CN100521598C - Method and system of implementing secure communication between internal and external computer networks based on simplex communication principle - Google Patents


Info

Publication number: CN100521598C
Application number: CNB2006100381988A
Authority: CN (China)
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN1808971A (en)
Inventors: 宫宁生, 帅仁俊
Current assignee: Nanjing Tech University
Original assignee: Nanjing Tech University
Priority and filing date: 2006-02-09 (application CNB2006100381988A filed by Nanjing Tech University)
Publication of CN1808971A: 2006-07-26
Grant and publication of CN100521598C: 2009-07-29

Abstract

This invention discloses a method and system for secure communication between the internal and external networks of a computer system based on the simplex communication principle. A unidirectional transmission line is established between the intranet's gateway computer and the external network's gateway computer, so that the external network is physically prevented from stealing or damaging intranet information, and an outbound security-control computer is set up at the same time to supply the encryption keys, so that the security of outbound intranet transmission is managed.

Description

Method and system for implementing secure communication between the internal and external networks of a computer system based on the simplex principle
Technical field
The present invention relates to computer communication methods and systems, in particular to a method and system for secure communication between a local area network (the internal network, or intranet) and a wide area network (the external network), and specifically to a method and system for implementing secure communication between the internal and external computer networks based on the simplex principle.
Background technology
Computer networks are widely used in e-government, e-commerce, automatic control and many other fields, and with the development of the Internet more and more computers are connected to it. Today, when network communication is ever more widespread, the viruses and trojan programs that spread mainly through the Internet are of growing concern; a connection without security guarantees exposes a user's computer to serious threats from criminals' intrusions, attacks and other Internet hazards. Guarding information resources against the loss, disruption, destruction and leakage caused by computer attacks, human error and the like during their lifetime is the main content of information-security research. Some key departments often adopt the internal/external network layout shown in Fig. 1, where the local area network is referred to as the intranet and the wide area network as the external network.
To guarantee the security of important intranet information systems, various schemes have been proposed, the most important being firewall technology. Firewalls have passed through four stages: router-based firewalls, custom firewall toolkits, firewalls built on general-purpose operating systems, and firewalls with a secure operating system; we are now in the fourth-generation firewall stage. A carefully configured firewall can indeed keep most hackers at the perimeter and retain the initiative in network control, but a firewall is not omnipotent, and no networking product can be called perfectly secure. Therefore, to be completely safe, people have adopted physical separation of the internal and external networks, see Fig. 2: strict physical isolation between the local area network (intranet) and the wide area network (external network) effectively prevents hackers and viruses on the wide area network from invading the intranet over the network, i.e. the two networks operate in isolation.
However, the intranet has much information that needs to be sent to the external network, for example:
1. Most of the information that a government department publishes externally originates on the intranet and must be published from the intranet to the external network.
2. Alarm messages generated by network systems used for automatic control often need to be sent via the external network to a wireless carrier and forwarded promptly to the mobile phones of the personnel concerned.
3. Remote live backup that uses the external network as the communication path.
Because strict physical isolation allows transfer between the intranet and the external network only by manual copying, neither real-time performance nor security can meet the requirements.
In summary, existing network-security methods are either inconvenient to use (physical isolation) or insufficiently secure (firewalls), which seriously affects the security of information transmission and of the system.
Summary of the invention
The object of the invention is to address the poor security of a direct connection between the existing intranet and external network, and the inconvenience and inability to communicate directly under physical isolation, by providing a method and system for implementing secure communication between the internal and external computer networks based on the simplex principle.
The technical scheme of the invention is as follows:
A method for implementing secure communication between the internal and external computer networks based on the simplex principle, characterized in that it comprises the following steps:
a. Between an inner gateway computer connected to the intranet and an outer gateway computer connected to the external network, establish a unidirectional transmission line over which only the inner gateway computer can transmit to the outer gateway computer;
b. Set up an outbound security-control computer having at least two independent interfaces, corresponding to the inner gateway computer and the outer gateway computer respectively, and between these interfaces and the inner and outer gateway computers establish unidirectional transmission lines over which only the outbound security-control computer can transmit to the inner gateway computer or to the outer gateway computer;
c. Have the outbound security-control computer continually send an encryption key to the inner gateway computer and a decryption key to the outer gateway computer through the two independent interfaces and the unidirectional transmission lines;
d. The inner gateway computer uses the encryption key delivered unidirectionally by the outbound security-control computer to encrypt the information to be transmitted from the inner gateway computer to the outer gateway computer into an encrypted packet, and sends it to the outer gateway computer over the unidirectional transmission line;
e. After the outer gateway computer receives the encrypted packet from the inner gateway computer, it decrypts the packet with the decryption key sent unidirectionally by the outbound security-control computer, so that intranet information can be sent to the external network, realizing one-way communication;
f. If a packet sent by the intranet through the inner gateway computer is not an encrypted packet produced with the encryption key transmitted unidirectionally by the outbound security-control computer, the packet becomes meaningless data after the outer gateway computer processes it with the decryption key, which blocks illegal leakage of intranet information and realizes secure simplex communication.
The unidirectional transmission line is a signal transmission line with a diode connected in series.
The outbound security-control computer is either a microcontroller or a microcomputer.
The encryption key and the decryption key produced by the outbound security-control computer are either identical or different.
A system for implementing secure communication between the internal and external computer networks based on the simplex principle, characterized in that it consists of an intranet, an inner gateway computer, an outer gateway computer, an external network and an outbound security-control computer; the intranet is connected to the inner gateway computer, the inner gateway computer and the outer gateway computer are connected by a unidirectional transmission line, the outer gateway computer is connected to the external network, and the outbound security-control computer is provided with two independent interfaces that are connected to the inner gateway computer and the outer gateway computer respectively by unidirectional transmission lines.
The unidirectional transmission line is a signal transmission line with a diode connected in series.
The outbound security-control computer consists of a CPU, memory, keyboard, display, random number generator and at least two independent interfaces, with the memory, keyboard, display, random number generator and independent interfaces each connected to the corresponding I/O terminals of the CPU.
Beneficial effects of the invention:
Because one-way transmission of information is realized, erosion of the intranet and damage to the system by external-network viruses can be blocked effectively while timely and rapid publication of authorized intranet information is guaranteed; this solves a security problem that has long existed in intranet management, and both the method and the system are simple.
Description of drawings
Fig. 1 is a structural diagram of the duplex-mode internal/external network layout of the background technology.
Fig. 2 is a structural diagram of the physically isolated internal/external network layout of the background technology.
Fig. 3 is a structural diagram of the simplex internal/external network layout of the present invention.
Fig. 4 is a block diagram of the outbound security-control computer of the present invention.
Embodiment
The invention is further described below with reference to the drawings and embodiments.
A method for implementing secure communication between the internal and external computer networks based on the simplex principle comprises the following steps:
a. Between an inner gateway computer connected to the intranet and an outer gateway computer connected to the external network, establish a unidirectional transmission line over which only the inner gateway computer can transmit to the outer gateway computer; this unidirectional transmission line may be an ordinary signal transmission line with a forward-biased diode connected in series;
b. Set up an outbound security-control computer having at least two independent external interfaces; it may be an ordinary microcontroller or an ordinary microcomputer. The independent interfaces correspond to the inner gateway computer and the outer gateway computer respectively, and between these interfaces and the inner and outer gateway computers establish unidirectional transmission lines over which only the outbound security-control computer can transmit to the inner gateway computer or to the outer gateway computer; these unidirectional transmission lines may also be ordinary signal transmission lines with a forward-biased diode connected in series;
c. Have the outbound security-control computer continually send an encryption key to the inner gateway computer and a decryption key to the outer gateway computer through the two independent interfaces and the unidirectional transmission lines; the encryption key and the decryption key may be identical or different;
d. The inner gateway computer uses the encryption key delivered unidirectionally by the outbound security-control computer to encrypt the information to be transmitted from the inner gateway computer to the outer gateway computer into an encrypted packet, and sends it to the outer gateway computer over the unidirectional transmission line;
e. After the outer gateway computer receives the encrypted packet from the inner gateway computer, it decrypts the packet with the decryption key sent unidirectionally by the outbound security-control computer, so that intranet information can be sent to the external network, realizing one-way communication;
f. If a packet sent by the intranet through the inner gateway computer is not an encrypted packet produced with the encryption key transmitted unidirectionally by the outbound security-control computer, the packet becomes meaningless data after the outer gateway computer processes it with the decryption key, which blocks illegal leakage of intranet information and realizes secure simplex communication.
The system for carrying out the above method is shown in Fig. 3.
A system for implementing secure communication between the internal and external computer networks based on the simplex principle consists of an intranet 1, an inner gateway computer 2, an outer gateway computer 3, an external network 4 and an outbound security-control computer 5. The intranet 1 and the inner gateway computer 2 can be connected with existing conventional methods and equipment; the inner gateway computer 2 and the outer gateway computer 3 are connected by a unidirectional transmission line 6 with a forward-biased diode connected in series; the outer gateway computer 3 and the external network 4 are likewise connected with existing conventional methods and equipment; the outbound security-control computer 5 is provided with at least two independent interfaces 506, which are connected to the inner gateway computer 2 and the outer gateway computer 3 respectively by unidirectional transmission lines 7 with a forward-biased diode connected in series.
The outbound security-control computer 5 can be an ordinary microcontroller or microcomputer and, as shown in Fig. 4, consists of a CPU 501, memory 502, keyboard 503, display 504, random number generator 505 (used to assist key generation) and at least two independent interfaces 506; the memory 502, keyboard 503, display 504, random number generator 505 and independent interfaces 506 are each connected to the corresponding I/O terminals of the CPU 501.
In the present invention the simplex mode adopted between the inner gateway computer 2 and the outer gateway computer 3 (transmission only from the inner gateway computer 2 to the outer gateway computer 3) effectively prevents deliberate theft and deliberate leakage of information while it is being transmitted: physical signals can travel only one way, from the inner gateway computer 2 to the outer gateway computer 3, and the signal path for reverse transmission from the outer gateway computer 3 to the inner gateway computer 2 is physically blocked, so interference with and damage to the information of intranet 1 that might originate from external network 4 is avoided completely at the physical layer, see Fig. 3.
Because the intranet must continually publish information outwards, deliberate theft and deliberate leakage of that information must also be prevented.
The invention uses hardware and software to process appropriately the information the intranet wishes to publish, separates the data from the control information and uses key-based authentication, so that deliberate leakage and deliberate theft of information are effectively avoided and the purpose of security is achieved, as shown in Fig. 3.
The outbound security-control computer in Fig. 3 consists of a dedicated CPU, memory, a simple keyboard, an LED (or liquid crystal) display and a random number generator, see Fig. 4. The simple keyboard and display serve the human-machine dialogue: the intranet administrator uses them to enter a password and an additional check code. The dedicated CPU takes the random numbers produced by the random number generator, automatically generates control information according to a specific algorithm and sends it in encrypted form through the interfaces to the inner and outer gateway computers respectively, establishing a dynamic logical link for effective communication between the inner and outer gateway computers. The dedicated CPU, memory and random number generator are designed on a PLD chip, which both improves the security of the system and facilitates batch production.
The inner and outer gateway computers can be ordinary desktop machines. The main task of the inner gateway computer is to manage the information to be published and to send it out effectively under the control of the outbound security-control computer; the outer gateway computer, following the instructions sent by the outbound security-control computer, screens the information coming from the inner gateway computer and discards invalid information to stop leakage, while legitimate information is published outwards over the Internet.
The following is a specific embodiment of the invention:
Intranet: may be the internal network of any organization, such as a bank's internal LAN or the built-in system of an automated chemical-process control installation.
External network: the Internet.
The intranet computers are ordinary PCs.
The outbound security-control computer can be a microcontroller (such as an 80C51) or an embedded system (such as an ARM9).
Suppose there is an intranet for automated chemical-process control whose devices are all connected to the Internet through the unidirectional link.
First, against all attacks from the external network (including computer viruses), the security of the intranet is fully equivalent to strict physical isolation of the internal and external networks: any attack on the intranet (including computer viruses) attempted through the unidirectional link is completely blocked. Likewise, attacks (including computer viruses) from either network on the outbound security-control computer are completely blocked.
Suppose the intranet's inner gateway computer is to send the alarm message "700" to the external network, addressed to the mobile phone with number "123456" at the external network's mobile carrier (the complete digit string is "123456700"). The inner gateway computer first uses the key produced by the outbound security-control computer (for example with the RSA algorithm, a public-key algorithm).
Let p = 37 and q = 41 (decimal), so n = pq = 1517. The outbound security-control computer chooses the key e = 17 and sends e and n = 1517 to the inner gateway computer; similarly it sends d = 593 and n = 1517 to the outer gateway computer. The inner gateway computer encrypts the digit string "123456700" with e and n to obtain C = 11071292645 and sends C to the outer gateway computer over the unidirectional link. When the outer gateway computer receives C, it uses d = 593 and n from the outbound security-control computer to recover "123456700". If a signal is not encrypted with the key e and n, the outer gateway computer will recognize the result of processing it with d and n as invalid.
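The key-distribution and gateway steps c to f of the summary, together with the RSA numbers of the embodiment above, worked through in Python as an added example. This is not code from the patent, which names no software; it uses only the page's p = 37, q = 41 and e = 17 (giving n = 1517 and d = 593). The page does not say how the digit string is split into blocks smaller than n, what the administrator's check code is, or how the outer gateway recognizes invalid output; here the string is cut into 3-digit blocks, which reproduces the page's first two ciphertext groups 1107 and 1292 (the page's third group, 645, equals 7^17 mod 1517 rather than 700^17 mod 1517 = 1233, so the patent splits the trailing digits differently), and an assumed 3-digit checksum block is appended so the outer gateway has something to verify. All function names and the checksum are the example's own assumptions.

```python
"""Simplex-gateway key distribution and packet check with the patent's RSA numbers.

Added illustration, not code from the patent: the page supplies only p=37, q=41,
e=17, d=593, n=1517 and the digit strings. Block width, the check code and all
names below are assumptions made for this example.
"""
from math import gcd

P, Q, E = 37, 41, 17            # parameters quoted in the patent's worked example
BLOCK_WIDTH = 3                 # assumption: 3-digit blocks, every block < 1000 <= n
CHECK_MOD = 10 ** BLOCK_WIDTH   # assumption: one 3-digit checksum block is appended


def control_computer_keys(p=P, q=Q, e=E):
    """Outbound security-control computer: derive the encryption key (e, n) for the
    inner gateway and the decryption key (d, n) for the outer gateway."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)         # 17^-1 mod 1440 = 593, as on the page
    return (e, n), (d, n)


def split_blocks(digits, width=BLOCK_WIDTH):
    """'123456700' -> [123, 456, 700]. The length must be a multiple of the width
    so that the receiver can restore leading zeros unambiguously."""
    if not digits.isdigit() or len(digits) % width:
        raise ValueError("digit string whose length is a multiple of %d expected" % width)
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def checksum(blocks):
    """Assumed check code: sum of the data blocks modulo 1000, sent as one more block.
    The patent mentions a check code but does not define it."""
    return sum(blocks) % CHECK_MOD


def inner_gateway_send(digits, enc_key):
    """Step d: the inner gateway appends the check block and encrypts every block with (e, n)."""
    e, n = enc_key
    blocks = split_blocks(digits)
    blocks.append(checksum(blocks))
    return [pow(m, e, n) for m in blocks]


def outer_gateway_receive(packet, dec_key, width=BLOCK_WIDTH):
    """Steps e and f: the outer gateway decrypts with (d, n) and forwards the digit
    string only if every block is a valid digit block and the check block verifies;
    otherwise the packet is treated as garbage and None is returned."""
    d, n = dec_key
    if len(packet) < 2 or any(not 0 <= c < n for c in packet):
        return None
    blocks = [pow(c, d, n) for c in packet]
    data, check = blocks[:-1], blocks[-1]
    # RSA decryption of an arbitrary value always yields *some* value below n; it is
    # this redundancy check, not the decryption itself, that tells garbage from traffic.
    if any(b >= 10 ** width for b in data) or check != checksum(data):
        return None
    return "".join(str(b).zfill(width) for b in data)


def codebook(enc_key, width=BLOCK_WIDTH):
    """Caveat: textbook RSA on a 1000-value message space is a fixed substitution
    table. Whoever holds (e, n) can invert any block without knowing d."""
    e, n = enc_key
    return {pow(m, e, n): m for m in range(10 ** width)}


if __name__ == "__main__":
    enc_key, dec_key = control_computer_keys()
    print("inner gateway holds (e, n) =", enc_key, "; outer gateway holds (d, n) =", dec_key)
    packet = inner_gateway_send("123456700", enc_key)
    print("encrypted blocks:", packet)           # begins 1107, 1292 as on the page
    print("outer gateway forwards:", outer_gateway_receive(packet, dec_key))
    # Step f: a host bypasses the key and pushes the raw digits onto the line.
    raw = split_blocks("123456700")
    print("raw packet after decryption check:", outer_gateway_receive(raw, dec_key))
    print("codebook inverts 1107 to", codebook(enc_key)[1107])
```

Two points a practitioner would take from running it. First, step f only works because the outer gateway checks redundancy after decrypting: applying d to any value below n produces some value, so without a check code (and a far longer one than three digits, in practice a MAC) the gateway cannot tell an unencrypted packet from a legitimate one. Second, textbook RSA on a message space of 1000 values with no padding is a deterministic substitution table, so anyone who obtains (e, n) from the line to the inner gateway can read the traffic without d, and a 1517-value modulus is factored by hand; the scheme's protection therefore rests on the keys travelling only over the private unidirectional lines, not on the strength of the cipher.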

Claims (3)

1. A method for implementing secure communication between the internal and external computer networks based on the simplex principle, characterized in that it comprises the following steps:
a. Between an inner gateway computer connected to the intranet and an outer gateway computer connected to the external network, establish a unidirectional transmission line over which signals can be transmitted only from the inner gateway computer to the outer gateway computer, the unidirectional transmission line being a signal transmission line with a diode connected in series;
b. Set up an outbound security-control computer having at least two independent interfaces, corresponding to the inner gateway computer and the outer gateway computer respectively, and between these interfaces and the inner and outer gateway computers establish unidirectional transmission lines over which signals can be transmitted only from the outbound security-control computer to the inner gateway computer and the outer gateway computer, these unidirectional transmission lines also being signal transmission lines with a diode connected in series;
c. Have the outbound security-control computer continually send an encryption key to the inner gateway computer and a decryption key to the outer gateway computer through the two independent interfaces and the unidirectional transmission lines;
d. The inner gateway computer uses the encryption key delivered unidirectionally by the outbound security-control computer to encrypt the information to be transmitted from the inner gateway computer to the outer gateway computer into an encrypted packet, and sends it to the outer gateway computer over the unidirectional transmission line between the inner and outer gateway computers;
e. After receiving the encrypted packet from the inner gateway computer, the outer gateway computer decrypts it with the decryption key sent unidirectionally by the outbound security-control computer, so that intranet information can be sent to the external network, realizing one-way communication;
f. If a packet sent by the intranet through the inner gateway computer is not an encrypted packet produced with the encryption key transmitted unidirectionally by the outbound security-control computer, the packet becomes meaningless data after the outer gateway computer processes it with the decryption key, which blocks illegal leakage of intranet information and realizes secure simplex communication.
2. The method for implementing secure communication between the internal and external computer networks based on the simplex principle according to claim 1, characterized in that the outbound security-control computer is either a microcontroller or a microcomputer.
3. The method for implementing secure communication between the internal and external computer networks based on the simplex principle according to claim 1, characterized in that the encryption key and the decryption key produced by the outbound security-control computer are either identical or different.
Application

Application number: CNB2006100381988A
Priority date: 2006-02-09
Filing date: 2006-02-09
Title: Method and system of implementing secure communication between internal and external computer networks based on simplex communication principle
Granted as: CN100521598C (Expired - Fee Related)

Publications (2)

CN1808971A, publication date 2006-07-26
CN100521598C (granted patent), publication date 2009-07-29

Family ID: 36840680


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
EE01: Entry into force of recordation of patent licensing contract
    Assignee: NANJING MIND SOFTWARE CO., LTD.
    Assignor: Nanjing University of Technology
    Contract record no.: 2012320000791
    Denomination of invention: Method and system of implementing secure communication between internal and external computer networks based on simplex communication principle
    Granted publication date: 20090729
    License type: Exclusive License
    Open date: 20060726
    Record date: 20120615
CF01: Termination of patent right due to non-payment of annual fee
    Granted publication date: 20090729
    Termination date: 20170209