CN102891848B - Method for encryption and decryption using an IPsec security association - Google Patents


Info

Publication number: CN102891848B
Authority: CN (China)
Legal status: Expired - Fee Related (the status is Google's assumption, not a legal conclusion)
Application number: CN201210360662.0A
Other languages: Chinese (zh)
Other versions: CN102891848A (en)
Inventor: 陈海滨
Current assignee: Opzoon Technology Co Ltd (listed assignees may be inaccurate; Google has performed no legal analysis)
Original assignee: Opzoon Technology Co Ltd
Priority date: 2012-09-25 (Google's assumption, not a legal conclusion)
Filing date: 2012-09-25
Publication date: 2013-01-23 (CN102891848A), 2015-12-02 (CN102891848B)

Timeline
2012-09-25: Application filed by Opzoon Technology Co Ltd; priority to CN201210360662.0A
2013-01-23: Publication of CN102891848A
2015-12-02: Application granted; publication of CN102891848B
2018-09-25: Expired - Fee Related (current legal status)

Abstract

The invention provides a method for encryption and decryption using an IPsec security association, in which at least one local device sends packets to a peer device. The method comprises: A, the local device sends a packet to the first firewall at the local end; B, the first firewall receives the packet, encrypts it using the IPsec security association, and sends the encrypted packet to the second firewall at the peer end; C, after receiving the encrypted packet, the second firewall looks up the IPsec security association according to the security protocol type and the Security Parameter Index (SPI) of the encrypted packet, decrypts the encrypted packet with the security association found, and obtains the decrypted packet; D, the second firewall creates a mapping table and sends the decrypted packet to the peer device. The invention achieves that, when multiple local devices each send packets to one peer device, the firewall of the peer device returns the reply packets to the respective local devices according to the mapping table.

Description

Method for encryption and decryption using an IPsec security association
Technical field
The present invention relates to the field of communication technology, and in particular to a method for encryption and decryption using an IPsec security association.
Background technology
Internet Protocol Security (IPsec) is a widely used security protocol in network communication. When this protocol is applied, information transmitted between two devices must pass through an encryption and decryption process that establishes an IPsec security association for the information, so as to guarantee its safe transfer. When multiple devices each send information to one device, and that device receives the information and returns reply messages to the multiple devices, the reply messages may fail to correspond to the right devices, which easily causes confusion.
Summary of the invention
(1) Technical problem solved
The invention solves the technical problem of multiple local devices each sending packets to one peer device, and the peer device returning reply packets to the respective local devices.
(2) Technical solution
The invention proposes a method for encryption and decryption using an IPsec security association, characterized in that at least one local device sends packets to a peer device, and the method comprises:
A, the local device sends a packet to the first firewall at the local end;
B, the first firewall receives the packet, encrypts it using the IPsec security association, and sends the encrypted packet to the second firewall at the peer end;
C, after receiving the encrypted packet, the second firewall looks up the IPsec security association according to the security protocol type and the Security Parameter Index of the encrypted packet, decrypts the encrypted packet with the security association found, and obtains the decrypted packet;
D, the second firewall creates a mapping table and sends the decrypted packet to the peer device.
Preferably, the packet in step A comprises the local device address and the peer device address.
Preferably, the encrypted packet in step B comprises the first firewall address and the second firewall address.
Preferably, the decrypted packet in step C comprises the local device address and the peer device address.
Preferably, the mapping table in step D comprises the correspondence between the local device address, the peer device address, the first firewall address, the second firewall address and the IPsec security association.
Preferably, after the peer device receives the decrypted packet in step D, the method further comprises:
E, the peer device sends a reply packet to the second firewall, the reply packet comprising the peer device address and the local device address;
F, the second firewall matches the received reply packet against the mapping table and obtains the first firewall address, the second firewall address and the IPsec security association corresponding to the peer device address and local device address in the reply packet;
G, the reply packet is encrypted using that IPsec security association; after encryption the reply packet comprises the first firewall address and the second firewall address, and the encrypted reply packet is sent to the first firewall;
H, after receiving the encrypted reply packet, the first firewall decrypts it using the IPsec security association and sends the decrypted reply packet to the local device.
Preferably, when the received reply packet is matched against the mapping table in step F, the peer device address and the local device address in the reply packet are swapped before the match against the mapping table.
(3) Beneficial effects
In the invention, the packets that multiple local devices each send to one peer device are encrypted, and after decrypting them the firewall of the peer device creates a mapping table, so that when multiple local devices each send packets to one peer device, the firewall of the peer device returns reply packets to the respective local devices according to the mapping table.
Brief description of the drawing
Fig. 1 is a flow diagram of the method for encryption and decryption using an IPsec security association proposed by the invention.
Detailed description
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawing in the embodiments.
Embodiment 1
The invention proposes a method for encryption and decryption using an IPsec security association, characterized in that at least one local device sends packets to a peer device, and the method comprises:
A, the local device sends a packet to the first firewall at the local end;
B, the first firewall receives the packet, encrypts it using the IPsec security association, and sends the encrypted packet to the second firewall at the peer end;
C, after receiving the encrypted packet, the second firewall looks up the IPsec security association according to the security protocol type and the Security Parameter Index (SPI) of the encrypted packet, decrypts the encrypted packet with the security association found, and obtains the decrypted packet;
D, the second firewall creates a mapping table and sends the decrypted packet to the peer device.
Embodiment 2
This embodiment includes everything in embodiment 1 and further defines the packet in step A as comprising the local device address and the peer device address.
The encrypted packet in step B comprises the first firewall address and the second firewall address. The first firewall encrypts the packet into an Encapsulating Security Payload (ESP) or Authentication Header (AH) packet.
The decrypted packet in step C comprises the local device address and the peer device address. After the second firewall receives the ESP/AH packet, it looks up the IPsec SA (IPsec Security Association) held on the server according to the security protocol type of the packet (AH protocol or ESP protocol) and the Security Parameter Index; once found, it decrypts the encrypted packet using that IPsec security association and sends it to the peer device.
The mapping table in step D comprises the correspondence between the local device address and peer device address, the first firewall address and second firewall address, and the IPsec security association. After the encrypted packet has been decrypted, the mapping table is formed and the decrypted packet is sent to the peer device.
After the peer device receives the decrypted packet in step D, the method further comprises:
E, the peer device sends a reply packet to the second firewall, the reply packet comprising the peer device address and the local device address;
F, the second firewall matches the received reply packet against the mapping table and obtains the first firewall address, the second firewall address and the IPsec security association corresponding to the peer device address and local device address in the reply packet;
G, the reply packet is encrypted using that IPsec security association; after encryption the reply packet comprises the first firewall address and the second firewall address, and the encrypted reply packet is sent to the first firewall;
H, after receiving the encrypted reply packet, the first firewall decrypts it using the IPsec security association and sends the decrypted reply packet to the local device.
When the received reply packet is matched against the mapping table in step F, the peer device address and the local device address in the reply packet are swapped before the match. Because it is a reply packet, its peer device address and local device address are reversed relative to the table entry, so they must be swapped and only then matched against the mapping table.
Embodiment 3
This embodiment describes the method for encryption and decryption using an IPsec security association in more detail with concrete IP addresses, as follows:
Pc1 ------------- first firewall ------------ second firewall ------------ Pc2
Client Pc1 sends a packet through the first firewall (Firewall, fw) and the second firewall to client Pc2.
The local device IP2 address of Pc1, 1.1.1.1, sends a packet to the peer device IP2 address of Pc2, 2.2.2.2.
The packet structure at this point is: (packet layout figure not reproduced; the packet carries src 1.1.1.1 / dst 2.2.2.2)
When the packet passes the first firewall it needs to be encrypted into an ESP packet using the IPsec SA; the IP1 address of the first firewall is 192.168.1.1 and the IP1 address of the second firewall is 192.168.1.2.
The packet structure after encryption by the first firewall is: (packet layout figure not reproduced; outer header src 192.168.1.1 / dst 192.168.1.2, ESP, inner src 1.1.1.1 / dst 2.2.2.2)
After receiving it, the second firewall looks up the IPsec SA according to the Security Parameter Index in the ESP header of the packet and the ESP security protocol type, decrypts with the IPsec SA found, and creates a mapping table after successful decryption. The mapping table is as follows:
1. IP address after encryption: IP1 (src 192.168.1.1 / dst 192.168.1.2)
2. IPsec security association: IPSecSA
3. IP address after decryption: IP2 (src 1.1.1.1 / dst 2.2.2.2)
After decryption the packet is forwarded to Pc2; the packet structure at this point is: (packet layout figure not reproduced; src 1.1.1.1 / dst 2.2.2.2)
Pc2 sends a reply packet after receiving the packet; the packet format is as follows: (packet layout figure not reproduced; src 2.2.2.2 / dst 1.1.1.1)
After receiving the reply packet, the second firewall matches it against the decrypted IP address in the mapping table, IP2 (src 1.1.1.1 / dst 2.2.2.2); for the match, src 1.1.1.1 and dst 2.2.2.2 must be swapped. Once matched, the reply packet is encrypted according to the IPsec security association in the table. The encrypted reply packet comprises the first firewall address and the second firewall address and is sent to the first firewall, which decrypts it and forwards the packet to Pc1.
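The following Python simulation is an added example of steps A through H and of the embodiment 3 flow above; it is not the applicant's code or any product's implementation. It models the two lookups the patent relies on: the second firewall's SA database keyed by (security protocol, SPI) for step C, and the mapping table keyed by the decrypted inner addresses, consulted with src/dst swapped for steps F and G. To make the reply-path choice visible it goes beyond the single-firewall diagram in the text: two local devices (1.1.1.1 as in the text, plus a constructed 3.3.3.3) sit behind two different first firewalls (192.168.1.1 from the text, plus a constructed 10.0.0.1), each with its own SA to the second firewall 192.168.1.2, so each reply must be encrypted under the right SA and addressed to the right first firewall. Everything else is an assumption of the example: the class and function names (Packet, IPsecSA, Firewall, esp_encapsulate, esp_decapsulate, run_scenario), the SPIs 0x1001 and 0x2002, the keys, and the cipher, which is an HMAC-SHA256 keystream plus a 128-bit HMAC ICV standing in for a real ESP AEAD such as AES-GCM; RFC 4301 SAs are unidirectional, whereas the patent and this example use one SA per tunnel in both directions. AH provides integrity only, so for an AH packet the "decryption" of step C amounts to verifying and stripping the header; the example models ESP only.

```python
"""Two-firewall IPsec flow (steps A-H of CN102891848B): SA lookup by (protocol, SPI),
then a mapping table learned from the decrypted packet and used, with src/dst swapped,
to pick the SA and outer addresses for the reply.  Added example; stand-in crypto."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP = 50  # IP protocol number of ESP (RFC 4303); (protocol, SPI) is the step C lookup key


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes


@dataclass
class IPsecSA:
    spi: int
    proto: int
    key: bytes       # constructed key; a real SA carries separate cipher and integrity keys
    seq: int = 0     # sender sequence number; the anti-replay window is omitted here


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from the SA key (stand-in KDF).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"auth", hashlib.sha256).digest())


def _keystream(enc_key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Counter-mode keystream from a PRF, bound to SPI and sequence number so it never repeats.
    blocks = [hmac.new(enc_key, struct.pack(">III", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def esp_encapsulate(sa: IPsecSA, inner: Packet) -> bytes:
    """Build SPI | seq | ciphertext | 128-bit ICV, the layout of an ESP packet (stand-in crypto)."""
    enc_key, auth_key = _subkeys(sa.key)
    sa.seq += 1
    plaintext = f"{inner.src}|{inner.dst}|{inner.proto}|".encode() + inner.payload
    ks = _keystream(enc_key, sa.spi, sa.seq, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    hdr = struct.pack(">II", sa.spi, sa.seq)
    icv = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    return hdr + ct + icv


def esp_decapsulate(sa: IPsecSA, esp: bytes) -> Packet:
    """Verify the ICV first, then decrypt; a bad ICV drops the packet before anything is learned."""
    enc_key, auth_key = _subkeys(sa.key)
    hdr, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("ESP integrity check failed; packet dropped")
    spi, seq = struct.unpack(">II", hdr)
    ks = _keystream(enc_key, spi, seq, len(ct))
    src, dst, proto, payload = bytes(c ^ k for c, k in zip(ct, ks)).split(b"|", 3)
    return Packet(src.decode(), dst.decode(), int(proto.decode()), payload)


class Firewall:
    def __init__(self, addr: str):
        self.addr = addr
        self.sad = {}      # (protocol, SPI) -> IPsecSA            : looked up in step C
        self.mapping = {}  # (inner src, inner dst) -> (outer src, outer dst, SA): built in step D

    def install_sa(self, sa: IPsecSA) -> None:
        self.sad[(sa.proto, sa.spi)] = sa

    def protect(self, sa: IPsecSA, inner: Packet, peer_fw: str) -> Packet:
        """Step B: encrypt the local device's packet and address it to the peer firewall."""
        return Packet(self.addr, peer_fw, sa.proto, esp_encapsulate(sa, inner))

    def unprotect(self, pkt: Packet, learn: bool) -> Packet:
        """Step C (and H): find the SA by (protocol, SPI), then decrypt.  Step D: only the peer-side
        firewall learns the mapping, and only after the ICV verified under that SA."""
        spi = struct.unpack(">I", pkt.payload[:4])[0]
        sa = self.sad.get((pkt.proto, spi))
        if sa is None:
            raise KeyError(f"no SA for protocol {pkt.proto} SPI {spi:#x}; packet dropped")
        inner = esp_decapsulate(sa, pkt.payload)
        if learn:
            self.mapping[(inner.src, inner.dst)] = (pkt.src, pkt.dst, sa)
        return inner

    def route_reply(self, reply: Packet) -> Packet:
        """Steps F-G: match the reply with src/dst swapped, encrypt under the SA found, and send it
        back to the outer source the request came from."""
        entry = self.mapping.get((reply.dst, reply.src))
        if entry is None:
            raise KeyError(f"no mapping for reply {reply.src}->{reply.dst}; packet dropped")
        outer_src, outer_dst, sa = entry
        return Packet(outer_dst, outer_src, sa.proto, esp_encapsulate(sa, reply))


def run_scenario() -> dict:
    """Two local devices behind two first firewalls talk to one peer device 2.2.2.2 (constructed
    topology).  Returns, per local device, the outer destination of its reply and the reply itself."""
    fw_a, fw_b, fw2 = Firewall("192.168.1.1"), Firewall("10.0.0.1"), Firewall("192.168.1.2")
    sa_a, sa_b = IPsecSA(0x1001, ESP, b"A" * 32), IPsecSA(0x2002, ESP, b"B" * 32)
    for fw1, sa in ((fw_a, sa_a), (fw_b, sa_b)):
        fw1.install_sa(sa)
        fw2.install_sa(sa)
    results = {}
    for local, fw1, sa in (("1.1.1.1", fw_a, sa_a), ("3.3.3.3", fw_b, sa_b)):
        request = Packet(local, "2.2.2.2", 6, b"GET /")                         # step A
        outer = fw1.protect(sa, request, fw2.addr)                               # step B
        at_peer = fw2.unprotect(outer, learn=True)                               # steps C, D
        reply = Packet(at_peer.dst, at_peer.src, 6, b"200 OK " + local.encode())  # step E
        outer_reply = fw2.route_reply(reply)                                     # steps F, G
        results[local] = (outer_reply.dst, fw1.unprotect(outer_reply, learn=False))  # step H
    return results


if __name__ == "__main__":
    for local, (outer_dst, reply) in run_scenario().items():
        print(f"reply for {local} sent to firewall {outer_dst}: {reply}")
```

The mapping entry is written only after esp_decapsulate has verified the ICV under the SA found by (protocol, SPI); an entry learned from an unauthenticated packet would let whoever can reach the outer interface decide where replies go. A reply with no table entry is dropped rather than sent over an arbitrary SA, and a packet whose SPI matches no SA is dropped before any cryptographic work.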
The above embodiments are only for illustrating the invention and do not limit it; those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the invention, so all equivalent technical solutions also belong to the scope of the invention, and the scope of patent protection of the invention shall be defined by the claims.

Claims (5)

1. A method for encryption and decryption using an IPsec security association, characterized in that at least one local device sends packets to a peer device, and the method comprises:
A, the local device sends a packet to the first firewall at the local end;
B, the first firewall receives the packet, encrypts it using the IPsec security association, and sends the encrypted packet to the second firewall at the peer end;
C, after receiving the encrypted packet, the second firewall looks up the IPsec security association according to the security protocol type and the Security Parameter Index of the encrypted packet, decrypts the encrypted packet with the security association found, and obtains the decrypted packet;
D, the second firewall creates a mapping table and sends the decrypted packet to the peer device;
the mapping table in step D comprises the correspondence between the local device address, the peer device address, the first firewall address, the second firewall address and the IPsec security association;
after the peer device receives the decrypted packet in step D, the method further comprises:
E, the peer device sends a reply packet to the second firewall, the reply packet comprising the peer device address and the local device address;
F, the second firewall matches the received reply packet against the mapping table and obtains the first firewall address, the second firewall address and the IPsec security association corresponding to the peer device address and local device address in the reply packet;
G, the reply packet is encrypted using that IPsec security association; after encryption the reply packet comprises the first firewall address and the second firewall address, and the encrypted reply packet is sent to the first firewall;
H, after receiving the encrypted reply packet, the first firewall decrypts it using the IPsec security association and sends the decrypted reply packet to the local device.
2. The method according to claim 1, characterized in that the packet in step A comprises the local device address and the peer device address.
3. The method according to claim 1, characterized in that the encrypted packet in step B comprises the first firewall address and the second firewall address.
4. The method according to claim 1, characterized in that the decrypted packet in step C comprises the local device address and the peer device address.
5. The method according to claim 1, characterized in that, when the received reply packet is matched against the mapping table in step F, the peer device address and the local device address in the reply packet are swapped before the match against the mapping table.
Priority and family

Application CN201210360662.0A, priority date 2012-09-25, filing date 2012-09-25, title: Method for encryption and decryption using an IPsec security association (Expired - Fee Related).
Publications: CN102891848A (2013-01-23), CN102891848B (2015-12-02).
Family ID: 47535215. Country status: CN, CN102891848B (en).

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title
CN103220273B * 2013-03-19 2016-01-06 汉柏科技有限公司 Method and system for fast packet forwarding by a CPU
CN103227742B * 2013-03-26 2015-09-16 汉柏科技有限公司 Method for fast packet processing in an IPsec tunnel
CN104168106A * 2013-05-20 2014-11-26 鸿富锦精密工业(深圳)有限公司 Data transmission system, data sending terminal and data receiving terminal
CN103516574A * 2013-09-26 2014-01-15 汉柏科技有限公司 Packet encryption method using virtual interfaces
CN107342964B * 2016-04-28 2019-05-07 华为技术有限公司 Packet parsing method and device
CN109639721B * 2019-01-08 2022-02-22 郑州云海信息技术有限公司 IPsec packet format processing method, device, equipment and storage medium
CN110430111B * 2019-06-26 2022-07-26 厦门网宿有限公司 OpenVPN data transmission method and VPN server
CN112600802B * 2020-12-04 2022-04-15 苏州盛科通信股份有限公司 SRv6 encrypted packet, and SRv6 packet encryption and decryption methods and devices

Citations (2)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title
CN1574839A * 2003-06-06 2005-02-02 微软公司 Multi-layered firewall architecture
CN102281180A * 2011-07-14 2011-12-14 冶金自动化研究设计院 Virtual network interface card (NIC) communication device for mutual communication of terminals in different local area networks

Family Cites Families (1)

Publication number, priority date, publication date, assignee, title
CN101471936B * 2007-12-29 2012-08-08 华为技术有限公司 Method, device and system for establishing an IP session



Legal Events

Code: Title (details)
C06, PB01: Publication
C10, SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14, GR01: Grant of patent or utility model (granted publication date 2015-12-02)
PP01: Preservation of patent right (effective date of registration 2018-08-23)
PD01: Discharge of preservation of patent (date of cancellation 2021-08-23)
CF01: Termination of patent right due to non-payment of annual fee (termination date 2018-09-25)