CN102244649B - Data transmission method among secure networks and data processors - Google Patents


Info

Publication number: CN102244649B
Authority: CN (China)
Prior art keywords: data, document processor, validated user, key, mobile memory
Legal status: Expired - Fee Related
Application number: CN201010175353.7A
Other languages: Chinese (zh)
Other versions: CN102244649A (en)
Inventor: 刘炜刚
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by: Hangzhou H3C Technologies Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a data transmission method among secure networks, and data processors. A data processor is arranged in each of the two secure networks that exchange data; each data processor has an interface for connecting a mobile memory and an interface for receiving data from legal users, and the keys corresponding to the legal users are synchronized between the data processors. The data transmission method comprises the following steps: the data processors encrypt the data from the legal users with the keys corresponding to those users and store the encrypted data in the mobile memory; and the data processors decrypt the data read from the mobile memory with the keys corresponding to the legal users and send the decrypted data to them. By using this data transmission method and these data processors, human intervention is avoided, labour cost is saved and the safety of the isolated networks is ensured.

Description

Method for transmitting data between secure networks, and document processor
Technical field
The present invention relates to the field of network communication technology, and in particular to a method for transmitting data between secure networks and to a document processor.
Background technology
Network isolation means, for security reasons, having two or more routable networks exchange data through a non-routable protocol so as to achieve isolation: within a network, data exchange can be completed by routing protocols, whereas between networks it cannot. A network that implements network isolation is usually called a secure network.
Many organizations have offices in several locations. Where the security requirements of an office are high, the network in each office is isolated from external networks, but exchanging data between the offices then becomes very troublesome. For example, in software outsourcing business with high security requirements, the networks of both the contracting company and the outsourcing company are isolated. To prevent leaks, in each secure network the interfaces connecting all computer network cables to the computers and the switch are locked, the switch is locked in a dedicated cabinet, all output-type peripheral interfaces of the switch are closed, and the exit of the secure network is fitted with a safety lock, so that no data can be exchanged with the outside network and data security is guaranteed.
However, there is always a need to exchange data between secure networks, and a mobile memory is usually used to move the data to be exchanged from one secure network to another. In the existing solution shown in Fig. 1, a security officer in the contracting company's network encrypts the data file to be sent, opens the safety lock of the computer and exports the data to a mobile memory; the mobile memory is carried to a computer connected to the outsourcing company's network, where a security officer opens the safety lock, imports the data file from the mobile memory and decrypts it. Because a security officer must take part in this data transmission between secure networks, the process is cumbersome, labour costs are high, and security depends on the loyalty of the security officer.
Summary of the invention
In view of this, the present invention provides a method for transmitting data between secure networks and a document processor, so that secure data transmission between secure networks can be achieved without manual intervention.
A method for transmitting data between secure networks: a document processor is arranged in each of the two secure networks that exchange data; the document processor has an interface for connecting a mobile memory and an interface for receiving data from validated users, and the keys corresponding to the validated users are synchronized between the document processors. The method comprises:
the document processor encrypts the data from a validated user with the key corresponding to that validated user and stores the encrypted data in the mobile memory;
the document processor decrypts the data read from the mobile memory with the key corresponding to the validated user and sends the decrypted data to that validated user.
A document processor that provides a connecting interface for a mobile memory and comprises a network interface unit, an encryption/decryption unit and a memory interface unit:
the network interface unit receives data from a validated user and sends the data decrypted by the encryption/decryption unit to that validated user;
the encryption/decryption unit encrypts the data from the validated user with the key corresponding to that validated user, and decrypts the data provided by the memory interface unit with the same key;
the memory interface unit stores the data encrypted by the encryption/decryption unit in the mobile memory, reads data from the mobile memory and supplies the read data to the encryption/decryption unit.
As can be seen from the above technical solutions, the present invention arranges a document processor in each secure network; the document processor automatically encrypts the data uploaded by a validated user with the key corresponding to that user before storing it in the mobile memory, or, after reading data from the mobile memory, automatically decrypts it with the user's key before supplying it to the user. That is, the document processor performs the automatic encryption and decryption of the validated user's data, so the safety lock of the cabinet need not be opened and no security officer has to encrypt or decrypt data by hand at the user terminal; manual intervention is thereby avoided, labour cost is saved and the security of the isolated network is ensured.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the existing method of transmitting data between secure networks;
Fig. 2 is a connection diagram of the document processor in a secure network;
Fig. 3 is a diagram of the data exchange architecture between two secure networks;
Fig. 4 is a flow chart of uploading data from user terminal 1 to the mobile memory;
Fig. 5 is a flow chart of downloading data from the mobile memory to user terminal 2;
Fig. 6 is a schematic diagram of one ciphertext format provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of another ciphertext format provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of the document processor provided by the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
The method provided by the present invention mainly comprises: arranging a document processor in each of the two secure networks that exchange data, the document processor having an interface for connecting a mobile memory and an interface for receiving data from validated users, with the keys corresponding to the validated users synchronized between the document processors; the document processor encrypting the data from a validated user with the key corresponding to that user and storing the result in the mobile memory; and the document processor decrypting the data read from the mobile memory with the key corresponding to the validated user and sending the result to that user.
The above method is described in detail below through specific embodiments. In the present invention a document processor is arranged in each secure network. The document processor has a network interface for connecting to network equipment, which may be an Ethernet interface, a token ring interface, etc., and a connecting interface for a mobile memory, which may be a USB interface, an IEEE 1394 interface, etc. As shown in Fig. 2, the document processor can be deployed inside a cabinet fitted with a safety lock and connected to the switch by a network cable, while the connecting line for the mobile memory extends outside the cabinet so that a mobile memory can be attached. The document processor mainly provides data encryption/decryption and data input/output functions, which are described in detail below.
Suppose that data is to be exchanged between two secure networks as shown in Fig. 3: document processor 1 is arranged in secure network 1 and document processor 2 in secure network 2, and data from secure network 1 is carried into secure network 2 on a mobile memory. The specific process of exchanging the data from secure network 1 to secure network 2 is described below.
Fig. 4 is a flow chart of uploading data from user terminal 1 to the mobile memory. As shown in Fig. 4, the flow may comprise the following steps:
Step 401: user terminal 1 logs in to document processor 1 at the IP address of document processor 1, using a previously applied-for account.
The document processor in each secure network can publish its IP address within the secure network for user terminals to log in to. A user terminal can log in to the document processor in various ways, for example by Web, by FTP or by TELNET.
In addition, a user can apply for an account on the document processor in advance; a user whose application succeeds is a validated user, and the document processor maintains each account and the key corresponding to each account.
When user terminal 1 is to exchange data across secure networks, it first logs in to document processor 1 with the previously applied-for account; document processor 1 allows user terminal 1 to log in after determining that the account is that of a previously registered validated user.
Step 402: user terminal 1 sends data to document processor 1.
User terminal 1 can send the data to document processor 1 through the switch it is connected to; this data is plaintext.
Step 403: document processor 1 encrypts the data from user terminal 1 with the key corresponding to the login account.
Document processor 1 maintains the key corresponding to each account. After receiving the data from user terminal 1, it first determines the account under which user terminal 1 logged in, determines the key corresponding to that account, and encrypts the data with that key. Note that the keys maintained on document processor 1 for each account can be updated regularly, as long as the keys of each account stay synchronized between document processor 1 and document processor 2.
For example, when a new secure network is first built, the two document processors can be connected together at headquarters in advance, key synchronization and synchronized key updating can be configured, and the document processors can then be delivered to the designated secure networks. The document processors can also be sent back to headquarters regularly for key synchronization, or the keys can be set to update regularly according to a preset policy.
Step 404: document processor 1 stores the encrypted data in the mobile memory.
The data upload process in secure network 1 ends here. As can be seen, the above process does not require opening the safety lock of the cabinet, nor does it require a security officer to encrypt the data by hand at the user terminal; that is, no manual intervention by a security officer is needed.
Fig. 5 is a flow chart of downloading data from the mobile memory to user terminal 2. As shown in Fig. 5, the flow may comprise the following steps:
Step 501: user terminal 2 logs in to document processor 2 at the IP address of document processor 2, using a previously applied-for account.
In this step, the way user terminal 2 logs in to document processor 2 is the same as in step 401 and is not repeated here. Note that if the user wants to download the data that user terminal 1 uploaded in secure network 1, the user must log in to document processor 2 with the same account that was used to log in when the data was uploaded in secure network 1; otherwise the data cannot be decrypted correctly in step 506.
Step 502: document processor 2 obtains the data list of the mobile memory.
Step 503: document processor 2 supplies the obtained data list to user terminal 2.
Steps 502 and 503 are optional. If the user terminal already knows the information on the data to be downloaded, it can supply that information directly to document processor 2 without obtaining the data list.
Step 504: user terminal 2 determines, from the data list, the data to be downloaded and sends the information on the data to be downloaded to document processor 2.
Step 505: document processor 2 reads the data to be downloaded from the mobile memory.
Step 506: document processor 2 decrypts the read data with the key corresponding to the login account.
Document processor 2 automatically decrypts the read data with the key corresponding to the account under which the user logged in, obtaining the plaintext, and then sends it to user terminal 2 in step 507.
Step 507: the decrypted data is sent to user terminal 2.
The data download process in secure network 2 ends here. Because the data in the mobile memory is encrypted, it remains safe even if the user carries the mobile memory into an external network; the data in the mobile memory can only be read by a validated user. This process does not require opening the safety lock of the cabinet, nor does it require a security officer to decrypt the data by hand at the user terminal. Combining the flows shown in Figs. 4 and 5 realizes the exchange of data from secure network 1 to secure network 2; the exchange of data from secure network 2 to secure network 1 is identical to the above process and is not repeated.
In the present invention, the document processor can use many encryption/decryption algorithms, such as the Data Encryption Standard (DES) algorithm, the 3DES algorithm, IDEA, the Digital Signature Algorithm, the number-theoretic asymmetric RSA algorithm, the Advanced Encryption Standard (AES) algorithm, the MD5 digest algorithm, elliptic-curve cryptography (ECC), etc. The present invention does not limit the specific encryption/decryption algorithm; the algorithm used by each account is pre-configured in the document processor.
Taking the 3DES algorithm as an example, the ciphertext format after encrypting the data can be as shown in Fig. 6. The FLAG field carries the source or destination address information of the data; for example, when the source address is the contracting company and the destination address is the outsourcing company, FLAG is 1. Key A is the key used for encryption; supposing its length is X bytes, Key A is generated as follows: when some data needs to be encrypted, an RC4 key B of X bytes is first generated, then key B is encrypted with a predefined 3DES key C to produce key A. The Pad Length field is the length of the random characters, and the random-characters field holds the random padding, which improves the degree of security. The ciphertext field is the data obtained by encrypting the plaintext with key B.
In another processing mode, the key B of X bytes is concatenated with the Y-byte Pad Length field to form a string D of X+Y bytes; string D is encrypted with key C to form a key E of X+Y bytes, and the plaintext is encrypted with key B to form the ciphertext. The ciphertext format in this case can be as shown in Fig. 7.
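As an added worked example (not code from the patent or from H3C), the Fig. 6 record format in Go with the standard library's 3DES and RC4 packages: Seal is what document processor 1 does in steps 403-404 and Open is what document processor 2 does in step 506. The one-byte FLAG and Pad Length fields, X = 16, the 24-byte key C and block-wise (ECB) wrapping of key B are assumptions the page does not fix; RC4 and 3DES appear only because the page names them.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/rc4"
	"errors"
)

// One sealed record, following Fig. 6:
//   FLAG (1 byte) | Key A (X bytes) | Pad Length (1 byte) | random pad | ciphertext
// One-byte field widths and X = 16 are assumptions; the page fixes no sizes.
const (
	flagContractorToOutsourcer byte = 1 // the FLAG value the page names
	keyXLen                         = 16 // X: per-file RC4 key B length (a multiple of 8)
	headerLen                       = 1 + keyXLen + 1
)

// tripleDESBlocks passes key material through the account's 3DES key C block by
// block. The page names no mode, so ECB is assumed; production would use an AEAD.
func tripleDESBlocks(keyC, in []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewTripleDESCipher(keyC) // keyC must be 24 bytes
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("key material must be a multiple of 8 bytes")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// Seal is steps 403-404 on document processor 1: a fresh RC4 key B encrypts the
// plaintext, key B is wrapped under the account's synchronized key C to give key A,
// and the Fig. 6 record is assembled for the mobile memory.
func Seal(keyC []byte, flag byte, plaintext []byte, padLen int) ([]byte, error) {
	if padLen < 0 || padLen > 255 {
		return nil, errors.New("pad length must fit the one-byte Pad Length field")
	}
	random := make([]byte, keyXLen+padLen) // key B followed by the random pad
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	keyB, pad := random[:keyXLen], random[keyXLen:]
	keyA, err := tripleDESBlocks(keyC, keyB, false)
	if err != nil {
		return nil, err
	}
	stream, err := rc4.NewCipher(keyB)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	stream.XORKeyStream(ct, plaintext)
	var rec bytes.Buffer
	rec.WriteByte(flag)
	rec.Write(keyA)
	rec.WriteByte(byte(padLen))
	rec.Write(pad)
	rec.Write(ct)
	return rec.Bytes(), nil
}

// Open is step 506 on document processor 2: parse the record, unwrap key A back into
// key B with the same account's key C, skip the pad and decrypt. The format carries
// no integrity tag, so a wrong key C yields garbage rather than an error.
func Open(keyC, record []byte) (flag byte, plaintext []byte, err error) {
	if len(record) < headerLen {
		return 0, nil, errors.New("record shorter than FLAG|Key A|Pad Length header")
	}
	flag = record[0]
	padLen := int(record[1+keyXLen])
	body := record[headerLen:]
	if len(body) < padLen {
		return 0, nil, errors.New("Pad Length exceeds remaining record")
	}
	keyB, err := tripleDESBlocks(keyC, record[1:1+keyXLen], true)
	if err != nil {
		return 0, nil, err
	}
	stream, err := rc4.NewCipher(keyB)
	if err != nil {
		return 0, nil, err
	}
	plaintext = make([]byte, len(body)-padLen)
	stream.XORKeyStream(plaintext, body[padLen:])
	return flag, plaintext, nil
}
```

Because the record has no integrity tag, logging in under a different account (step 501) decrypts to garbage silently, which is why the page insists on using the same account on both processors.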
The above is a detailed description of the method provided by the present invention; the system and the document processor provided by the present invention are described below. The system provided by the present invention may comprise: a mobile memory, a first document processor arranged in a first secure network, and a second document processor arranged in a second secure network. Its structure can be seen in Fig. 3.
The first document processor encrypts the data from a validated user with the key corresponding to that validated user and stores the encrypted data in the mobile memory.
The second document processor decrypts the data read from the mobile memory with the key corresponding to that validated user and sends the decrypted data to the validated user.
The first document processor and the second document processor synchronize the keys corresponding to the validated users.
Fig. 8 is a structural diagram of the document processor provided by the present invention. The document processor provides a connecting interface for a mobile memory and, as shown in Fig. 8, may specifically comprise: a network interface unit 801, an encryption/decryption unit 802 and a memory interface unit 803.
The network interface unit 801 receives data from a validated user and sends the data decrypted by the encryption/decryption unit 802 to the validated user.
The encryption/decryption unit 802 encrypts the data from the validated user with the key corresponding to that validated user, and decrypts the data provided by the memory interface unit 803 with the same key.
The memory interface unit 803 stores the data encrypted by the encryption/decryption unit 802 in the mobile memory, reads data from the mobile memory and supplies the read data to the encryption/decryption unit 802.
Further, the document processor may also comprise a service management unit 804, which determines whether a user has successfully logged in to the document processor; if so, the user is determined to be a validated user, otherwise an invalid user.
In that case the encryption/decryption unit 802 takes the key corresponding to the account used to log in successfully to the document processor as the key corresponding to the validated user.
In addition, the encryption/decryption unit 802 can also regularly update the key corresponding to the validated user.
The above document processor is deployed in a cabinet fitted with a safety lock, and the connecting line for the mobile memory extends outside the cabinet.
In addition, the document processor provided by the present invention can be arranged independently or within another network device; for example, it can be arranged in a router in the form of software, directly using the network interface and USB interface that the router already has.
As can be seen from the above, the present invention arranges a document processor in each secure network; the document processor automatically encrypts the data uploaded by a validated user with the key corresponding to that user before storing it in the mobile memory, or, after reading data from the mobile memory, automatically decrypts it with the user's key before supplying it to the user. That is, the document processor performs the automatic encryption and decryption of the validated user's data, so the safety lock of the cabinet need not be opened and no security officer has to encrypt or decrypt data by hand at the user terminal; manual intervention is thereby avoided, labour cost is saved and the security of the isolated network is ensured.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for transmitting data between secure networks, characterized in that a document processor is arranged in each of the two secure networks that exchange data, the document processor has an interface for connecting a mobile memory and an interface for receiving data from validated users, and the keys corresponding to the validated users are synchronized between the document processors; the method comprises:
the document processor encrypts the data from a validated user with the key corresponding to that validated user and stores the encrypted data in the mobile memory;
the document processor decrypts the data read from the mobile memory with the key corresponding to the validated user and sends the decrypted data to that validated user.
2. The method according to claim 1, characterized in that the document processor encrypting the data from the validated user with the key corresponding to the validated user and storing it in the mobile memory specifically comprises:
A1. the validated user logs in to the document processor with a previously applied-for account;
A2. after logging in successfully, the validated user sends data to the document processor;
A3. the document processor encrypts the data from the validated user with the key corresponding to the account and stores it in the mobile memory.
3. The method according to claim 1, characterized in that the document processor decrypting the data read from the mobile memory with the key corresponding to the validated user and sending it to the validated user specifically comprises:
B1. the validated user logs in to the document processor with a previously applied-for account;
B2. after logging in successfully, the validated user sends the information on the data to be downloaded to the document processor;
B3. the document processor reads the data to be downloaded from the mobile memory;
B4. the document processor decrypts the read data with the key corresponding to the account and sends the decrypted data to the validated user.
4. The method according to claim 2 or 3, characterized in that the document processors arranged in the two secure networks that exchange data regularly synchronize and update the keys corresponding to the accounts.
5. The method according to claim 1, 2 or 3, characterized in that the document processor is deployed in a cabinet fitted with a safety lock, and the connecting line for the mobile memory extends outside the cabinet.
6. A document processor, characterized in that it provides a connecting interface for a mobile memory and comprises a network interface unit, an encryption/decryption unit and a memory interface unit;
the network interface unit receives data from a validated user and sends the data decrypted by the encryption/decryption unit to the validated user;
the encryption/decryption unit encrypts the data from the validated user with the key corresponding to the validated user, and decrypts the data provided by the memory interface unit with the key corresponding to the validated user;
the memory interface unit stores the data encrypted by the encryption/decryption unit in the mobile memory, reads data from the mobile memory and supplies the read data to the encryption/decryption unit.
7. The document processor according to claim 6, characterized in that it further comprises a service management unit, which determines whether a user has successfully logged in to the document processor; if so, the user is determined to be a validated user, otherwise an invalid user;
the encryption/decryption unit takes the key corresponding to the account used to log in successfully to the document processor as the key corresponding to the validated user.
8. The document processor according to claim 6 or 7, characterized in that the encryption/decryption unit is also used to regularly update the key corresponding to the validated user.
9. The document processor according to claim 6 or 7, characterized in that the document processor is deployed in a cabinet fitted with a safety lock, and the connecting line for the mobile memory extends outside the cabinet.
10. The document processor according to claim 6 or 7, characterized in that the document processor is arranged in a router.
Application

Application Number Priority Date Filing Date Title Status
CN201010175353.7A 2010-05-12 2010-05-12 Data transmission method among secure networks and data processors Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN102244649A (en) 2011-11-16
CN102244649B (en) 2015-06-10

Family ID: 44962488

Country Status (1)

Country Link
CN (1) CN102244649B (en)
Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882850B (en) * 2012-09-03 2015-11-18 广东电网公司电力科学研究院 A kind of encryption apparatus and method thereof adopting non-network mode isolated data
CN103795780A (en) * 2013-12-06 2014-05-14 中国科学院深圳先进技术研究院 Cloud storage data protection method and device
WO2015087216A1 (en) 2013-12-13 2015-06-18 Bombardier Inc. Apparatus and methods for providing network security on a mobile platform
CN107800713A (en) * 2017-11-10 2018-03-13 北京明朝万达科技股份有限公司 The secure exchange method and system of data between a kind of net
CN108786115B (en) * 2018-05-03 2021-06-01 南京赛宁信息技术有限公司 Method and system for generating CTF dynamic Flag based on transparent proxy

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1372181A (en) * 2001-02-26 2002-10-02 张巨洪 Encryption device for computer data
CN1694415A (en) * 2005-04-29 2005-11-09 北京邦诺存储科技有限公司 Method and device for safety of storaged network data
CN101488952A (en) * 2008-12-10 2009-07-22 华中科技大学 Mobile storage apparatus, data secured transmission method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000078004A2 (en) * 1999-06-10 2000-12-21 Alcatel Internetworking, Inc. Policy based network architecture


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
  Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
  Patentee after: Xinhua three Technology Co., Ltd.
  Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
  Patentee before: Huasan Communication Technology Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
  Granted publication date: 20150610
  Termination date: 20200512