CN102984154B - The method and system of safe sending/receiving data in LAN - Google Patents


Info

Publication number
CN102984154B
Authority
CN
China
Prior art keywords
data
packet
information
lan
network port
Prior art date
Legal status
Expired - Fee Related
Application number
CN201210499899.7A
Other languages
Chinese (zh)
Other versions
CN102984154A (en)
Inventor
耿振民
安锡文
Current Assignee
WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Original Assignee
WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by WUXI CINSEC INFORMATION TECHNOLOGY Co Ltd
Priority to CN201210499899.7A
Publication of CN102984154A
Application granted
Publication of CN102984154B
Current legal status: Expired - Fee Related

Abstract

The invention provides a method and system for securely sending and receiving data within a LAN. When sending, the system obtains the packet at the network port and determines whether the packet is being transmitted within the LAN. If so, it loads the security authentication information of the target device into the data as a digital signature, re-encapsulates the signed data together with the key for verifying the signature into the packet, and sends it; if not, it does not process the packet. When receiving, the system obtains the packet at the network port and determines whether the data comes from a device within the LAN. If so, it verifies the key carried in the packet and, based on the result, decides whether to remove the digital signature from the data; if not, it receives the packet directly. The security of data transmitted within the LAN is thereby ensured.

Description

The method and system of safe sending/receiving data in LAN
Technical field
The present invention relates to security techniques for local area networks (LANs), and in particular to a method and system for securely sending and receiving data within a LAN.
Background technology
With the rapid spread of the Internet, LAN applications have become an indispensable part of enterprise development. But alongside the convenience the network brings, enterprises also face a variety of attacks and threats: leakage of secrets, loss of data, network abuse, identity spoofing, illegal intrusion, and so on. Some enterprises have deployed LAN security systems and formulated corresponding network security policies, but in practice, because users misconfigure operating system security policies and misunderstand the various technical options, security tools are not used correctly, and system vulnerabilities, unauthorized software, viruses, malicious-code intrusions and similar phenomena appear one after another, so that users' operating systems fail to reach the security level the classification standard requires.
Because data transmitted within a LAN is sent in plaintext, much malicious code exploits this weakness to corrupt the data in transit, and data security within the LAN cannot be guaranteed. Data transmitted within a LAN therefore needs to be secured so that it cannot be tampered with at will.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a method and system for securely sending and receiving data within a LAN, so as to solve the prior-art problem of data being transmitted in plaintext within the LAN.
To achieve this and other related objects, the invention provides a method for securely sending data, applied in a LAN that comprises at least a first device and a second device. The method comprises at least: 1) obtaining the packet to be sent at the network port of the first device, and determining from the destination address in the packet whether the packet is addressed to the second device in the LAN; if so, obtaining the device information of the second device and the data to be transmitted from the packet; if not, allowing the network port to send the packet; 2) obtaining, based on the device information, the corresponding security authentication information and the key for removing that security authentication information, and loading the obtained security authentication information into the data to be transmitted as a digital signature; 3) re-encapsulating the data carrying the security authentication information, together with the key, into the packet, and sending it through the network port.
Preferably, step 2) further comprises encrypting the data to be transmitted, and loading the security authentication information preset for the device information into the encrypted data as a digital signature.
Preferably, step 3) further comprises re-encapsulating the data carrying the security authentication information, the key, and identification information indicating that the data has been secured into the packet, and sending it.
Based on the above object, the invention also provides a method for securely receiving data, applied in a LAN that comprises at least a first device and a second device. The method comprises at least: 1) obtaining the received packet at the network port of the second device, and determining from the source address in the packet whether the packet comes from the first device in the LAN; if so, performing step 2); if not, treating the data as plaintext data; 2) verifying the key in the packet; if verification passes, removing the digital signature loaded in the data based on the key to obtain the plaintext data; if verification fails, treating the received packet as an unsafe packet.
Preferably, when verification passes, step 2) further comprises decrypting the data from which the signature has been removed according to a preset decryption algorithm, to obtain the plaintext data.
Preferably, step 1) further comprises analysing whether the packet also contains identification information indicating that the data has been secured; if it does, performing step 2); otherwise, if it does not, treating the received packet as an unsafe packet.
Based on the above object, the invention also provides a system for securely sending and receiving data, applied to an electronic device located in a LAN. The electronic device comprises a network port, and the system comprises at least a sending subsystem connected to the network port and a receiving subsystem connected to the network port. The sending subsystem comprises: a first judging module, for obtaining the packet to be sent from the network port and determining from the destination address in the packet whether the packet is addressed to another electronic device in the LAN; if so, obtaining the device information of that other electronic device and the data to be transmitted from the packet; if not, allowing the network port to send the packet; a first data security processing module, for obtaining, based on the device information obtained by the first judging module, the corresponding security authentication information and the key for removing it, and loading the obtained security authentication information into the data to be transmitted as a digital signature; and a sending module, for re-encapsulating the data carrying the security authentication information and the key output by the first data security processing module into the packet, and sending it through the network port.
The receiving subsystem comprises: a second judging module, for obtaining the received packet from the network port and determining from the source address in the packet whether the packet comes from another electronic device in the LAN; if so, passing the packet to a second security processing module; if not, treating the data as plaintext data; and the second security processing module, for verifying the key in the packet; if verification passes, removing the digital signature loaded in the data based on the key to obtain the plaintext data; if verification fails, treating the received packet as an unsafe packet.
Preferably, the first data security processing module also encrypts the data to be transmitted and loads the security authentication information preset for the device information into the encrypted data as a digital signature; and the second security processing module also decrypts the data from which the signature has been removed according to a preset decryption algorithm, to obtain the plaintext data.
Preferably, the sending module also re-encapsulates the data carrying the digital signature, the key, and identification information indicating that the data has been secured into the packet, and sends it.
Preferably, the second judging module also analyses whether the packet contains identification information indicating that the data has been secured; if so, the second security processing module is executed; otherwise, if the identification information is absent, the received packet is treated as an unsafe packet.
As described above, the method and system of the present invention for securely sending and receiving data within a LAN have the following beneficial effects: by analysing the packets sent and received at the network port, they determine whether a packet is transmitted within the LAN and, if so, digitally sign and even encrypt it, which ensures that data transmitted within the LAN cannot be intercepted and analysed at will; this is especially suitable for public places requiring a higher security level. In addition, verifying the obtained packet with the key effectively prevents an electronic device in the WLAN from maliciously processing an intercepted packet and forwarding it on. Further, encrypting the packet can additionally guarantee the security of data transmitted within the LAN.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the present invention for securely sending data.
Fig. 2 is a flow chart of the method of the present invention for securely receiving data.
Fig. 3 is a structural diagram of the system of the present invention for securely sending and receiving data.
Element numbers explanation
1 system
11 network port
12 sending subsystem
121 first judging module
122 first data security processing module
123 sending module
13 receiving subsystem
131 second judging module
132 second data security processing module
S1 to S4, S10 to S30 steps
Detailed description of the invention
Below, embodiments of the invention are described by way of specific examples; those skilled in the art can readily understand other advantages and effects of the invention from the content disclosed in this description. The invention may also be implemented or applied through other different specific embodiments, and the details in this description may be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the invention.
As shown in Fig. 1, the invention provides a method for securely sending data. The sending method is performed mainly by a sending subsystem and is applied in a LAN comprising at least a first device and a second device. The first device is any electronic device capable of network communication, including but not limited to a computer, a notebook computer, a mobile phone, etc. The LAN includes but is not limited to a WLAN and a wired LAN.
In step S1, the sending subsystem obtains the packet to be sent from the network port of the first device.
Specifically, the sending subsystem obtains from the configuration information of the first device all the network ports that perform network transmission, and monitors each network port; when a network port has a packet to send, the subsystem obtains the packet to be sent.
In step S2, the sending subsystem determines from the destination address in the packet whether the packet is addressed to the second device in the LAN; if so, it obtains the device information of the second device and the data to be transmitted from the packet; if not, it allows the network port to send the packet. The destination address comprises an IP address. The device information includes but is not limited to an IP address, a MAC address, etc. The second device is any electronic device located in the LAN that can communicate with the first device, including but not limited to a computer, a notebook computer, a mobile phone, etc.
Specifically, the sending subsystem parses the packet according to a preset communication protocol to obtain the destination address, and compares the destination address with the pre-stored addresses of all electronic devices in the LAN to determine whether the packet is to be sent to a second device inside the LAN; if so, it extracts the device information of the second device and the data from the packet and performs step S3; if not, it allows the corresponding network port to send the packet.
It should be noted, as those skilled in the art will appreciate, that steps S1 and S2 need not be performed in sequence; in fact, the sending subsystem can perform steps S1 and S2 concurrently using multiple processes.
In step S3, the sending subsystem obtains, based on the device information, the corresponding security authentication information and the key for removing that security authentication information, and loads the obtained security authentication information into the data to be transmitted as a digital signature. The security authentication information includes but is not limited to an authentication key, a username/password, etc.
The ways in which the sending subsystem obtains the security authentication information corresponding to the device information and the key for removing it include but are not limited to: 1) based on a preset correspondence between each item of device information and its security authentication information, the sending subsystem searches for the security authentication information and the key corresponding to the device information obtained in step S2; 2) based on a preset correspondence between each item of device information and the security authentication information of each device, the sending subsystem searches for the security authentication information corresponding to the device information obtained in step S2 and generates the corresponding key from the security authentication information found.
The sending subsystem then loads the digital signature into the data using a digital-signature loading technique.
For example, the sending subsystem loads the security authentication information into the data using the RSA algorithm.
In step S4, the sending subsystem re-encapsulates the data carrying the security authentication information, together with the key, into the packet, and sends it through the network port.
Specifically, after securing the obtained packet, the sending subsystem re-encapsulates the data carrying the security authentication information and the key according to the communication protocol, and then sends the result to the second device through the corresponding network port.
Preferably, the sending subsystem re-encapsulates the data carrying the security authentication information, the key, and identification information indicating that the data has been secured into the packet, and sends it. The identification information may be a flag bit or a character string.
As a preferred variant differing from the previous scheme, step 3) further comprises encrypting the data to be transmitted, and loading the security authentication information corresponding to the device information into the encrypted data as a digital signature.
The ways of encrypting the data to be transmitted include but are not limited to encryption with the MD5, RSA or DES algorithm.
It should be noted that the way the security authentication information is loaded into the encrypted data as a digital signature is the same as or similar to the way described above for loading it into the data to be transmitted, and is not described in detail here.
Corresponding to the method of securely sending data in a LAN, the invention also provides a method for securely receiving data. The receiving method is performed mainly by a receiving subsystem and is applied in a LAN comprising at least a first device and a second device, as shown in Fig. 2.
In step S10, the receiving subsystem obtains the received packet from the network port of the second device; the packet contains at least data.
Specifically, the receiving subsystem obtains from the configuration information of the second device all the network ports that perform network transmission, and monitors each network port; when a network port receives a packet, the subsystem obtains the received packet.
In step S20, the receiving subsystem determines from the source address in the packet whether the packet comes from the first device in the LAN; if so, it performs step S30; if not, it treats the data as plaintext data. The source address comprises an IP address. The first device is any electronic device located in the LAN that can communicate with the second device, including but not limited to a computer, a notebook computer, a mobile phone, etc.
Specifically, the receiving subsystem parses the packet according to a preset communication protocol to obtain the source address, and compares the source address with the pre-stored addresses of all electronic devices in the LAN to determine whether the packet comes from a first device inside the LAN; if so, it extracts from the packet the data carrying the digital signature and the key for removing the digital signature, and performs step S30; if not, it treats the data as plaintext data and allows the corresponding network port to hand the packet to the corresponding software for processing.
Preferably, step S20 further comprises analysing whether the packet also contains identification information indicating that the data has been secured; if it does, performing step S30; otherwise, if it does not, treating the received packet as an unsafe packet.
Specifically, the receiving subsystem obtains the identification information and the data from the received packet according to the preset encapsulation format for secure data transmission, and then compares the obtained identification information with the preset identification information; if the comparison succeeds, it performs step S30; if it fails, it concludes that the identification information is absent and treats the received packet as an unsafe packet.
It should be noted, as those skilled in the art will appreciate, that steps S10 and S20 need not be performed in sequence; in fact, the receiving subsystem can perform steps S10 and S20 concurrently using multiple processes.
In step S30, the receiving subsystem verifies the key in the packet; if verification passes, it removes the digital signature loaded in the data based on the key to obtain the plaintext data; if verification fails, it treats the received packet as an unsafe packet.
Specifically, the receiving subsystem pairs the key in the packet against a preset key to verify whether the key is correct; if verification passes, it uses the corresponding digital-signature removal algorithm and the key in the packet to remove the digital signature loaded in the data and obtain the plaintext data; if verification fails, it treats the received packet as an unsafe packet.
As a preferred variant, step S30 further comprises decrypting the data from which the signature has been removed according to a preset decryption algorithm, to obtain the plaintext data. The preset decryption algorithm corresponds to the encryption algorithm used in the sending subsystem described above. For example, if the sending subsystem uses the MD5 algorithm to encrypt the data to be sent, the receiving subsystem uses the MD5 algorithm to decrypt the received data to obtain the plaintext data.
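The sending steps S1 to S4 and the receiving steps S10 to S30 above, carried through as one runnable model. This is an added example, not code from the patent or from WUXI CINSEC: the patent does not fix a packet format, a signature primitive or a representation of the "key", so the example assumes a packet is a dict with `src`, `dst` and `payload` fields, uses HMAC-SHA256 under the target device's security authentication information as the digital signature in place of the RSA the patent names, carries a SHA-256 fingerprint of that information as the `key` field that the receiver pairs against its own preset copy, and uses the constant `SEC1` as the identification information. The LAN address table and the sample packets are constructed. The encryption variant (MD5, RSA or DES) is not modelled; MD5 is a one-way hash with no decryption step, so a reversible cipher would be needed to implement that variant.

```python
import hashlib
import hmac
import json

# Identification information marking a secured packet (assumed value; the
# patent only says it may be a flag bit or a character string).
SEC_FLAG = "SEC1"

# Constructed table: address of each LAN device -> its preset security
# authentication information (a shared secret here). The sender indexes it by
# destination address; each receiver holds its own entry as its "preset key".
LAN_DEVICES = {
    "192.168.1.10": b"preset-auth-key-device-10",  # first device
    "192.168.1.20": b"preset-auth-key-device-20",  # second device
}


def key_fingerprint(secret):
    """The 'key' field carried on the wire. Assumption: a SHA-256 fingerprint
    of the shared secret, so the secret itself never leaves the device."""
    return hashlib.sha256(secret).hexdigest()


def digital_signature(secret, data):
    """The 'digital signature': HMAC-SHA256 of the data under the device's
    security authentication information (stand-in for the RSA named in the patent)."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def send_process(packet, lan_devices=LAN_DEVICES):
    """Steps S1-S4 on the sending side. Returns the packet the port should emit."""
    dst = packet["dst"]
    # S2: destination not in the LAN table -> let the port send it unchanged.
    if dst not in lan_devices:
        return dict(packet)
    # S3: look up the target device's security authentication information and
    # load the signature onto the data to be transmitted.
    secret = lan_devices[dst]
    data = packet["payload"]
    body = {
        "flag": SEC_FLAG,
        "data": data.hex(),
        "sig": digital_signature(secret, data),
        "key": key_fingerprint(secret),
    }
    # S4: re-encapsulate data + signature + key + identification information.
    return {"src": packet["src"], "dst": dst, "payload": json.dumps(body).encode()}


def receive_process(packet, own_secret, lan_devices=LAN_DEVICES):
    """Steps S10-S30 on the receiving side. Returns (status, data): 'plaintext'
    (not from the LAN, handed to software as-is), 'verified' (signature removed,
    plaintext data returned) or 'unsafe' (flag missing or key/signature check
    failed; data is None)."""
    # S20: source not in the LAN table -> plaintext data, no checks.
    if packet["src"] not in lan_devices:
        return ("plaintext", packet["payload"])
    # S20 (preferred variant): the secured encapsulation and its flag must be present.
    try:
        body = json.loads(packet["payload"])
        flag, sig, key = body["flag"], body["sig"], body["key"]
        data = bytes.fromhex(body["data"])
    except (ValueError, KeyError, TypeError):
        return ("unsafe", None)
    if not all(isinstance(x, str) for x in (flag, sig, key)) or flag != SEC_FLAG:
        return ("unsafe", None)
    # S30: pair the carried key against the preset key, then check the signature.
    # compare_digest keeps the comparison constant-time regardless of where it differs.
    if not hmac.compare_digest(key.encode(), key_fingerprint(own_secret).encode()):
        return ("unsafe", None)
    if not hmac.compare_digest(sig.encode(), digital_signature(own_secret, data).encode()):
        return ("unsafe", None)
    return ("verified", data)


def tamper(wire_packet, new_data):
    """Constructed on-path modification: replaces the signed data while keeping
    the original flag, key and signature, to show the receiver's reaction."""
    body = json.loads(wire_packet["payload"])
    body["data"] = new_data.hex()
    return dict(wire_packet, payload=json.dumps(body).encode())


if __name__ == "__main__":
    own = LAN_DEVICES["192.168.1.20"]  # the receiving (second) device's preset key
    pkt = {"src": "192.168.1.10", "dst": "192.168.1.20", "payload": b"report v3"}
    wire = send_process(pkt)
    print(receive_process(wire, own))                         # ('verified', b'report v3')
    print(receive_process(tamper(wire, b"report v4"), own))   # ('unsafe', None)
    ext = {"src": "203.0.113.5", "dst": "192.168.1.20", "payload": b"hello"}
    print(receive_process(ext, own))                          # ('plaintext', b'hello')
```

Running the file shows the three outcomes the method distinguishes: a LAN-sourced packet whose flag is missing, whose key does not pair with the receiver's preset key, or whose data no longer matches the signature is reported as unsafe (the failure branches of S20 and S30), while traffic whose source is outside the address table passes through as plaintext, exactly as step S20 specifies.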
As shown in Fig. 3, the invention also provides a system for securely sending and receiving data, applied to an electronic device located in a LAN. The electronic device comprises a network port 11. The system 1 comprises a sending subsystem 12 connected to the network port 11 and a receiving subsystem 13 connected to the network port 11.
The sending subsystem 12 comprises a first judging module 121, a first data security processing module 122 and a sending module 123.
The first judging module 121 obtains the packet to be sent from the network port 11 and determines from the destination address in the packet whether the packet is addressed to another electronic device in the LAN; if so, it extracts the device information of that other electronic device and the data to be transmitted from the packet; if not, it allows the network port 11 to send the packet. The other electronic device is any device located in the LAN that can communicate with the system 1, including but not limited to a mobile phone, a computer, a notebook computer, etc. The destination address comprises an IP address. The device information includes but is not limited to an IP address, a MAC address, etc.
The first judging module 121 obtains from the configuration information of the system 1 all the network ports 11 that perform network transmission, and monitors each network port 11; when a network port 11 has a packet to send, it obtains the packet to be sent.
The first judging module 121 then parses the packet according to a preset communication protocol to obtain the destination address, and compares the destination address with the pre-stored addresses of all other electronic devices in the LAN to determine whether the packet is to be sent to some other electronic device inside the LAN; if so, it extracts the device information and the data of that other electronic device from the packet; if not, it allows the corresponding network port 11 to send the packet.
The first data security processing module 122 obtains, based on the device information obtained from the first judging module 121, the corresponding security authentication information and the key for removing it, and loads the obtained security authentication information into the data to be transmitted as a digital signature. The security authentication information includes but is not limited to an authentication key, a username/password, etc.
The ways in which the first data security processing module 122 obtains the security authentication information and the key corresponding to the device information include but are not limited to: 1) based on a preset correspondence between each item of device information and its security authentication information, the module 122 searches for the security authentication information corresponding to the device information obtained by the first judging module 121 and the key for removing it; 2) based on a preset correspondence between each item of device information and the security authentication information of each device, the module 122 searches for the security authentication information corresponding to the device information obtained by the first judging module 121 and generates the corresponding key from the security authentication information found.
The first data security processing module 122 then loads the security authentication information into the data using a digital-signature loading technique.
For example, the first data security processing module 122 loads the security authentication information into the data using the RSA algorithm.
The sending module 123 re-encapsulates the data carrying the security authentication information and the key output by the data security processing module into the packet, and sends it through the network port 11.
Specifically, after securing the obtained packet, the sending module 123 re-encapsulates the data carrying the security authentication information and the key according to the communication protocol, and then sends the result to the second device through the corresponding network port 11.
Preferably, the sending module 123 re-encapsulates the data carrying the security authentication information, the key, and identification information indicating that the data has been secured into the packet, and sends it. The identification information may be a flag bit or a character string.
Described receiving subsystem 13 comprises: the second judge module 131 and the second safe handling module.
Described the second judge module 131 is for obtaining received packet from the described network port 11; And based on instituteThe source address of stating in packet determines that whether described packet is from other electronic equipments in described LAN, if so,Described packet is transported to described the second safe handling module, if not, confirm that described data are data expressly.
Wherein, described the second judge module 131 is obtained and is carried out all of Internet Transmission from the configuration information of described system 1The network port 11, and monitor each network port 11, in the time that the network port 11 receives packet, obtain received packet.Wherein, described source address comprises IP address.
Particularly, the communication protocol of described the second judge module 131 based on default, analyzes described packet, to obtainSource address, and compared in the address of the every other electronic equipment in the described LAN of described source address and pre-stored,To determine whether described packet comes from some other electronic equipments that send to described LAN inside, if so, fromIn described packet, take out and be loaded with the data of digital signature and for removing the key of described digital signature, and described in transporting toThe second safe handling module; If not, confirm that described data are data expressly, and allow described in the corresponding network port 11 generalsPacket offers corresponding software and processes.
Preferably, whether described the second judge module 131 is analyzed in described packet and is also comprised for indicating described dataCarry out the identification information of safe handling, if comprise described identification information, described packet has been transferred to described the second safe placeReason module, otherwise, if do not comprise described identification information, confirm that the packet receiving is unsafe packet.
Particularly, described the second judge module 131 is according to the packaged type of default safety data transmission, from obtainedIn packet, obtain described identification information and described data; Again obtained described identification information and default identification information are enteredRow comparison, if compare successfully, transports to described data described the second safe handling module, if compare unsuccessfully, i.e. confirmation is notComprise described identification information, confirm that the packet receiving is unsafe packet.
Described the second safe handling module for the key of described packet is verified, is verified, based onDescribed key is removed the digital signature loading in described data, to obtain data expressly; Checking is not passed through, and confirms that institute receivesPacket be unsafe packet.
Particularly, the default key of described the second safe handling module utilization is joined the key in described packetTo process, whether correct to verify described key, if be verified, utilize corresponding digital signature releasing algorithm and described inKey in packet is removed the digital signature loading in described data, to obtain data expressly, does not pass through if verify, trueRecognizing received packet is unsafe packet.
As a preferred embodiment, the first data security processing module 122 also encrypts the data to be transmitted, and loads the preset digital signature corresponding to the device information into the encrypted data.
The data to be transmitted may be encrypted with, among others, the MD5, RSA or DES algorithm. Note that MD5 is a message digest, not a cipher: a digest cannot be inverted to recover the data, so of the algorithms named only RSA and DES can actually serve the decryption step described below, and DES's 56-bit key is no longer considered adequate.
The digital signature is loaded into the encrypted data in the same or a similar manner as the digital signature is loaded into the data to be transmitted described earlier, so this is not repeated here.
Correspondingly, the second data security processing module 132 also decrypts the data from which the signature has been removed according to a preset decryption algorithm, so as to obtain the plaintext data, the preset decryption algorithm being the counterpart of the encryption algorithm used in the transmission subsystem 12. The original illustrates this with MD5 on both sides: the transmission subsystem 12 "encrypts" the outgoing data with MD5 and the receiving subsystem 13 "decrypts" the received data with MD5 to obtain the plaintext. Because MD5 is a one-way digest rather than a cipher, that pairing cannot return the plaintext; the paired algorithms must be a reversible cipher and its inverse, for example DES encryption on the sender and DES decryption on the receiver (or, in current practice, AES).
The system 1 sends a packet as follows:
The first judging module 121 monitors each network port 11 of the system 1 in real time, obtains each packet sent by the system 1, and determines from the destination address in the packet whether the packet is to be sent to another electronic device in the LAN. If so, the packet is handed to the first data security processing module 122, which encrypts the data in the packet, obtains from the device information in the packet the corresponding security authentication information and the key for removing that security authentication information, and loads the security authentication information as a digital signature into the encrypted data. The sending module 123 then re-encapsulates into the packet the data carrying the security authentication information, the key, and the identification information indicating that the data has undergone security processing, and sends the packet.
The system 1 receives a packet as follows:
The second judging module 131 monitors each network port 11 of the system 1 in real time, obtains each packet received by the network port 11, and determines from the source address in the packet whether the packet comes from another electronic device in the LAN. If so, it further checks whether the identification information in the packet is correct; if correct, the packet is handed to the second data security processing module 132, and if incorrect, the packet is deemed unsafe. The second data security processing module 132 then verifies the key in the packet; if verification succeeds, it removes the digital signature from the data in the packet and decrypts the data from which the signature has been removed to obtain the plaintext, and if verification fails, the packet is deemed unsafe.
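The send and receive procedures just described, as an added worked example in Python (not code from the patent): a stdlib-only model of the frame the sending module builds and of the checks the second judging module and second data security processing module apply. Everything concrete in it is an assumption: the sample addresses, device information and secrets are constructed; the "security authentication information" loaded as a digital signature is modelled as an HMAC-SHA256 tag under a per-device secret; the "encryption" is a toy HMAC-based XOR keystream standing in for the DES/RSA the description names (AES-GCM would be the production choice); and the frame layout (flag, key, nonce, tag, ciphertext) is invented here. Note how the scheme carries the key inside the packet and checks it against a preset value: that check alone only shows the sender knows a value every other device in the LAN also sends in the clear, so resistance to a device forwarding a maliciously altered packet rests on the authentication tag, which is why the example verifies the tag before decrypting.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data standing in for the pre-stored tables the text describes.
LAN_ADDRESSES = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}   # other devices in the LAN
DEVICE_SECRETS = {                                          # device information -> per-device secret
    "dev-0012": b"constructed-secret-for-device-0012",
    "dev-0013": b"constructed-secret-for-device-0013",
}
PRESET_KEY = b"lan-key-v1"   # the "default key" the receiver compares the in-packet key against
FLAG = b"SEC1"               # identification information: "this data had security processing"
NONCE_LEN, TAG_LEN = 12, 32


@dataclass
class Packet:
    src: str           # source address
    dst: str           # destination address
    device_info: str   # device information of the target device
    payload: bytes


def _xor_cipher(secret: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy reversible cipher (HMAC-SHA256 counter-mode keystream XORed with the data).
    Stands in for the DES/RSA named in the text; a real implementation would use AES-GCM."""
    stream = b"".join(
        hmac.new(secret, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def _auth_tag(secret: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """The 'security authentication information' loaded into the data as a signature:
    here an HMAC-SHA256 over nonce||ciphertext under the target device's secret."""
    return hmac.new(secret, nonce + ciphertext, hashlib.sha256).digest()


def send(pkt: Packet) -> Packet:
    """First judging module 121, first security processing module 122 and sending module 123."""
    if pkt.dst not in LAN_ADDRESSES:
        return pkt   # not destined for the LAN: the network port sends it unchanged
    secret = DEVICE_SECRETS[pkt.device_info]
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor_cipher(secret, nonce, pkt.payload)       # encrypt the data ...
    tag = _auth_tag(secret, nonce, ciphertext)                    # ... then load the signature
    # Re-encapsulate: flag | key length | key | nonce | tag | ciphertext.
    frame = FLAG + struct.pack(">H", len(PRESET_KEY)) + PRESET_KEY + nonce + tag + ciphertext
    return Packet(pkt.src, pkt.dst, pkt.device_info, frame)


def receive(pkt: Packet, own_device_info: str) -> Tuple[str, Optional[bytes]]:
    """Second judging module 131 and second security processing module 132.
    Returns ("plaintext", data) for traffic from outside the LAN, ("secure", data)
    when the frame verifies, and ("unsafe", None) for every other in-LAN packet."""
    if pkt.src not in LAN_ADDRESSES:
        return "plaintext", pkt.payload
    if not pkt.payload.startswith(FLAG) or len(pkt.payload) < len(FLAG) + 2:
        return "unsafe", None                            # identification information missing
    buf = pkt.payload[len(FLAG):]
    (klen,) = struct.unpack(">H", buf[:2])
    key, rest = buf[2:2 + klen], buf[2 + klen:]
    if not hmac.compare_digest(key, PRESET_KEY) or len(rest) < NONCE_LEN + TAG_LEN:
        return "unsafe", None                            # key verification failed
    nonce, tag, ciphertext = rest[:NONCE_LEN], rest[NONCE_LEN:NONCE_LEN + TAG_LEN], rest[NONCE_LEN + TAG_LEN:]
    secret = DEVICE_SECRETS[own_device_info]
    if not hmac.compare_digest(tag, _auth_tag(secret, nonce, ciphertext)):
        return "unsafe", None                            # forged, or altered before forwarding
    return "secure", _xor_cipher(secret, nonce, ciphertext)   # remove signature, then decrypt


def demo() -> dict:
    """Normal path plus the failure modes the description enumerates."""
    msg = b"quarterly report - internal only"
    sent = send(Packet("10.0.0.11", "10.0.0.12", "dev-0012", msg))
    out = {"roundtrip": receive(sent, "dev-0012")}
    # Packet from outside the LAN: accepted as plaintext without further checks.
    out["external"] = receive(Packet("198.51.100.7", "10.0.0.12", "dev-0012", msg), "dev-0012")
    # In-LAN packet lacking the identification information.
    out["no_flag"] = receive(Packet("10.0.0.11", "10.0.0.12", "dev-0012", msg), "dev-0012")
    # Captured frame re-sent with a different key field.
    bad_key = sent.payload.replace(PRESET_KEY, b"lan-key-v0", 1)
    out["wrong_key"] = receive(Packet(sent.src, sent.dst, sent.device_info, bad_key), "dev-0012")
    # Captured frame with one ciphertext byte flipped before forwarding.
    flipped = bytearray(sent.payload)
    flipped[-1] ^= 0x01
    out["tampered"] = receive(Packet(sent.src, sent.dst, sent.device_info, bytes(flipped)), "dev-0012")
    return out
```

demo() walks the normal round trip, the pass-through of a packet from outside the LAN, and the three cases the description deems unsafe: an in-LAN packet without the identification information, one whose key field does not match the preset key, and one altered in transit. The tag is checked before any decryption so that a forwarded, modified frame is rejected without ever being processed as data.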
In summary, the method and system for securely sending and receiving data in a LAN according to the present invention analyze the packets sent and received at the network port to determine whether a packet is transmitted within the LAN and, if so, digitally sign and optionally encrypt the packet, so that data transmitted in the LAN cannot be intercepted and analyzed at will; this is particularly suitable for public places with higher security requirements. In addition, verifying the key of a received packet is intended to prevent an electronic device in the WLAN from forwarding an intercepted packet after maliciously processing it, and encrypting the packet further protects the data transmitted in the LAN. The present invention thus effectively overcomes various shortcomings of the prior art and has high industrial applicability.
The above embodiments merely illustrate the principle and effects of the present invention and are not intended to limit it. Anyone familiar with this technology may modify or change the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or changes made by those of ordinary skill in the art without departing from the spirit and technical ideas disclosed herein shall be covered by the claims of the present invention.

Claims (3)

1. A method for securely sending data, applied in a LAN comprising at least a first device and a second device, characterized in that it comprises at least:
1) obtaining a packet to be sent from the network port of the first device, and determining from the destination address in the packet whether the packet is to be sent to the second device in the LAN; if so, obtaining from the packet the device information of the second device and the data to be transmitted; if not, allowing the network port to send the packet;
2) obtaining, based on the device information, the corresponding security authentication information and the key for removing the security authentication information, and loading the obtained security authentication information as a digital signature into the data to be transmitted;
3) re-encapsulating the data carrying the security authentication information and the key into the packet, and sending the packet through the network port;
wherein step 3) further comprises: re-encapsulating into the packet the data carrying the security authentication information, the key, and identification information indicating that the data has undergone security processing, and sending the packet;
and step 2) further comprises: encrypting the data to be transmitted, and loading the preset security authentication information corresponding to the device information as a digital signature into the encrypted data.
2. A method for securely receiving data, applied in a LAN comprising at least a first device and a second device, characterized in that it comprises at least:
1) obtaining a received packet from the network port of the second device, and determining from the source address in the packet whether the packet comes from the first device in the LAN; if so, performing step 2); if not, confirming that the data is plaintext data;
2) verifying the key in the packet; if verification succeeds, removing the digital signature loaded in the data based on the key to obtain plaintext data; if verification fails, confirming that the received packet is unsafe;
wherein step 1) further comprises: analyzing whether the packet also contains identification information indicating that the data has undergone security processing; if it does, performing step 2); if it does not, confirming that the received packet is unsafe;
and, when verification succeeds, step 2) further comprises: decrypting the data from which the signature has been removed according to a preset decryption algorithm to obtain plaintext data.
3. A system for securely sending and receiving data, applied to an electronic device located in a LAN, the electronic device comprising a network port, characterized in that the system comprises at least:
a transmission subsystem connected to the network port, and a receiving subsystem connected to the network port;
wherein the transmission subsystem comprises:
a first judging module for obtaining a packet to be sent from the network port and determining from the destination address in the packet whether the packet is to be sent to another electronic device in the LAN; if so, obtaining from the packet the device information of that other electronic device and the data to be transmitted; if not, allowing the network port to send the packet;
a first data security processing module for obtaining, based on the device information obtained by the first judging module, the corresponding security authentication information and the key for removing the security authentication information, and loading the obtained security authentication information as a digital signature into the data to be transmitted;
a sending module for re-encapsulating into the packet the data carrying the security authentication information and the key output by the data security processing module, and sending the packet through the network port;
and the receiving subsystem comprises:
a second judging module for obtaining a received packet from the network port and determining from the source address in the packet whether the packet comes from another electronic device in the LAN; if so, passing the packet to a second security processing module; if not, confirming that the data is plaintext data;
the second security processing module, for verifying the key in the packet; if verification succeeds, removing the digital signature loaded in the data based on the key to obtain plaintext data; if verification fails, confirming that the received packet is unsafe;
wherein the sending module is further for re-encapsulating into the packet the data carrying the digital signature, the key, and identification information indicating that the data has undergone security processing, and sending the packet;
the second judging module is further for analyzing whether the packet also contains identification information indicating that the data has undergone security processing; if it does, invoking the second security processing module; if it does not, confirming that the received packet is unsafe;
the first data security processing module is further for encrypting the data to be transmitted, and loading the preset security authentication information corresponding to the device information as a digital signature into the encrypted data;
and the second security processing module is further for decrypting the data from which the signature has been removed according to a preset decryption algorithm to obtain plaintext data.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201210499899.7A (CN102984154B) | 2012-11-29 | 2012-11-29 | The method and system of safe sending/receiving data in LAN

Publications (2)

Publication Number | Publication Date
CN102984154A (en) | 2013-03-20
CN102984154B (en), granted | 2016-05-18

Family

ID=47857898

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201210499899.7A (CN102984154B) | The method and system of safe sending/receiving data in LAN | 2012-11-29 | 2012-11-29 | Expired - Fee Related

Country Status (1)

Country | Link
CN (1) | CN102984154B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103220279A (en) * | 2013-04-02 | 2013-07-24 | 工业和信息化部电子第五研究所 (Fifth Electronics Research Institute of the Ministry of Industry and Information Technology) | Secure data transmission method and system
JP6436425B2 (en) * | 2015-05-08 | 2018-12-12 | パナソニックIPマネジメント株式会社 (Panasonic IP Management Co., Ltd.) | Authentication method, authentication system, and controller

Citations (3)

Publication number | Priority date | Publication date | Assignee | Title
CN101290642A (en) * | 2007-04-16 | 2008-10-22 | 瞬联软件科技(北京)有限公司 | Electronic file transmission control method and system based on area restriction
CN100571125C (en) * | 2005-12-30 | 2009-12-16 | 上海贝尔阿尔卡特股份有限公司 (Alcatel Shanghai Bell Co., Ltd.) | Method and device for secure communication between user equipment and an internal network
CN102685119A (en) * | 2012-04-28 | 2012-09-19 | 上海杰之能信息科技有限公司 | Data transmitting/receiving method, data transmitting/receiving device, transmission method, transmission system and server


Non-Patent Citations (1)

Title
李如忠 (Li Ruzhong), "数据加密和数字签名技术在局域网中的应用" (Application of data encryption and digital signature technology in local area networks), 《计算机应用研究》 (Application Research of Computers), 2004-05-31; see sections 1, 2, 3, 4 and 6. *


Similar Documents

Publication | Title
EP3529965B1 (en) System and method for configuring a wireless device for wireless network access
US9686294B2 (en) Protection of communication on a vehicular network via a remote security service
US11432150B2 (en) Method and apparatus for authenticating network access of terminal
US8850211B2 (en) Method and apparatus for improving code and data signing
WO2018127081A1 (en) Method and system for obtaining encryption key
CN109309685B (en) Information transmission method and device
CN105227537A (en) Method for authenticating user identity, terminal and service end
CN105450406A (en) Data processing method and device
CN111131300B (en) Communication method, terminal and server
CN106919811A (en) File test method and device
CN106131021B (en) Request authentication method and system
CN106576047B (en) Make Password Operations from the method and apparatus of malicious modification
CN106850207A (en) Identity identifying method and system without CA
CN110113351A (en) The means of defence and device, storage medium, computer equipment of CC attack
CN104994115B (en) A kind of login authentication method and system
Li et al. Passwords in the air: Harvesting wi-fi credentials from smartcfg provisioning
CN104796262B (en) Data ciphering method and terminal system
CN102984154B (en) The method and system of safe sending/receiving data in LAN
WO2015156622A2 (en) Authentication apparatus and method
CN107040508B (en) Device and method for adapting authorization information of terminal device
CN111898101A (en) Application security equipment verification method and device
WO2017040124A1 (en) System and method for detection of cloned devices
CN107528810A (en) A kind of method and device for logging in Cloud Server
KR20060044049A (en) Security router system and method for authentication of the user who connects the system
JP2003069581A (en) Unjust packet prevention method and preventing apparatus of radio multi-hop network

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 2016-05-18

Termination date: 2019-11-29