication party in a novel network system, and can be in the forms of data ID, host ID and the like so as to support routing forwarding; the digital signature area is used for storing signature information of a data sender; the read-only data area is used for bearing upper protocol data; the variable data area is used to carry fields that can be modified by the intermediate router, such as congestion identification, etc.
It is emphasized that the network packet encoding method and the network packet field design referred to in the present invention are only one implementation form that can be used. The implementation of an extensible network packet structure is not limited to the TLV encoding scheme; other encoding schemes such as KLV (Key-Length-Value) encoding and XML (eXtensible Markup Language) encoding also have good structural extensibility.
Cryptographic protection in tunneling
The trusted tunnel technology protects not only the data but also the data source. The data source is protected through identity authentication and packet filtering technology, and the data itself is protected through data encryption technology and signature verification technology.
The cryptographic algorithms involved in the tunnel technology of the invention support the Chinese national cryptographic algorithm standards by default. The national cryptographic algorithms, that is, the domestic cryptographic algorithms identified by the national cryptographic authority, comprise a series of commercial cryptographic standards that implement functions such as encryption, decryption and authentication, for example SM1, SM2, SM3, SM4, SM7 and SM9. Among them, the asymmetric encryption algorithm SM2, the symmetric encryption algorithm SM4 and the hash algorithm SM3 are used by the trusted tunnel technology.
Whether cryptographic algorithms other than the national cryptographic algorithms are supported depends on the version of the trusted tunnel protocol. By design, the trusted tunnel protocol includes an algorithm negotiation step to support extension to other cryptographic algorithms. The symmetric key algorithm, the asymmetric key algorithm, the message authentication algorithm and the hash algorithm are negotiated at the beginning of the trusted tunnel establishment process.
Trusted tunneling protocol framework and principles
The trusted tunnel protocol is designed as a client/server (C/S) architecture. A secure tunnel is established between the tunnel client and the tunnel server through the trusted tunnel technology, and IP packets that can be processed by the TCP/IP protocol stack are encrypted and transmitted through the tunnel. The trusted tunnel protocol framework is shown in fig. 3.
The trusted tunnel protocol framework consists of three protocol layers: the Security Negotiation protocol, the Identity Authentication protocol and the SOCKS (Socket Secure) proxy protocol. The security negotiation protocol mainly concerns key negotiation between the tunnel client and the tunnel server and realizes encrypted transmission between the front end and the back end of the tunnel. The identity authentication protocol builds on the security negotiation protocol and supports two basic authentication modes, public key authentication and password authentication; after authentication, the tunnel client signs each novel network packet with a private key bound to the user's identity, so as to realize integrity protection and packet filtering of the novel network packet payload. The security negotiation and identity authentication layers communicate at the network layer of the novel network, while the SOCKS proxy protocol operates at the session layer of the TCP/IP protocol stack after the tunnel server's packet filtering and related processing. The SOCKS proxy protocol therefore directly uses the communication flow of the SOCKS5 proxy protocol of the IP network. Because the SOCKS proxy protocol is designed on top of the security negotiation and identity authentication protocols, its handshake phase does not perform encryption and authentication by default, which reduces network overhead.
The trusted tunnel protocol supports an application program in the IP network requesting data from a resource server in the novel secure private network, where the resource server runs a server program based on the TCP/IP protocol stack. The passenger protocol of the trusted tunnel, both inside and outside the private network, is IP; outside the private network the transport protocol is TCP/UDP, while inside the private network the transport protocol is the network layer protocol of the new network (in fig. 4 this protocol is named the "NewNet" protocol); the encapsulation protocol inside and outside the private network is the trusted tunnel protocol (mainly the security negotiation protocol and the identity authentication protocol, which sit above the new network layer), which uses novel network packets as its communication packet format. Because the novel network packet is extensible in structure, the trusted tunnel protocol does not need to wrap a tunnel protocol header around the network layer packet format as tunnel protocols in the IP network do; therefore, for conciseness and clarity, fig. 4 shows the trusted tunnel protocol implicitly within the "NewNet" protocol layer, as a functional protocol of the novel network layer protocol. The trusted tunnel protocol is illustrated schematically in fig. 4.
Compared with tunnel protocols in the IP network, the trusted tunnel protocol of the invention gives full consideration to security protection. The design idea is not simply to establish a tunnel in the manner of the GRE protocol, but is closer to a network transmission protocol suite with security measures such as encryption and authentication, like the SSH protocol and the IPSec protocol. In the IP network, the tunnel technique of running IPSec over GRE to establish a secure transmission tunnel comes closest to the function realized by the trusted tunnel protocol, but the former applies only to the IP network, whereas the latter combines the characteristics of the novel network to realize secure tunnel transmission from the IP network into the novel network. Fig. 5 shows the difference in protocol design between the two, starting from the three-protocol concept of tunneling (passenger protocol, encapsulation protocol, transport protocol).
Trusted tunnel establishment procedure
Establishing a trusted tunnel relies on encrypted transmission of data, integrity protection and authentication of the user's identity. Before the tunnel is established, the tunnel server generates a public key; after the tunnel is established, both the symmetric key and the user identity have been negotiated and approved. The trusted tunnel establishment process is shown in fig. 6.
In the security negotiation stage, the main process of the symmetric key negotiation is as follows:
(1) a client requests an algorithm list and a server public key supported by a server from the server;
(2) the client selects an algorithm which is expected to be used by the session, generates a symmetric key required by encryption transmission, encrypts the symmetric key by using a server public key and sends the symmetric key to the server;
(3) the server decrypts to obtain the algorithm list and the symmetric key and sends confirmation of the negotiation result to the client.
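The three-step negotiation above, written out as an added Go example with both sides' messages; this is not code from the patent or from the MIN-VPN system. It assumes RSA-OAEP for wrapping the session key and the suite names "AES-256-GCM" and "AES-128-GCM" as stand-ins for the SM2/SM4 negotiation the patent describes (only those primitives are in Go's standard library); the type and function names are this example's own. The check a practitioner wants is visible in both directions: the client refuses a suite the server did not offer, and the server refuses a wrapped key whose suite name was altered in transit, because the OAEP label binds the key to the suite.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Suites the server advertises, with the symmetric key length each needs. The
// patent negotiates SM2/SM4; RSA-OAEP stands in for SM2 key wrapping here only
// because it is in Go's standard library (an assumption of this example).
var suiteKeyLen = map[string]int{"AES-256-GCM": 32, "AES-128-GCM": 16}

// Server owns the long-term key pair generated before any tunnel is set up.
type Server struct {
	priv   *rsa.PrivateKey
	suites []string
}

// KeyExchange is the client's step (2) message: the chosen suite and the
// session key encrypted under the server public key.
type KeyExchange struct {
	Suite      string
	WrappedKey []byte
}

func NewServer() *Server {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if the system RNG does
	return &Server{priv: k, suites: []string{"AES-256-GCM", "AES-128-GCM"}}
}

// Hello answers step (1): supported algorithm list plus the server public key.
func (s *Server) Hello() ([]string, *rsa.PublicKey) { return s.suites, &s.priv.PublicKey }

func contains(list []string, x string) bool {
	for _, v := range list {
		if v == x {
			return true
		}
	}
	return false
}

// ClientChoose performs step (2). The suite must be one the server offered; the
// OAEP label binds the wrapped key to that suite, so a suite name altered in
// transit makes unwrapping fail rather than yield a key of the wrong length.
func ClientChoose(offered []string, pub *rsa.PublicKey, want string) (KeyExchange, []byte, error) {
	n, known := suiteKeyLen[want]
	if !known || !contains(offered, want) {
		return KeyExchange{}, nil, errors.New("suite not offered by server: " + want)
	}
	key := make([]byte, n)
	if _, err := rand.Read(key); err != nil {
		return KeyExchange{}, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(want))
	return KeyExchange{Suite: want, WrappedKey: wrapped}, key, err
}

// Accept performs step (3): unwrap the key and confirm; nil rejects the negotiation.
func (s *Server) Accept(kx KeyExchange) []byte {
	if !contains(s.suites, kx.Suite) {
		return nil
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, kx.WrappedKey, []byte(kx.Suite))
	if err != nil || len(key) != suiteKeyLen[kx.Suite] {
		return nil
	}
	return key
}

// Negotiate runs steps (1)-(3) end to end and returns the key each side now holds.
func Negotiate(s *Server, want string) (clientKey, serverKey []byte, err error) {
	offered, pub := s.Hello()
	kx, clientKey, err := ClientChoose(offered, pub, want)
	if err != nil {
		return nil, nil, err
	}
	if serverKey = s.Accept(kx); serverKey == nil {
		return nil, nil, errors.New("server rejected key exchange")
	}
	return clientKey, serverKey, nil
}

func main() {
	ck, sk, err := Negotiate(NewServer(), "AES-256-GCM")
	fmt.Println("negotiated:", err == nil, "keys match:", string(ck) == string(sk))
}
```

Everything after `Negotiate` returns would be encrypted under the agreed key; the example stops at the point where both sides hold the same key, which is the state the patent's step (3) confirmation establishes.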
After the key agreement is successful, all subsequent data transmissions between the tunnel client and the tunnel server will be encrypted. This ensures the authenticity of the data.
In the identity authentication phase, the tunnel client and the server first negotiate an authentication mode. Once the mode is determined, the server authenticates the identity of the client user accordingly. When password authentication is selected, the password entered by the user is verified; when key authentication is selected, the client sends its public key to the server, and the server then verifies that the client holds the corresponding private key. It should be noted that, whether password or key authentication is used, the tunnel client adds an extension field to the novel network packet and places signature information based on the user identity in that field, which is later used for packet filtering and rights management of the novel network packet. The public key corresponding to the signature information is transferred to the tunnel server program during the identity authentication phase.
After identity authentication, the trusted tunnel has been successfully established and the SOCKS proxy stage is entered. The SOCKS proxy stage performs traffic proxying according to the standard SOCKS flow, specifically including proxy negotiation, proxy forwarding and related processes. SOCKS is a simple, efficient and transparent session layer proxy protocol that can proxy almost all application layer protocols. The SOCKS proxy protocol is included mainly to support logging of transport layer connection information of the TCP/IP protocol stack.
Packet filtering technique
Packet filtering technology in the IP network generally inspects basic packet header information, and IP packets that do not satisfy the filtering rules are intercepted. This approach has many limitations, for example: (1) the header information of an IP packet is easy to forge, so even a very complicated set of filtering rules cannot prevent address spoofing well; (2) the packet filter cannot implement many security policies, for example an IP packet can only show which host it comes from, not which user, so user access rights cannot be limited at the network layer; (3) packet filtering under a TCP/IP system usually provides no logging function at all and cannot even trace an IP packet back to a particular user, so after a dangerous operation occurs we cannot know which user caused the adverse consequences.
The trusted tunnel technology supports user identity-based rights management for novel network packets, and novel network packets carrying unauthorized access are discarded. The novel network packet in the novel network system has an extensible coding structure, to which a signature field and a user ID field can be added. On receiving a novel network packet, the tunnel server program can confirm, by performing a signature verification operation on the signature field, whether the data payload in the packet is complete and whether the packet really comes from the user it declares. After the user identity is confirmed, the user's authority is checked through the authority management module, and packets that fail the check are discarded.
The authority management module in the tunnel server program is responsible for managing the operation authority of users over resources, that is, for indicating which resources a user can access. The authority management module supports setting different operation authorities for different users, achieving fine-grained access control and thereby greatly improving the security of the system. Private network resources are divided into individual resources and resource groups. The specific functions of the authority management module are: create resources, create resource groups, delete resources, delete resource groups, allocate resources, allocate resource groups, and the like.
The packet filtering technology realized on the basis of signature verification and authority management comprises the following processing flows:
(1) receiving the novel network packet, and analyzing a user ID field and a signature field;
(2) if the parsing fails, discarding the network packet;
(3) the analysis is successful, and the certificate of the user is searched according to the user ID;
(4) if the certificate retrieval fails, the network packet is discarded for an illegal unregistered user;
(5) successfully retrieving the certificate, and performing signature verification operation on the network packet according to a public key field in the certificate;
(6) if the signature verification fails, the network packet is discarded as an illegal disguised user;
(7) the signature passes the verification, and all the authorities owned by the user are taken out to an authority management module according to the user ID;
(8) verifying whether the user has the authority of the operation to be performed;
(9) if the authority verification fails, the user is an unauthorized user, and the network packet is discarded;
(10) if the authority verification succeeds, parse the IP packet payload field of the novel network packet and send the packet to the resource server.
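The extensible TLV packet layout from the encoding section and the ten-step filtering flow above, as one added Go example; it is not the patent's own code nor the MIN-VPN implementation. Assumed here: the TLV type codes, a 1-byte type and a 2-byte big-endian length, Ed25519 in place of SM2 for the user signature, in-memory maps for the certificate store and the authority management module, and that the signature covers every area except the signature itself and the variable area (which intermediate routers may rewrite). The parser also rejects duplicate TLV fields, a check the flow does not mention but which a tunnel server needs so that a second user ID or signature block cannot shadow the first.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// TLV type codes for the areas of fig. 2 plus the user ID field the filtering flow
// needs. The codes, the 1-byte type and the 2-byte big-endian length are assumptions.
const (
	tLocator   byte = 1 // positioning identification area (data ID / host ID)
	tUserID    byte = 2 // user ID field
	tSignature byte = 3 // digital signature area
	tReadOnly  byte = 4 // read-only data area: the carried IP packet
	tVariable  byte = 5 // variable data area: fields intermediate routers may rewrite
)

// appendTLV appends one Type-Length-Value block to out.
func appendTLV(out []byte, t byte, v []byte) []byte {
	out = append(out, t, byte(len(v)>>8), byte(len(v)))
	return append(out, v...)
}

// parseTLVs maps type -> value (values alias the input). Duplicate types are rejected
// so a second user ID or signature block cannot shadow the first; unknown types are kept.
func parseTLVs(buf []byte) (map[byte][]byte, error) {
	fields := map[byte][]byte{}
	for len(buf) > 0 {
		if len(buf) < 3 {
			return nil, errors.New("truncated TLV header")
		}
		n := 3 + (int(buf[1])<<8 | int(buf[2]))
		if _, dup := fields[buf[0]]; dup || len(buf) < n {
			return nil, errors.New("duplicate field or truncated value")
		}
		fields[buf[0]] = buf[3:n]
		buf = buf[n:]
	}
	return fields, nil
}

// signedBytes is the signature input: locator, user ID and read-only areas re-encoded
// in fixed order. The variable area is left out because routers may change it in flight.
func signedBytes(f map[byte][]byte) []byte {
	out := appendTLV(nil, tLocator, f[tLocator])
	out = appendTLV(out, tUserID, f[tUserID])
	return appendTLV(out, tReadOnly, f[tReadOnly])
}

// buildPacket is the tunnel client side: encode the areas and sign them with the
// private key bound to the user identity. Ed25519 stands in for SM2 here.
func buildPacket(priv ed25519.PrivateKey, locator, userID string, ip []byte) []byte {
	f := map[byte][]byte{tLocator: []byte(locator), tUserID: []byte(userID), tReadOnly: ip}
	pkt := appendTLV(signedBytes(f), tSignature, ed25519.Sign(priv, signedBytes(f)))
	return appendTLV(pkt, tVariable, []byte{0}) // congestion flag, cleared by the sender
}

// Verdicts, one per exit of the ten-step flow.
const (
	DropParse        = "drop: parse failure"
	DropUnregistered = "drop: unregistered user"
	DropForged       = "drop: bad signature (disguised user)"
	DropUnauthorized = "drop: unauthorized operation"
	Forward          = "forward IP payload to resource server"
)

// TunnelServer: certificate store plus the rights table of the authority management module.
type TunnelServer struct {
	Certs  map[string]ed25519.PublicKey // user ID -> public key from the user's certificate
	Rights map[string]map[string]bool   // user ID -> "op resource" -> allowed
}

// Filter runs steps (1)-(10). op and resource are the request the packet carries;
// a real server would derive them from the IP payload.
func (s *TunnelServer) Filter(pkt []byte, op, resource string) (string, []byte) {
	f, err := parseTLVs(pkt)
	if err != nil || f[tUserID] == nil || f[tSignature] == nil { // (1)(2)
		return DropParse, nil
	}
	uid := string(f[tUserID])
	pub, ok := s.Certs[uid] // (3)(4)
	if !ok {
		return DropUnregistered, nil
	}
	if !ed25519.Verify(pub, signedBytes(f), f[tSignature]) { // (5)(6)
		return DropForged, nil
	}
	if !s.Rights[uid][op+" "+resource] { // (7)(8)(9)
		return DropUnauthorized, nil
	}
	return Forward, f[tReadOnly] // (10)
}

// newDemoServer registers one user, "alice", with a fresh key pair and the right to
// read /docs (constructed data); her private key is returned for building packets.
func newDemoServer() (*TunnelServer, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &TunnelServer{Certs: map[string]ed25519.PublicKey{"alice": pub},
		Rights: map[string]map[string]bool{"alice": {"read /docs": true}}}
	return srv, priv
}
```

Because the variable area is excluded from the signature, a router can set the congestion flag without breaking verification, while any change to the locator, user ID or carried IP packet is rejected at step (6); `newDemoServer` gives a caller a registered user to exercise `buildPacket` and `Filter` against.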
Table 1: packet filtering process pseudo code in the tunnel server (the table is an image in the original and is not reproduced here)
Optional function: logging
The trusted tunnel technology in the invention considered extending the transmission protocol with a logging function from the start of its design. To some extent, logging lies beyond the scope of tunneling technology, but given the importance of logging for the protection of private network resources, the invention considers that logging needs to be supported in the design of the tunnel protocol. The logging function records the access operations of users during tunnel establishment and maintenance, so that user access to private network resources is traceable. The logging function is not required by the tunneling technique and can be enabled selectively.
The implementation of the logging function depends on the design of the SOCKS proxy protocol in the tunnel protocol. When logging is enabled, the tunnel server observes the transport layer connection operations of the TCP/IP protocol stack during the SOCKS handshake phase and records each operation in a log file together with the user identity carried in the novel network packet. The fields included in the log information are listed in table 2.
Table 2: log information table (the table is an image in the original and is not reproduced here)
System implementation: MIN-VPN
The multi-identifier network satisfies the two requirements the invention places on a novel network, so the trusted tunnel technology of the invention can be used to extend the functions of a novel secure private network built on the multi-identifier network, allowing it to support the deployment and use of more application services. In addition, a multi-identifier management system has been designed and developed within the multi-identifier network, which manages identifiers using blockchain technology. Identity authentication and logging can easily be added to the multi-identifier management system, so that user identity data and log data become tamper-proof. The multi-identifier network is therefore a good novel network on which to test the technical effect of the trusted tunnel in the invention.
Based on the multi-identifier network and the multi-identifier management system, the system applying the trusted tunnel technology discussed in the invention, namely MIN-VPN, has been implemented. MIN-VPN can be used to establish private networks deployed by multi-identifier networks over a public network, and supports authenticatable, manageable and traceable secure encrypted communication.
In the MIN-VPN system, the multi-identifier router natively has the ability to verify signatures. The system can therefore support signature verification of network packets not only in the tunnel server but also in any multi-identifier router. This is one point of difference between a high-security private network built on the multi-identifier network and one built on other novel networks, but it does not affect the design effect of the trusted tunnel technology.
Unlike traditional log storage, the multi-identifier management system implemented with blockchain technology does not write the transaction data obtained from the log module into the database immediately on receipt; instead, the accounting node first stores the log in a transaction data pool in memory. Only when the accounting node enters the Prepare stage is a certain amount of data taken out of the transaction data pool and packaged into a block, after which consensus and storage take place. Storing data in the blockchain therefore incurs some delay, but the log module only needs to determine that the log data has been successfully transmitted to the multi-identifier management system; it does not need to wait for the data to finish being stored. The recording principle of the logging module is shown in fig. 7.
In an experimental environment, the MIN-VPN system is deployed as shown in fig. 8. The deployment follows the equipment deployment method for a novel secure private network, with the addition of a blockchain program server. The MIS server in the figure is the multi-identifier management system implemented on blockchain technology, and the MIN-VPN server is a VPN server program that implements the trusted tunnel technology and additionally has a module for communicating with the MIS system. In a production environment, MIS servers are deployed in different cities, and important data such as identifiers and user identities are managed by a trusted authority such as a government agency.
On the client side, the MIN-VPN system takes as examples the Windows operating system common on desktop devices and the Android operating system common on mobile devices, and implements a MIN-VPN client program on each. The MIN-VPN client program contains all the necessary functions of the tunnel client and establishes an encrypted transmission tunnel with the MIN-VPN server according to the trusted tunnel protocol specification of the invention.
In the MIN-VPN-Windows client program, a global proxy for the operating system can be configured by calling a third-party application such as sysprox, so the design that spans two layers of the protocol stack in the VPN protocol is easily realized. Compared with the Android operating system, the Windows operating system is highly configurable and has more related open source software. In the Android operating system, implementing a SOCKS proxy above the transport layer of the protocol stack, so as to support transport layer connection awareness and logging, requires further design. The invention provides a data processing method that supports the necessary functions of a trusted tunnel client in the Android operating system.
The data processing flow of the MIN-VPN-Android client program is as follows:
(1) the application programs such as the browser and the like generate application layer data, and the data flow to a TCP/IP protocol stack in a system kernel state;
(2) an IP message in a TCP/IP protocol stack in a system kernel state is captured by a virtual network card and then transmitted to a TCP/IP protocol stack module in a MIN-VPN client process to analyze IP, UDP and TCP data packets;
(3) after the packet is analyzed, the MIN-VPN client process proxies UDP and TCP connection of other application programs of the local machine, thereby performing proxy negotiation with a VPN server program by using a SOCKS log module on a transmission layer of a TCP/IP protocol stack, and communicating with an MIS system by the server program to achieve the purpose of recording a transmission layer connection log in the MIS;
(4) after passing through the proxy of the SOCKS protocol layer, the IP data packet still needs to realize TLV format encoding and signature field adding of the network layer through the MIN secure communication module. And finally, the MIN packet encoded in the TLV format is sent to the physical network card, and finally data transmission is realized.
As shown in fig. 9, a communication architecture diagram of a MIN-VPN-Android client program in a MIN-VPN system is shown.
In the communication architecture diagram, the TCP/IP protocol stack module of the tunnel protocol processing layer is the most complex part. The invention therefore further dissects its principles so that the VPN protocol of the invention is usable in engineering practice.
Taking TCP as an example, the processing logic of the TCP/IP protocol stack is shown in fig. 9. The data sending logic of the TCP/IP protocol stack module is as follows:
(1) After a data packet is captured by the virtual network card, the protocol stack reads the packet from the virtual network card and parses the IP packet and then the TCP packet in turn. The result of parsing is a TCP message object that carries all the parameters of the TCP packet that was originally in raw byte-array form.
(2) The TCP message object is handed to the packet processing logic SessionHandler, which is responsible for performing different actions on different types of packets.
(3) The TCP message object is sent to the Session manager according to the type to decide to establish or destroy the Session.
(4) If a Session is established according to the type of the TCP message, the TCP message object is continuously handed over to the Socket processor Socket NIOService. According to the action of the TCP message, the operation of establishing a channel, destroying the channel, forwarding data, writing back data and the like between the TCP message and the resource server such as Baidu is carried out.
The data receiving process is the reverse process of the above process, the TCP/IP protocol stack module constructs a byte array according to the received TCP message object, and writes the constructed IP data packet into the virtual network card, thereby returning to the upper application program in the Android operating system.
For the convenience of understanding, the SOCKS protocol is removed in fig. 10, which directly shows how the IP data packet captured by the virtual network card is converted into a connection action with the destination server through the protocol stack module. In the implementation of the MIN-VPN-Android client program, SOCKS handshake is performed before a TCP or UDP channel is established, so that the MIN-VPN server program records the access log of the user.
The invention takes the novel secure private network constructed on the novel network as its application background and, by combining cryptographic algorithms with the communication characteristics of the novel network, provides a secure and trusted encrypted tunnel between the IP network and the novel secure private network, so that a service program designed on the TCP/IP protocol stack can be deployed directly in the novel secure private network. The trusted tunnel technology bridges the gap between using an IP network and using a novel secure private network: application programs in the novel secure private network no longer have to be completely redeveloped according to the protocol stack design of the novel network, which saves a large amount of software and hardware cost, enriches the application ecosystem of the novel secure private network, and greatly promotes the continued evolution of the novel network and the novel secure private network. Its function is comparable to installing an Android emulator in the ecologically closed iOS operating system so that Android applications can run on an Apple phone, making the iOS application ecosystem directly compatible with the Android one.
The invention provides a new tunnel protocol communication specification, which spans a plurality of layers of a network protocol stack and can be used for establishing a safe and credible tunnel between an IP network and a novel safe private network, so that the novel safe private network supports the deployment of more various application services.
The invention provides a device deployment method for constructing a private network by using a novel network, which constructs the private network supporting a trusted tunnel protocol by using the novel network meeting the requirements, thereby not only retaining the unique design advantages of a novel network system in the private network, but also using an application program developed under an IP network in the novel safe private network by combining with the trusted tunnel technology.
The invention discloses an extensible network packet coding scheme based on the TLV (Type-Length-Value) coding format, taken as an example to show a design method for network packet coding with an extensible structure. Network packets with an extensible structure support adding application layer information such as user identifiers and security data at the network layer of the novel secure private network, thereby providing security authentication and protection mechanisms at a lower layer of the protocol stack, such as a packet filtering mechanism with rights management.
The invention provides a method for cryptographically protecting tunnel data with the national cryptographic (SM) algorithms, which ensures the performance of encrypted communication and increases the security of the trusted tunnel protocol.
According to the invention, a SOCKS proxy protocol layer is added on the design of a trusted tunnel protocol to support the log recording of user operation after the trusted tunnel is established, so that the user access behavior has traceability. The trusted tunnel technology in the invention has stronger expandability and security.
The invention designs and realizes a system using the trusted tunnel technology, namely MIN-VPN, based on a multi-identification network and a multi-identification management system, and carries out engineering practice on the availability of the trusted tunnel technology. In the MIN-VPN system, different from the Windows operating system which can carry out global SOCKS proxy configuration by means of a third-party application program, the invention provides a method for solving the problem that the global SOCKS proxy cannot be automatically configured in the Android operating system by adding a TCP/IP protocol stack analysis module in a client program, and provides the realization principle of the protocol stack module.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A network system constructed based on trusted tunnel technology, characterized in that the network system comprises an IP network and a novel secure private network, the IP network being communicatively connected to the novel secure private network; a resource server cluster is deployed in the novel secure private network, together with a tunnel server communicatively connected to the resource server cluster, a novel network router communicatively connected to the tunnel server, and devices in the private network communicatively connected to the novel network router; a plurality of the novel network routers are interconnected; and the tunnel server and the IP network user establish a trusted tunnel through signature verification, identity authentication and security verification, thereby forming the novel network system.
2. The network system constructed based on the trusted tunnel technology as claimed in claim 1, wherein, in constructing the trusted tunnel, a network packet coding format with an extensible structure is defined for the network layer of the novel secure private network and the novel network supports incremental deployment.
3. The network system constructed based on the trusted tunnel technology according to claim 2, wherein the network packet coding is a field design based on the TLV coding scheme, the TLV coding divides a data block into three intervals, the first interval being a Type field representing the type of the current data block, the second interval being a Length field representing the length of the Value field, and the third interval being a Value field storing the actual carried data content or nesting one or more TLV data blocks.
4. The network system constructed based on the trusted tunnel technology according to claim 3, wherein the trusted tunnel is secured through identity authentication and packet filtering technology, and the data itself is secured through data encryption technology and signature verification technology.
5. The network system constructed based on the trusted tunnel technology according to claim 4, wherein a trusted tunnel protocol framework is composed of a security negotiation protocol, an identity authentication protocol, and a SOCKS proxy protocol, wherein the security negotiation protocol mainly relates to key negotiation between a tunnel client and a tunnel server, and realizes encrypted transmission of a tunnel front end and a tunnel back end; the identity authentication protocol is based on a security negotiation protocol, supports two basic identity authentication modes of public key authentication and password authentication, and after authentication, a tunnel client signs a novel network group by using a private key bound with a user identity so as to realize integrity protection and packet filtering of a novel network group load; the SOCKS proxy protocol plays a role in the session layer of the TCP/IP protocol stack after passing through the packet filtering process flow of the tunnel server.
6. The network system constructed based on the trusted tunnel technology as claimed in claim 5, wherein establishing the trusted tunnel between the client user and the server comprises the following steps:
S11, the client requests from the server the list of algorithms supported by the server and the server public key;
S12, the server sends the supported algorithm list and the server public key to the client according to the request;
S13, from the algorithm list supported by the server, the client confirms the algorithm list to be used for the session, generates a random session key, and sends the confirmed algorithm list and the generated random session key to the server;
S14, the server determines the algorithm list and the encryption key used for the session and sends a key negotiation confirmation to the client;
S15, the client and the server negotiate a user authentication mode, and once the authentication mode is determined, the client user sends a user authentication request to the server;
S16, the server performs multiple authentications of the client user's identity and, after authentication succeeds, feeds back the authentication success to the client user so as to construct the trusted tunnel.
7. The network system constructed based on the trusted tunneling technology according to claim 6, wherein the packet filtering process comprises the steps of:
S21, receiving the new-type network packet and parsing the user ID field and the signature field; if parsing succeeds, retrieving the user certificate according to the user ID and executing the next step; if parsing fails, discarding the network packet;
S22, judging whether a certificate for the user ID was retrieved; if certificate retrieval succeeds, performing signature verification on the network packet using the public key field in the certificate and executing the next step; if certificate retrieval fails, the network packet belongs to an illegal unregistered user and is discarded;
S23, judging whether the signature verification passes; if the signature verification fails, the network packet belongs to an illegal disguised user; if the signature verification passes, taking all the rights owned by the user from the rights management module according to the user ID;
S24, verifying whether the user has the authority for the operation; if the authority verification fails, the user is an unauthorized user and the network packet is discarded; if the authority verification succeeds, parsing the IP message payload field of the new-type network packet and sending the message to the resource server.
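As an added illustration of claims 3 and 7 (not code from the patent or from the MIN-VPN project), the following Go program encodes a new-type network packet as TLV fields, has the client sign the packet body with a key bound to the user identity, and runs the server-side S21-S24 filter over the result. The field type numbers, the use of Ed25519 as the signature scheme, and the in-memory certificate and rights tables are assumptions; the patent names none of them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Field types for this constructed packet layout (assumed values, not taken from the patent).
const TypeUserID, TypeOp, TypePayload, TypeSig byte = 1, 2, 3, 4

// EncodeTLV writes one block: 1-byte Type, 2-byte big-endian Length, then Value.
func EncodeTLV(t byte, v []byte) []byte {
	out := append([]byte{t, 0, 0}, v...)
	binary.BigEndian.PutUint16(out[1:3], uint16(len(v)))
	return out
}

// ParseTLVs splits a buffer into a Type->Value map; a block whose Length runs past the buffer is an error.
func ParseTLVs(b []byte) (map[byte][]byte, error) {
	out := map[byte][]byte{}
	for len(b) > 0 {
		if len(b) < 3 || len(b) < 3+int(binary.BigEndian.Uint16(b[1:3])) {
			return nil, errors.New("truncated or oversized TLV block")
		}
		n := int(binary.BigEndian.Uint16(b[1:3]))
		out[b[0]], b = b[3:3+n], b[3+n:]
	}
	return out, nil
}

// BuildPacket is the client side: sign the TLV body with the key bound to the user identity and append the signature as the final block.
func BuildPacket(uid, op, payload []byte, priv ed25519.PrivateKey) []byte {
	body := append(append(EncodeTLV(TypeUserID, uid), EncodeTLV(TypeOp, op)...), EncodeTLV(TypePayload, payload)...)
	return append(body, EncodeTLV(TypeSig, ed25519.Sign(priv, body))...)
}

// Filter is the tunnel server's S21-S24 decision: it returns the IP payload to forward, or an error naming the drop reason.
func Filter(pkt []byte, certs map[string]ed25519.PublicKey, rights map[string]map[string]bool) ([]byte, error) {
	f, err := ParseTLVs(pkt)
	if err != nil || f[TypeUserID] == nil || f[TypeSig] == nil {
		return nil, errors.New("S21: user ID or signature field unparsable, discard")
	}
	pub, ok := certs[string(f[TypeUserID])] // S22: certificate lookup by user ID
	if !ok {
		return nil, errors.New("S22: unregistered user, discard")
	}
	if !ed25519.Verify(pub, pkt[:len(pkt)-3-len(f[TypeSig])], f[TypeSig]) { // S23: signature covers all bytes before the trailing signature block
		return nil, errors.New("S23: bad signature, disguised user, discard")
	}
	if !rights[string(f[TypeUserID])][string(f[TypeOp])] { // S24: rights lookup by user ID
		return nil, errors.New("S24: unauthorized user, discard")
	}
	return f[TypePayload], nil
}
```

Because the signature is checked before the rights table is consulted, a packet that merely reuses a registered user ID without that user's private key is dropped at S23 and never reaches the authorization step.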
8. The network system constructed based on the trusted tunnel technology according to claim 7, wherein the user's access operations during trusted tunnel establishment and maintenance are recorded in log records within the trusted tunnel, so that user access to private network resources is traceable; the log records depend on the design of the SOCKS proxy protocol within the tunnel protocol: during the SOCKS protocol handshake stage the tunnel server perceives the connection operation at the transport layer of the TCP/IP protocol stack and records the operation into the log file according to the user identity carried in the new-type network packet.
9. The network system constructed based on trusted tunneling technology of claim 8, wherein, on the client side of the trusted tunnel, the MIN-VPN system implements the MIN-VPN client program for the Windows operating system common on desktop devices and for the Android operating system common on mobile devices, respectively, and establishes an encrypted transmission tunnel with the MIN-VPN server according to the trusted tunnel protocol specification.
10. The network system constructed based on the trusted tunneling technology according to claim 9, wherein the data processing of the MIN-VPN Android client comprises the steps of:
S31, the browser and the applications generate application layer data, and the data flow into the TCP/IP protocol stack in the system kernel mode;
S32, the virtual network card captures the IP messages in the kernel-mode TCP/IP protocol stack and passes them to the TCP/IP protocol stack module within the MIN-VPN client process, which parses the IP, UDP and TCP packets;
S33, after packet parsing, the MIN-VPN client process proxies the UDP and TCP connections of the other applications on the local machine, and thereby uses the SOCKS log module to perform proxy negotiation with the VPN server program at the transport layer of the TCP/IP protocol stack; the server program communicates with the MIS system so that the transport layer connection log is recorded in the MIS;
S34, after passing the SOCKS protocol layer proxy, the IP packet still has to undergo network layer TLV format encoding and signature field addition by the MIN secure communication module; the TLV-encoded MIN packet is sent to the physical network card, and finally data transmission is achieved.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210780531.1A CN114844730A (en) 2022-07-05 2022-07-05 Network system constructed based on trusted tunnel technology

Publications (1)

Publication Number Publication Date
CN114844730A true CN114844730A (en) 2022-08-02

Family

ID=82574210

Country Status (1)

Country Link
CN (1) CN114844730A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220802