WO2021185314A1 - Data processing method and apparatus - Google Patents

Publication number
WO2021185314A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
data packet
ciphertext
identity
identifier
Application number
PCT/CN2021/081536
Inventor
江伟玉
刘冰洋
王闯
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Abstract

Disclosed are a data processing method and apparatus, which relate to the field of communications, and solve the problem of how to protect an IP address of a terminal to prevent the leakage of private information of the terminal. The method comprises: after receiving a first data packet, a network device encrypting an identifier of a terminal according to a key and a privacy variable, so as to obtain ciphertext, and replacing the identifier of the terminal with the ciphertext; and the network device sending a second data packet, wherein the second data packet comprises the ciphertext and does not comprise the identifier of the terminal.

Description

Data processing method and apparatus
This application claims priority to Chinese patent application No. 202010203158.4, filed with the State Intellectual Property Office on March 20, 2020 and entitled "Data processing method and apparatus", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of communications, and in particular to a data processing method and apparatus.
Background
Currently, a network device can forward a data packet according to the Internet Protocol (IP) address of the terminal contained in the data packet, so that the data packet reaches the receiving end. The terminal's IP address can indicate the terminal's location information and identity information. Usually, the terminal's IP address is located in the header of the data packet. While the data packet is in transit, an untrusted device or an illegal eavesdropper can easily obtain the terminal's IP address and use it to identify the terminal, track the terminal, and analyze the terminal's private information. The terminal's private information includes the terminal's identity information and location information. The terminal's IP address therefore raises the security problem of leaking the terminal's private information.
In conventional technology, network address translation (NAT) can be used to protect the terminal's identity information, but the network device needs to store the translation information, which results in a large storage overhead. Alternatively, an onion network can be used to protect the terminal's private information. However, every network device in the onion network encrypts the data packets it receives, which results in a large data transmission delay. How to protect the terminal's IP address and prevent leakage of the terminal's private information is therefore an urgent problem to be solved.
Summary of the invention
The data processing method and apparatus provided in this application solve the problem of how to protect the terminal's IP address and prevent leakage of the terminal's private information.
To achieve the above objective, this application adopts the following technical solutions:
In a first aspect, this application provides a data processing method. The method can be applied to a network device, or to a data processing apparatus that can support a network device in implementing the method; for example, the data processing apparatus includes a chip system. The method includes: the network device receives a first data packet, generates a first ciphertext according to the identifier of the terminal, a privacy variable and a key, then replaces the identifier of the terminal with the first ciphertext and sends a second data packet to the destination device, where the second data packet includes the first ciphertext. The second data packet does not include the identifier of the terminal. The first data packet includes the identifier of the terminal, and the identifier of the terminal is used to indicate the terminal; the identifier of the terminal is set in the network layer protocol header contained in the first data packet; the identifier of the terminal is the terminal's identity identifier or the terminal's location identifier; the first ciphertext is set in the network layer protocol header contained in the second data packet.
In the data processing method provided by the embodiments of this application, the network device hides the terminal's identifier by encrypting it, thereby preventing illegal attackers (for example, untrusted devices or illegal eavesdroppers) from obtaining the terminal's identifier.
In a possible implementation, after the network device generates the first ciphertext, it replaces the identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, so that the second data packet does not include the identifier of the terminal.
For example, if the identifier of the terminal is the terminal's identity identifier, replacing the identifier of the terminal included in the first data packet with the first ciphertext includes: replacing the terminal's identity identifier included in the first data packet with the first ciphertext to obtain the second data packet, where the second data packet does not include the terminal's identity identifier; the privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, a random number, and a parameter that changes according to a rule.
As another example, if the identifier of the terminal is the terminal's location identifier, replacing the identifier of the terminal included in the first data packet with the first ciphertext includes: replacing the terminal's location identifier included in the first data packet with the first ciphertext to obtain the second data packet, where the second data packet does not include the terminal's location identifier; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, a random number, and a parameter that changes according to a rule.
Here, the information related to the device that transmits or receives the first data packet is the destination IP address contained in the first data packet.
As another example, if the identifier of the terminal is the terminal's location identifier, replacing the identifier of the terminal included in the first data packet with the first ciphertext includes: replacing the encrypted identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the encrypted identity identifier of the terminal; or replacing the identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the identity identifier of the terminal.
In one possible design, generating the first ciphertext according to the identifier of the terminal, the privacy variable and the key includes: generating a second ciphertext according to the key and the privacy variable; and determining the first ciphertext according to the second ciphertext and the identifier of the terminal. Determining the first ciphertext according to the second ciphertext and the identifier of the terminal includes: performing an exclusive OR (XOR) operation on the second ciphertext and the identifier of the terminal to obtain the first ciphertext.
In another possible design, generating the first ciphertext according to the identifier of the terminal, the privacy variable and the key includes: generating data to be encrypted according to the identifier of the terminal and the privacy variable; and generating the first ciphertext according to the key and the data to be encrypted.
For different destination devices, the network device can encrypt the identifier of the terminal with different privacy variables to obtain different ciphertexts. The data packets received by different destination devices therefore contain different ciphertexts, from which the terminal's private information cannot be derived, which avoids correlation analysis, through collusion, of the traffic of the same terminal accessing different destination devices.
Optionally, the second data packet further includes a locator used to address the network device.
Optionally, the first data packet further includes first indication information, and the first indication information is used to indicate that the identifier of the terminal is to be encrypted.
Further, after sending the second data packet, the method further includes: the network device receives a third data packet, where the third data packet includes the first ciphertext, the first ciphertext is determined according to the identifier of the terminal, the privacy variable and the key, and the identifier of the terminal is used to indicate the terminal; the first ciphertext is set in the network layer protocol header contained in the third data packet. The network device then generates the identifier of the terminal according to the first ciphertext, the privacy variable and the key, and sends a fourth data packet, where the fourth data packet includes the identifier of the terminal, and the identifier of the terminal is set in the network layer protocol header contained in the fourth data packet.
In the data processing method provided by the embodiments of this application, after the network device receives the third data packet containing the ciphertext, it decrypts the ciphertext to obtain the identifier of the terminal and sends the terminal a fourth data packet containing the identifier of the terminal, so that the terminal receives the fourth data packet.
In a possible implementation, after the network device generates the identifier of the terminal, it replaces the first ciphertext included in the third data packet with the identifier of the terminal to obtain the fourth data packet, where the fourth data packet does not include the first ciphertext.
For example, if the identifier of the terminal is the terminal's identity identifier, replacing the first ciphertext included in the third data packet with the identifier of the terminal includes: replacing the first ciphertext included in the third data packet with the terminal's identity identifier to obtain the fourth data packet; the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, a random number, and a parameter that changes according to a rule.
As another example, if the identifier of the terminal is the terminal's location identifier, replacing the first ciphertext included in the third data packet with the identifier of the terminal includes: replacing the first ciphertext included in the third data packet with the terminal's location identifier to obtain the fourth data packet; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, a random number, and a parameter that changes according to a rule.
Here, the information related to the device that transmits or receives the third data packet is the source IP address contained in the third data packet.
As another example, if the identifier of the terminal is the terminal's location identifier, replacing the first ciphertext included in the third data packet with the identifier of the terminal includes: replacing the first ciphertext included in the third data packet with the terminal's location identifier and the encrypted identity identifier of the terminal to obtain the fourth data packet, where the decryption result includes the terminal's location identifier and the encrypted identity identifier of the terminal, and the privacy variable is the encrypted identity identifier of the terminal; or replacing the first ciphertext included in the third data packet with the terminal's location identifier and the terminal's identity identifier to obtain the fourth data packet, where the decryption result includes the terminal's location identifier and the terminal's identity identifier, and the privacy variable is the terminal's identity identifier.
In one possible design, generating the identifier of the terminal according to the first ciphertext, the privacy variable and the key includes: generating the second ciphertext according to the key and the privacy variable; and determining the identifier of the terminal according to the second ciphertext and the first ciphertext.
Determining the identifier of the terminal according to the second ciphertext and the first ciphertext includes: performing an XOR operation on the second ciphertext and the first ciphertext to obtain the identifier of the terminal.
In another possible design, generating the identifier of the terminal according to the first ciphertext, the privacy variable and the key includes: generating a decryption result according to the first ciphertext and the key; and determining the identifier of the terminal according to the decryption result and the privacy variable.
Optionally, the third data packet further includes the locator used to address the network device; before sending the fourth data packet, the method further includes: the network device replaces the locator used to address the network device included in the third data packet with a padding value.
Optionally, the third data packet further includes second indication information, and the second indication information is used to indicate that the identifier of the terminal has been encrypted.
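The first design above (a second ciphertext derived from the key and the privacy variable, XORed with the identifier, and the same XOR on the return path) can be exercised on raw IPv6 header bytes; this is an added example, not code from the application. Assumed here: HMAC-SHA256 truncated to 64 bits as the keyed function, the low 64 bits of the address as the terminal's identifier, the peer address plus an epoch counter as the privacy variable, and the constructed key, prefixes and addresses.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values (assumptions for this example, not from the application).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # key held by the network device
LOCATOR = ipaddress.IPv6Address("2001:db8:ff::").packed[:8]            # routes to the device
ACCESS_PREFIX = ipaddress.IPv6Address("2001:db8:aaaa:1::").packed[:8]  # terminals' own prefix
TERMINAL = "2001:db8:aaaa:1:1234:5678:9abc:def0"
SERVER_A = "2001:db8:beef::10"
SERVER_B = "2001:db8:cafe::20"
ID_LEN = 8  # identifier of the terminal = low 64 bits of its address (assumption)


def ipv6_header(src: str, dst: str) -> bytes:
    """Fixed 40-byte IPv6 header, no payload (next header 59, hop limit 64)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def terminal_id(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed[8:]


def privacy_variable(peer: bytes, epoch: int) -> bytes:
    """Peer address (destination outbound, source inbound) plus time information."""
    return peer + epoch.to_bytes(4, "big")


def second_ciphertext(privacy_var: bytes) -> bytes:
    """Keyed function of the privacy variable only; HMAC-SHA256 is an assumption."""
    return hmac.new(KEY, privacy_var, hashlib.sha256).digest()[:ID_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def outbound(first_packet: bytes, epoch: int = 0) -> bytes:
    """First packet -> second packet: the identifier is replaced by the first ciphertext."""
    src, dst = first_packet[8:24], first_packet[24:40]
    mask = second_ciphertext(privacy_variable(dst, epoch))
    first_ct = xor(mask, src[8:])
    # The source field now carries the device's locator and the ciphertext.
    return first_packet[:8] + LOCATOR + first_ct + dst


def inbound(third_packet: bytes, epoch: int = 0) -> bytes:
    """Third packet -> fourth packet: recompute the mask from the reply's source address."""
    src, dst = third_packet[8:24], third_packet[24:40]
    mask = second_ciphertext(privacy_variable(src, epoch))
    recovered_id = xor(mask, dst[8:])
    return third_packet[:8] + src + ACCESS_PREFIX + recovered_id


def reply_to(packet: bytes) -> bytes:
    """What the destination sends back: source and destination swapped."""
    return packet[:8] + packet[24:40] + packet[8:24]


if __name__ == "__main__":
    second = outbound(ipv6_header(TERMINAL, SERVER_A))
    fourth = inbound(reply_to(second))
    print("source seen by A:", ipaddress.IPv6Address(second[8:24]))
    print("source seen by B:",
          ipaddress.IPv6Address(outbound(ipv6_header(TERMINAL, SERVER_B))[8:24]))
    print("restored dest   :", ipaddress.IPv6Address(fourth[24:40]))
```

Because the device recomputes the second ciphertext from the reply's source address, it keeps no per-flow table. With this XOR design, two terminals that share a key and a privacy variable also share the second ciphertext, so the XOR of their ciphertexts equals the XOR of their identifiers.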
In a second aspect, an embodiment of this application further provides a data processing apparatus; for its beneficial effects, see the description of the first aspect, which is not repeated here. The data processing apparatus has the function of implementing the behavior in the method example of the first aspect. The function can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. In one possible design, the data processing apparatus includes a receiving unit, a processing unit and a sending unit. The receiving unit is configured to receive a first data packet, where the first data packet includes the identifier of the terminal, and the identifier of the terminal is used to indicate the terminal; the identifier of the terminal is set in the network layer protocol header contained in the first data packet; the identifier of the terminal is the terminal's identity identifier or the terminal's location identifier. The processing unit is configured to generate a first ciphertext according to the identifier of the terminal, a privacy variable and a key. The sending unit is configured to send a second data packet, where the second data packet includes the first ciphertext, and the first ciphertext is set in the network layer protocol header contained in the second data packet.
In a possible implementation, after the network device generates the first ciphertext, the processing unit is further configured to replace the identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, so that the second data packet does not include the identifier of the terminal.
For example, if the identifier of the terminal is the terminal's identity identifier, the processing unit is configured to replace the terminal's identity identifier included in the first data packet with the first ciphertext to obtain the second data packet, where the second data packet does not include the terminal's identity identifier; the privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, a random number, and a parameter that changes according to a rule.
As another example, if the identifier of the terminal is the terminal's location identifier, the processing unit is configured to replace the terminal's location identifier included in the first data packet with the first ciphertext to obtain the second data packet, where the second data packet does not include the terminal's location identifier; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, a random number, and a parameter that changes according to a rule.
Here, the information related to the device that transmits or receives the first data packet is the destination IP address contained in the first data packet.
As another example, if the identifier of the terminal is the terminal's location identifier, the processing unit is configured to replace the encrypted identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the encrypted identity identifier of the terminal; or to replace the identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the identity identifier of the terminal.
In one possible design, the processing unit is configured to generate a second ciphertext according to the key and the privacy variable, and to determine the first ciphertext according to the second ciphertext and the identifier of the terminal. Determining the first ciphertext according to the second ciphertext and the identifier of the terminal includes: performing an XOR operation on the second ciphertext and the identifier of the terminal to obtain the first ciphertext.
In another possible design, the processing unit is configured to generate data to be encrypted according to the identifier of the terminal and the privacy variable, and to generate the first ciphertext according to the key and the data to be encrypted.
For different destination devices, the network device can encrypt the identifier of the terminal with different privacy variables to obtain different ciphertexts. The data packets received by different destination devices therefore contain different ciphertexts, from which the terminal's private information cannot be derived, which avoids correlation analysis, through collusion, of the traffic of the same terminal accessing different destination devices.
Optionally, the second data packet further includes a locator used to address the network device.
Optionally, the first data packet further includes first indication information, and the first indication information is used to indicate that the identifier of the terminal is to be encrypted.
进一步的,所述接收单元还用于接收第三数据包,第三数据包包括第一密文,第一密文是根据终端的标识、隐私变量和密钥确定的,终端的标识用于指示终端,终端的标识为终端的身份标识或终端的位置标识;第一密文设置于第三数据包包含的网络层协议头部中;所述处理单元还用于根据第一密文、隐私变量和密钥生成终端的标识;所述发送单元还用于发送第四数据包,第四数据包包括终端的标识,终端的标识设置于第四数据包包含的网络层协议头部中。Further, the receiving unit is further configured to receive a third data packet, the third data packet includes a first ciphertext, the first ciphertext is determined according to the terminal's identity, privacy variables, and a key, and the terminal's identity is used to indicate The terminal, the terminal’s identifier is the terminal’s identity or the terminal’s location identifier; the first ciphertext is set in the network layer protocol header included in the third data packet; the processing unit is also used to And the identification of the key generation terminal; the sending unit is also used to send a fourth data packet, the fourth data packet includes an identification of the terminal, and the identification of the terminal is set in the network layer protocol header included in the fourth data packet.
In this embodiment of the application, after receiving a third data packet containing ciphertext, the network device decrypts the ciphertext to obtain the identifier of the terminal and sends a fourth data packet containing the identifier of the terminal to the terminal, so that the terminal receives the fourth data packet.
In a possible implementation, after the network device generates the identifier of the terminal, the processing unit is further configured to replace the first ciphertext included in the third data packet with the identifier of the terminal to obtain the fourth data packet. The fourth data packet does not include the first ciphertext.
For example, if the identifier of the terminal is the identity identifier of the terminal, the processing unit is configured to replace the first ciphertext included in the third data packet with the identity identifier of the terminal to obtain the fourth data packet; the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, a random number, and a parameter that changes according to a rule.
As another example, if the identifier of the terminal is the location identifier of the terminal, the processing unit is configured to replace the first ciphertext included in the third data packet with the location identifier of the terminal to obtain the fourth data packet; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; alternatively, the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, a random number, and a parameter that changes according to a rule.
Here, the information related to the device that transmits or receives the third data packet is the source IP address contained in the third data packet.
As another example, if the identifier of the terminal is the location identifier of the terminal, the processing unit is configured to replace the first ciphertext included in the third data packet with the location identifier of the terminal and the encrypted identity identifier of the terminal to obtain the fourth data packet, where the decryption result includes the location identifier of the terminal and the encrypted identity identifier of the terminal, and the privacy variable is the encrypted identity identifier of the terminal; alternatively, the processing unit replaces the first ciphertext included in the third data packet with the location identifier of the terminal and the identity identifier of the terminal to obtain the fourth data packet, where the decryption result includes the location identifier of the terminal and the identity identifier of the terminal, and the privacy variable is the identity identifier of the terminal.
In one possible design, the processing unit is configured to generate a second ciphertext from the key and the privacy variable, and to determine the identifier of the terminal from the second ciphertext and the first ciphertext. Determining the identifier of the terminal from the second ciphertext and the first ciphertext includes: performing an exclusive OR (XOR) operation on the second ciphertext and the first ciphertext to obtain the identifier of the terminal.
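The XOR design above can be exercised end to end as follows. This is an added example, not code from the application: the keyed function (HMAC-SHA256 truncated to the identifier length), the serialization of the privacy variable, the 32-bit identifier width and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ID_BYTES = 4  # 32-bit identifier, the example field width given on the page


def privacy_variable(timestamp: int, nonce: bytes) -> bytes:
    """Serialize time information and a random number (assumed encoding)."""
    return struct.pack("!Q", timestamp) + nonce


def second_ciphertext(key: bytes, pv: bytes) -> bytes:
    """Second ciphertext = keyed function of (key, privacy variable).

    HMAC-SHA256 is an assumption; the page only says "generate from the
    key and the privacy variable".
    """
    return hmac.new(key, pv, hashlib.sha256).digest()[:ID_BYTES]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_identifier(key: bytes, pv: bytes, identifier: bytes) -> bytes:
    """Sending direction: first ciphertext = identifier XOR second ciphertext."""
    return xor_bytes(identifier, second_ciphertext(key, pv))


def recover_identifier(key: bytes, pv: bytes, first_ciphertext: bytes) -> bytes:
    """Return direction: identifier = first ciphertext XOR second ciphertext."""
    return xor_bytes(first_ciphertext, second_ciphertext(key, pv))


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    key = bytes(range(32))
    terminal_id = bytes.fromhex("0000002a")
    pv_a = privacy_variable(1700000000, bytes.fromhex("a1a2a3a4a5a6a7a8"))
    pv_b = privacy_variable(1700000060, bytes.fromhex("b1b2b3b4b5b6b7b8"))

    c_a = encrypt_identifier(key, pv_a, terminal_id)
    c_b = encrypt_identifier(key, pv_b, terminal_id)
    print("same terminal, two privacy variables:", c_a.hex(), c_b.hex())
    print("recovered:", recover_identifier(key, pv_a, c_a).hex())

    # Failure mode: one (key, privacy variable) pair used for two terminals.
    other_id = bytes.fromhex("000000ff")
    c_other = encrypt_identifier(key, pv_a, other_id)
    # The keystream cancels, so an observer learns id XOR other_id.
    print("leak under reuse:", xor_bytes(c_a, c_other).hex())
```

Because the second ciphertext acts as a keystream, the privacy variable must differ for every identifier encrypted under the same key; the construction also provides no integrity, so a flipped ciphertext bit flips the same bit of the recovered identifier.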
In another possible design, the processing unit is configured to generate a decryption result from the first ciphertext and the key, and to determine the identifier of the terminal from the decryption result and the privacy variable.
Optionally, the third data packet further includes a locator that addresses the network device; before the fourth data packet is sent, the method further includes: the network device replaces the locator addressing the network device in the third data packet with a padding value.
Optionally, the third data packet further includes second indication information, and the second indication information is used to indicate that the identifier of the terminal has been encrypted.
In a third aspect, a data processing apparatus is provided. The data processing apparatus may be the network device in the foregoing method embodiments, or a chip arranged in the network device. The data processing apparatus includes a communication interface and a processor and, optionally, a memory. The memory is used to store computer programs or instructions, and the processor is coupled to the memory and the communication interface. When the processor executes the computer programs or instructions, the data processing apparatus performs the method performed by the network device in the foregoing method embodiments.
In a fourth aspect, a computer program product is provided. The computer program product includes computer program code which, when run, causes the methods performed by the network device in the foregoing aspects to be performed.
In a fifth aspect, this application provides a chip system. The chip system includes a processor configured to implement the functions of the network device in the methods of the foregoing aspects. In one possible design, the chip system further includes a memory for storing program instructions and/or data. The chip system may consist of chips, or may include chips and other discrete components.
In a sixth aspect, this application provides a computer-readable storage medium that stores a computer program; when the computer program is run, the methods performed by the network device in the foregoing aspects are implemented.
In this application, the names of the network device and the data processing apparatus do not limit the devices themselves; in an actual implementation these devices may appear under other names. As long as the functions of the devices are similar to those in this application, they fall within the scope of the claims of this application and their technical equivalents.
Description of the drawings
FIG. 1 is an example diagram of the structure of an IPv6 data packet provided by an embodiment of this application;
FIG. 2 is an example diagram of the structure of a source IP address provided by an embodiment of this application;
FIG. 3 is an example diagram of the structure of a destination IP address provided by an embodiment of this application;
FIG. 4 is an example diagram of the architecture of a communication system provided by an embodiment of this application;
FIG. 5 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 6 is an example diagram of the structure of a source IP address provided by an embodiment of this application;
FIG. 7 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 8 is a schematic diagram of a source IP address encryption process provided by an embodiment of this application;
FIG. 9 is a schematic diagram of a source IP address encryption process provided by an embodiment of this application;
FIG. 10 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 11 is an example diagram of the structure of a destination IP address provided by an embodiment of this application;
FIG. 12 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 13 is a schematic diagram of a destination IP address decryption process provided by an embodiment of this application;
FIG. 14 is a schematic diagram of a destination IP address decryption process provided by an embodiment of this application;
FIG. 15 is a schematic diagram of a source IP address encryption and destination IP address decryption process provided by an embodiment of this application;
FIG. 16 is a schematic diagram of a source IP address encryption process provided by an embodiment of this application;
FIG. 17 is a schematic diagram of a destination IP address decryption process provided by an embodiment of this application;
FIG. 18 is an example diagram of the architecture of a communication system provided by an embodiment of this application;
FIG. 19 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 20 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 21 is a schematic diagram of a source IP address encryption process provided by an embodiment of this application;
FIG. 22 is a schematic diagram of a destination IP address decryption process provided by an embodiment of this application;
FIG. 23 is a flowchart of a data processing method provided by an embodiment of this application;
FIG. 24 is a schematic structural diagram of a data processing apparatus provided by an embodiment of this application;
FIG. 25 is a schematic structural diagram of a data processing apparatus provided by an embodiment of this application.
Detailed description
The terms "first", "second", "third" and so on in the specification, the claims and the above drawings of this application are used to distinguish different objects, not to define a particular order.
In the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as more preferred or more advantageous than other embodiments or designs. Rather, words such as "exemplary" or "for example" are intended to present the related concepts in a concrete manner.
To keep the description of the following embodiments clear and concise, a brief introduction to the related technology is given first:
The Internet Protocol (IP) is a set of rules by which all computer networks in the Internet interconnect and communicate. An IP address (Internet Protocol Address) may be the number of a host in the Internet. Common IP addresses include IPv4 addresses and IPv6 addresses. Usually, the IP address is located in the header of a data packet.
As an example, FIG. 1 is an example diagram of the structure of an IPv6 data packet provided by an embodiment of this application. An IPv6 data packet includes a basic header, N extension headers and a data part. The N extension headers and the data part may be referred to as the payload. The basic header includes the version, traffic class, flow label, payload length, next header, hop limit, source address and destination address.
The source address may also be called the source IP address. The source address is the IP address of the sender that sends the data packet, and its length is 128 bits. The sender may be a server or a terminal. As an example, FIG. 2 is an example diagram of the structure of a source IP address provided by an embodiment of this application. The source address includes external locator bits, internal locator bits and host identifier bits.
The value of the external locator bits may be the address of the network device that forwards the data packet, so that the network device can receive returned data packets. The external locator bits occupy x bits of the source address. For example, the external locator bits occupy 62 bits of the source address.
The internal locator bits are used to indicate the source location identifier, that is, the location identifier of the sender (source location, SrcLoc). For example, if the sender is a terminal, the source location identifier is the location identifier of the terminal. As another example, if the sender is a server, the source location identifier is the location identifier of the server. The internal locator bits occupy y1 bits of the source address. For example, the internal locator bits occupy 32 bits of the source address.
The host identifier bits are used to indicate the source identity identifier, that is, the identity identifier of the sender (source identification, SrcID). For example, if the sender is a terminal, the source identity identifier is the identity identifier of the terminal. As another example, if the sender is a server, the source identity identifier is the identity identifier of the server. The host identifier bits occupy y2 bits of the source address. For example, the host identifier bits occupy 32 bits of the source address.
As an example, assume the source address is an IPv6 address. The source identity identifier may be an identifier that uniquely distinguishes the identity of the data packet sender within a local or global scope. The source identity identifier may be the last 64-bit interface ID of the IPv6 address. The locator bits indicate the identifier of the smallest unit by which a network-layer device finds where the sender of the data packet is located; for example, the locator bits may be the 64-bit prefix of the IPv6 address. The locator bits include an external locator and an internal locator. The source location identifier indicated by the internal locator bits that need to be encrypted is the 16-bit subnet number in the prefix.
The destination address may also be called the destination IP address. The destination address is the IP address of the receiver that receives the data packet, and its length is 128 bits. The receiver may be a server or a terminal. As an example, FIG. 3 is an example diagram of the structure of a destination IP address provided by an embodiment of this application. The destination address includes external locator bits, internal locator bits and host identifier bits.
The value of the external locator bits may be the address of the network device that forwards the data packet, so that the network device can receive returned data packets. The external locator bits occupy x bits of the destination address. For example, the external locator bits occupy 62 bits of the destination address.
The internal locator bits are used to indicate the destination location identifier, that is, the location identifier of the receiver (destination location, DstLoc). For example, if the receiver is a terminal, the destination location identifier is the location identifier of the terminal. As another example, if the receiver is a server, the destination location identifier is the location identifier of the server. The internal locator bits occupy y1 bits of the destination address. For example, the internal locator bits occupy 32 bits of the destination address.
The host identifier bits are used to indicate the destination identity identifier, that is, the identity identifier of the receiver (DstID). For example, if the receiver is a terminal, the destination identity identifier is the identity identifier of the terminal. As another example, if the receiver is a server, the destination identity identifier is the identity identifier of the server. The host identifier bits occupy y2 bits of the destination address. For example, the host identifier bits occupy 32 bits of the destination address.
As an example, assume the destination address is an IPv6 address. The destination identity identifier may be an identifier that uniquely distinguishes the identity of the data packet receiver within a local or global scope. The destination identity identifier may be the last 64-bit interface ID of the IPv6 address. The locator bits indicate the identifier of the smallest unit by which a network-layer device finds where the receiver of the data packet is located; for example, the locator bits may be the 64-bit prefix of the IPv6 address. The locator bits include an external locator and an internal locator. The destination location identifier indicated by the internal locator bits that need to be encrypted is the 16-bit subnet number in the prefix.
For a detailed explanation of each field of the IPv6 data packet, refer to the description in the prior art; it is not repeated here.
To solve the problem of how to protect the IP address of a terminal and prevent leakage of the terminal's private information, an embodiment of this application provides a data processing method. The method includes: after receiving a first data packet, the network device encrypts the identifier of the terminal according to a key and a privacy variable to obtain a ciphertext, and replaces the identifier of the terminal with the ciphertext. The network device then sends a second data packet, which includes the ciphertext and does not include the identifier of the terminal. The identifier of the terminal may be the identity identifier of the terminal or the location identifier of the terminal. By encrypting the identifier of the terminal, the network device hides the terminal's IP address and prevents illegal attackers (for example, untrusted devices or illegal eavesdroppers) from obtaining the terminal's IP address and then analyzing the terminal's identity information and location information from that IP address.
The identifier of the terminal may be information that uniquely identifies the identity of an entity, or a partial identity identifier that contains information such as identity attributes (for example age, role identifier, department number, rank). The location identifier of the terminal may be a locator that contains an IP address, an identifier that contains geographic location information such as Global Positioning System (GPS) information, or an identifier that contains other information related to geographic location.
The implementation of the embodiments of this application is described in detail below with reference to the drawings.
FIG. 4 shows an example diagram of the architecture of a communication system to which the embodiments of this application can be applied. As shown in FIG. 4, the communication system includes at least one terminal 401, an internetwork and a data center. The internetwork may include at least one network device (for example, network device 402 and network device 403). In this document, a network device may be a router. For example, network device 402 may be a terminal-side router close to the terminal. Network device 403 may be a border router or near-destination router close to the server. However, network devices are not limited to routers. A network device may also be a switch, an access gateway or another device with a data packet forwarding function. The internetwork may further include an identity management server 404, which is used to assign the terminal 401 its identity identifier. The data center may include at least one application server 405. Multiple application servers may be separate physical devices, the functions of multiple application servers may be integrated on the same physical device (for example, multiple application servers within the jurisdiction of a cloud service provider), or the functions of some application servers may be integrated on one physical device. Each application server can run one or more services (for example, a game service). A service may also be called an application. Each service can be deployed on multiple application servers and run with the support of multiple application servers. The terminal 401 is connected to network device 402 in a wireless or wired manner. Network device 402 is connected to other network devices in a wireless or wired manner. Network device 403 is connected to the application server 405 in a wireless or wired manner. The terminal may be at a fixed location or mobile. FIG. 4 is only a schematic diagram; the communication system may also include other devices, such as relay devices, which are not shown in FIG. 4. The embodiments of this application do not limit the number of terminals, network devices and application servers included in the communication system.
The terminal 401 may also be called a terminal device, user equipment (UE), a mobile station (MS), a mobile terminal (MT) and so on. The terminal 401 may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. The embodiments of this application do not limit the specific technology or device form used by the terminal.
In some embodiments, the terminal 401 may send a data packet to the application server 405. The data packet includes a source address, and the source address indicates the identifier of the terminal 401 (for example, the identity identifier of the terminal 401 and the location identifier of the terminal 401). In other embodiments, the terminal 401 may also receive a data packet from the application server 405. That data packet may include a destination address, and the destination address indicates the identifier of the terminal 401.
When a network device (for example, network device 402 or network device 403) receives a data packet from the terminal 401, it may encrypt the identifier of the terminal 401 to obtain a ciphertext, replace the identifier of the terminal 401 with the ciphertext, and forward the data packet containing the ciphertext to the application server 405. This avoids leaking the terminal's private information. The network device may be configured with a commonly used encryption algorithm and use it to encrypt the identifier of the terminal 401.
It should be noted that, to avoid the situation in which network devices can no longer deliver the data packet to the application server 405 once the identifier of the terminal has been encrypted, the identity identifier of the terminal 401 may be encrypted at a network device close to the terminal 401 (for example, network device 402), and the location identifier of the terminal 401 may be encrypted at a network device close to the application server 405 (network device 403).
When a network device receives a data packet from the application server 405, it may decrypt the ciphertext included in the data packet to obtain the identifier of the terminal 401, replace the ciphertext with the identifier of the terminal 401, and forward the data packet containing the identifier of the terminal 401 to the terminal 401, so that the data packet can be delivered to the terminal 401.
The application server 405 may receive a data packet from the terminal 401 that contains the ciphertext. Because the identifier of the terminal has been encrypted, the application server 405 cannot obtain the identifier of the terminal. This avoids leaking the private information of the terminal 401 and prevents illegal attackers from analyzing the terminal's identity information and location information from the terminal's IP address. In addition, a data packet that the application server 405 sends to the terminal 401 may also contain this ciphertext.
Untrusted devices or illegal eavesdroppers exist on the link between the terminal 401 and the application server 405. When the terminal 401 sends a data packet to the application server 405, the data packet is forwarded by multiple network devices; having a network device encrypt the identifier of the terminal 401 avoids leaking the terminal's private information.
接下来,对本申请提供的数据处理方法进行详细说明。图5为本申请一实施例提供的数据处理方法流程图,这里以终端401向应用服务器405发送数据,网络设备402和网络设备403对终端401的标识进行加密处理为例进行说明。如图5所示,该方法可以包括:Next, the data processing method provided by this application will be described in detail. 5 is a flowchart of a data processing method provided by an embodiment of the application. Here, the terminal 401 sends data to the application server 405, and the network device 402 and the network device 403 encrypt the identification of the terminal 401 as an example. As shown in Figure 5, the method may include:
S501、终端401向网络设备402发送第一数据包。S501. The terminal 401 sends a first data packet to the network device 402.
第一数据包包括基本首部、N个扩展首部和数据部分。N个扩展首部和数据部分可以称为有效载荷(payload)或净负荷。其中,基本首部包括版本(version)、通信量类(traffic class)、流标号(flow label)、有效载荷长度(payload length)、下一个首部(next header)、跳数限制(hop limit)、源地址(source address)和目的地址(destination address)。关于第一数据包的具体的数据结构可以参考上述图1所示,不予赘述。其中,源地址指示终端401的IP地址。目的地址指示应用服务器405的IP地址。The first data packet includes a basic header, N extended headers and a data part. The N extension headers and data parts can be called payload or payload. Among them, the basic header includes version, traffic class, flow label, payload length, next header, hop limit, source Address (source address) and destination address (destination address). For the specific data structure of the first data packet, reference may be made to the above-mentioned FIG. 1, which will not be repeated. Wherein, the source address indicates the IP address of the terminal 401. The destination address indicates the IP address of the application server 405.
在一些实施例中,终端401可以向网络设备402加密传输第一数据包。例如,终端401可以利用隧道技术与网络设备402之间建立安全通道,通过安全通道传输第一 数据包。例如,终端401利用互联网安全协议(Internet Protocol Security,IPsec)与网络设备402之间建立安全通道。又如,终端401与网络设备402之间建立虚拟局域网(Virtual Private Network,VPN)的通道。由于通过安全通道隐藏了终端401的标识,从而,避免终端401与网络设备402之间链路上的不可信的设备或非法窃听者窃取终端401的标识。例如,终端401的标识可以是终端401的IP地址。又如,终端401的标识可以是终端401的身份标识。又如,终端401的标识可以是终端401的地址标识。In some embodiments, the terminal 401 may encrypt and transmit the first data packet to the network device 402. For example, the terminal 401 may establish a secure channel between the terminal 401 and the network device 402 by using the tunnel technology, and transmit the first data packet through the secure channel. For example, the terminal 401 uses Internet Protocol Security (IPsec) to establish a secure channel with the network device 402. For another example, a virtual local area network (Virtual Private Network, VPN) channel is established between the terminal 401 and the network device 402. Since the identification of the terminal 401 is hidden through the secure channel, it is avoided that untrusted devices or illegal eavesdroppers on the link between the terminal 401 and the network device 402 steal the identification of the terminal 401. For example, the identification of the terminal 401 may be the IP address of the terminal 401. For another example, the identity of the terminal 401 may be the identity of the terminal 401. For another example, the identifier of the terminal 401 may be the address identifier of the terminal 401.
S502: The network device 402 receives the first data packet from the terminal 401.
The network device 402 may receive the first data packet from the terminal 401 through the secure channel. The first data packet includes the identifier of the terminal 401. The identifier of the terminal 401 is carried in the network layer protocol header of the first data packet. The identifier of the terminal 401 is used to indicate the terminal 401. If the identifier of the terminal 401 is the identity identifier of the terminal 401, it indicates the identity information of the terminal 401. If the identifier of the terminal 401 is the location identifier of the terminal 401, it indicates the location information of the terminal 401.
In some embodiments, after the network device 402 receives the first data packet from the terminal 401 and determines that the header of the first data packet includes the identifier of the terminal 401, it encrypts the identifier of the terminal 401 and performs S503.
In other embodiments, the first data packet includes first indication information, and the first indication information is used to indicate that the identifier of the terminal 401 is to be encrypted. After receiving the first data packet from the terminal 401, the network device 402 determines, according to the first indication information, to encrypt the identifier of the terminal 401, and performs S503.
In a possible design, as shown in FIG. 6, the source address included in the first data packet includes flag bits (flag), and the value of the flag bits is used to indicate that the identifier of the terminal 401 is to be encrypted. The flag bits occupy z bits of the source address. For example, the flag bits occupy 2 bits of the source address. The identifier of the terminal 401 includes the identity identifier of the terminal 401 and the location identifier of the terminal 401.
Optionally, when the value of the flag bits is 00, the identifier of the terminal 401 does not need to be encrypted. When the value of the flag bits is 01, the identifier of the terminal 401 is to be encrypted.
Optionally, when the value of the flag bits is 00, the identifier of the terminal 401 does not need to be encrypted. When the value of the flag bits is 01, the identity identifier of the terminal 401 is to be encrypted. When the value of the flag bits is 10, the location identifier of the terminal 401 is to be encrypted.
Optionally, when the value of the flag bits is 00, the identifier of the terminal 401 is to be encrypted. When the value of the flag bits is 01, the identifier of the terminal 401 does not need to be encrypted.
S503: The network device 402 generates a first ciphertext according to the identity identifier of the terminal 401, a first privacy variable, and a first key.
The network device 402 may extract the identity identifier of the terminal 401 from the IP address of the terminal 401 included in the first data packet, encrypt the identity identifier of the terminal 401 to obtain the first ciphertext, and generate a second data packet, where the second data packet includes the first ciphertext.
Specifically, as shown in FIG. 7, the encryption of the identifier of the terminal 401 by the network device 402 includes the following steps.
S5031: The network device 402 generates a second ciphertext according to the first key and the first privacy variable.
The network device 402 may extract the first privacy variable from the header of the first data packet and, using an encryption algorithm, perform an encryption operation on the first privacy variable with the first key to obtain the second ciphertext. The first privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, a random number, and a parameter that changes according to a rule. The first privacy variable may be placed at any position in the network layer protocol header of the first data packet.
For example, the first privacy variable may be hidden in the host identifier bits. For instance, the first privacy variable is time information, and the terminal 401 adds the time information when it generates the identity identifier of the terminal 401 in the first data packet. The network device 402 may extract the first privacy variable from the host identifier bits in the network layer protocol header of the first data packet.
For another example, the first privacy variable is exposed in the network layer protocol header of the first data packet. The network device 402 may extract the first privacy variable from the network layer protocol header of the first data packet. For instance, the first privacy variable is the destination IP address. For instance, the length of the first data packet is variable, and a field carrying the first privacy variable is added to the network layer protocol header of the first data packet.
For example, if the first privacy variable is information related to the device that transmits or receives the first data packet, that information is the destination IP address included in the first data packet. The destination IP address may be the address of the application server 405. The network device 402 may extract the first privacy variable from the network layer protocol header of the first data packet. The second ciphertext satisfies the following formula (1).
$$C = E_{SK1}(\mathrm{DstIP}) \tag{1}$$
Here, C denotes the second ciphertext. E() denotes a secure block encryption algorithm, for example the Advanced Encryption Standard (AES)-256, whose block length is 128 bits. SK1 denotes the encryption key of the network device 402, that is, the first key. DstIP denotes the destination IP address included in the first data packet.
Generally, the second ciphertext is relatively long, for example 128 bits. Therefore, the network device 402 processes the second ciphertext according to the identifier of the terminal 401 to obtain a ciphertext that is as long as the identifier of the terminal 401, and performs S5032.
S5032: The network device 402 determines the first ciphertext according to the second ciphertext and the identity identifier of the terminal 401.
The network device 402 may truncate the second ciphertext according to the length of the identity identifier of the terminal 401 to obtain a y2-bit value, and determine the first ciphertext according to the truncated y2-bit value and the identifier of the terminal 401.
For example, an exclusive OR operation is performed on the second ciphertext and the identity identifier of the terminal 401 to obtain the first ciphertext. The first ciphertext satisfies the following formula (2).
$$\mathrm{EHID} = (C_{y2}) \ \mathrm{XOR} \ (\mathrm{HID}) \tag{2}$$
Here, EHID denotes the first ciphertext. C_{y2} denotes the y2-bit value truncated from the second ciphertext. HID denotes the identity identifier of the terminal 401. XOR denotes the exclusive OR operation.
Optionally, the length of the first ciphertext is equal to the length of the identity identifier of the terminal 401. The length of the second ciphertext is greater than the length of the identity identifier of the terminal 401.
For different destination devices, the network device 402 may use different privacy variables to encrypt the identity identifier of the terminal and so obtain different ciphertexts. The data packets received by different destination devices therefore include different ciphertexts, which prevents the traffic of one terminal accessing different destination devices from being correlated through collusion.
Further, after the network device 402 encrypts the identity identifier of the terminal 401 and obtains the first ciphertext, it replaces the identity identifier of the terminal 401 in the first data packet with the first ciphertext to generate the second data packet. The first ciphertext is carried in the network layer protocol header of the second data packet.
Optionally, if the first privacy variable is exposed in the network layer protocol header of the first data packet, the first privacy variable is also carried in the network layer protocol header of the second data packet. For example, if the first privacy variable is the destination IP address, the first privacy variable is carried in the network layer protocol header of the second data packet. The first privacy variable is carried there so that, when the network device 402 receives a data packet containing the first ciphertext, it can extract the first privacy variable from that data packet and use the first key and the first privacy variable to decrypt the first ciphertext and obtain the identity identifier of the terminal 401.
Optionally, the first privacy variable is hidden in the network layer protocol header of the first data packet. For example, if the first privacy variable is time information, the first privacy variable may be hidden in the host identifier bits. The network device 402 replaces the identity identifier of the terminal 401 with the first ciphertext, and the first privacy variable is not visible in the network layer protocol header of the second data packet. The first privacy variable is hidden in the network layer protocol header of the second data packet. It can be understood that the first privacy variable is hidden in the first ciphertext.
For example, FIG. 8 is a schematic diagram of the encryption process of the source IP address. For the first data packet generated by the terminal 401, the value of the external locator bits is a padding value (padding). The padding value may be a bit string agreed by the system, such as 00000. The value of the internal locator bits is the location identifier of the terminal 401. The value of the host identifier bits is the identity identifier of the terminal 401. In the following, it is assumed that the identity identifier of the terminal 401 is HID and the first ciphertext is EHID. After the network device 402 encrypts HID to obtain EHID, it replaces HID with EHID. The value of the host identifier bits may then be the encrypted identity identifier of the terminal 401, that is, EHID.
S504: The network device 402 forwards the second data packet, where the second data packet includes the first ciphertext.
The network device 402 may forward the second data packet according to forwarding rules such as a routing table. For details, refer to the prior art; they are not repeated here.
S505: The network device 403 receives the second data packet.
The network device 403 may receive the second data packet from the network device 402, or the network device 403 may receive the second data packet forwarded by another network device.
In some embodiments, after the network device 402 receives the second data packet from the terminal 401 and determines that the header of the second data packet includes the location identifier of the terminal 401, it encrypts the location identifier of the terminal 401 and performs S506.
In other embodiments, the second data packet includes the first indication information, and the first indication information is used to indicate that the identifier of the terminal 401 is to be encrypted. After receiving the second data packet from the terminal 401, the network device 402 determines, according to the first indication information, to encrypt the location identifier of the terminal 401, and performs S506. The specific implementation of the first indication information may be as described in S502 above and is not repeated here.
S506: The network device 403 generates a third ciphertext according to the location identifier of the terminal 401, a second privacy variable, and a second key.
The network device 403 may extract the location identifier of the terminal 401 from the IP address of the terminal 401 included in the second data packet, encrypt the location identifier of the terminal 401 to obtain the third ciphertext, and generate a third data packet, where the third data packet includes the third ciphertext.
Specifically, as shown in FIG. 7, the encryption of the location identifier of the terminal 401 by the network device 403 includes the following steps.
S5061: The network device 403 generates the data to be encrypted according to the location identifier of the terminal 401 and the second privacy variable.
The network device 402 may extract the second privacy variable from the network layer protocol header of the second data packet, and form the data to be encrypted from the location identifier of the terminal 401 and the second privacy variable.
In some embodiments, the second privacy variable is the encrypted identity identifier of the terminal 401, that is, the first ciphertext. The second data packet includes the first ciphertext. The length of the data to be encrypted may be equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
Optionally, the length of the data to be encrypted may not be equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
S5062: The network device 403 generates the third ciphertext according to the second key and the data to be encrypted.
The network device 403 uses an encryption algorithm to perform an encryption operation on the data to be encrypted with the second key and obtains the third ciphertext. For example, the third ciphertext satisfies the following formula (3).
$$\mathrm{EIP} = F_{SK2}(\mathrm{SrcLoc} \,||\, \mathrm{EHID}) \tag{3}$$
Here, EIP denotes the third ciphertext. F() denotes a lightweight symmetric encryption algorithm whose block length is the sum of y1 bits and y2 bits. SK2 denotes the encryption key of the network device 403, that is, the second key. || denotes concatenation. EHID denotes the first ciphertext. SrcLoc denotes the location identifier of the terminal 401.
Further, after the network device 403 encrypts the location identifier of the terminal 401 and obtains the third ciphertext, it replaces the location identifier of the terminal 401 in the second data packet with the third ciphertext to generate the third data packet. The third ciphertext is carried in the network layer protocol header of the third data packet.
In some embodiments, if the second privacy variable is the first ciphertext, it can be understood that both the identity identifier of the terminal 401 and the location identifier of the terminal 401 have been encrypted. The network device 403 replaces the first ciphertext and the location identifier of the terminal 401 with the third ciphertext. The second privacy variable is hidden in the network layer protocol header of the third data packet. It can be understood that the second privacy variable is hidden in the third ciphertext.
Optionally, the length of the third ciphertext is equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401. Optionally, the length of the third ciphertext is not equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
For example, FIG. 9 is a schematic diagram of the encryption process of the source IP address. For the first data packet generated by the terminal 401, the value of the external locator bits is a padding value. The value of the internal locator bits is the location identifier of the terminal 401. The value of the host identifier bits is the identity identifier of the terminal 401. The second data packet generated by the network device 402 differs from the first data packet in that the value of the host identifier bits is EHID. In the following, it is assumed that the third ciphertext is EIP. After the network device 403 encrypts the location identifier of the terminal 401 to obtain EIP, it replaces the value of the internal locator bits and the value of the host identifier bits with EIP, that is, it replaces the location identifier of the terminal 401 and EHID with EIP.
For different destination devices, the network device 402 may use different privacy variables to encrypt the location identifier of the terminal and so obtain different ciphertexts. The data packets received by different destination devices therefore include different ciphertexts, which avoids leaking the location identifier of the terminal 401.
In addition, the network device 403 may replace the padding value in the external locator bits with a locator that addresses a network device. For example, the padding value in the external locator bits is replaced with the location identifier of the network device 403, so that the third data packet can be forwarded to the application server 405. Using the location identifier of the network device 403 as the new externally visible locator also prevents an untrusted destination device from analyzing the location identifier of the terminal 401.
S507: The network device 403 forwards the third data packet, where the third data packet includes the third ciphertext.
The network device 403 may forward the third data packet according to forwarding rules such as a routing table. For details, refer to the prior art; they are not repeated here.
S508: The application server 405 receives the third data packet.
The application server 405 may receive the third data packet from the network device 403, or the application server 405 may receive the third data packet forwarded by another network device. After receiving the third data packet, the application server 405 parses it and can obtain the data that the terminal 401 sent to the application server 405.
As long as the terminal 401 is not shut down, it may use a fixed IP address to communicate with external networks. At present, a web page that the terminal 401 accesses through a browser usually embeds multiple third-party links in addition to the main page, and multiple servers can extract the IP address of the terminal 401 from data packets for correlation analysis. For example, user A uses an IP address to visit website W1 during some period and uses the same IP address to visit website W2 during the same period. If W1 and W2 are operated by the same parent company, or the providers of W1 and W2 are partners that share data, the user's behavior on W1 and W2 can be correlated. If the user has registered real-name identity information with W1, W2 can associate the user's real identity information through the IP address, which causes a privacy leak. Moreover, when IPv6 is widely used in the future, IPv6 prefix information may reveal more specific location information. As long as the user's behavior can be associated through some ID, for example when the user logs in to a server with an application-layer user account, the server can still trace the user's location trajectory from the IP address even if the user has not told the server its specific location.
In the embodiments of this application, the network device 402 and the network device 403 encrypt the identifier of the terminal 401 to hide the terminal's IP address. This prevents illegal attackers (such as untrusted devices or illegal eavesdroppers) from obtaining the terminal's IP address and analyzing the identity identifier and the location identifier of the terminal 401 from it. Because different destination hosts obtain different addresses for the same source host, the traffic of one source host accessing different destination hosts cannot be correlated through collusion. A destination host or an illegal attacker cannot use the IP address of a compromised host on a local area network to determine that two hosts are on the same local area network.
After the application server 405 receives a data packet in which the identifier of the terminal 401 is ciphertext, the application server 405 may also use the ciphertext to send data packets to the terminal 401. The specific transmission process is described in the following embodiment.
Next, the data processing method provided in this application is described in detail. FIG. 10 is a flowchart of a data processing method provided by an embodiment of this application. The description takes as an example the case in which the application server 405 sends data to the terminal 401 and the network device 402 and the network device 403 decrypt the identifier of the terminal 401. As shown in FIG. 10, the method may include:
S1001: The application server 405 sends a fourth data packet to the network device 403.
The fourth data packet includes a basic header, N extension headers, and a data part. The basic header includes a source address and a destination address. For the specific data structure of the fourth data packet, refer to FIG. 1 above; it is not repeated here. The source address indicates the address of the application server 405. Because the source address in the third data packet that the application server 405 received from the terminal 401 is the third ciphertext, the value of the destination address in the fourth data packet contains the third ciphertext. The third ciphertext is carried in the network layer protocol header of the fourth data packet. The third ciphertext is determined according to the location identifier of the terminal 401, the second privacy variable, and the second key.
S1002: The network device 403 receives the fourth data packet from the application server 405.
The network device 403 may receive the fourth data packet from the application server 405, or the network device 403 may receive the fourth data packet forwarded by another network device.
In some embodiments, after the network device 403 receives the fourth data packet from the application server 405 and determines that the header of the fourth data packet includes the third ciphertext, it decrypts the third ciphertext and performs S1003.
In other embodiments, the fourth data packet includes second indication information, and the second indication information is used to indicate that the identifier of the terminal 401 has been encrypted. After receiving the fourth data packet from the application server 405, the network device 403 determines, according to the second indication information, to decrypt the location identifier of the terminal 401, and performs S1003.
In a possible design, as shown in FIG. 11, the destination address included in the fourth data packet includes flag bits, and the value of the flag bits is used to indicate that the identifier of the terminal 401 has been encrypted. The flag bits occupy z bits of the destination address. For example, the flag bits occupy 2 bits of the destination address. The identifier of the terminal 401 includes the identity identifier of the terminal 401 and the location identifier of the terminal 401.
Optionally, when the value of the flag bits is 00, the identifier of the terminal 401 is not encrypted. When the value of the flag bits is 01, the identifier of the terminal 401 has been encrypted.
Optionally, when the value of the flag bits is 00, the identifier of the terminal 401 is not encrypted. When the value of the flag bits is 01, the identity identifier of the terminal 401 has been encrypted. When the value of the flag bits is 10, the location identifier of the terminal 401 has been encrypted.
Optionally, when the value of the flag bits is 00, the identifier of the terminal 401 has been encrypted. When the value of the flag bits is 01, the identifier of the terminal 401 is not encrypted.
S1003: The network device 403 generates the location identifier of the terminal 401 according to the third ciphertext, the second privacy variable, and the second key.
The network device 403 may extract the third ciphertext from the destination address, decrypt the third ciphertext to obtain the location identifier of the terminal 401, and generate a fifth data packet, where the fifth data packet includes the location identifier of the terminal 401.
Specifically, as shown in FIG. 12, the decryption of the third ciphertext by the network device 403 includes the following steps.
S1003a: The network device 403 generates a decryption result according to the third ciphertext and the second key.
The network device 403 uses a decryption algorithm to perform a decryption operation on the third ciphertext with the second key and obtains the decryption result. For example, the decryption result satisfies the following formula (4).
$$P = D_{SK2}(\mathrm{EIP}) \tag{4}$$
Here, P denotes the decryption result, D() is the decryption algorithm, SK2 denotes the encryption key of the network device 403, that is, the second key, and EIP denotes the third ciphertext.
S1003b. The network device 403 determines the location identifier of the terminal 401 according to the decryption result and the second privacy variable.
The network device 403 may obtain the second privacy variable from the network layer protocol header included in the fourth data packet, and determine the location identifier of the terminal 401 according to the decryption result and the second privacy variable. Optionally, the length of the decryption result may be equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401. Optionally, the length of the decryption result may not be equal to that sum.
In some embodiments, the second privacy variable is the encrypted identity identifier of the terminal 401, that is, the first ciphertext. In this case, both the identity identifier and the location identifier of the terminal 401 have been encrypted. The length of the third ciphertext is equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401. The decryption result includes the first ciphertext and the location identifier of the terminal 401. In other words, the second privacy variable is hidden in the network layer protocol header included in the fourth data packet, and the network device 403 can obtain the second privacy variable from the decryption result.
After the network device 403 decrypts the third ciphertext to obtain the decryption result, it can replace the third ciphertext included in the fourth data packet with the location identifier of the terminal 401 and the first ciphertext to generate the fifth data packet. The location identifier of the terminal 401 and the first ciphertext are set in the network layer protocol header included in the fifth data packet.
For example, FIG. 13 is a schematic diagram of the decryption process of the destination IP address. For the fourth data packet generated by the application server 405, the value of the external locator bit is the location identifier of the network device 403. The value of the internal locator bit and the value of the host identifier bit may be the third ciphertext. After the network device 403 decrypts the third ciphertext to obtain the location identifier of the terminal 401 and the first ciphertext, it replaces the value EIP of the internal locator bit with the location identifier of the terminal 401, and replaces the value of the host identifier bit with the first ciphertext (SrcID=EHID).
The network device 403 decrypts the third ciphertext to obtain the location identifier of the terminal 401 and, after replacing the third ciphertext, generates the fifth data packet, which includes the location identifier of the terminal 401. This allows the fifth data packet to be transmitted to the terminal 401.
In addition, the fourth data packet also includes a locator for addressing the network device. The network device 403 may replace the value of the external locator bit, that is, the locator for addressing the network device, with a padding value. For example, the location identifier of the network device 403 carried in the external locator bit is replaced with the padding value, so that the fifth data packet can be forwarded to the terminal 401.
S1004. The network device 403 forwards the fifth data packet, where the fifth data packet includes the location identifier of the terminal 401 and the first ciphertext.
The network device 403 may forward the fifth data packet according to a forwarding rule such as a routing table. For details, reference may be made to the prior art, and they are not repeated here. The identifier of the terminal 401 is set in the network layer protocol header included in the fifth data packet.
S1005. The network device 402 receives the fifth data packet.
The network device 402 may receive the fifth data packet from the network device 403, or the network device 402 may receive the fifth data packet forwarded by another network device.
In some embodiments, after the network device 402 receives the fifth data packet from the network device 403, it determines that the network layer protocol header included in the fifth data packet contains the first ciphertext, decrypts the first ciphertext, and executes S1006.
In other embodiments, the fifth data packet includes second indication information, which indicates that the identifier of the terminal 401 has been encrypted. After the network device 402 receives the fifth data packet from the network device 403, it determines according to the second indication information that the first ciphertext is to be decrypted, and executes S1006. The second indication information can be implemented as described in S1002 above, and details are not repeated here.
S1006. The network device 402 generates the identity identifier of the terminal 401 according to the first ciphertext, the first privacy variable, and the first key.
The network device 402 may extract the first ciphertext from the destination address, decrypt it to obtain the identity identifier of the terminal 401, and generate a sixth data packet that includes the identity identifier of the terminal 401.
Specifically, as shown in FIG. 12, decryption of the first ciphertext by the network device 402 includes the following steps.
S1006a. The network device 402 generates a second ciphertext according to the first privacy variable and the first key.
The network device 402 may extract the first privacy variable from the network layer protocol header included in the fifth data packet, and use an encryption algorithm to perform an encryption operation on the first privacy variable with the first key to obtain the second ciphertext. The length of the second ciphertext is greater than the length of the identity identifier of the terminal 401. For the specific method of obtaining the second ciphertext, refer to the description of S5031; details are not repeated here.
The first privacy variable includes at least one of time information, information related to the device that transmits or receives the fifth data packet, a random number, and a regularly changing parameter. For example, the information related to the device that transmits or receives the fifth data packet is the source IP address included in the fifth data packet. The source IP address may be the address of the application server 405. The first privacy variable is set in the network layer protocol header included in the fifth data packet. The fifth data packet also includes the location identifier of the terminal 401.
S1006b. The network device 402 determines the identity identifier of the terminal 401 according to the second ciphertext and the first ciphertext.
The network device 402 may truncate the second ciphertext according to the length of the identity identifier of the terminal 401 to obtain a y2-bit value, and determine the identifier of the terminal 401 according to the truncated y2-bit value and the first ciphertext. Optionally, the length of the first ciphertext is equal to the length of the identity identifier of the terminal 401. The length of the second ciphertext is greater than the length of the identity identifier of the terminal 401.
For example, an exclusive OR operation is performed on the second ciphertext and the first ciphertext to obtain the identity identifier of the terminal 401. The identity identifier of the terminal 401 satisfies the following formula (5).
$HID = (C_{y2})\ \mathrm{XOR}\ (EHID) \qquad (5)$
Here, EHID denotes the first ciphertext, $C_{y2}$ denotes the y2-bit value truncated from the second ciphertext, HID denotes the identity identifier of the terminal 401, and XOR denotes the exclusive OR operation.
Further, after the network device 402 decrypts the first ciphertext to obtain the identity identifier of the terminal 401, it replaces the first ciphertext included in the fifth data packet with the identity identifier of the terminal 401 to generate the sixth data packet. The identity identifier of the terminal 401 is set in the network layer protocol header included in the sixth data packet.
For example, FIG. 14 is a schematic diagram of the decryption process of the destination IP address. For the fourth data packet generated by the application server 405, the value of the external locator bit is the location identifier of the network device 403. The value of the internal locator bit and the value of the host identifier bit may be the third ciphertext. For the fifth data packet generated by the network device 403, the value of the external locator bit is a padding value, the value of the internal locator bit is the location identifier of the terminal 401, and the value of the host identifier bit may be the first ciphertext. After the network device 402 decrypts the first ciphertext to obtain the identity identifier of the terminal 401, it replaces the value of the host identifier bit, the first ciphertext (SrcID=EHID), with the identity identifier of the terminal 401 (SrcID=HID).
S1007. The network device 402 forwards the sixth data packet, where the sixth data packet includes the identity identifier of the terminal 401.
The network device 402 may forward the sixth data packet according to a forwarding rule such as a routing table. For details, reference may be made to the prior art, and they are not repeated here.
S1008. The terminal 401 receives the sixth data packet.
The terminal 401 may receive the sixth data packet from the network device 402, or the terminal 401 may receive the sixth data packet forwarded by another network device. After receiving the sixth data packet, the terminal 401 parses it to obtain the data sent by the application server 405 to the terminal 401.
In this way, the network device 402 and the network device 403 decrypt the ciphertexts so that the data of the application server 405 can be transmitted to the terminal 401.
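The downstream path S1003 to S1006 (formulas (4) and (5)) can be traced in code; this is an added example, not part of the patent text. The patent leaves E() and D() unspecified, so a truncated HMAC-SHA256 and a four-round Feistel permutation are stand-ins, and the 4-byte field lengths, the location-then-EHID ordering, the zero padding value, the keys and the addresses are assumptions.

```python
import hashlib
import hmac

LOC_LEN = 4          # assumed byte length of the location identifier
HID_LEN = 4          # assumed byte length of the identity identifier
PAD = b"\x00" * 4    # assumed padding value for the external locator


def prf(key: bytes, data: bytes, n: int) -> bytes:
    """Keyed function standing in for the unspecified E()/D() primitive."""
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(key: bytes, block: bytes, decrypt: bool = False, rounds: int = 4) -> bytes:
    """Length-preserving keyed permutation used here as E_SK2 / D_SK2."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    order = reversed(range(rounds)) if decrypt else range(rounds)
    for i in order:
        if decrypt:
            left, right = xor(right, prf(key, bytes([i]) + left, half)), left
        else:
            left, right = right, xor(left, prf(key, bytes([i]) + right, half))
    return left + right


def mask_identity(k1: bytes, pv1: bytes, value: bytes) -> bytes:
    """Formula (5): C = E_K1(PV1), keep the first y2 bits, XOR with value.

    XOR is its own inverse, so this maps HID -> EHID and EHID -> HID.
    """
    second_ciphertext = prf(k1, pv1, 32)      # longer than the identifier
    c_y2 = second_ciphertext[:len(value)]     # y2 = 8 * len(value) bits
    return xor(c_y2, value)


def fourth_packet(hid, loc, server_ip, locator_403, k1, sk2) -> dict:
    """Address fields of the packet the application server 405 sends back."""
    ehid = mask_identity(k1, server_ip, hid)  # first ciphertext
    eip = feistel(sk2, loc + ehid)            # third ciphertext
    return {"src": server_ip, "outer": locator_403,
            "inner": eip[:LOC_LEN], "host": eip[LOC_LEN:]}


def device_403(pkt: dict, sk2: bytes) -> dict:
    """S1003a/b: P = D_SK2(EIP); P holds the location identifier and EHID."""
    p = feistel(sk2, pkt["inner"] + pkt["host"], decrypt=True)
    return {**pkt, "outer": PAD, "inner": p[:LOC_LEN], "host": p[LOC_LEN:]}


def device_402(pkt: dict, k1: bytes) -> dict:
    """S1006a/b: PV1 is the source IP address exposed in the header."""
    return {**pkt, "host": mask_identity(k1, pkt["src"], pkt["host"])}


# Constructed sample values, not taken from the patent.
K1, SK2 = b"k1-device-402-demo", b"sk2-device-403-demo"
SERVER_405 = bytes.fromhex("20010db8000000000000000000000405")
HID, LOC, LOCATOR_403 = b"\x00\x00\x04\x01", b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x03"

if __name__ == "__main__":
    p4 = fourth_packet(HID, LOC, SERVER_405, LOCATOR_403, K1, SK2)
    p5 = device_403(p4, SK2)
    p6 = device_402(p5, K1)
    for name, p in (("fourth", p4), ("fifth", p5), ("sixth", p6)):
        print(name, p["outer"].hex(), p["inner"].hex(), p["host"].hex())
```

Because formula (5) is an XOR mask, two identity identifiers encrypted under the same first key and the same first privacy variable satisfy EHID_a XOR EHID_b = HID_a XOR HID_b. A first privacy variable that includes time information or a random number, as the text allows, keeps the mask from repeating across terminals and packets.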
In other embodiments, the second privacy variable is the identity identifier of the terminal 401. In this case, after the network device 402 receives the first data packet from the terminal 401, it does not execute S503, that is, it does not encrypt the identity identifier of the terminal 401, and forwards the first data packet. The network device 403 receives the first data packet, which includes the identity identifier of the terminal 401. The network device 403 can encrypt the identity identifier and the location identifier of the terminal 401 with the second key to obtain the third ciphertext, and replace the identity identifier and the location identifier of the terminal 401 with the third ciphertext. The second privacy variable may be the identity identifier of the terminal 401. The length of the third ciphertext is equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401. For the encryption process, refer to the description of S506; details are not repeated here.
For example, (a) of FIG. 15 is a schematic diagram of the encryption process of the source IP address. For the first data packet generated by the terminal 401, the value of the external locator bit is a padding value. The value of the internal locator bit may be the location identifier of the terminal 401. The value of the host identifier bit may be the identity identifier of the terminal 401. The network device 403 encrypts the identity identifier and the location identifier of the terminal 401 to obtain the third ciphertext (EIP), and replaces the value of the internal locator bit and the value of the host identifier bit with EIP, that is, replaces the location identifier and the identity identifier of the terminal 401 with EIP.
The network device 403 decrypts the third ciphertext to obtain a decryption result, which includes the identity identifier and the location identifier of the terminal 401. In other words, the second privacy variable is hidden in the network layer protocol header included in the fourth data packet. The second privacy variable may be the identity identifier of the terminal 401. Because the decryption result includes the identity identifier of the terminal 401, the network device 403 can obtain the second privacy variable from the decryption result. The third ciphertext may then be replaced with the location identifier and the identity identifier of the terminal 401.
For example, (b) of FIG. 15 is a schematic diagram of the decryption process of the destination IP address. The network device 403 replaces the value of the host identifier bit with the identity identifier of the terminal 401 (SrcID=HID), and replaces the value of the internal locator bit with the location identifier of the terminal 401.
In some other embodiments, the first privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, a random number, and a regularly changing parameter. The information related to the device that transmits or receives the first data packet is the destination IP address included in the first data packet. The destination IP address may be the address of the application server 405. The network device 402 may use the first key and the first privacy variable to encrypt the identity identifier of the terminal 401 to obtain the first ciphertext, and then replace the identity identifier of the terminal 401 with the first ciphertext to obtain the second data packet. The first ciphertext may be set in the network layer protocol header included in the second data packet. Optionally, the length of the first ciphertext is equal to the length of the identity identifier of the terminal 401. Optionally, the length of the source address is variable, and the length of the first ciphertext may not be equal to the length of the identity identifier of the terminal 401.
The first privacy variable can be set at any position in the network layer protocol header included in the second data packet.
For example, the first privacy variable can be hidden in the host identifier. Suppose the first privacy variable is time information: when generating the host identifier for the host identifier bit of the first data packet, the terminal 401 adds the time information. The network device 402 may extract the first privacy variable from the host identifier bit in the network layer protocol header included in the first data packet.
For another example, the first privacy variable is exposed in the network layer protocol header included in the first data packet. The network device 402 may extract the first privacy variable from the network layer protocol header included in the first data packet. For instance, the first privacy variable is the destination IP address. Alternatively, the length of the first data packet is variable, and a field carrying the first privacy variable is added to the network layer protocol header included in the first data packet, from which the network device 402 may extract the first privacy variable.
The network device 402 can use the encryption method of S506 or S503 to encrypt the identity identifier of the terminal 401. For the detailed encryption process, refer to the description of S506 or S503; details are not repeated here.
If the first privacy variable is exposed in the network layer protocol header included in the first data packet, the network device 402 uses the encryption method of S503 to encrypt the identity identifier of the terminal 401. The first privacy variable is set in the network layer protocol header included in the second data packet, so that when the network device 402 receives a data packet containing the first ciphertext, it can extract the first privacy variable from that data packet and use the first key and the first privacy variable to decrypt the first ciphertext to obtain the identity identifier of the terminal 401.
If the first privacy variable is hidden in the network layer protocol header included in the first data packet, the network device 402 uses the encryption method of S506 to encrypt the identity identifier of the terminal 401. The first privacy variable is hidden in the network layer protocol header included in the second data packet. The network device 402 may decrypt the first ciphertext to obtain a decryption result that includes the first privacy variable, and obtain the first privacy variable from the decryption result.
The second privacy variable includes at least one of time information, information related to the device that transmits or receives the second data packet, a random number, and a regularly changing parameter. The information related to the device that transmits or receives the second data packet is the destination IP address included in the second data packet, that is, the IP address of the application server 405. The network device 403 may use the second key and the second privacy variable to encrypt the location identifier of the terminal 401 to obtain the third ciphertext, and then replace the location identifier of the terminal 401 with the third ciphertext to obtain the third data packet. The third ciphertext may be set in the network layer protocol header included in the third data packet. Optionally, the length of the third ciphertext is equal to the length of the location identifier of the terminal 401. Optionally, the length of the source address is variable, and the length of the third ciphertext may not be equal to the length of the location identifier of the terminal 401.
The second privacy variable can be set at any position in the second data packet.
For example, the second privacy variable is hidden in the network layer protocol header included in the second data packet. For instance, the second privacy variable can be hidden in the internal locator. Suppose the second privacy variable is time information: when generating the internal locator for the internal locator bit of the first data packet, the terminal 401 adds the time information. The network device 403 may extract the second privacy variable from the internal locator bit in the network layer protocol header included in the second data packet.
For another example, the second privacy variable is exposed in the network layer protocol header included in the second data packet. The network device 403 may extract the second privacy variable from the network layer protocol header included in the second data packet. For instance, the second privacy variable is the destination IP address. Alternatively, the length of the second data packet is variable, and a field carrying the second privacy variable is added to the network layer protocol header included in the second data packet.
The network device 403 can use the encryption method of S506 or S503 to encrypt the location identifier of the terminal 401. For the detailed encryption process, refer to the description of S506 or S503; details are not repeated here.
If the second privacy variable is exposed in the network layer protocol header included in the second data packet, the network device 403 uses the encryption method of S503 to encrypt the location identifier of the terminal 401. The second privacy variable is set in the network layer protocol header included in the third data packet, so that when the network device 403 receives a data packet containing the third ciphertext, it can extract the second privacy variable from that data packet and use the second key and the second privacy variable to decrypt the third ciphertext to obtain the location identifier of the terminal 401.
If the second privacy variable is hidden in the network layer protocol header included in the second data packet, the network device 403 uses the encryption method of S506 to encrypt the location identifier of the terminal 401. The second privacy variable is hidden in the network layer protocol header included in the third data packet. The network device 403 may decrypt the third ciphertext to obtain a decryption result that includes the second privacy variable, and obtain the second privacy variable from the decryption result.
Optionally, the first privacy variable and the second privacy variable may be the same. For example, the first privacy variable and the second privacy variable are the same time information.
Optionally, the first privacy variable and the second privacy variable may be different.
For example, FIG. 16 is a schematic diagram of the encryption process of the source IP address. For the first data packet generated by the terminal 401, the value of the external locator bit is a padding value, the value of the internal locator bit may be the location identifier of the terminal 401, and the value of the host identifier bit may be the identity identifier of the terminal 401. For the second data packet generated by the network device 402, the value of the external locator bit is a padding value, the value of the internal locator bit may be the location identifier of the terminal 401, and the value of the host identifier bit may be EHID. After the network device 402 encrypts the identity identifier of the terminal 401 to obtain the EHID, it replaces the identity identifier of the terminal 401 with the EHID. For the third data packet generated by the network device 403, the value of the external locator bit is the locator of the network device 403, the value of the internal locator bit may be EIP, and the value of the host identifier bit may be EHID. After the network device 403 encrypts the location identifier of the terminal 401 to obtain the EIP, it replaces the value of the internal locator bit with EIP, that is, replaces the location identifier of the terminal 401 with EIP.
The method used to encrypt the location identifier and the identity identifier of the terminal 401 is not limited.
For example, the network device 402 may use the encryption method of S503 to encrypt the identity identifier of the terminal 401, and the network device 403 may use the encryption method of S503 to encrypt the location identifier of the terminal 401.
For another example, the network device 402 may use the encryption method of S506 to encrypt the identity identifier of the terminal 401, and the network device 403 may use the encryption method of S506 to encrypt the location identifier of the terminal 401.
For another example, the network device 402 may use the encryption method of S503 to encrypt the identity identifier of the terminal 401, and the network device 403 may use the encryption method of S506 to encrypt the location identifier of the terminal 401.
For another example, the network device 402 may use the encryption method of S506 to encrypt the identity identifier of the terminal 401, and the network device 403 may use the encryption method of S503 to encrypt the location identifier of the terminal 401.
Correspondingly, the network device 403 may use the second key and the second privacy variable to decrypt the third ciphertext to obtain the location identifier of the terminal 401, and then replace the third ciphertext with the location identifier of the terminal 401 to obtain the fifth data packet. The third ciphertext may be set in the network layer protocol header included in the fourth data packet. Optionally, the length of the third ciphertext is equal to the length of the location identifier of the terminal 401. Optionally, the length of the destination address is variable, and the length of the third ciphertext may not be equal to the length of the location identifier of the terminal 401.
The second privacy variable can be set at any position in the fourth data packet. For example, the second privacy variable is exposed in the network layer protocol header included in the fourth data packet, and the network device 403 extracts the second privacy variable from that header. For another example, the second privacy variable is hidden in the network layer protocol header included in the second data packet. The network device 403 may decrypt the third ciphertext to obtain a decryption result that includes the second privacy variable, and obtain the second privacy variable from the decryption result. For a detailed explanation, refer to the description of the encryption process of the network device 403 above. In this way, when the network device 403 receives the fourth data packet containing the third ciphertext, it can use the second key and the second privacy variable to decrypt the third ciphertext to obtain the location identifier of the terminal 401. The second privacy variable includes at least one of time information, information related to the device that transmits or receives the fourth data packet, a random number, and a regularly changing parameter. The information related to the device that transmits or receives the fourth data packet is the source IP address included in the fourth data packet, that is, the IP address of the application server 405.
The network device 403 can use the decryption method of S1006 or S1003 to decrypt the location identifier of the terminal 401. For the detailed decryption process, refer to the description of S1006 or S1003; details are not repeated here. The fourth data packet also includes the first ciphertext. The first ciphertext may be set in the network layer protocol header included in the fourth data packet.
The network device 402 can use the first key and the first privacy variable to decrypt the first ciphertext to obtain the identity identifier of the terminal 401, and then replace the first ciphertext with the identity identifier of the terminal 401 to obtain the sixth data packet. The first ciphertext may be set in the network layer protocol header included in the fifth data packet. Optionally, the length of the first ciphertext is equal to the length of the identity identifier of the terminal 401. Optionally, the length of the destination address is variable, and the length of the first ciphertext may not be equal to the length of the identity identifier of the terminal 401.
The first privacy variable can be set at any position in the fifth data packet. For example, the first privacy variable is exposed in the network layer protocol header included in the fifth data packet, and the network device 402 extracts the first privacy variable from that header. For another example, the first privacy variable is hidden in the network layer protocol header included in the fifth data packet. The network device 402 may decrypt the first ciphertext to obtain a decryption result that includes the first privacy variable, and obtain the first privacy variable from the decryption result. For a detailed explanation, refer to the description of the encryption process of the network device 402 above. In this way, when the network device 402 receives the fifth data packet containing the first ciphertext, it can use the first key and the first privacy variable to decrypt the first ciphertext to obtain the identity identifier of the terminal 401. The first privacy variable includes at least one of time information, information related to the device that transmits or receives the fifth data packet, a random number, and a regularly changing parameter. The information related to the device that transmits or receives the fifth data packet is the source IP address included in the fifth data packet, that is, the IP address of the application server 405.
The network device 402 can use the decryption method of S1006 or S1003 to decrypt the identity identifier of the terminal 401. For the detailed decryption process, refer to the description of S1006 or S1003; details are not repeated here.
As an example, FIG. 17 is a schematic diagram of the decryption process of the destination IP address. For the fourth data packet generated by the application server 405, the value of the external locator bits is the location identifier of the network device 403, the value of the internal locator bits is the EIP, and the value of the host identifier bits may be the EHID. For the fifth data packet generated by the network device 403, the value of the external locator bits is a padding value, the value of the internal locator bits is the location identifier of the terminal 401, and the value of the host identifier bits may be the EHID. After the network device 403 decrypts the EIP to obtain the location identifier of the terminal 401, it replaces the EIP with the location identifier of the terminal 401. Optionally, the value of the host identifier bits may also be the identity identifier of the terminal 401. For the fifth data packet generated by the network device 402, the value of the external locator bits is a padding value, the value of the internal locator bits is the location identifier of the terminal 401, and the value of the host identifier bits may be the identity identifier (HID) of the terminal 401. After the network device 402 decrypts the EHID to obtain the identity identifier of the terminal 401, it replaces the EHID with the identity identifier of the terminal 401.
The method used to decrypt the third ciphertext to obtain the location identifier of the terminal 401 is not limited, nor is the method used to decrypt the first ciphertext to obtain the identity identifier of the terminal 401.
For example, the network device 402 may decrypt the first ciphertext using the decryption method of S1003 to obtain the identity identifier of the terminal 401, and the network device 403 may decrypt the third ciphertext using the decryption method of S1003 to obtain the location identifier of the terminal 401.
As another example, the network device 402 may decrypt the first ciphertext using the decryption method of S1006 to obtain the identity identifier of the terminal 401, and the network device 403 may decrypt the third ciphertext using the decryption method of S1006 to obtain the location identifier of the terminal 401.
As another example, the network device 402 may decrypt the first ciphertext using the decryption method of S1003 to obtain the identity identifier of the terminal 401, and the network device 403 may decrypt the third ciphertext using the decryption method of S1006 to obtain the location identifier of the terminal 401.
As another example, the network device 402 may decrypt the first ciphertext using the decryption method of S1006 to obtain the identity identifier of the terminal 401, and the network device 403 may decrypt the third ciphertext using the decryption method of S1003 to obtain the location identifier of the terminal 401.
Optionally, after receiving the first data packet from the terminal 401, the network device 402 does not perform S503, that is, it does not encrypt the identity identifier of the terminal 401, and forwards the first data packet. The network device 403 receives the first data packet, which includes the identity identifier of the terminal 401. The network device 403 may encrypt the location identifier of the terminal 401 according to the second key and the second privacy variable to obtain the third ciphertext, and replace the location identifier of the terminal 401 with the third ciphertext. Optionally, the length of the third ciphertext is equal to the length of the location identifier of the terminal 401; alternatively, the length of the third ciphertext is not equal to the length of the location identifier of the terminal 401. For the encryption process, refer to the description of S506 or S503, which is not repeated here.
Optionally, the second privacy variable may be the first ciphertext (EHID). After the network device 402 encrypts the identity identifier of the terminal 401 to obtain the EHID, it replaces the identity identifier of the terminal 401 with the EHID. After the network device 403 encrypts the location identifier of the terminal 401 to obtain the EIP, it replaces the value of the internal locator bits with the EIP, that is, it replaces the location identifier of the terminal 401 with the EIP. The network device 403 may generate a fourth ciphertext according to the second key and the first ciphertext, and then determine the third ciphertext (EIP) according to the fourth ciphertext and the location identifier of the terminal 401. For the specific encryption method, refer to the description of S503, which is not repeated here. The network device 403 replaces the value of the internal locator bits with the EIP, that is, it replaces the location identifier of the terminal 401 with the EIP. The value of the host identifier bits may be the encrypted identity identifier of the terminal 401, that is, the first ciphertext (EHID).
When the network device 403 decrypts the third ciphertext, it generates the fourth ciphertext according to the second key and the first ciphertext, and determines the location identifier of the terminal 401 according to the fourth ciphertext and the third ciphertext. The network device 403 may replace the value EIP of the host identifier bits with the location identifier of the terminal 401.
The data processing method provided in this application can be applied in a cloud environment, so that a cloud service provider that has deployed a large number of edge nodes can offer privacy protection to its users. A user can choose a cloud service that provides privacy protection for IPv6 addresses to forward data packets. For example, the multiple application servers 405 in FIG. 4 may be application servers under the control of a cloud service provider. The cloud service provider can deploy a large number of edge nodes to provide data transmission services to users. An edge node close to the terminal may be called a near-source node, for example, the network device 402 in FIG. 4. An edge node close to the website server (for example, the application server 405) may be called a near-destination node, for example, the network device 403 in FIG. 4. When the terminal 401 sends data to the application server 405, it can choose edge nodes of the cloud service provider to serve it.
As an example, FIG. 18 is a schematic diagram of the architecture of a communication system based on cloud services. The communication system includes at least one terminal 401, an internetwork, and at least one application server. The internetwork may include at least one network device (for example, the network device 402 and the network device 403). Assume that the IP address of the terminal 401 is IP_UE and its identity identifier is HID_UE, the IP address of the network device 402 is IP0, the IP address of the network device 403 is IP1, and the IP address of the application server 405 is IP_s1. For other explanations of the communication system, refer to the description of FIG. 4, which is not repeated here. Next, data processing in the cloud-service-based communication system is described with reference to FIG. 19 and FIG. 20. As shown in FIG. 19, the data processing method of this embodiment of the application includes the following steps.
S1901. The terminal 401 sends a first data packet to the network device 402.
The terminal 401 selects the cloud service provider node closest to it, that is, the network device 402. The terminal 401 establishes a secure channel with the network device 402 and sends its outgoing first data packet to the network device 402 through the secure channel. The inner IP header of the first data packet contains a source address and a destination address: the source address contains the identification bits and the identity identifier HID_UE of the terminal 401, and the destination address contains the IP address IP_s1 of the application server 405. The outer IP header of the first data packet also contains a source address and a destination address: the source address is the IP address IP_UE of the terminal 401, and the destination address is the IP address IP0 of the network device 402.
S1902. The network device 402 receives the first data packet from the terminal 401.
On receiving the first data packet, the network device 402 first decapsulates it to obtain the destination address in the inner IP header, that is, the IP address IP_s1 of the application server 405. Based on IP_s1, it selects the cloud provider node closest to the application server 405, that is, the network device 403.
S1903. The network device 402 forwards a second data packet to the network device 403.
The network device 402 establishes a secure channel with the network device 403 and sends its outgoing second data packet to the network device 403 through the secure channel. The inner IP header of the second data packet contains a source address and a destination address: the source address contains the identification bits and the identity identifier HID_UE of the terminal 401, and the destination address contains the IP address IP_s1 of the application server 405. The outer IP header of the second data packet also contains a source address and a destination address: the source address is the IP address IP0 of the network device 402, and the destination address is the IP address IP1 of the network device 403.
S1904. The network device 403 receives the second data packet from the network device 402.
On receiving the second data packet, the network device 403 first decapsulates it to obtain the source address and the destination address in the inner IP header. The source address is the identity identifier HID_UE of the terminal 401. The destination address is the IP address IP_s1 of the application server 405.
S1905. The network device 403 generates a first ciphertext according to the identity identifier of the terminal 401, the first privacy variable, and the first key.
The network device 403 encrypts the identity identifier HID_UE of the terminal 401 to protect it. For example, the network device 403 generates a second ciphertext according to the first key and the first privacy variable, and determines the first ciphertext according to the second ciphertext and the identity identifier HID_UE of the terminal 401. The first privacy variable may be the IP address IP_s1 of the application server 405. The network device 403 replaces the identity identifier (HID_UE) of the terminal 401 with the first ciphertext (EHID). For details, refer to the description of S503, which is not repeated here.
S1906. The network device 403 generates a third ciphertext according to the location identifier of the network device 402, the second privacy variable, and the second key.
The network device 403 encrypts the location identifier of the network device 402 to protect it. For example, the network device 403 generates the data to be encrypted according to the location identifier of the network device 402 and the second privacy variable, and generates the third ciphertext (EIP) according to the second key and the data to be encrypted. The network device 403 replaces the location identifier of the network device 402 and the EHID with the third ciphertext. For details, refer to the description of S506, which is not repeated here.
Here, the second privacy variable may be the first ciphertext. The location identifier of the network device 402 may be an index of the network device 402. Optionally, the network device 403 may look up the locator index mapping table with the IP address IP0 of the network device 402 to obtain the index of the network device 402.
The difference from the foregoing embodiments is that encryption of the location identifier of the terminal 401 is replaced by encryption of the location identifier of the network device 402.
S1907. The network device 403 forwards a third data packet to the application server 405.
The network device 403 forwards the third data packet to the application server 405. The third data packet includes the third ciphertext and the IP address IP1 of the network device 403.
S1908. The application server 405 receives the third data packet from the network device 403.
Further, after the application server 405 receives the data packet in which the identifier of the terminal 401 is ciphertext, that is, after S1901 to S1908, the application server 405 can also use the ciphertext to send data packets to the terminal 401. As shown in FIG. 20, the data processing method of this embodiment of the application further includes the following steps.
S1909. The application server 405 sends a fourth data packet to the network device 403.
The value of the destination address in the fourth data packet contains the third ciphertext. The third ciphertext is placed in the network layer protocol header of the fourth data packet.
S1910. The network device 403 receives the fourth data packet from the application server 405.
S1911. The network device 403 generates the first ciphertext according to the third ciphertext, the second privacy variable, and the second key.
The network device 403 decrypts the third ciphertext: it generates a decryption result according to the third ciphertext and the second key, and determines the location identifier of the network device 402 according to the decryption result and the second privacy variable, that is, according to the decryption result and the first ciphertext. For details, refer to the description of S1103, which is not repeated here.
After the network device 403 decrypts the third ciphertext to obtain the decryption result, it can replace the third ciphertext in the fourth data packet with the location identifier of the network device 402 and the first ciphertext to generate a fifth data packet. The location identifier of the network device 402 and the first ciphertext are placed in the network layer protocol header of the fifth data packet.
S1912. The network device 403 generates the identity identifier of the terminal 401 according to the first ciphertext, the first privacy variable, and the first key.
The network device 403 decrypts the first ciphertext to obtain the identity identifier of the terminal 401, and replaces the first ciphertext in the fourth data packet with the identity identifier of the terminal 401 to generate the fifth data packet. The identity identifier of the terminal 401 is placed in the network layer protocol header of the fifth data packet.
For example, the network device 402 generates the second ciphertext according to the first privacy variable and the first key, and determines the identity identifier of the terminal 401 according to the second ciphertext and the first ciphertext. The first privacy variable may be the IP address IP_s1 of the application server 405. For details, refer to the description of S1106, which is not repeated here.
S1913. The network device 403 forwards the fifth data packet to the network device 402.
The network device 403 forwards the fifth data packet to the network device 402 through the secure channel according to the location identifier of the network device 402. The inner IP header of the fifth data packet contains a source address and a destination address: the source address contains the IP address IP_s1 of the application server 405, and the destination address contains the location identifier of the network device 402 and the identity identifier (HID_UE) of the terminal 401. The outer IP header of the fifth data packet also contains a source address and a destination address: the source address is the IP address IP1 of the network device 403, and the destination address is the IP address IP0 of the network device 402.
S1914. The network device 402 receives the fifth data packet from the network device 403.
S1915. The network device 402 forwards a sixth data packet to the terminal 401.
The network device 402 forwards the sixth data packet to the terminal 401 through the secure channel.
The inner IP header of the sixth data packet contains a source address and a destination address: the source address contains the IP address IP_s1 of the application server 405, and the destination address contains the location identifier of the network device 402 and the identity identifier (HID_UE) of the terminal 401. The outer IP header of the sixth data packet also contains a source address and a destination address: the source address is the IP address IP0 of the network device 402, and the destination address is the IP address IP_UE of the terminal 401.
S1916. The terminal 401 receives the sixth data packet from the network device 402.
In this embodiment of the application, the network device 402 and the network device 403 encrypt the identifier of the terminal 401 and thereby hide the terminal's IP address. This prevents an attacker (for example, an untrusted device or an eavesdropper) from obtaining the IP address of the terminal 401 and deriving the identity identifier and location identifier of the terminal 401 from it. Because different destination hosts see different addresses for the same source host, colluding destinations cannot correlate the traffic that one source host sends to different destination hosts. A destination host or an attacker also cannot use the IP address of a compromised host on the same local area network to infer that two hosts are on the same local area network.
As an example, FIG. 21 is a schematic diagram of the encryption process of the source IP address. For the data packet generated by the terminal 401, the value of the external locator bits is a padding value, the value of the internal locator bits may be the index of the network device 402, and the value of the host identifier bits may be the identity identifier HID_UE of the terminal 401. The network device 403 first encrypts the identity identifier HID_UE of the terminal 401 to obtain the EHID, and replaces the value of the host identifier bits with the EHID. The network device 403 then encrypts the EHID together with the index of the network device 402 to generate the EIP, and replaces the value of the internal locator bits (the index of the network device 402) and the EHID with the EIP. For the specific encryption method, refer to the description of the foregoing embodiments, which is not repeated here.
The external locator bits occupy x bits of the source address; for example, the external locator bits occupy 62 bits of the destination address. The internal locator bits occupy y1 bits of the source address, for example, 48 bits. The host identifier bits occupy y2 bits of the source address, for example, 16 bits. The tag bits occupy z bits of the source address, for example, 2 bits.
FIG. 22 is a schematic diagram of the decryption process of the destination IP address. The data packet generated by the application server 405 includes the EIP. The network device 403 first decrypts the EIP to obtain the index of the network device 402 and the EHID, and replaces the EIP with the index of the network device 402 and the EHID. The network device 403 then decrypts the EHID to obtain HID_UE, and replaces the EHID with HID_UE. For the specific decryption method, refer to the description of the foregoing embodiments, which is not repeated here.
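The source-address encryption of FIG. 21 (S1905, S1906) and the destination-address decryption of FIG. 22 (S1911, S1912) can be traced end to end in the following added example, which is not code from the application. It assumes things the text leaves open: HMAC-SHA256 as the function that produces the second ciphertext, XOR as the way it is combined with HID_UE, a 4-round Feistel permutation as the 64-bit cipher for the EIP, the field order tag | external locator | internal locator | host identifier, and constructed keys and addresses.

```python
import hashlib
import hmac
import ipaddress

# Example field widths from the text: 62 + 48 + 16 + 2 = 128 bits.
EXT_BITS, INT_BITS, HID_BITS, TAG_BITS = 62, 48, 16, 2


def prf(key: bytes, data: bytes, bits: int) -> int:
    """HMAC-SHA256 truncated to its top `bits` bits (assumed PRF)."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def feistel64(key: bytes, block: int, decrypt: bool = False, rounds: int = 4) -> int:
    """Length-preserving 64-bit permutation (assumed stand-in for the cipher)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for r in (range(rounds - 1, -1, -1) if decrypt else range(rounds)):
        if decrypt:
            left, right = right ^ prf(key, bytes([r]) + left.to_bytes(4, "big"), 32), left
        else:
            left, right = right, left ^ prf(key, bytes([r]) + right.to_bytes(4, "big"), 32)
    return (left << 32) | right


def encrypt_source(hid: int, index_402: int, server_ip: str, k1: bytes, k2: bytes) -> int:
    """Network device 403, outbound: return the 64-bit EIP."""
    if hid >> HID_BITS or index_402 >> INT_BITS:
        raise ValueError("field does not fit its bit width")
    pv1 = ipaddress.ip_address(server_ip).packed   # first privacy variable: IP_s1
    ehid = hid ^ prf(k1, pv1, HID_BITS)            # S1905: EHID from HID_UE
    # S1906: data to be encrypted = index of 402 || EHID (second privacy variable)
    return feistel64(k2, (index_402 << HID_BITS) | ehid)


def decrypt_destination(eip: int, server_ip: str, k1: bytes, k2: bytes):
    """Network device 403, return path: recover (index of 402, HID_UE)."""
    plain = feistel64(k2, eip, decrypt=True)       # S1911: EIP -> index || EHID
    index_402, ehid = plain >> HID_BITS, plain & ((1 << HID_BITS) - 1)
    pv1 = ipaddress.ip_address(server_ip).packed   # source address of the reply
    return index_402, ehid ^ prf(k1, pv1, HID_BITS)  # S1912: EHID -> HID_UE


def pack_address(tag: int, ext_locator: int, low64: int) -> ipaddress.IPv6Address:
    """Assemble the 128-bit address in the assumed field order."""
    if tag >> TAG_BITS or ext_locator >> EXT_BITS or low64 >> (INT_BITS + HID_BITS):
        raise ValueError("field does not fit its bit width")
    return ipaddress.IPv6Address(
        (tag << (128 - TAG_BITS)) | (ext_locator << (INT_BITS + HID_BITS)) | low64
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the application.
    k1, k2 = b"constructed-first-key", b"constructed-second-key"
    hid_ue, index_402, locator_403 = 0x1A2B, 0x402, 0x403
    for server in ("2001:db8:1::10", "2001:db8:2::20"):
        eip = encrypt_source(hid_ue, index_402, server, k1, k2)
        seen = pack_address(0b01, locator_403, eip)
        back = decrypt_destination(eip, server, k1, k2)
        print(f"{server} sees source {seen}; 403 recovers index={back[0]:#x} hid={back[1]:#x}")
```

Because IP_s1 feeds the pad that masks HID_UE, each application server sees a different 64-bit EIP for the same terminal, while the network device 403 needs only the two keys and the packet itself, with no per-flow state, to reverse it.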
For other possible implementations of the encryption process in this embodiment of the application, refer to the description of the foregoing embodiments, which is not repeated here.
The foregoing embodiments describe the process of encrypting the terminal's identifier in different scenarios. In summary, the network device encrypts the terminal's identifier according to a key and a privacy variable to obtain a ciphertext, and replaces the terminal's identifier with the ciphertext. The network device then sends a second data packet that includes the ciphertext. By encrypting the terminal's identifier, the network device hides the terminal's IP address, which prevents an attacker (for example, an untrusted device or an eavesdropper) from obtaining the terminal's IP address and deriving the terminal's identity identifier and location identifier from it.
Next, FIG. 23 is a flowchart of a data processing method provided by an embodiment of this application. The method may include the following steps:
S2301. The terminal sends a first data packet to a network device, where the first data packet includes the identifier of the terminal.
The identifier of the terminal is used to indicate the terminal, and is placed in the network layer protocol header of the first data packet.
S2302. The network device receives the first data packet.
S2303. The network device generates a first ciphertext according to the identifier of the terminal, a privacy variable, and a key.
The identifier of the terminal may be the identity identifier of the terminal or the location identifier of the terminal. The network devices and keys used to encrypt the terminal's identity identifier and the terminal's location identifier may be different or the same; this is not limited. For details, refer to the descriptions of S503, S506, S1905, and S1906, which are not repeated here.
S2304. The network device sends a second data packet, where the second data packet includes the first ciphertext.
The first ciphertext is placed in the network layer protocol header of the second data packet.
S2305. The application server receives the second data packet.
S2306. The application server sends a third data packet to the network device, where the third data packet includes the first ciphertext.
The first ciphertext is determined according to the identifier of the terminal, the privacy variable, and the key. The identifier of the terminal is used to indicate the terminal, and the first ciphertext is placed in the network layer protocol header of the third data packet.
S2307. The network device receives the third data packet.
S2308. The network device generates the identifier of the terminal according to the first ciphertext, the privacy variable, and the key.
For the corresponding decryption process, refer to the descriptions of S1003, S1006, S1911, and S1912, which are not repeated here.
S2309. The network device sends a fourth data packet, where the fourth data packet includes the identifier of the terminal.
The identifier of the terminal is placed in the network layer protocol header of the fourth data packet.
S2310. The terminal receives the fourth data packet.
It can be understood that, in order to implement the functions in the foregoing embodiments, the network device includes hardware structures and/or software modules corresponding to each function. Those skilled in the art should readily appreciate that, in combination with the units and method steps of the examples described in the embodiments disclosed in this application, this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a given function is executed by hardware or by computer software driving hardware depends on the specific application scenario and design constraints of the technical solution.
FIG. 24 and FIG. 25 are schematic structural diagrams of possible data processing apparatuses provided by embodiments of this application. These data processing apparatuses can be used to implement the functions of the network device in the foregoing method embodiments, and can therefore also achieve the beneficial effects of the foregoing method embodiments. In the embodiments of this application, the data processing apparatus may be the network device 402 or the network device 403 shown in FIG. 4, or may be a module (such as a chip) applied to a network device.
As shown in FIG. 24, the data processing apparatus 2400 includes a receiving unit 2410, a processing unit 2420, and a sending unit 2430. The data processing apparatus 2400 is used to implement the functions of the network device in the method embodiments shown in FIG. 5, FIG. 7, FIG. 10, FIG. 12, FIG. 19, FIG. 20, or FIG. 23.
When the data processing apparatus 2400 is used to implement the functions of the network device 402 in the method embodiment shown in FIG. 5: the receiving unit 2410 is used to perform S502; the processing unit 2420 is used to perform S503; and the sending unit 2430 is used to perform S504.
When the data processing apparatus 2400 is used to implement the functions of the network device 403 in the method embodiment shown in FIG. 5: the receiving unit 2410 is used to perform S505; the processing unit 2420 is used to perform S506; and the sending unit 2430 is used to perform S507.
When the data processing apparatus 2400 is used to implement the functions of the network device 402 in the method embodiment shown in FIG. 7: the receiving unit 2410 is used to perform S502; the processing unit 2420 is used to perform S5031 and S5032; and the sending unit 2430 is used to perform S504.
When the data processing apparatus 2400 is used to implement the functions of the network device 403 in the method embodiment shown in FIG. 7: the receiving unit 2410 is used to perform S505; the processing unit 2420 is used to perform S5061 and S5062; and the sending unit 2430 is used to perform S507.
When the data processing apparatus 2400 is used to implement the functions of the network device 402 in the method embodiment shown in FIG. 10: the receiving unit 2410 is used to perform S1005; the processing unit 2420 is used to perform S1006; and the sending unit 2430 is used to perform S1007.
When the data processing apparatus 2400 is used to implement the functions of the network device 403 in the method embodiment shown in FIG. 10: the receiving unit 2410 is used to perform S1002; the processing unit 2420 is used to perform S1003; and the sending unit 2430 is used to perform S1004.
When the data processing apparatus 2400 is used to implement the functions of the network device 402 in the method embodiment shown in FIG. 12: the receiving unit 2410 is used to perform S1005; the processing unit 2420 is used to perform S1006a and S1006b; and the sending unit 2430 is used to perform S1007.
When the data processing apparatus 2400 is used to implement the functions of the network device 403 in the method embodiment shown in FIG. 12: the receiving unit 2410 is used to perform S1002; the processing unit 2420 is used to perform S1003a and S1003b; and the sending unit 2430 is used to perform S1004.
When the data processing apparatus 2400 is used to implement the functions of the network device 402 in the method embodiment shown in FIG. 19: the receiving unit 2410 is used to perform S1902; and the sending unit 2430 is used to perform S1903.
When the data processing apparatus 2400 is used to implement the functions of the network device 403 in the method embodiment shown in FIG. 19: the receiving unit 2410 is used to perform S1904; the processing unit 2420 is used to perform S1905 and S1906; and the sending unit 2430 is used to perform S1907.
When the data processing apparatus 2400 is used to implement the functions of the network device 402 in the method embodiment shown in FIG. 20: the receiving unit 2410 is used to perform S1914; and the sending unit 2430 is used to perform S1915.
When the data processing apparatus 2400 is used to implement the functions of the network device 403 in the method embodiment shown in FIG. 20: the receiving unit 2410 is used to perform S1910; the processing unit 2420 is used to perform S1911 and S1912; and the sending unit 2430 is used to perform S1913.
When the data processing apparatus 2400 is used to implement the functions of the network device in the method embodiment shown in FIG. 23: the receiving unit 2410 is used to perform S2302 and S2307; the processing unit 2420 is used to perform S2303 and S2308; and the sending unit 2430 is used to perform S2304 and S2309.
For more detailed descriptions of the receiving unit 2410, the processing unit 2420, and the sending unit 2430, refer directly to the relevant descriptions in the method embodiments shown in FIG. 5, FIG. 7, FIG. 10, FIG. 12, FIG. 19, FIG. 20, or FIG. 23; details are not repeated here.
As shown in FIG. 25, the data processing apparatus 2500 includes a processor 2510 and an interface circuit 2520. The processor 2510 and the interface circuit 2520 are coupled to each other. It can be understood that the interface circuit 2520 may be a transceiver or an input/output interface. Optionally, the data processing apparatus 2500 may further include a memory 2530 for storing instructions executed by the processor 2510, input data required by the processor 2510 to run the instructions, or data generated after the processor 2510 runs the instructions.
When the data processing apparatus 2500 is used to implement the method shown in FIG. 5, FIG. 7, FIG. 10, FIG. 12, FIG. 19, FIG. 20, or FIG. 23, the processor 2510 is used to perform the functions of the processing unit 2420, and the interface circuit 2520 is used to perform the functions of the receiving unit 2410 and the sending unit 2430.
It can be understood that the processor in the embodiments of this application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The general-purpose processor may be a microprocessor or any conventional processor.
The method steps in the embodiments of this application can be implemented in hardware, or by a processor executing software instructions. The software instructions can be composed of corresponding software modules, which can be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium. The storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an ASIC. In addition, the ASIC can be located in a network device or a terminal device. The processor and the storage medium may also exist as discrete components in the network device or the terminal device.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer programs or instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are executed in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, user equipment, or another programmable apparatus. The computer programs or instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer programs or instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center in a wired or wireless manner. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that integrates one or more available media. The available medium may be a magnetic medium, such as a floppy disk, a hard disk, or a magnetic tape; an optical medium, such as a digital video disc (DVD); or a semiconductor medium, such as a solid state drive (SSD).
In the various embodiments of this application, unless otherwise specified or logically conflicting, the terms and/or descriptions in different embodiments are consistent and can be mutually referenced, and the technical features in different embodiments can be combined according to their inherent logical relationships to form new embodiments.
In this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes the association relationship of the associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A exists alone, A and B exist at the same time, or B exists alone, where A and B can be singular or plural. In the text of this application, the character "/" generally indicates an "or" relationship between the objects before and after it; in the formulas of this application, the character "/" indicates a "division" relationship between the objects before and after it.
It can be understood that the various numerical designations involved in the embodiments of this application are only distinctions made for ease of description and are not used to limit the scope of the embodiments of this application. The sequence numbers of the above processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic.

Claims (46)

  1. A data processing method, characterized in that it comprises:
    receiving a first data packet, wherein the first data packet includes an identifier of a terminal, and the identifier of the terminal is used to indicate the terminal; the identifier of the terminal is set in a network layer protocol header included in the first data packet; and the identifier of the terminal is an identity identifier of the terminal or a location identifier of the terminal;
    generating a first ciphertext according to the identifier of the terminal, a privacy variable, and a key;
    sending a second data packet, wherein the second data packet includes the first ciphertext, and the first ciphertext is set in a network layer protocol header included in the second data packet.
  2. The method according to claim 1, wherein before the sending of the second data packet, the method further comprises:
    replacing the identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the second data packet does not include the identifier of the terminal.
  3. The method according to claim 2, wherein if the identifier of the terminal is the identity identifier of the terminal, the replacing of the identifier of the terminal included in the first data packet with the first ciphertext comprises:
    replacing the identity identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the second data packet does not include the identity identifier of the terminal;
    the privacy variable includes at least one of time information, information related to a device that transmits or receives the first data packet, a random number, and a parameter that changes regularly.
  4. The method according to claim 2, wherein if the identifier of the terminal is the location identifier of the terminal, the replacing of the identifier of the terminal included in the first data packet with the first ciphertext comprises:
    replacing the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the second data packet does not include the location identifier of the terminal;
    the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to a device that transmits or receives the first data packet, a random number, and a parameter that changes regularly.
  5. The method according to claim 3 or 4, wherein the information related to the device that transmits or receives the first data packet is a destination Internet Protocol (IP) address included in the first data packet.
  6. The method according to claim 2, wherein if the identifier of the terminal is the location identifier of the terminal, the replacing of the identifier of the terminal included in the first data packet with the first ciphertext comprises:
    replacing the encrypted identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the privacy variable is the encrypted identity identifier of the terminal;
    or replacing the identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the privacy variable is the identity identifier of the terminal.
  7. The method according to any one of claims 1-5, wherein generating the first ciphertext according to the identifier of the terminal, the privacy variable, and the key comprises:
    generating a second ciphertext according to the key and the privacy variable;
    determining the first ciphertext according to the second ciphertext and the identifier of the terminal.
  8. The method according to claim 7, wherein determining the first ciphertext according to the second ciphertext and the identifier of the terminal comprises:
    performing an exclusive OR operation on the second ciphertext and the identifier of the terminal to obtain the first ciphertext.
  9. The method according to any one of claims 1-3 and 6, wherein generating the first ciphertext according to the identifier of the terminal, the privacy variable, and the key comprises:
    generating data to be encrypted according to the identifier of the terminal and the privacy variable;
    generating the first ciphertext according to the key and the data to be encrypted.
  10. The method according to any one of claims 4-6, wherein the second data packet further includes a locator for addressing a network device.
  11. The method according to any one of claims 1-10, wherein the first data packet further includes first indication information, and the first indication information is used to instruct encryption of the identifier of the terminal.
  12. The method according to any one of claims 1-11, wherein after the sending of the second data packet, the method further comprises:
    receiving a third data packet, wherein the third data packet includes a first ciphertext, the first ciphertext is determined according to the identifier of the terminal, the privacy variable, and the key, the identifier of the terminal is used to indicate the terminal, and the identifier of the terminal is the identity identifier of the terminal or the location identifier of the terminal; the first ciphertext is set in a network layer protocol header included in the third data packet;
    generating the identifier of the terminal according to the first ciphertext, the privacy variable, and the key;
    sending a fourth data packet, wherein the fourth data packet includes the identifier of the terminal, and the identifier of the terminal is set in a network layer protocol header included in the fourth data packet.
  13. The method according to claim 12, wherein before the sending of the fourth data packet, the method further comprises:
    replacing the first ciphertext included in the third data packet with the identifier of the terminal to obtain the fourth data packet, wherein the fourth data packet does not include the first ciphertext.
  14. The method according to claim 13, wherein if the identifier of the terminal is the identity identifier of the terminal, the replacing of the first ciphertext included in the third data packet with the identifier of the terminal comprises:
    replacing the first ciphertext included in the third data packet with the identity identifier of the terminal to obtain the fourth data packet;
    the privacy variable includes at least one of time information, information related to a device that transmits or receives the third data packet, a random number, and a parameter that changes regularly.
  15. The method according to claim 13, wherein if the identifier of the terminal is the location identifier of the terminal, the replacing of the first ciphertext included in the third data packet with the identifier of the terminal comprises:
    replacing the first ciphertext included in the third data packet with the location identifier of the terminal to obtain the fourth data packet;
    the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to a device that transmits or receives the third data packet, a random number, and a parameter that changes regularly.
  16. The method according to claim 14 or 15, wherein the information related to the device that transmits or receives the third data packet is a source IP address included in the third data packet.
  17. The method according to claim 13, wherein if the identifier of the terminal is the location identifier of the terminal, the replacing of the first ciphertext included in the third data packet with the identifier of the terminal comprises:
    replacing the first ciphertext included in the third data packet with the location identifier of the terminal and the encrypted identity identifier of the terminal to obtain the fourth data packet, wherein the decryption result includes the location identifier of the terminal and the encrypted identity identifier of the terminal, and the privacy variable is the encrypted identity identifier of the terminal;
    or replacing the first ciphertext included in the third data packet with the location identifier of the terminal and the identity identifier of the terminal to obtain the fourth data packet, wherein the decryption result includes the location identifier of the terminal and the identity identifier of the terminal, and the privacy variable is the identity identifier of the terminal.
  18. The method according to any one of claims 12-16, wherein generating the identifier of the terminal according to the first ciphertext, the privacy variable, and the key comprises:
    generating a second ciphertext according to the key and the privacy variable;
    determining the identifier of the terminal according to the second ciphertext and the first ciphertext.
  19. The method according to claim 18, wherein determining the identifier of the terminal according to the second ciphertext and the first ciphertext comprises:
    performing an exclusive OR operation on the second ciphertext and the first ciphertext to obtain the identifier of the terminal.
  20. The method according to any one of claims 12-14 and 17, wherein generating the identifier of the terminal according to the first ciphertext, the privacy variable, and the key comprises:
    generating a decryption result according to the first ciphertext and the key;
    determining the identifier of the terminal according to the decryption result and the privacy variable.
  21. The method according to any one of claims 15-17, wherein the third data packet further includes a locator for addressing a network device; and before the sending of the fourth data packet, the method further comprises:
    replacing the locator for addressing the network device included in the third data packet with a padding value.
  22. The method according to any one of claims 12-21, wherein the third data packet further includes second indication information, and the second indication information is used to indicate that the identifier of the terminal has been encrypted.
  23. A data processing apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a first data packet, wherein the first data packet includes an identifier of a terminal, and the identifier of the terminal is used to indicate the terminal; the identifier of the terminal is set in a network layer protocol header included in the first data packet; and the identifier of the terminal is an identity identifier of the terminal or a location identifier of the terminal;
    a processing unit, configured to generate a first ciphertext according to the identifier of the terminal, a privacy variable, and a key;
    a sending unit, configured to send a second data packet, wherein the second data packet includes the first ciphertext, and the first ciphertext is set in a network layer protocol header included in the second data packet.
  24. The apparatus according to claim 23, wherein the processing unit is further configured to:
    replace the identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the second data packet does not include the identifier of the terminal.
  25. The apparatus according to claim 24, wherein if the identifier of the terminal is the identity identifier of the terminal, the processing unit is configured to:
    replace the identity identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the second data packet does not include the identity identifier of the terminal;
    the privacy variable includes at least one of time information, information related to a device that transmits or receives the first data packet, a random number, and a parameter that changes regularly.
  26. The apparatus according to claim 24, wherein if the identifier of the terminal is the location identifier of the terminal, the processing unit is configured to:
    replace the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the second data packet does not include the location identifier of the terminal;
    the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to a device that transmits or receives the first data packet, a random number, and a parameter that changes regularly.
  27. The apparatus according to claim 25 or 26, wherein the information related to the device that transmits or receives the first data packet is a destination Internet Protocol (IP) address included in the first data packet.
  28. The apparatus according to claim 24, wherein if the identifier of the terminal is the location identifier of the terminal, the processing unit is configured to:
    replace the encrypted identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the privacy variable is the encrypted identity identifier of the terminal;
    or replace the identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, wherein the privacy variable is the identity identifier of the terminal.
  29. 根据权利要求23-27中任一项所述的装置,其特征在于,所述处理单元用于:The device according to any one of claims 23-27, wherein the processing unit is configured to:
    根据所述密钥和所述隐私变量生成第二密文;Generating a second ciphertext according to the key and the privacy variable;
    根据所述第二密文和所述终端的标识确定所述第一密文。The first ciphertext is determined according to the second ciphertext and the identifier of the terminal.
  30. 根据权利要求29所述的装置,其特征在于,所述处理单元用于:The device according to claim 29, wherein the processing unit is configured to:
    对所述第二密文和所述终端的标识进行异或运算,得到所述第一密文。Perform an exclusive OR operation on the second ciphertext and the terminal identifier to obtain the first ciphertext.
  31. The apparatus according to any one of claims 23-25 and 28, wherein the processing unit is configured to:
    generate to-be-encrypted data according to the identifier of the terminal and the privacy variable;
    generate the first ciphertext according to the key and the to-be-encrypted data.
  32. The apparatus according to any one of claims 26-28, wherein the second data packet further includes a locator for addressing a network device.
  33. The apparatus according to any one of claims 23-32, wherein the first data packet further includes first indication information, and the first indication information is used to indicate that the identifier of the terminal is to be encrypted.
  34. The apparatus according to any one of claims 23-33, wherein:
    the receiving unit is further configured to receive a third data packet, the third data packet including a first ciphertext, wherein the first ciphertext is determined according to an identifier of a terminal, a privacy variable, and a key; the identifier of the terminal is used to indicate the terminal; the identifier of the terminal is an identity identifier of the terminal or a location identifier of the terminal; and the first ciphertext is set in a network layer protocol header included in the third data packet;
    the processing unit is further configured to generate the identifier of the terminal according to the first ciphertext, the privacy variable, and the key;
    the sending unit is further configured to send a fourth data packet, the fourth data packet including the identifier of the terminal.
  35. The apparatus according to claim 34, wherein the processing unit is further configured to:
    replace the first ciphertext included in the third data packet with the identifier of the terminal to obtain the fourth data packet, wherein the fourth data packet does not include the first ciphertext.
  36. The apparatus according to claim 35, wherein, if the identifier of the terminal is an identity identifier of the terminal, the processing unit is configured to:
    replace the first ciphertext included in the third data packet with the identity identifier of the terminal to obtain the fourth data packet;
    the privacy variable includes at least one of time information, information related to a device that transmits or receives the third data packet, a random number, and a regularly changing parameter.
  37. The apparatus according to claim 35, wherein, if the identifier of the terminal is a location identifier of the terminal, the processing unit is configured to:
    replace the first ciphertext included in the third data packet with the location identifier of the terminal to obtain the fourth data packet;
    the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or the privacy variable includes at least one of time information, information related to a device that transmits or receives the third data packet, a random number, and a regularly changing parameter, and the privacy variable is set in a network layer protocol header included in the fourth data packet.
  38. The apparatus according to claim 36 or 37, wherein the information related to a device that transmits or receives the third data packet is a source IP address included in the third data packet.
  39. The apparatus according to claim 35, wherein, if the identifier of the terminal is a location identifier of the terminal, the processing unit is configured to:
    replace the first ciphertext included in the third data packet with the location identifier of the terminal and the encrypted identity identifier of the terminal to obtain the fourth data packet, wherein a decryption result includes the location identifier of the terminal and the encrypted identity identifier of the terminal, and the privacy variable is the encrypted identity identifier of the terminal;
    or replace the first ciphertext included in the third data packet with the location identifier of the terminal and the identity identifier of the terminal to obtain the fourth data packet, wherein a decryption result includes the location identifier of the terminal and the identity identifier of the terminal, and the privacy variable is the identity identifier of the terminal.
  40. The apparatus according to any one of claims 34-38, wherein the processing unit is configured to:
    generate a second ciphertext according to the key and the privacy variable;
    determine the identifier of the terminal according to the second ciphertext and the first ciphertext.
  41. The apparatus according to claim 40, wherein the processing unit is configured to:
    perform an exclusive OR operation on the second ciphertext and the first ciphertext to obtain the identifier of the terminal.
  42. The apparatus according to any one of claims 34-36 and 39, wherein the processing unit is configured to:
    generate a decryption result according to the first ciphertext and the key;
    determine the identifier of the terminal according to the decryption result and the privacy variable.
  43. The apparatus according to any one of claims 37-39, wherein the third data packet further includes a locator for addressing a network device, and the processing unit is further configured to replace the locator for addressing a network device included in the third data packet with a padding value.
  44. The apparatus according to any one of claims 34-43, wherein the third data packet further includes second indication information, and the second indication information is used to indicate that the identifier of the terminal has been encrypted.
  45. A data processing apparatus, comprising at least one processor, a memory, and a bus, wherein the memory is configured to store a computer program, so that when the computer program is executed by the at least one processor, the data processing method according to any one of claims 1-22 is implemented.
  46. A computer-readable storage medium, comprising computer software instructions;
    when the computer software instructions run in a computer device or in a chip built into the computer device, the computer device is caused to execute the data processing method according to any one of claims 1-22.
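The XOR construction of claims 29-30 and its inverse in claims 40-41, as an added sketch that is not part of the patent text. HMAC-SHA256 as the function producing the second ciphertext, the privacy-variable encoding (time information plus destination IP address), and every key and identifier value are assumptions constructed for illustration; the last function shows why the privacy variable has to change between packets.

```python
import hashlib
import hmac
import ipaddress

def privacy_variable(timestamp: int, dest_ip: str) -> bytes:
    """Assumed encoding: 8-byte time information followed by the packed destination IP."""
    return timestamp.to_bytes(8, "big") + ipaddress.ip_address(dest_ip).packed

def second_ciphertext(key: bytes, pv: bytes, length: int) -> bytes:
    """Second ciphertext from key and privacy variable (HMAC-SHA256 is an assumption)."""
    if not 0 < length <= hashlib.sha256().digest_size:
        raise ValueError("this sketch masks identifiers of 1 to 32 bytes")
    return hmac.new(key, pv, hashlib.sha256).digest()[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def hide_identifier(key: bytes, pv: bytes, terminal_id: bytes) -> bytes:
    """Sender side: first ciphertext = second ciphertext XOR terminal identifier."""
    return xor_bytes(second_ciphertext(key, pv, len(terminal_id)), terminal_id)

def recover_identifier(key: bytes, pv: bytes, first_ciphertext: bytes) -> bytes:
    """Receiver side: terminal identifier = second ciphertext XOR first ciphertext."""
    return xor_bytes(second_ciphertext(key, pv, len(first_ciphertext)), first_ciphertext)

# Constructed sample values, not taken from the patent.
KEY = bytes(range(32))
ID_A = bytes.fromhex("20010db8000000000000000000000a01")
ID_B = bytes.fromhex("20010db8000000000000000000000b02")
PV_1 = privacy_variable(1616025600, "2001:db8::53")
PV_2 = privacy_variable(1616025601, "2001:db8::53")

def fresh_variable_unlinks() -> bool:
    """The same identifier under two privacy variables yields different ciphertexts."""
    return hide_identifier(KEY, PV_1, ID_A) != hide_identifier(KEY, PV_2, ID_A)

def repeated_variable_leak() -> bytes:
    """With a repeated privacy variable the mask cancels: c_a XOR c_b equals id_a XOR id_b."""
    return xor_bytes(hide_identifier(KEY, PV_1, ID_A), hide_identifier(KEY, PV_1, ID_B))

if __name__ == "__main__":
    c1 = hide_identifier(KEY, PV_1, ID_A)
    print(c1.hex(), recover_identifier(KEY, PV_1, c1) == ID_A)
    print(fresh_variable_unlinks(), repeated_variable_leak().hex())
```

The XOR form also provides no integrity: flipping a bit of the first ciphertext flips the same bit of the recovered identifier, so a deployment would need separate authentication of the header field.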
PCT/CN2021/081536 2020-03-20 2021-03-18 Data processing method and apparatus WO2021185314A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010203158.4A CN113497788A (en) 2020-03-20 2020-03-20 Data processing method and device
CN202010203158.4 2020-03-20

Publications (1)

Publication Number Publication Date
WO2021185314A1 true WO2021185314A1 (en) 2021-09-23

Family

ID=77770161

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/081536 WO2021185314A1 (en) 2020-03-20 2021-03-18 Data processing method and apparatus

Country Status (2)

Country Link
CN (1) CN113497788A (en)
WO (1) WO2021185314A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844729B (en) * 2022-07-04 2022-09-30 中国人民解放军国防科技大学 Network information hiding method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050141531A1 (en) * 2003-12-25 2005-06-30 Hitachi, Ltd. Communication relay method and relay device
US7131141B1 (en) * 2001-07-27 2006-10-31 At&T Corp. Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
CN101383831A (en) * 2008-10-15 2009-03-11 华东师范大学 Network flow standardized flow pretending method
US20110103394A1 (en) * 2009-11-05 2011-05-05 Telefonaktiebolaget L M Ericsson Network topology concealment using address permutation
CN103746893A (en) * 2013-12-19 2014-04-23 柳州职业技术学院 Safety type covert communication method aiming at IP data packet

Also Published As

Publication number Publication date
CN113497788A (en) 2021-10-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21771337

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21771337

Country of ref document: EP

Kind code of ref document: A1