CN117376039A - Encryption method, system, equipment and medium of SD-WAN communication system - Google Patents


Info

Publication number
CN117376039A
Authority
CN
China
Prior art keywords
terminal
algorithm
encryption
wan
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311681963.8A
Other languages
Chinese (zh)
Inventor
李春晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Kelang Xinchuang Construction Co ltd
Original Assignee
Sichuan Kelang Xinchuang Construction Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/045: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869: Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L63/123: Applying verification of the received information received data contents, e.g. message integrity
    • H04L9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of encrypted communication transmission, and in particular to an encryption method, system, equipment and medium for an SD-WAN communication system. The method comprises: creating a transmission process through an SD-WAN, wherein the SD-WAN is used for connecting communication between a first terminal and a second terminal; when the first terminal initiates a communication connection request to the second terminal, acquiring the certificates of the first terminal and the second terminal and verifying the legitimacy of their identities; after verification passes, the first terminal and the second terminal use a first algorithm to determine a second algorithm and an encryption key for subsequent communication, and once the encryption key between the two terminals is determined they switch from the first algorithm to the second algorithm for encryption and decryption; and performing signature verification on the received data through a third algorithm to complete the establishment of a secure channel. Receiving tampered data is thereby effectively avoided, and the security of the system is ensured.

Description

Encryption method, system, equipment and medium of SD-WAN communication system
Technical Field
The invention relates to the technical field of communication encryption transmission, in particular to an encryption method, an encryption system, encryption equipment and encryption media of an SD-WAN communication system.
Background
The SD-WAN may optimize network performance through intelligent routing, load balancing, application optimization, security enhancement, and the like. The SD-WAN can also be used for constructing a network connection between two terminals, and can automatically select an optimal path and connection according to network traffic and application requirements, thereby providing better bandwidth utilization and delay control. In addition, the SD-WAN can also provide higher network reliability, and ensure the continuity of network connection through a multi-path redundancy and a fault transfer mechanism.
In the field of communication encryption, a symmetric encryption algorithm is an algorithm that encrypts and decrypts with the same key; common symmetric encryption algorithms include DES (Data Encryption Standard), 3DES (Triple DES), AES (Advanced Encryption Standard), and the like. An asymmetric encryption algorithm is an algorithm that encrypts and decrypts with different keys; common asymmetric encryption algorithms include RSA (Rivest-Shamir-Adleman), the Diffie-Hellman key exchange algorithm, ECC (elliptic curve encryption), and the like. A hash function maps data of arbitrary length to a hash value of fixed length; common hash functions include MD5 (Message Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1), SHA-256, and the like. A digital signature algorithm is a type of algorithm for verifying the authenticity and integrity of messages; common digital signature algorithms include RSA, DSA (Digital Signature Algorithm), and the like. Across these fields, generally only one of the encryption algorithms is used to encrypt a transmission, so the degree of encryption and the security of the whole transmission process are still insufficient and further improvement is required.
Disclosure of Invention
The invention aims to provide an encryption method, an encryption system, encryption equipment and encryption media of an SD-WAN communication system, which are used for solving the problem that the encryption degree and the security of a transmission process in the prior art are still insufficient.
The embodiment of the invention is realized by the following technical scheme:
In a first aspect, the present invention provides an encryption method for an SD-WAN communication system, comprising:
S101: creating a transmission process through an SD-WAN, wherein the SD-WAN is used for connecting communication between a first terminal and a second terminal;
S102: when the first terminal initiates a communication connection request to the second terminal, acquiring the certificates of the first terminal and the second terminal, and verifying the legitimacy of the identities of the first terminal and the second terminal;
S103: after verification passes, the first terminal and the second terminal use a first algorithm to determine a second algorithm and an encryption key for subsequent communication; once the encryption key between the first terminal and the second terminal is determined, they switch from the first algorithm to the second algorithm for encryption and decryption;
S104: performing signature verification on the received data through a third algorithm to complete the establishment of the secure channel.
In an embodiment of the present invention, S102 further includes:
the first terminal generates a first protocol value and an encryption algorithm list, and sends the first protocol value and the encryption algorithm list to the second terminal;
the first terminal and the second terminal store the first protocol value;
the certificate of the second terminal generates a second protocol value, a cipher suite is selected, the second protocol value and the cipher suite are sent to the first terminal, the certificate of the first terminal is requested, and the validity of the first terminal is verified;
the first terminal and the second terminal store a first protocol value.
In an embodiment of the present invention, step S103 further includes:
the first terminal verifies the first certificate of the second terminal, and if the verification fails, the communication connection is disconnected and a corresponding error prompt is given;
if the verification succeeds, a third protocol value is generated by encrypting with the first algorithm under the public key of the second terminal, and the first certificate and the third protocol are then sent to the second terminal;
the second terminal verifies the second certificate of the first terminal, and if the verification fails, the communication connection is disconnected and a corresponding error prompt is given;
if the verification succeeds, the third protocol value is decrypted with the private key of the second terminal;
a calculation over the decrypted first protocol value, second protocol value and third protocol value generates the communication key of the second algorithm.
In an embodiment of the present invention, S104 further includes:
the first terminal applies the third algorithm to the third protocol value to obtain a first hash value;
the first hash value is encrypted with the second algorithm to obtain first handshake data;
the first terminal encrypts the first handshake data with the first algorithm under the public key of the second terminal, and sends the result to the second terminal for data signature verification;
the second terminal decrypts the first handshake data sent by the first terminal with the private key of the second terminal to obtain a second hash value;
the first hash value is compared with the second hash value, and if they are inconsistent, the communication connection is disconnected and a corresponding error prompt is given;
if they are consistent, the second terminal sends second handshake data to the first terminal, and secondary data signature verification is carried out.
In one embodiment of the invention, the secondary data signature verification includes:
the second terminal encrypts the first hash value with the second algorithm to obtain second handshake data;
the second handshake data is encrypted with the first algorithm under the public key of the first terminal and then sent to the first terminal for data signature verification;
the first terminal decrypts the second handshake data with the second algorithm to obtain a third hash value;
the first hash value is compared with the third hash value, and if they are inconsistent, the communication connection is disconnected and a corresponding error prompt is given;
if they are consistent, the establishment of the secure channel is completed.
In an embodiment of the present invention, the second algorithm is an AES encryption algorithm, further including:
acquiring the input state matrices of the byte substitution and column mixing steps, and defining four lookup tables;
combining the byte substitution, row shifting and column mixing steps and converting them into consecutive table lookups.
In an embodiment of the present invention, the first algorithm is an RSA encryption algorithm, further including:
converting the decryption operation of the RSA encryption algorithm from a modular exponentiation into the solution of a system of congruence equations.
In a second aspect, the present invention provides an encryption system for an SD-WAN communication system, comprising:
the transmission construction module is configured to establish a transmission process through an SD-WAN, and the SD-WAN is used for connecting communication interconnection between the first terminal and the second terminal;
the certificate verification module is configured to acquire certificates of the first terminal and the second terminal when the first terminal initiates a communication connection request to the second terminal, and verify the legality of the identities of the first terminal and the second terminal;
the encryption and decryption module is configured to determine a second algorithm and an encryption key used for subsequent communication by using a first algorithm by the first terminal and the second terminal after verification is passed, wherein the first algorithm is used for switching to the second algorithm to encrypt and decrypt after the encryption key between the first terminal and the second terminal is determined;
the signature verification module is configured to verify the signature of the received data through a third algorithm, so as to complete the establishment of a security channel;
the main control module is used for being connected with the transmission construction module, the certificate verification module, the encryption and decryption module and the signature verification module and executing the encryption method of the SD-WAN communication system.
In a third aspect, the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements an encryption method of an SD-WAN communication system when executing the computer program.
In a fourth aspect, a computer readable storage medium stores a computer program thereon, which when executed by a processor implements an encryption method of an SD-WAN communication system as described above.
The technical scheme of the embodiment of the invention has at least the following advantages and beneficial effects:
The method uses a first algorithm for mutual authentication of the legitimacy of the first terminal and the second terminal and verifies the legitimacy of the certificates of both communicating parties. After mutual authentication passes, the first terminal sends the encryption algorithms to the second terminal, and the selection result is fed back to the first terminal; the two parties then randomly generate a communication session key, and this random key is used to encrypt and decrypt the data that the two parties send and receive; finally, the integrity and accuracy of the data are verified through a third algorithm. The method thus implements the whole communication encryption process with a plurality of encryption algorithms and improves the complexity of the whole system, thereby effectively avoiding the reception of tampered data and ensuring the security of the system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. The naming or numbering of the steps in the present application does not mean that the steps in the method flow must be executed according to the time/logic sequence indicated by the naming or numbering, and the execution sequence of the steps in the flow that are named or numbered may be changed according to the technical purpose to be achieved, so long as the same or similar technical effects can be achieved.
The division of the modules presented in this application is a logical division, and there may be other manners of division in practical application, for example, multiple modules may be combined or integrated in another system, or some features may be omitted, or not performed.
The modules or sub-modules described separately may or may not be physically separate, may or may not be implemented in software, and may be implemented in part in software, where the processor invokes the software to implement the functions of the part of the modules or sub-modules, and where other parts of the templates or sub-modules are implemented in hardware, for example in hardware circuits. In addition, some or all of the modules may be selected according to actual needs to achieve the purposes of the present application.
Referring to FIG. 1, the present invention provides an encryption method for an SD-WAN communication system, comprising:
S101: creating a transmission process through an SD-WAN, wherein the SD-WAN is used for connecting communication between a first terminal and a second terminal;
S102: when the first terminal initiates a communication connection request to the second terminal, acquiring the certificates of the first terminal and the second terminal, and verifying the legitimacy of the identities of the first terminal and the second terminal;
S103: after verification passes, the first terminal and the second terminal use a first algorithm to determine a second algorithm and an encryption key for subsequent communication; once the encryption key between the first terminal and the second terminal is determined, they switch from the first algorithm to the second algorithm for encryption and decryption;
S104: performing signature verification on the received data through a third algorithm to complete the establishment of the secure channel.
In the embodiment of the present invention, the first algorithm may be an RSA algorithm, the second algorithm may be an AES algorithm, the third algorithm may be a SHA algorithm, the first terminal may be a client, and the second terminal may be a server.
In an embodiment of the present invention, S102 further includes:
the first terminal generates a first protocol value and an encryption algorithm list, wherein the encryption algorithm list may be a list of cipher suites, and sends the first protocol value and the encryption algorithm list to the second terminal; the first terminal and the second terminal store the first protocol value; the certificate of the second terminal generates a second protocol value, a cipher suite is selected from the encryption algorithm list, the second protocol value and the cipher suite are sent to the first terminal, the certificate of the first terminal is requested, and the validity of the first terminal is verified; the first terminal and the second terminal store a first protocol value.
In an embodiment of the present invention, step S103 further includes:
the first terminal verifies the first certificate of the second terminal, and if the verification fails, the communication connection is disconnected and a corresponding error prompt is given; if the verification succeeds, a third protocol value is generated by encrypting with the first algorithm under the public key of the second terminal, and the first certificate and the third protocol are then sent to the second terminal; the second terminal verifies the second certificate of the first terminal, and if the verification fails, the communication connection is disconnected and a corresponding error prompt is given; if the verification succeeds, the first protocol value, the second protocol value and the third protocol value are decrypted with the private key of the second terminal; a calculation over the decrypted first protocol value, second protocol value and third protocol value generates the communication key of the second algorithm.
In an embodiment of the present invention, the S104 further includes:
the first terminal calculates a third protocol value by using a third algorithm to obtain a first hash value; encrypting the first hash value through a second algorithm to obtain first handshake data; the first terminal encrypts the first handshake data through a public key of the second terminal by using a first algorithm and then sends the encrypted first handshake data to the second terminal for data signature verification; the second terminal decrypts the first handshake data sent by the first terminal through a private key of the second terminal to obtain a second hash value; comparing whether the first hash value is consistent with the second hash value, if not, disconnecting communication connection and giving out corresponding error prompt; and if the results are consistent, the second terminal sends second handshake data to the first terminal, and secondary data signature verification is carried out.
In one embodiment of the invention, the secondary data signature verification includes:
the second terminal encrypts the first hash value through a second algorithm to obtain second handshake data; the second handshake data is encrypted by a public key of the second terminal through a first algorithm and then sent to the first terminal for data signature verification; the first terminal decrypts the second handshake data through a second algorithm to obtain a third hash value; comparing the first hash value with the third hash value, if the result is inconsistent, disconnecting the communication connection and giving out a corresponding error prompt; if the two paths are consistent, the establishment of the safety channel is completed.
In an embodiment of the present invention, the second algorithm is an AES encryption algorithm, further including:
acquiring the input state matrices of the byte substitution and column mixing steps, and defining four lookup tables;
combining the byte substitution, row shifting and column mixing steps and converting them into consecutive table lookups.
Wherein the byte-replaced input state matrix is denoted by a, and the input state matrix for column mixing is denoted byDRepresenting byte substitution operationsDenoted T is a look-up table.
The T lookup tables can be stored in the ROM of the embedded device, so that the byte substitution, row shifting and column mixing steps are carried out quickly, which gives a higher operation speed and further saves logic resources.
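The merging of byte substitution, row shifting and column mixing into four table lookups, as an added example (not code from the patent). It builds the S-box and the four tables, then checks one round computed through the tables against the same round computed step by step; the function names and the byte-order conventions (column-major state, 32-bit table words with row 0 in the high byte) are choices made for this example.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):                      # s ^= rotl(inv, 1..4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox


def build_ttables(sbox):
    """T0[x] packs the MixColumns column (2,1,1,3) * S[x]; T1..T3 are byte rotations."""
    t0 = []
    for x in range(256):
        s = sbox[x]
        t0.append((gf_mul(s, 2) << 24) | (s << 16) | (s << 8) | gf_mul(s, 3))

    def ror8(w):
        return ((w >> 8) | (w << 24)) & 0xFFFFFFFF

    t1 = [ror8(w) for w in t0]
    t2 = [ror8(w) for w in t1]
    t3 = [ror8(w) for w in t2]
    return t0, t1, t2, t3


def round_reference(state, sbox):
    """SubBytes, ShiftRows, MixColumns as three separate steps (no AddRoundKey).

    state is 16 bytes in column-major order: byte i is row i % 4, column i // 4.
    """
    sub = [sbox[b] for b in state]
    shifted = [sub[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        a = shifted[4 * c:4 * c + 4]
        out += [
            gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
            gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2),
        ]
    return bytes(out)


def round_ttable(state, tables):
    """The same round as four lookups and three XORs per output column."""
    t0, t1, t2, t3 = tables
    out = bytearray()
    for c in range(4):
        w = (t0[state[4 * c]]
             ^ t1[state[1 + 4 * ((c + 1) % 4)]]
             ^ t2[state[2 + 4 * ((c + 2) % 4)]]
             ^ t3[state[3 + 4 * ((c + 3) % 4)]])
        out += w.to_bytes(4, "big")
    return bytes(out)


SBOX = build_sbox()
TABLES = build_ttables(SBOX)

if __name__ == "__main__":
    # Round-1 input state from the FIPS-197 Appendix B worked example.
    st = bytes.fromhex("193de3bea0f4e22b9ac68d2ae9f84808")
    print(round_ttable(st, TABLES).hex(), round_reference(st, SBOX).hex())
```

Every table index is a secret-dependent state byte, so table-driven AES is a known cache-timing target on processors with data caches; the equivalence shown here says nothing about that property.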
In an embodiment of the present invention, the first algorithm is an RSA encryption algorithm, further including:
converting the decryption operation of the RSA encryption algorithm from a modular exponentiation into the solution of a system of congruence equations.
Specifically, it is provided withIs a positive integer of S, which is a plurality of mutually prime pairs, ">Is->One of them, i.e
Then the congruence isAnd the congruence equation set->Equivalent.
For the operation C^d mod N in the decryption process of the RSA encryption algorithm, where C^d mod N means the remainder of the d-th power of the number C on division by N: since the legitimate recipient holds the private key (d, N) and knows the modulus N = pq, the decryption process of the RSA encryption algorithm can be converted from an exponentiation modulo N into a set of congruence equations modulo the primes p and q.
In the method, in the process of the invention,is p's congruence equation set>Is the congruence equation set with q.
Wherein, the Fermat's theorem and the property of the congruence are utilized to makeI.e. ] a +>
That is to say,
in the same way, the processing method comprises the steps of,
where r is a base number, d is the private key exponent in the private key (d, N), k is an encryption exponent, and mod is the modulo operation, i.e., taking the remainder.
Therefore, the decryption mode is optimized by the method, and the decryption speed is accelerated.
Based on the above method, an example is provided for explanation.
Obtaining ciphertext information C;
calculation of
In the method, in the process of the invention,n moduli.
Calculation of
In the method, in the process of the invention,n arbitrary numbers.
Calculation of
In the method, in the process of the invention,is->Corresponding n sets of congruence equations, +.>Is->Is->To the power.
Calculating a plaintext message M:
in the method, in the process of the invention,,···/>a system of congruence equations for n prime numbers pP 1 -1 toPn-1And (5) carrying out operation of the power.
The plaintext message M is output.
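The conversion described above, from one exponentiation modulo N to per-prime congruences with exponents reduced by Fermat's theorem and recombined by the Chinese remainder theorem, as an added example (not code from the patent). The three Mersenne primes, the exponent 65537, the function names and the sample message are constructed for illustration, and this is textbook RSA without padding; the re-encryption check before the result is released is an addition that rejects a result built from a faulty residue.

```python
from math import prod

# Constructed toy parameters: three known Mersenne primes, far too small for real use.
PRIMES = [2**31 - 1, 2**61 - 1, 2**89 - 1]
E = 65537  # public exponent (assumption; the page does not fix a value)


def keygen(primes, e):
    """Return (N, d) with N = p1 * ... * pn and e*d = 1 mod phi(N)."""
    n = prod(primes)
    phi = prod(p - 1 for p in primes)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return n, d


def decrypt_direct(c, d, n):
    """Reference path: a single exponentiation modulo the full N."""
    return pow(c, d, n)


def residues(c, d, primes):
    """M mod p_i = C^(d mod (p_i - 1)) mod p_i, by Fermat's little theorem.

    d is coprime to every p_i - 1, so the reduced exponent is never 0 and the
    case C = 0 mod p_i still yields 0.
    """
    return [pow(c % p, d % (p - 1), p) for p in primes]


def crt_combine(res, primes):
    """Solve x = res[i] (mod primes[i]) for the unique x in [0, N)."""
    n = prod(primes)
    x = 0
    for r, p in zip(res, primes):
        rest = n // p                       # product of the other primes
        x += r * rest * pow(rest, -1, p)    # r mod p, 0 mod every other prime
    return x % n


def decrypt_crt(c, d, e, primes, fault_index=None):
    """CRT decryption with a re-encryption check on the recombined result.

    fault_index is a hypothetical test hook that flips one bit in one residue
    to simulate a computation fault.
    """
    n = prod(primes)
    res = residues(c, d, primes)
    if fault_index is not None:
        res[fault_index] ^= 1
    m = crt_combine(res, primes)
    # A result built from one wrong residue must never leave the device,
    # so verify M^e = C mod N before returning it.
    if pow(m, e, n) != c % n:
        raise ValueError("CRT result failed the re-encryption check")
    return m


def demo():
    n, d = keygen(PRIMES, E)
    m = int.from_bytes(b"sd-wan session key", "big")  # constructed message, m < N
    c = pow(m, E, n)
    same = decrypt_crt(c, d, E, PRIMES) == decrypt_direct(c, d, n) == m
    try:
        decrypt_crt(c, d, E, PRIMES, fault_index=1)
        fault_caught = False
    except ValueError:
        fault_caught = True
    return same, fault_caught


if __name__ == "__main__":
    print(demo())
```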
Regarding the original RSA algorithm described above:
randomly selecting a plurality of strong prime numbers with different values
Calculating modulus
Computing modeEuler function->
Randomly selecting a positive integer e as a public key, wherein the public key is as large as possible,and->Gcd () is the greatest common divisor operation;
obtaining a public key (e, N) and a private key (d, N), d being the private key exponent;
plaintext message M is encrypted:
decrypting the ciphertext message C:
wherein the third algorithm SHA may be a conventional algorithm.
In a second aspect, the present invention provides an encryption system for an SD-WAN communication system, comprising:
the transmission construction module is configured to establish a transmission process through an SD-WAN, and the SD-WAN is used for connecting communication interconnection between the first terminal and the second terminal;
the certificate verification module is configured to acquire certificates of the first terminal and the second terminal when the first terminal initiates a communication connection request to the second terminal, and verify the legality of the identities of the first terminal and the second terminal;
the encryption and decryption module is configured to determine a second algorithm and an encryption key used for subsequent communication by using a first algorithm by the first terminal and the second terminal after verification is passed, wherein the first algorithm is used for switching to the second algorithm to encrypt and decrypt after the encryption key between the first terminal and the second terminal is determined;
the signature verification module is configured to verify the signature of the received data through a third algorithm, so as to complete the establishment of a security channel;
the main control module is used for being connected with the transmission construction module, the certificate verification module, the encryption and decryption module and the signature verification module and executing the SD-WAN communication system.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a second or network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of encrypting an SD-WAN communication system, comprising:
S101: creating a transmission process through an SD-WAN, wherein the SD-WAN is used for connecting communication interconnection between a first terminal and a second terminal;
S102: when a first terminal initiates a communication connection request to a second terminal, acquiring certificates of the first terminal and the second terminal, and verifying the legitimacy of the identities of the first terminal and the second terminal;
S103: after verification is passed, the first terminal and the second terminal use a first algorithm to determine a second algorithm and an encryption key used for subsequent communication, and the first algorithm is used for switching to the second algorithm to encrypt and decrypt after determining the encryption key between the first terminal and the second terminal;
S104: carrying out signature verification on the received data through a third algorithm to complete the establishment of the security channel.
2. The encryption method of an SD-WAN communication system according to claim 1, wherein said S102 further comprises:
the first terminal generates a first protocol value and an encryption algorithm list, and sends the first protocol value and the encryption algorithm list to the second terminal;
the first terminal and the second terminal store a first protocol value;
the certificate of the second terminal generates a second protocol value, a group of encryption suite is selected from the encryption algorithm list, the second protocol value and the encryption suite are sent to the first terminal, the certificate is required for the first terminal, and the validity of the first terminal is verified;
the first terminal and the second terminal store a first protocol value.
3. The encryption method of an SD-WAN communication system according to claim 2, wherein said S103 further comprises:
the first terminal verifies the first certificate of the second terminal, and if the verification fails, the communication connection is disconnected and a corresponding error prompt is given;
if the verification is successful, encrypting by using a first algorithm through a public key of the second terminal to generate a third protocol value, and then sending the first certificate and the third protocol to the second terminal;
the second terminal verifies the second certificate of the first terminal, and if the verification fails, the communication connection is disconnected and a corresponding error prompt is given;
if the verification is successful, decrypting the first protocol value, the second protocol value and the third protocol value through the private key of the second terminal;
and calculating the decrypted first protocol value, the decrypted second protocol value and the decrypted third protocol value to generate a communication key of the second algorithm.
4. The encryption method of an SD-WAN communication system according to claim 3, wherein said S104 further comprises:
the first terminal calculates a third protocol value by using a third algorithm to obtain a first hash value;
encrypting the first hash value through a second algorithm to obtain first handshake data;
the first terminal encrypts the first handshake data through a public key of the second terminal by using a first algorithm and then sends the encrypted first handshake data to the second terminal for data signature verification;
the second terminal decrypts the first handshake data sent by the first terminal through a private key of the second terminal to obtain a second hash value;
comparing whether the first hash value is consistent with the second hash value, if not, disconnecting communication connection and giving out corresponding error prompt;
and if the results are consistent, the second terminal sends second handshake data to the first terminal, and secondary data signature verification is carried out.
5. The encryption method of an SD-WAN communication system according to claim 4, wherein said secondary data signature verification comprises:
the second terminal encrypts the first hash value through a second algorithm to obtain second handshake data;
the second handshake data is encrypted by a public key of the first terminal through a first algorithm and then sent to the first terminal for data signature verification;
the first terminal decrypts the second handshake data through a second algorithm to obtain a third hash value;
comparing the first hash value with the third hash value, if the result is inconsistent, disconnecting the communication connection and giving out a corresponding error prompt;
if the two paths are consistent, the establishment of the safety channel is completed.
6. The encryption method of claim 1, wherein the second algorithm is an AES encryption algorithm, further comprising:
acquiring an input state matrix of the byte substitution and column mixing steps, and defining four lookup tables;
the byte substitution, displacement steps and column mixing steps are combined and converted into a continuous table query.
7. The encryption method of claim 1, wherein the first algorithm is an RSA encryption algorithm, further comprising:
the decryption operation in the RSA encryption algorithm is converted from an exponential form of the calculated modulus to a form that is solved for the system of equations.
8. An encryption system for an SD-WAN communication system, comprising:
the transmission construction module is configured to establish a transmission process through an SD-WAN, and the SD-WAN is used for connecting communication interconnection between the first terminal and the second terminal;
the certificate verification module is configured to acquire certificates of the first terminal and the second terminal when the first terminal initiates a communication connection request to the second terminal, and verify the legality of the identities of the first terminal and the second terminal;
the encryption and decryption module is configured to determine a second algorithm and an encryption key used for subsequent communication by using a first algorithm by the first terminal and the second terminal after verification is passed, wherein the first algorithm is used for switching to the second algorithm to encrypt and decrypt after the encryption key between the first terminal and the second terminal is determined;
the signature verification module is configured to verify the signature of the received data through a third algorithm, so as to complete the establishment of a security channel;
the main control module is used for being connected with the transmission construction module, the certificate verification module, the encryption and decryption module and the signature verification module and executing the encryption method of the SD-WAN communication system according to any one of claims 1 to 7.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements an encryption method of an SD-WAN communication system according to any of claims 1 to 7 when executing the computer program.
10. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which computer program, when executed by a processor, implements an encryption method of an SD-WAN communication system according to any of claims 1 to 7.
CN202311681963.8A 2023-12-08 2023-12-08 Encryption method, system, equipment and medium of SD-WAN communication system Pending CN117376039A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311681963.8A CN117376039A (en) 2023-12-08 2023-12-08 Encryption method, system, equipment and medium of SD-WAN communication system

Publications (1)

Publication Number Publication Date
CN117376039A true CN117376039A (en) 2024-01-09

Family

ID=89391478

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination