Method and system for realizing secure communication between the internal and external networks of a computer based on the simplex principle
Technical field
The present invention relates to computer communication and systems, in particular to a method and system for realizing secure communication between a local area network (LAN, i.e. the internal network or intranet) and a wide area network (i.e. the external network or extranet), and specifically to a method and system for realizing secure communication between the internal and external networks of a computer based on the simplex principle.
Background technology
Computer networks are widely used in e-government, e-commerce, automatic control and many other fields, and with the development of the Internet more and more computers are connected to it. Today, when network communication is ever more widespread, viruses and trojan horse programs that spread by means of the Internet are increasingly troubling; a connection without security guarantees exposes a user's computer to serious threats from intrusion and attack by lawbreakers and from other hosts on the Internet. Guarding and protecting information resources against the loss, disruption, destruction and leakage caused by computer attacks, human error and the like over their lifetime is a main subject of information security research. Some key sectors often adopt the internal/external network form shown in Figure 1, in which the local area network is referred to as the internal network (intranet) and the wide area network as the external network (extranet).
To ensure the security of important intranet information systems, various schemes have been proposed, the foremost of which is firewall technology. Firewalls have passed through four stages: router-based firewalls, customized firewall toolkits, firewalls built on a general-purpose operating system, and firewalls with a secure operating system; the fourth-generation stage is the current one. A carefully configured firewall can certainly keep most hackers outside the perimeter and retain the initiative in network control, but a firewall is not omnipotent, and no networking product can be described as perfectly safe. Therefore, to be perfectly safe, the approach of physically separating the internal and external networks has been taken, see Figure 2. Strict physical isolation between the local area network (intranet) and the wide area network (extranet) effectively prevents hackers and viruses on the wide area network from invading the intranet over the network; that is, the local area network and the wide area network operate in isolation from each other.
However, the intranet has much information that needs to be sent to the extranet, for example:
1. For information published externally by a government department, most of the information originates on the intranet and must be published to the extranet from the intranet.
2. Alarm messages produced by a network system used for automatic control must, in many cases, be sent via the extranet to a wireless communication network operator and then forwarded promptly to the mobile phones of the relevant personnel.
3. Remote live backup using the extranet as the communication path.
Because strict physical isolation allows transfer between the intranet and extranet only by manual copying, neither real-time performance nor security can meet the requirements.
In summary, existing network security methods either are inconvenient to use (the physical isolation method) or have poor security (the firewall method), which seriously affects the security of information transmission and of the system.
Summary of the invention
The object of the invention is to address the poor security of a direct connection between an existing intranet and extranet, and the inconvenience and impossibility of direct communication under physical isolation, by providing a method and system for realizing secure communication between the internal and external networks of a computer based on the simplex principle.
The technical scheme of the present invention is:
A method for realizing secure communication between the internal and external networks of a computer based on the simplex principle, characterized in that it comprises the following steps:
a. Between an inner gateway computer connected to the intranet and an outer gateway computer connected to the extranet, establish a unidirectional transmission line over which only the inner gateway computer can transmit to the outer gateway computer;
b. Set up an outbound security control computer having at least two independent interfaces, said independent interfaces corresponding respectively to the inner gateway computer and the outer gateway computer; between the independent interfaces of said outbound security control computer and the inner gateway computer and outer gateway computer, establish unidirectional transmission lines over which only the outbound security control computer can transmit to the inner gateway computer or to the outer gateway computer;
c. Have the outbound security control computer continuously send the encryption key to the inner gateway computer and the decryption key to the outer gateway computer, through its two independent interfaces and the unidirectional transmission lines;
d. The inner gateway computer uses the encryption key sent unidirectionally by the outbound security control computer to encrypt the information to be transmitted from the inner gateway computer to the outer gateway computer, forming an encrypted information packet, and sends it to the outer gateway computer over the inner gateway computer's unidirectional transmission line;
e. After the outer gateway computer receives the encrypted information packet transmitted by the inner gateway computer, it likewise uses the decryption key sent unidirectionally by the outbound security control computer to decrypt this encrypted information packet, so that intranet information can be sent to the extranet and one-way communication is realized;
f. If an information packet sent by the intranet through the inner gateway computer is not an information packet encrypted with the encryption key transmitted unidirectionally by the outbound security control computer, then after the outer gateway computer processes it with the decryption key it becomes garbage, which stops the illegal leakage of intranet information and realizes safe simplex transmission.
Said unidirectional transmission line is a signal transmission line with a diode connected in series.
Said outbound security control computer is either a single-chip microcontroller or a microcomputer.
The encryption key and the decryption key produced by said outbound security control computer are either identical or different.
A system for realizing secure communication between the internal and external networks of a computer based on the simplex principle, characterized in that it is composed of an intranet, an inner gateway computer, an outer gateway computer, an extranet and an outbound security control computer; the intranet is connected to the inner gateway computer, the inner gateway computer and the outer gateway computer are connected by a unidirectional transmission line, the outer gateway computer is connected to the extranet, and the outbound security control computer is provided with two independent interfaces, which are connected by unidirectional transmission lines to the inner gateway computer and the outer gateway computer respectively.
Said unidirectional transmission line is a signal transmission line with a diode connected in series.
Said outbound security control computer is composed of at least a CPU, memory, keyboard, display, random number generator and two independent interfaces; the memory, keyboard, display, random number generator and independent interfaces are each connected to the corresponding I/O terminals of the CPU.
Beneficial effects of the present invention:
Because one-way transmission of information is realized, the erosion of the intranet by extranet viruses and the destruction of the system can be blocked effectively, while timely and fast publication of authorized intranet information is guaranteed; this solves a security problem that has long existed in intranet management, and the method and system are simple.
Description of drawings
Fig. 1 is a structural schematic of the duplex-mode internal/external network composition in the background technology of the present invention.
Fig. 2 is a structural schematic of the physically isolated internal/external network composition in the background technology of the present invention.
Fig. 3 is a structural schematic of the simplex internal/external network composition of the present invention.
Fig. 4 is a block diagram of the configuration of the outbound security control computer of the present invention.
Embodiment
The present invention is further illustrated below with reference to the drawings and embodiments.
A method for realizing secure communication between the internal and external networks of a computer based on the simplex principle comprises the following steps:
a. Between an inner gateway computer connected to the intranet and an outer gateway computer connected to the extranet, establish a unidirectional transmission line over which only the inner gateway computer can transmit to the outer gateway computer; this unidirectional transmission line may be an ordinary signal transmission line with a forward-biased diode connected in series;
b. Set up an outbound security control computer having at least two external independent interfaces; this outbound security control computer may be an ordinary single-chip microcontroller or an ordinary microcomputer; said independent interfaces correspond respectively to the inner gateway computer and the outer gateway computer; between the independent interfaces of said outbound security control computer and the inner gateway computer and outer gateway computer, establish unidirectional transmission lines over which only the outbound security control computer can transmit to the inner gateway computer or to the outer gateway computer; these unidirectional transmission lines may likewise be ordinary signal transmission lines with a forward-biased diode connected in series;
c. Have the outbound security control computer continuously send the encryption key to the inner gateway computer and the decryption key to the outer gateway computer, through its two independent interfaces and the unidirectional transmission lines; said encryption key and decryption key may be identical or different;
d. The inner gateway computer uses the encryption key sent unidirectionally by the outbound security control computer to encrypt the information to be transmitted from the inner gateway computer to the outer gateway computer, forming an encrypted information packet, and sends it to the outer gateway computer over the inner gateway computer's unidirectional transmission line;
e. After the outer gateway computer receives the encrypted information packet transmitted by the inner gateway computer, it likewise uses the decryption key sent unidirectionally by the outbound security control computer to decrypt this encrypted information packet, so that intranet information can be sent to the extranet and one-way communication is realized;
f. If an information packet sent by the intranet through the inner gateway computer is not an information packet encrypted with the encryption key transmitted unidirectionally by the outbound security control computer, then after the outer gateway computer processes it with the decryption key it becomes garbage, which stops the illegal leakage of intranet information and realizes safe simplex transmission.
The system that carries out the above process is shown in Figure 3.
A system for realizing secure communication between the internal and external networks of a computer based on the simplex principle is composed of an intranet 1, an inner gateway computer 2, an outer gateway computer 3, an extranet 4 and an outbound security control computer 5. Intranet 1 and inner gateway computer 2 may be connected by existing conventional methods and apparatus; inner gateway computer 2 and outer gateway computer 3 are connected by a unidirectional transmission line 6 with a forward-biased diode connected in series; outer gateway computer 3 and extranet 4 are also connected by existing conventional methods and apparatus; outbound security control computer 5 is provided with at least two independent interfaces 506, which are connected to inner gateway computer 2 and outer gateway computer 3 respectively by unidirectional transmission lines 7 with forward-biased diodes connected in series.
Outbound security control computer 5 may be an ordinary single-chip microcontroller or microcomputer; as shown in Fig. 4 it is composed of a CPU 501, memory 502, keyboard 503, display 504, random number generator 505 (used to assist in generating keys) and at least two independent interfaces 506; memory 502, keyboard 503, display 504, random number generator 505 and independent interfaces 506 are each connected to the corresponding I/O terminals of CPU 501.
Adopting the simplex mode between inner gateway computer 2 and outer gateway computer 3 of the present invention (only inner gateway computer 2 transmits, to outer gateway computer 3) effectively prevents intentional theft and deliberate leakage of the information while it is being transmitted: physical signals can travel only one way, from inner gateway computer 2 to outer gateway computer 3, and the signal path for reverse transmission from outer gateway computer 3 to inner gateway computer 2 is physically blocked, so the interference with and destruction of intranet 1 information that might be caused by extranet 4 is avoided completely at the physical layer, see Fig. 3.
Because the intranet needs to release information outward continuously, intentional theft and deliberate leakage of that information must also be prevented.
The present invention uses hardware and software methods to process appropriately the information the intranet wishes to release, separating data information from control information and adopting password-based authentication, so that deliberate leakage and intentional theft of information can be effectively avoided and the purpose of security achieved, as shown in Figure 3.
The outbound security control computer in Fig. 3 is composed of a dedicated CPU, memory, a simple keyboard, an LED (or liquid crystal) display and a random number generator, see Fig. 4. The simple keyboard and display are used for human-computer dialogue; the intranet administrator uses them to enter the password and additional check codes. The dedicated CPU accepts the random numbers produced by the random number generator, generates control information automatically according to a specific algorithm, and transmits it in encrypted form through the interfaces to the inner gateway computer and the outer gateway computer respectively, thereby establishing a dynamic logical link for effective communication between the inner and outer gateway computers. The dedicated CPU, memory and random number generator are designed with PLD chips, which both improves the security performance of the system and facilitates batch production.
The inner gateway computer and the outer gateway computer may be ordinary desktop machines. The main task of the inner gateway computer is to manage the information to be released and, under the control of the outbound security control computer, to send that information effectively; the outer gateway computer, according to the instructions sent by the outbound security control computer, screens the information coming from the inner gateway computer and discards invalid information to stop information leakage, while legitimate information is released externally via the Internet.
A specific embodiment of the present invention follows:
Intranet: may be the internal network system of any unit, such as a bank's internal LAN, the built-in system of a chemical industry automated process control, and so on.
Extranet: the Internet.
The intranet computer is just an ordinary PC.
The outbound security control computer may use a single-chip microcontroller (such as the 80C51) or an embedded system (such as ARM9).
Now suppose an intranet for chemical industry automated process control, with all its devices connected, is linked to the Internet by a unidirectional link.
First, against the various attacks from the extranet (including computer viruses), the security of this intranet is entirely equivalent to strict physical isolation between the intranet and the extranet: any attempted attack on the intranet (including computer viruses) launched over the unidirectional link is blocked completely. Likewise, attacks (including computer viruses) from either the internal or the external network on the outbound security control computer are blocked completely.
Suppose the inner gateway computer of the intranet is to send the alarm message "700" to the extranet, to the mobile phone with telephone number "123456" at the extranet mobile communication carrier (the complete numeric string is "123456700"). The inner gateway computer first uses the key produced by the outbound security control computer (for example with the RSA algorithm, one of the public-key algorithms).
Suppose at this moment p=37, q=41 (decimal) and n=pq=1517; the outbound security control computer chooses the key e=17 together with n=1517 and sends them to the inner gateway computer; similarly D=593 and n=1517 are sent to the outer gateway computer. Then the numeric string "123456700" encrypted by the inner gateway computer with e and n is C=11071292645, and the inner gateway computer sends the numeric string C to the outer gateway computer over the unidirectional link; after the outer gateway computer receives the numeric string C, it uses D=593 and n from the outbound security control computer to restore the signal to "123456700". If the signal was not encrypted with the key e and n, the outer gateway computer will detect this from the result of decrypting it with D and n.
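The RSA exchange of this embodiment carried through in Python, as an added example that is not part of the patent text. The outbound security control computer's keys are fixed constants here, and the split of "123456700" into the blocks [123, 456, 7] is an assumption, chosen because their ciphertexts concatenate exactly to the C given above (the trailing "00" of the message is not visible in that C).

```python
# Added worked example (not from the patent): the embodiment's RSA parameters,
# carried through block by block for both gateway computers.
P, Q = 37, 41                  # primes from the embodiment
N = P * Q                      # n = 1517, sent to both gateway computers
E = 17                         # encryption key, sent one-way to the inner gateway only
D = 593                        # decryption key, sent one-way to the outer gateway only

# Assumed split of the numeric string "123456700" into blocks smaller than N.
# The patent states only the final string C=11071292645; these three blocks
# reproduce it exactly when their ciphertexts are concatenated.
MESSAGE_BLOCKS = [123, 456, 7]


def check_keypair(e: int = E, d: int = D, p: int = P, q: int = Q) -> bool:
    """RSA round-trips only if e*d == 1 (mod phi(n)) with phi(n) = (p-1)(q-1);
    the control computer should verify this before distributing the keys."""
    return (e * d) % ((p - 1) * (q - 1)) == 1


def inner_gateway_encrypt(blocks, e: int = E, n: int = N):
    """Inner gateway computer: encrypt every block with the key received one-way."""
    return [pow(m, e, n) for m in blocks]


def outer_gateway_decrypt(blocks, d: int = D, n: int = N):
    """Outer gateway computer: decrypt every received block with its own key."""
    return [pow(c, d, n) for c in blocks]


def ciphertext_string(cipher_blocks) -> str:
    """Join the per-block ciphertexts into the single numeric string C of the text.
    (Unpadded joining matches the text but is ambiguous to re-split; a real
    receiver would carry block boundaries or fixed-width blocks.)"""
    return "".join(str(c) for c in cipher_blocks)


def bypass_yields_garbage(blocks=MESSAGE_BLOCKS) -> bool:
    """Step f of the claims: a packet the inner gateway sent without encrypting
    (i.e. without e, n) is still processed with D, n by the outer gateway; the
    result differs from the original blocks, so the unauthorized packet is unusable."""
    return outer_gateway_decrypt(blocks) != blocks


if __name__ == "__main__":
    assert check_keypair()
    c = inner_gateway_encrypt(MESSAGE_BLOCKS)
    print("C =", ciphertext_string(c))                 # 11071292645
    print("restored:", outer_gateway_decrypt(c))      # [123, 456, 7]
    print("clear packet decrypts to:", outer_gateway_decrypt(MESSAGE_BLOCKS))
```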