CN103220279A - Safe data transmission method and system - Google Patents


Info

Publication number
CN103220279A
Authority
CN
China
Prior art keywords
data
unit
packet
advance
transmission
Legal status: Pending
Application number
CN2013101132018A
Other languages
Chinese (zh)
Inventor
钟晶
王颍凯
孔德智
Current Assignee: Fifth Electronics Research Institute of Ministry of Industry and Information Technology
Original Assignee: Fifth Electronics Research Institute of Ministry of Industry and Information Technology
Application filed by Fifth Electronics Research Institute of Ministry of Industry and Information Technology
Priority to CN2013101132018A
Publication of CN103220279A
Current legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a secure data transmission method. The method comprises the steps of selecting a suitable operation processing method to securely process network data and, after data is received, extracting the packet according to the pre-selected operation processing method to obtain the required data. The invention further provides a secure data transmission system based on the method. The method and system filter sent and received packets through a self-defined security policy, so that unnecessary packets are effectively blocked; moreover, packets are preprocessed for secure transmission while data is being transmitted, so that the security of packet transmission is guaranteed in transit and the security coefficient of data transmission is effectively increased.

Description

Method and system for secure data transmission
Technical field
The present invention relates to the field of communication network transmission, and in particular to a method and system for secure data transmission.
Background technology
In recent years, network data security has received more and more attention, particularly with the rise of the Internet of Things, which ties people's lives ever more closely to networks. The core and foundation of the Internet of Things remains the Internet: it is a network extended and expanded on the basis of the Internet, whose user side reaches between any objects so that they can exchange information and communicate.
Generally speaking, packets transmitted on the Internet without encryption or signing are easily eavesdropped on, tampered with, forged or repudiated by the sender, so information is easily leaked during packet transmission, causing unnecessary loss. Even when particular packets are encrypted, a system still exchanges many redundant packets during data exchange, which burdens the exchange.
Summary of the invention
Accordingly, there is a need for a method and system for secure data transmission that complete data transfer efficiently and transmit more securely, addressing the problems that data transfer easily exchanges unnecessary packets and that its security coefficient is low.
A method for secure data transmission comprises the steps of:
filtering the packets to be transmitted according to pre-set security policy information;
performing secure-transmission preprocessing on the filtered packets according to a pre-selected operation processing method, and sending them to the network;
receiving packets from the network and filtering them according to the pre-set security policy information to obtain secure packets;
extracting the required packets from the secure packets according to the pre-selected operation processing method.
A secure data transmission system comprises at least two communication devices, each comprising a core layer unit, a service layer unit and an application layer unit, the core layer units of the communication devices being connected through a network;
the core layer unit filters packets according to the pre-set security policy information when packets are sent or received;
the service layer unit performs secure-transmission preprocessing on the sender's filtered packets according to the pre-selected operation processing method when the core layer unit sends packets, and extracts the required packets according to that method when the core layer unit receives packets;
the application layer unit pre-sets the security policy information and selects the operation processing method.
In the above method and system, the application layer unit pre-sets the security policy information and selects the operation processing method. When application software needs to transmit data, the core layer unit receives the packets the software needs to transmit and filters them according to the pre-set security policy information; the service layer unit then performs secure-transmission preprocessing on them according to the pre-selected operation processing method to obtain secure packets, which are sent to the network. The core layer unit of another communication device receives the packets from the network, filters them according to the pre-set security policy information and obtains the secure packets; its service layer unit then extracts the required packets according to the pre-selected operation processing method, yielding the packets finally needed. The method and system filter sent and received packets through a self-defined security policy, so that unnecessary packets are effectively blocked, and they preprocess packets for secure transmission while data is being transmitted, so that packet security is guaranteed in transit and the security coefficient of data transmission is effectively increased.
Description of drawings
Fig. 1 is a flow diagram of the secure data transmission method in one embodiment;
Fig. 2 is a flow diagram of the secure data transmission method in another embodiment;
Fig. 3 is a flow diagram of the secure data transmission method in another specific embodiment;
Fig. 4 is a structural connection diagram of the secure data transmission system in one embodiment;
Fig. 5 is a structural connection diagram of the service layer unit of the secure data transmission system in one embodiment.
Embodiment
As shown in Fig. 1, a method for secure data transmission comprises the steps of:
Step S110: filtering the packets to be transmitted according to pre-set security policy information. In this embodiment, a security policy is the set of rules governing all security-related activities in the exchange of communication data. These rules are established by a security authority set up within the security domain, and are described, enforced or realized by security control mechanisms. Filtering packets according to the pre-set security policy information screens out the packets that do not comply with the communication security policy, which reduces the transmission volume while also ensuring data security during communication.
Step S120: performing secure-transmission preprocessing on the filtered packets according to a pre-selected operation processing method, and sending them to the network. In this embodiment, a suitable operation processing method is chosen in advance through configuration; the secure-transmission preprocessing applies a series of security operations to the packets, such as numbering, encryption and signing, to guarantee their security.
Step S130: receiving packets from the network and filtering them according to the pre-set security policy information to obtain secure packets. In this embodiment, the securely processed packets are received and screened again against the pre-set security policy information: packets consistent with the policy are kept and packets that do not comply are screened out, so that every received packet is guaranteed to match the policy. The system can restrict the source and destination of received data by IP address, port and protocol.
Step S140: extracting the required packets from the secure packets according to the pre-selected operation processing method. In this embodiment, the secure packets have undergone a series of security preprocessing such as signing and encryption, and each carries a unique sequence number; before the application software receives the transmitted data, the corresponding verification, decryption and other processing is applied to the secure packets according to the pre-selected operation processing method, effectively guaranteeing the security of data transmission over the communication network.
In the above method, the security policy information is pre-set and the operation processing method pre-selected. When application software needs to transmit data, the packets it needs to transmit are received, filtered according to the pre-set security policy information, and preprocessed for secure transmission according to the pre-selected operation processing method to obtain secure packets, which are then sent to the network. The peer receives the packets from the network, filters them according to the pre-set security policy information to obtain the secure packets, and then extracts the required packets from them according to the pre-selected operation processing method, yielding the packets finally needed. The method filters sent and received packets through a self-defined security policy, so that unnecessary packets are effectively blocked, and it preprocesses packets for secure transmission while data is being transmitted, so that packet security is guaranteed in transit and the security coefficient of data transmission is effectively increased.
In one embodiment, step S120 specifically comprises the steps of:
determining whether a packet to be transmitted is a broadcast packet;
if it is a broadcast packet, signing it to generate a secure packet, and sending it to the network;
if it is not a broadcast packet, applying mark security processing to it to generate a secure packet, and sending it to the network.
Broadcast messages place a very heavy burden on a network, because they require every host on the network to serve them, so the ability to send broadcast packets is restricted to sockets explicitly marked as allowed to broadcast. In this embodiment, considering the load on terminals, broadcast packets are simply signed: signing information showing the true identity of the sender need only be appended at the tail of each packet, and the recipient verifies the sender's identity. Non-broadcast packets receive further mark security processing, namely preprocessing such as sequence number generation and packet encryption according to the pre-selected operation processing method.
In one embodiment, step S140 specifically comprises the steps of:
determining whether a secure packet is a broadcast packet;
if it is a broadcast packet, performing authentication processing on it;
if it is not a broadcast packet, performing verification-and-extraction processing on it to extract the required packet.
In this embodiment, when packets are received, broadcast packets are authenticated directly, while non-broadcast packets undergo verification-and-extraction processing, in which a series of operations such as sequence number verification and decryption is applied according to the pre-selected operation processing method to obtain the required data.
In one embodiment, the pre-set security policy information specifically comprises: domain information formed by the source address and destination address, communication protocol information, range information for the source port and destination port, the operation processing method for secure-transmission preprocessing, and session key cycle information.
In this embodiment, the corresponding client software is opened to set the security policy, and the policy can also be changed through the client software when a change is needed. The source and destination addresses are chosen as an IP address with a mask, forming the domain protected by the protocol proposed in this embodiment; the communication form may be point-to-point, point-to-multipoint or multipoint-to-multipoint, so that networks of many types, from LAN to WAN, can be accommodated. The communication protocol may be chosen from TCP, UDP, ICMP, IP and others, so that the core layer and network layer can perform targeted optimizations to improve communication efficiency. The source and destination port ranges may be set to a single port or to a port range, shrinking the domain size during communication. The operation processing method for secure-transmission preprocessing is chosen from encryption and signature algorithms such as AES-128, AES-256, 3DES, CPK, MD5 and SHA1 to suit different occasions. The session key cycle is set according to the concrete needs of the data transfer; the preferred cycle in this embodiment is 30 seconds. When the session key expires, the system exchanges a new session key; the purpose of periodic session key exchange is to prevent the session key from being cracked and to strengthen session security.
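The following is an added example, not code from the patent, of the policy screen the text describes: a policy made of a source domain and a destination domain (IP plus mask), an allowed protocol set, source and destination port ranges, the preprocessing method and the session key cycle, applied to a constructed batch of packets. Struct and function names are the example's own.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is a constructed, simplified five-tuple used to exercise the policy.
type Packet struct {
	Src, Dst         netip.Addr
	Proto            string // "TCP", "UDP", "ICMP" or "IP"
	SrcPort, DstPort uint16
}

// PortRange is a single port (Lo == Hi) or an inclusive range.
type PortRange struct{ Lo, Hi uint16 }

func (r PortRange) Contains(p uint16) bool { return r.Lo <= p && p <= r.Hi }

// Policy mirrors the fields the text lists: source/destination domains given
// as IP plus mask, allowed protocols, port ranges, the preprocessing method and
// the session key cycle (the last two are carried here, not applied).
type Policy struct {
	SrcDomain, DstDomain netip.Prefix
	Protocols            map[string]bool
	SrcPorts, DstPorts   PortRange
	Method               string
	SessionKeyCycleSec   int
}

// Matches reports whether a packet lies inside the protected domain.
func (p Policy) Matches(pkt Packet) bool {
	return p.SrcDomain.Contains(pkt.Src) &&
		p.DstDomain.Contains(pkt.Dst) &&
		p.Protocols[pkt.Proto] &&
		p.SrcPorts.Contains(pkt.SrcPort) &&
		p.DstPorts.Contains(pkt.DstPort)
}

// Filter is the S110/S130 screen: compliant packets pass, the rest are
// discarded before any cryptographic work is spent on them.
func Filter(p Policy, pkts []Packet) (kept []Packet, dropped int) {
	for _, pkt := range pkts {
		if p.Matches(pkt) {
			kept = append(kept, pkt)
		} else {
			dropped++
		}
	}
	return kept, dropped
}

// DemoPolicy is a constructed policy: one LAN talking to one server range over
// TCP or UDP from ephemeral ports to port 443, AES-128 with SHA1, 30 s key cycle.
func DemoPolicy() Policy {
	return Policy{
		SrcDomain:          netip.MustParsePrefix("192.168.1.0/24"),
		DstDomain:          netip.MustParsePrefix("10.0.0.0/8"),
		Protocols:          map[string]bool{"TCP": true, "UDP": true},
		SrcPorts:           PortRange{1024, 65535},
		DstPorts:           PortRange{443, 443},
		Method:             "AES-128+SHA1",
		SessionKeyCycleSec: 30,
	}
}

// DemoPackets are constructed samples: one compliant packet, then four that each
// violate exactly one field (destination domain, protocol, source port, destination port).
func DemoPackets() []Packet {
	mk := func(src, dst, proto string, sp, dp uint16) Packet {
		return Packet{Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst), Proto: proto, SrcPort: sp, DstPort: dp}
	}
	return []Packet{
		mk("192.168.1.20", "10.1.2.3", "TCP", 40000, 443),
		mk("192.168.1.20", "172.16.0.9", "TCP", 40000, 443),
		mk("192.168.1.20", "10.1.2.3", "ICMP", 40000, 443),
		mk("192.168.1.20", "10.1.2.3", "TCP", 80, 443),
		mk("192.168.1.20", "10.1.2.3", "UDP", 40000, 53),
	}
}

func main() {
	kept, dropped := Filter(DemoPolicy(), DemoPackets())
	fmt.Printf("kept %d packet(s), dropped %d\n", len(kept), dropped)
	for _, p := range kept {
		fmt.Printf("  %s:%d -> %s:%d %s\n", p.Src, p.SrcPort, p.Dst, p.DstPort, p.Proto)
	}
}
```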
As shown in Fig. 2, in one embodiment, the step of applying mark security processing to a non-broadcast packet, generating a secure packet and sending it to the network specifically comprises:
Step S210: looking up whether a data connection corresponding to the packet exists; if not, establishing a data connection between the two communicating parties, otherwise proceeding directly to the subsequent steps. In this embodiment, establishing a data connection lets the two parties exchange matching information: the data connection is the channel over which the matching information for the packets is transmitted, and its main purpose is identity authentication and negotiation of parameters such as the initial sequence numbers of both parties, the encryption/decryption algorithm and signature/authentication algorithm used, the key exchange cycle, and the identifiers of both parties.
Step S220: generating a packet sequence number corresponding to the packet. In this embodiment, each packet is uniquely identified by a corresponding sequence number; when the packet is received, checking the sequence number determines whether it is a packet that the sender actually sent.
Step S230: signing and/or encrypting the packet according to the pre-selected operation processing method, generating a secure packet and sending it to the network. In this embodiment, the action type may be generating a message authentication code for the packet or signing it, and several action types can be selected to process the packet accordingly. When encrypted transmission is needed, the packet is encrypted with the pre-selected encryption algorithm and session key; when an asymmetric algorithm is used, it may also be encrypted directly with the public key. If the packet does not require encrypted transmission, it is sent to the network directly after message authentication code generation, signing and similar processing.
As shown in Fig. 3, in one embodiment, the step of performing verification-and-extraction processing on a non-broadcast secure packet to extract the required packet specifically comprises:
Step S310: looking up whether a connection corresponding to the secure packet exists; if not, establishing a data connection between the two parties. In this embodiment, for a received non-broadcast packet the system looks up whether a corresponding connection exists; if not, the packet can be cached and a data connection established between the two parties, which performs identity authentication and negotiates parameters such as the initial sequence numbers of both parties, the encryption/decryption algorithm and signature/authentication algorithm used, the key exchange cycle, and the identifiers of both parties.
Step S320: filtering to obtain the secure packets whose sequence numbers fall within the allowed receive range. In this embodiment, the system uses the packet sequence number to judge whether a received packet is one that the two parties need to exchange: it checks whether the sequence number of the received packet lies within the allowed receive range and selects the packets whose sequence numbers do.
Step S330: authenticating and decrypting the secure packet according to the pre-selected operation processing method. Once the action type for the packet is determined, the packet's message authentication code is verified or its signature is verified according to the pre-selected action type.
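Steps S210 to S230 and S310 to S330 together, as an added example that is not code from the patent: a per-peer connection table, a sequence number assigned on send, a message authentication code over sequence number and payload (HMAC-SHA256 chosen here, the unencrypted path the text allows), and on receipt the allowed-range check before the MAC check, so that a replayed or tampered packet is discarded. The key and initial sequence number are constructed placeholders standing in for the negotiated connection parameters.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Conn is the per-peer data connection of S210/S310 after negotiation: the
// session key (MAC algorithm fixed to HMAC-SHA256 here), the next sequence
// number and, on the receiving side, the width of the allowed receive range.
type Conn struct {
	Key     []byte
	NextSeq uint32 // sender: next number to assign; receiver: lowest acceptable
	Window  uint32 // receiver: width of the allowed receive range
}

// Connections is the lookup table of S210/S310, keyed by peer identifier.
type Connections map[string]*Conn

// Get returns the peer's connection, establishing one when none exists. The
// constructed key and initial sequence number stand in for the handshake the
// text describes separately.
func (t Connections) Get(peer string, key []byte) *Conn {
	if c, ok := t[peer]; ok {
		return c
	}
	c := &Conn{Key: key, NextSeq: 1, Window: 64}
	t[peer] = c
	return c
}

// mac binds the sequence number and the payload together under the session key.
func mac(key []byte, seq uint32, payload []byte) []byte {
	h := hmac.New(sha256.New, key)
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], seq)
	h.Write(b[:])
	h.Write(payload)
	return h.Sum(nil)
}

// Send performs S220 (sequence number) and S230 on the unencrypted path
// (message authentication code only). Wire form: seq(4) | payload | tag(32).
func Send(c *Conn, payload []byte) []byte {
	seq := c.NextSeq
	c.NextSeq++
	out := make([]byte, 4, 4+len(payload)+sha256.Size)
	binary.BigEndian.PutUint32(out, seq)
	out = append(out, payload...)
	return append(out, mac(c.Key, seq, payload)...)
}

var (
	ErrMalformed  = errors.New("packet too short")
	ErrOutOfRange = errors.New("sequence number outside the allowed receive range")
	ErrBadMAC     = errors.New("message authentication code mismatch")
)

// Receive performs S320 (sequence range filter) and then S330 (MAC check); a
// packet that fails either test is discarded without reaching the application.
func Receive(c *Conn, pkt []byte) ([]byte, error) {
	if len(pkt) < 4+sha256.Size {
		return nil, ErrMalformed
	}
	seq := binary.BigEndian.Uint32(pkt[:4])
	payload := pkt[4 : len(pkt)-sha256.Size]
	tag := pkt[len(pkt)-sha256.Size:]
	if seq < c.NextSeq || seq >= c.NextSeq+c.Window {
		return nil, ErrOutOfRange
	}
	if !hmac.Equal(tag, mac(c.Key, seq, payload)) {
		return nil, ErrBadMAC
	}
	c.NextSeq = seq + 1 // advance the range: a replay of this packet now falls outside it
	return append([]byte(nil), payload...), nil
}

func main() {
	key := []byte("constructed-session-key") // placeholder, not a negotiated key
	s := Connections{}.Get("peerB", key)
	r := Connections{}.Get("peerA", key)
	for _, msg := range []string{"hello", "world"} {
		data, err := Receive(r, Send(s, []byte(msg)))
		fmt.Printf("received %q err=%v\n", data, err)
	}
	replay := Send(s, []byte("again"))
	Receive(r, replay) // delivered once
	_, err := Receive(r, replay)
	fmt.Println("replayed packet:", err)
	tampered := Send(s, []byte("price=10"))
	tampered[10] = '9' // flip one payload byte in transit
	_, err = Receive(r, tampered)
	fmt.Println("tampered packet:", err)
}
```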
In one embodiment, after the step of extracting the required packet from the secure packet according to the pre-selected operation processing method, the method further comprises: after the packet exchange is complete, releasing the previously established data connection.
In this embodiment, to reduce the burden on the system and avoid unnecessary waste of resources, the pre-established data connection is released after the packet exchange is complete.
In one embodiment, the step of establishing a data connection between the two parties specifically comprises the steps of:
the sender transmits to the recipient the encryption algorithm, message authentication algorithm and session key cycle to be selected, and whether signing is required; in this embodiment, the sender recommends to the peer with which the data connection is being established the encryption algorithm, message authentication algorithm and session key cycle to adopt and whether signing is needed, and waits for the peer's confirmation;
the sender receives the recipient's feedback on the encryption algorithm, message authentication algorithm, session key cycle and whether signing is required; in this embodiment, the system records the confirmed encryption algorithm, message authentication algorithm, session key cycle and signing choice;
the sender transmits to the recipient the connection index signed with the sender's private key, together with the parameters used for key agreement;
the sender receives from the recipient's feedback the connection index signed with the recipient's private key and the parameters used for key agreement;
the sender sends to the recipient the key agreement parameters it received from the recipient and the information that the recipient's identity has been verified.
In this embodiment, the system exchanges and matches, in packets, information including the encryption algorithm, the message authentication algorithm, the session key cycle, whether signing is required, the connection index of both parties, the parameters used for key agreement and information signed with the private keys of both parties; after the communication data connection is established, the sender sends the received key agreement parameters and the identity-verified confirmation to the recipient, which finally completes establishment of the communication data connection.
In one embodiment, the step of releasing the pre-established packet connection after the packet exchange is complete specifically comprises the steps of:
the sender transmits to the recipient both parties' sequence numbers, both parties' identifiers, the message type and a message authentication code generated with the session key;
the sender receives the recipient's feedback of both parties' sequence numbers, both parties' identifiers, the message type and a message authentication code generated with the session key;
after the sender verifies the recipient's feedback, it notifies the recipient to delete the connection with the sender, and at the same time deletes its own connection data for the recipient.
In this embodiment, once the two parties have confirmed both sequence numbers, both identifiers, the message type and the message authentication code generated with the session key, and matching is complete, the connection data of both parties is deleted; releasing the established packet connection lightens the system's load and reduces unnecessary resource waste.
In one embodiment, while receiving and processing packets that have undergone secure-transmission preprocessing, packets that do not match the pre-set security policy information are discarded. In this embodiment, discarding packets that do not match the pre-set security policy information effectively avoids the pressure that accumulated unnecessary packets put on the system, reduces the waste of storage resources and makes the system run more smoothly.
In one embodiment, when the number of consecutive mismatches during authentication of broadcast packets exceeds a predetermined value, the system stops receiving broadcast packets and issues an alarm, and then resumes receiving broadcast packets either after a pre-defined broadcast reception time value or by a manual setting of the time value for receiving broadcast packets. In this embodiment, to prevent broadcast storm attacks, it is specified that when consecutive mismatches during broadcast packet authentication exceed the predetermined value, reception of broadcast packets stops and the user is alarmed. The user then decides at what time broadcast packets are allowed again, or reception is allowed automatically after a short interval. The preferred predetermined value in this embodiment is between 10 and 15.
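The broadcast path described above (signature appended at the tail, authentication on receipt) together with the storm guard just described, as an added example rather than code from the patent: Ed25519 is the example's choice of signature algorithm, the threshold and resume interval are constructed values within the ranges the text gives, and the type and function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// SignBroadcast appends the sender's Ed25519 signature to the tail of the
// packet, the only processing the text applies to broadcast packets.
func SignBroadcast(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte(nil), payload...), ed25519.Sign(priv, payload)...)
}

// BroadcastReceiver authenticates broadcast packets and implements the storm
// guard: once consecutive failures exceed Threshold it stops accepting
// broadcasts, records an alarm and resumes after ResumeAfter (or on ManualResume).
type BroadcastReceiver struct {
	SenderPub   ed25519.PublicKey
	Threshold   int              // the text prefers a value between 10 and 15
	ResumeAfter time.Duration    // the pre-set broadcast reception time value
	Now         func() time.Time // injectable clock
	Alarms      []string
	failures    int
	blockedAt   time.Time // zero while reception is enabled
}

func (r *BroadcastReceiver) suspended() bool {
	return !r.blockedAt.IsZero() && r.Now().Sub(r.blockedAt) < r.ResumeAfter
}

// Accept returns the payload and true when the tail signature verifies.
// While reception is suspended every broadcast is dropped unverified.
func (r *BroadcastReceiver) Accept(pkt []byte) ([]byte, bool) {
	if r.suspended() {
		return nil, false
	}
	r.blockedAt = time.Time{} // resume interval elapsed, or never blocked
	if len(pkt) < ed25519.SignatureSize {
		return r.fail()
	}
	payload, sig := pkt[:len(pkt)-ed25519.SignatureSize], pkt[len(pkt)-ed25519.SignatureSize:]
	if !ed25519.Verify(r.SenderPub, payload, sig) {
		return r.fail()
	}
	r.failures = 0 // a genuine packet breaks the run of mismatches
	return payload, true
}

func (r *BroadcastReceiver) fail() ([]byte, bool) {
	r.failures++
	if r.failures > r.Threshold {
		r.failures = 0
		r.blockedAt = r.Now()
		r.Alarms = append(r.Alarms, r.blockedAt.Format(time.RFC3339)+": repeated broadcast authentication failures; reception suspended")
	}
	return nil, false
}

// ManualResume re-enables reception by operator decision (the manual path in the text).
func (r *BroadcastReceiver) ManualResume() { r.blockedAt, r.failures = time.Time{}, 0 }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	r := &BroadcastReceiver{SenderPub: pub, Threshold: 10, ResumeAfter: 30 * time.Second, Now: time.Now}
	_, ok := r.Accept(SignBroadcast(priv, []byte("constructed broadcast")))
	fmt.Println("genuine broadcast accepted:", ok)
	forged := append([]byte("forged broadcast"), make([]byte, ed25519.SignatureSize)...) // zero signature
	for i := 0; i < 12; i++ {
		r.Accept(forged)
	}
	fmt.Println("alarms:", r.Alarms)
	_, ok = r.Accept(SignBroadcast(priv, []byte("another genuine one")))
	fmt.Println("accepted while suspended:", ok)
}
```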
In one embodiment, when the session key expires, the two parties recompute to obtain a new session key.
In this embodiment, when the session key has expired and the two parties still need to exchange data, a new session key must be negotiated. It can be recomputed by the following process:
The initiator first suspends sending packets and generates a random number to identify this key negotiation; in this embodiment the initiator's random number is denoted X. The first packet is generated by the initiator and contains: the initiator's sequence number, the message type, the random number X, the initiator's public key, both parties' identifiers, and a message authentication code over the above information generated with the original key;
When the responder receives the initiator's key negotiation request, it first checks whether the initiator's random number has expired; if so, it ignores the packet, otherwise it saves the random number. It then verifies the message authentication code and, after verification passes, suspends sending packets and generates its own random number, which together with the initiator's uniquely identifies this negotiation; in this embodiment the responder's random number is denoted Y. The second packet is generated by the responder and contains both parties' sequence numbers, both parties' identifiers, the message type, the random number Y, the responder's public key, and a message authentication code over the above information generated with the original key. At this point the responder can compute the new key;
When the initiator receives the responder's reply, it first checks whether the responder's random number Y has expired; if so, it ignores the packet, otherwise it saves the random number. It then verifies the message authentication code and, after verification passes, generates a third packet containing both parties' sequence numbers, the message type, both parties' public keys, both random numbers, both parties' identifiers, and a message authentication code over the above information generated with the new key. The purpose of the third packet is to tell the responder that the key agreement parameters were received successfully. At this point the initiator can also compute the new key;
When the responder receives the packet indicating that the initiator's key negotiation is finished, it verifies the message authentication code, and if verification passes, this key negotiation is complete.
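The three-packet renegotiation above, as an added example that is not code from the patent: packets 1 and 2 are authenticated under the original key, packet 3 under the new key, and each side ignores a random number it has already accepted (the text's "expired" check) before verifying anything. The patent does not state how the new key is computed from the exchanged values, so hashing the old key, X, Y and both public keys is this example's assumption, and the public keys are opaque placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Msg carries the fields the text lists for the three negotiation packets; unused fields stay empty.
type Msg struct {
	Type       byte   // 1 request, 2 reply, 3 confirmation
	SeqI, SeqR uint32 // initiator / responder sequence numbers
	IDI, IDR   string // both parties' identifiers
	X, Y       []byte // random numbers identifying this negotiation
	PubI, PubR []byte // public keys (opaque placeholders here)
	MAC        []byte
}

// body serialises every field except the MAC, so the MAC covers all of them.
func (m *Msg) body() []byte {
	return fmt.Appendf(nil, "%d|%d|%d|%s|%s|%x|%x|%x|%x", m.Type, m.SeqI, m.SeqR, m.IDI, m.IDR, m.X, m.Y, m.PubI, m.PubR)
}

func tag(key, data []byte) []byte { h := hmac.New(sha256.New, key); h.Write(data); return h.Sum(nil) }

// nonce returns a fresh 16-byte random number from crypto/rand.
func nonce() []byte { n := make([]byte, 16); rand.Read(n); return n }

// newKey derives the next session key. The text does not fix the derivation;
// hashing the old key, both random numbers and both public keys is an assumption.
func newKey(old, x, y, pubI, pubR []byte) []byte {
	sum := sha256.Sum256(fmt.Appendf(nil, "%x|%x|%x|%x|%x", old, x, y, pubI, pubR))
	return sum[:]
}

var ErrReplay = errors.New("random number already used; packet ignored")
var ErrMAC = errors.New("message authentication code mismatch")

// Party is one side's state; seen records random numbers already accepted so a
// replayed negotiation packet counts as expired and is ignored.
type Party struct {
	ID         string
	Seq        uint32
	Pub, Key   []byte // placeholder public key; current session key
	seen       map[string]bool
	x, y, peer []byte // this negotiation's random numbers and the peer's public key
}

func NewParty(id string, key []byte) *Party {
	return &Party{ID: id, Seq: 1, Pub: []byte("pub-" + id), Key: key, seen: map[string]bool{}}
}

// Verify checks a packet's MAC under the key this party currently holds; the
// responder uses it alone for packet 3, the final step of the negotiation.
func (p *Party) Verify(m *Msg) error {
	if hmac.Equal(m.MAC, tag(p.Key, m.body())) {
		return nil
	}
	return ErrMAC
}

// accept ignores an expired (already used) random number, records a fresh one, then verifies the MAC.
func (p *Party) accept(n []byte, m *Msg) error {
	if p.seen[string(n)] {
		return ErrReplay
	}
	p.seen[string(n)] = true
	return p.Verify(m)
}

// Start: the initiator suspends sending and issues packet 1 under the old key.
func (p *Party) Start(peerID string) *Msg {
	p.x = nonce()
	m := &Msg{Type: 1, SeqI: p.Seq, IDI: p.ID, IDR: peerID, X: p.x, PubI: p.Pub}
	m.MAC = tag(p.Key, m.body())
	return m
}

// Respond: the responder checks X and packet 1 under the old key, answers with
// Y (packet 2, also under the old key) and then computes the new key.
func (p *Party) Respond(m *Msg) (*Msg, error) {
	if err := p.accept(m.X, m); err != nil {
		return nil, err
	}
	p.x, p.y, p.peer = m.X, nonce(), m.PubI
	r := &Msg{Type: 2, SeqI: m.SeqI, SeqR: p.Seq, IDI: m.IDI, IDR: p.ID, Y: p.y, PubR: p.Pub}
	r.MAC = tag(p.Key, r.body())
	p.Key = newKey(p.Key, p.x, p.y, p.peer, p.Pub)
	return r, nil
}

// Finish: the initiator checks Y and packet 2 under the old key, computes the
// new key and confirms with packet 3 under the new key.
func (p *Party) Finish(m *Msg) (*Msg, error) {
	if err := p.accept(m.Y, m); err != nil {
		return nil, err
	}
	p.y, p.peer = m.Y, m.PubR
	p.Key = newKey(p.Key, p.x, p.y, p.Pub, p.peer)
	c := &Msg{Type: 3, SeqI: p.Seq, SeqR: m.SeqR, IDI: p.ID, IDR: m.IDR, X: p.x, Y: p.y, PubI: p.Pub, PubR: p.peer}
	c.MAC = tag(p.Key, c.body())
	return c, nil
}
```

A replayed packet 1 is rejected by the responder's random-number check before any MAC work, and a packet 1 altered in transit fails the MAC under the original key.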
As shown in Fig. 4, in one embodiment, a secure data transmission system comprises at least two communication devices. Each communication device 400 comprises a core layer unit 410, a service layer unit 420 and an application layer unit 430, and the core layer units of the communication devices are connected through a network;
the core layer unit 410 filters packets according to the pre-set security policy information when packets are sent or received;
the service layer unit 420 performs secure-transmission preprocessing on the sender's filtered packets according to the pre-selected operation processing method when the core layer unit sends packets, and extracts the required packets from received packets according to that method when the core layer unit receives packets;
the application layer unit 430 pre-sets the security policy information and selects the operation processing method.
In the above method and system, the application layer unit pre-sets the security policy information and selects the operation processing method. When application software needs to transmit data, the core layer unit receives the packets the software needs to transmit and filters them according to the pre-set security policy information; the service layer unit then performs secure-transmission preprocessing on them according to the pre-selected operation processing method to obtain secure packets, which are sent to the network. The core layer unit of another communication device receives the packets from the network, filters them according to the pre-set security policy information and obtains the secure packets; its service layer unit then extracts the required packets according to the pre-selected operation processing method, yielding the packets finally needed. The method and system filter sent and received packets through a self-defined security policy, so that unnecessary packets are effectively blocked, and they preprocess packets for secure transmission while data is being transmitted, so that packet security is guaranteed in transit and the security coefficient of data transmission is effectively increased.
As shown in Figure 5, in one embodiment of the data security transmission system, the service layer unit comprises a broadcast packet judging unit 510 and a secure processing unit 520;
The broadcast packet judging unit 510 is used to judge whether a packet is a broadcast packet;
The secure processing unit 520 is used to perform signing processing or authentication processing on broadcast packets, and to perform mark security processing or verification-extraction processing on non-broadcast packets.
In one embodiment of the data security transmission system, the application layer unit comprises a source-address and destination-address setting unit, a communication protocol setting unit, a source-port and destination-port setting unit, a selection unit for the secure-transmission-preprocessing arithmetic processing method, and a session-key-period setting unit.
As shown in Figure 5, in one embodiment of the data security transmission system, the secure processing unit 520 further comprises a data connection establishing unit 522, a packet sequence number processing unit 524, a mark authentication unit 526 and a packet encrypting and decrypting unit 528;
The data connection establishing unit 522 is used to look up whether a data connection corresponding to the transmitted packet exists and, if not, to establish a data connection between the two communicating parties;
The packet sequence number processing unit 524 is used to generate a packet sequence number corresponding to the transmitted packet, and to filter so as to obtain the packets whose sequence number lies within the allowed receiving range;
The mark authentication unit 526 is used to generate, according to the pre-selected type of operation, a message authentication code or signature corresponding to the transmitted packet; the mark authentication unit 526 is also used to perform the corresponding verification processing on the transmitted packet according to the pre-selected type of operation;
The packet encrypting and decrypting unit 528 is used to encrypt or decrypt the transmitted packets that need encryption, according to the pre-selected arithmetic processing method.
In one embodiment, the data security transmission system further comprises a data connection releasing unit, which is used to release the previously established data connection after the packet exchange is finished.
In one embodiment of the data security transmission system, the data connection establishing unit comprises a data information exchange unit, a parameter information exchange unit and a message receipt confirmation unit;
The data information exchange unit is used to transmit information on the encryption algorithm, message authentication algorithm and session key period to be selected and on whether signing is needed; the data information exchange unit is also used to receive information on the selected encryption algorithm, message authentication algorithm and session key period and on whether signing is needed;
The parameter information exchange unit is used to transmit or receive the connection index signed with the private key together with the parameters used for key agreement;
The message receipt confirmation unit is used to transmit the information that the key agreement parameters sent have been received and the other party's identity has been verified.
In one embodiment of the data security transmission system, the data connection releasing unit comprises a configuration information exchange unit and a connection data deletion unit;
The configuration information exchange unit is used to send or receive the sequence numbers of both parties to the data connection, both parties' identifiers, the message type and the message authentication code generated with the session key;
The connection data deletion unit is used, after the feedback information has been verified, to notify the party that sent the feedback information to delete its connection with the verifying party, and at the same time to delete the connection data relating to the party that sent the feedback information.
In one embodiment, the data security transmission system further comprises a discard processing unit, which is used to discard transmitted packets that do not match the preset security policy information.
In one embodiment of the data security transmission system, the secure processing unit further comprises a broadcast packet receiving setting unit, which is used, when the number of consecutive mismatches during authentication processing of broadcast packets exceeds a predetermined value, to stop receiving broadcast packets and raise an alarm, and to resume receiving broadcast packets either according to a predefined time value for resuming broadcast reception or through a manual operation that sets the time value for receiving broadcast packets.
In one embodiment of the data security transmission system, the service layer unit further comprises a session key generation unit, which is used, when the session key has expired, to have the two communicating parties recompute and obtain a new session key.
Since the other technical features of the data security transmission system are the same as those of the above method, they are not repeated here.
The embodiments described above express only several implementations of the present invention; they are described comparatively concretely and in detail, but should not therefore be interpreted as limiting the claims of the present invention. It should be pointed out that a person of ordinary skill in the art can also make a number of variations and improvements without departing from the inventive concept, and these all belong to the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention should be determined by the appended claims.
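The receive-side behaviour described above (policy filtering in the core layer, sequence-number range filtering, mark verification, and the broadcast authentication mismatch counter with alarm and timed or manual resumption) is modelled below. This is an added example, not code from the patent or its applicant: the class and method names (Policy, Receiver, process, manual_reset), the threshold and lockout values, and the use of HMAC-SHA256 as a stand-in for both the session-key MAC and the broadcast signature are this example's own assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed values: the patent leaves the threshold and the resume time unspecified.
BROADCAST_THRESHOLD = 3   # consecutive broadcast authentication mismatches tolerated
LOCKOUT_SECONDS = 60      # predefined time after which broadcast reception resumes

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    seq: int            # packet sequence number
    payload: bytes
    tag: bytes          # MAC (non-broadcast) or signature stand-in (broadcast)
    broadcast: bool = False

@dataclass
class Policy:
    """Preset security policy: address domain, protocol and destination port range."""
    src_net: str
    dst_net: str
    proto: str
    ports: range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.proto == self.proto and p.dport in self.ports)

def mac(key: bytes, p: Packet) -> bytes:
    """HMAC-SHA256 over header fields and payload. Stands in for the patent's
    session-key MAC and, keyed with the broadcast key, for its broadcast signature."""
    header = f"{p.src}|{p.dst}|{p.proto}|{p.dport}|{p.seq}|".encode()
    return hmac.new(key, header + p.payload, hashlib.sha256).digest()

@dataclass
class Receiver:
    policy: Policy
    session_key: bytes
    bcast_key: bytes
    window: int = 32                  # allowed receiving range for sequence numbers
    highest_seq: int = -1
    seen: set = field(default_factory=set)
    bcast_failures: int = 0
    bcast_blocked_until: float = 0.0  # broadcast reception stopped until this time
    alarms: list = field(default_factory=list)

    def process(self, p: Packet, now: float) -> str:
        """Core-layer policy filter, then service-layer handling by packet type."""
        if not self.policy.matches(p):
            return "discard:policy"       # discard processing unit
        return self._broadcast(p, now) if p.broadcast else self._unicast(p)

    def _unicast(self, p: Packet) -> str:
        # Sequence-number filter: accept only numbers inside the receiving
        # window that have not been seen before (replay protection).
        if p.seq <= self.highest_seq - self.window or p.seq in self.seen:
            return "discard:sequence"
        if not hmac.compare_digest(mac(self.session_key, p), p.tag):
            return "discard:mac"          # verification of the mark failed
        self.seen.add(p.seq)
        self.highest_seq = max(self.highest_seq, p.seq)
        self.seen = {s for s in self.seen if s > self.highest_seq - self.window}
        return "accept"

    def _broadcast(self, p: Packet, now: float) -> str:
        if now < self.bcast_blocked_until:
            return "discard:broadcast-blocked"
        if hmac.compare_digest(mac(self.bcast_key, p), p.tag):
            self.bcast_failures = 0       # counter tracks *consecutive* mismatches
            return "accept:broadcast"
        self.bcast_failures += 1
        if self.bcast_failures > BROADCAST_THRESHOLD:
            # Stop receiving broadcast packets, raise an alarm, and resume after
            # the predefined time (or earlier via manual_reset).
            self.bcast_blocked_until = now + LOCKOUT_SECONDS
            self.bcast_failures = 0
            self.alarms.append(f"broadcast authentication mismatches exceeded at t={now}")
            return "discard:broadcast-lockout"
        return "discard:broadcast-auth"

    def manual_reset(self) -> None:
        """Operator re-enables broadcast reception (the patent's manual operation)."""
        self.bcast_blocked_until = 0.0
```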

Claims (22)

1. the method for a data security transmission is characterized in that, comprises step:
Filter transmits data packets according to the security policy information that sets in advance;
According to the arithmetic processing method of selecting in advance the transmits data packets after filtering is carried out safe transmission and anticipate, be sent to network;
Receive the packet on the network, the security policy information filtering data bag according to setting in advance obtains the secure data bag;
According to the described arithmetic processing method of selecting in advance described secure data bag is extracted and to obtain the desired data bag.
2. the method for data security transmission according to claim 1, it is characterized in that, the arithmetic processing method that described basis is selected in advance carries out safe transmission to the transmits data packets after filtering anticipates, and generates the step that the secure data bag is sent to network, specifically comprises step:
Judge whether transmits data packets is broadcast packet;
If broadcast packet then to the transmits data packets processing of signing, generates the secure data bag and is sent to network;
If non-broadcast packet then carries out the mark safe handling to transmits data packets, generate the secure data bag and be sent to network.
3. the method for data security according to claim 1 transmission is characterized in that, describedly according to the described arithmetic processing method of selecting in advance described secure data bag is extracted the step that obtains the desired data bag, specifically comprises:
Judge whether the secure data bag is broadcast packet;
If broadcast packet then carries out authentication processing to described secure data bag;
If non-broadcast packet, the checking extraction processing of then described secure data bag being extracted the desired data bag.
4. the method for data security transmission according to claim 1, it is characterized in that the described security policy information that sets in advance specifically comprises: source address and destination address are formed the pretreated arithmetic processing method of range information, safe transmission, the session key cycle information of domain information, communication protocol information, source port and the destination interface of data security transmission.
5. the method for data security transmission according to claim 2 is characterized in that, if described non-broadcast packet then carries out the mark safe handling to transmits data packets, generates the step that the secure data bag is sent to network, specifically comprises step:
Search whether there be the data connection corresponding with transmits data packets, if do not exist, the data of then setting up communicating pair connect, if exist, then directly carry out subsequent step;
Generate the sequence of data packet corresponding number with transmits data packets;
According to the arithmetic processing method of selecting in advance the transmits data packets encrypted signature is handled, generated the secure data bag and be sent to network.
6. the method for data security transmission according to claim 3 is characterized in that, if described non-broadcast packet then extracts the step of the checking extraction processing of desired data bag to described secure data bag, specifically comprises step:
Whether search and exist and the corresponding connection of described secure data bag, if do not exist, the data of then setting up communicating pair connect;
Filtration obtains the sequence of data packet number secure data bag in allowing range of receiving;
According to the arithmetic processing method of selecting in advance the secure data bag is authenticated decryption processing.
7. according to the method for claim 5 or the transmission of 6 described data securities, it is characterized in that, described according to the described arithmetic processing method of selecting in advance described secure data bag is extracted obtain desired data bag step after, also comprise step: after packet exchange is finished, discharge the data of setting up in advance and connect.
8. according to the method for claim 5 or 6 described data security transmission, it is characterized in that the described data step of connecting of setting up communicating pair specifically comprises step:
Cryptographic algorithm, message authentication algorithm and session key cycle that transmit leg will be to be selected and the message transmission that whether needs to sign are to the recipient;
The information whether transmit leg receives cryptographic algorithm, message authentication algorithm and the session key cycle of recipient's feedback and need to sign;
Connection index after transmit leg will be signed with the private key of transmit leg is transferred to the recipient with the parameter that is used for arranging key;
Connection index and the parameter that is used for arranging key after the private key with the recipient of transmit leg reception recipient feedback is signed;
Send key agreement parameter that the recipient received sends and empirical tests the information of recipient's identity to the recipient.
9. the method for data security transmission according to claim 7 is characterized in that, and is described after packet exchange is finished, and discharges the described packet step of connecting of setting up in advance, specifically comprises step:
Transmit leg is transferred to the recipient with both sides' sequence number, both sides' sign, type of message and the message authentication code that generates by session key;
Transmit leg receives both sides' sequence number of recipient's feedback, both sides' sign, type of message and the message authentication code that generates by session key;
After the transmit leg checking recipient feedback information, notify the recipient to delete and being connected of transmit leg, deletion simultaneously and recipient's the data that are connected.
10. according to the method for claim 1 or the transmission of 3 described data securities, it is characterized in that, receiving and handling and carry out in the process of the transmits data packets after safe transmission is anticipated, to taking discard processing with the unmatched transmits data packets of the described security policy information that sets in advance.
11. the method for data security transmission according to claim 3, it is characterized in that, when broadcast packet being carried out authentication processing when continuous unmatched number of times occurring greater than predetermined value, stop to receive broadcast packet and send warning message, receive broadcast packet or receive broadcast packet by the operation of manually setting the time value that receives broadcast packet according to the predefined broadcast packet time value that receives again.
12. the method for data security according to claim 9 transmission is characterized in that, when described session key is expired, recomputates by communicating pair and to obtain new session key.
13. A data security transmission system, characterized in that it comprises at least two communication devices, each communication device comprising a core layer unit, a service layer unit and an application layer unit, the core layer units of the communication devices being connected through a network;
the core layer unit is used to filter packets according to preset security policy information when transmitting or receiving packets;
the service layer unit is used, when the core layer unit transmits a packet, to perform secure-transmission preprocessing on the sender's filtered packet according to the pre-selected arithmetic processing method, and, when the core layer unit receives a packet, to extract the required packet from it according to the pre-selected arithmetic processing method;
the application layer unit is used to preset the security policy information and to select the arithmetic processing method.
14. The data security transmission system according to claim 13, characterized in that the service layer unit comprises a broadcast packet judging unit and a secure processing unit;
the broadcast packet judging unit is used to judge whether a packet is a broadcast packet;
the secure processing unit is used to perform signing processing or authentication processing on broadcast packets, and to perform mark security processing or verification-extraction processing on non-broadcast packets.
15. The data security transmission system according to claim 13, characterized in that the application layer unit comprises a source-address and destination-address setting unit, a communication protocol setting unit, a source-port and destination-port setting unit, a selection unit for the secure-transmission-preprocessing arithmetic processing method, and a session-key-period setting unit.
16. The data security transmission system according to claim 14, characterized in that the secure processing unit further comprises a data connection establishing unit, a packet sequence number processing unit, a mark authentication unit and a packet encrypting and decrypting unit;
the data connection establishing unit is used to look up whether a data connection corresponding to the transmitted packet exists and, if not, to establish a data connection between the two communicating parties;
the packet sequence number processing unit is used to generate a packet sequence number corresponding to the transmitted packet, and to filter so as to obtain the packets whose sequence number lies within the allowed receiving range;
the mark authentication unit is used to generate, according to the pre-selected type of operation, a message authentication code or signature corresponding to the transmitted packet, and is also used to perform the corresponding verification processing on the transmitted packet according to the pre-selected type of operation;
the packet encrypting and decrypting unit is used to encrypt or decrypt the transmitted packets that need encryption, according to the pre-selected arithmetic processing method.
17. The data security transmission system according to claim 16, characterized in that it further comprises a data connection releasing unit, which is used to release the previously established data connection after the packet exchange is finished.
18. The data security transmission system according to claim 16, characterized in that the data connection establishing unit comprises a data information exchange unit, a parameter information exchange unit and a message receipt confirmation unit;
the data information exchange unit is used to transmit information on the encryption algorithm, message authentication algorithm and session key period to be selected and on whether signing is needed, and is also used to receive information on the selected encryption algorithm, message authentication algorithm and session key period and on whether signing is needed;
the parameter information exchange unit is used to transmit or receive the connection index signed with the private key together with the parameters used for key agreement;
the message receipt confirmation unit is used to transmit the information that the key agreement parameters sent have been received and the other party's identity has been verified.
19. The data security transmission system according to claim 17, characterized in that the data connection releasing unit comprises a configuration information exchange unit and a connection data deletion unit;
the configuration information exchange unit is used to send or receive the sequence numbers of both parties to the data connection, both parties' identifiers, the message type and the message authentication code generated with the session key;
the connection data deletion unit is used, after the feedback information has been verified, to notify the party that sent the feedback information to delete its connection with the verifying party, and at the same time to delete the connection data relating to the party that sent the feedback information.
20. The data security transmission system according to claim 13, 14 or 17, characterized in that it further comprises a discard processing unit, which is used to discard transmitted packets that do not match the preset security policy information.
21. The data security transmission system according to claim 14, characterized in that the secure processing unit further comprises a broadcast packet receiving setting unit, which is used, when the number of consecutive mismatches during authentication processing of broadcast packets exceeds a predetermined value, to stop receiving broadcast packets and raise an alarm, and to resume receiving broadcast packets either according to a predefined time value for resuming broadcast reception or through an operation that manually sets the time value for receiving broadcast packets.
22. The data security transmission system according to claim 13, characterized in that the service layer unit further comprises a session key generation unit, which is used, when the session key has expired, to have the two communicating parties recompute and obtain a new session key.
CN2013101132018A 2013-04-02 2013-04-02 Safe data transmission method and system Pending CN103220279A (en)


Publications (1)

Publication Number Publication Date
CN103220279A true CN103220279A (en) 2013-07-24

Family

ID=48817744



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130724