CN107395592A - Security processing method and system for network protocol packets - Google Patents


Info

Publication number: CN107395592A
Application number: CN201710592618.5A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending
Inventors: 乔海权, 胡进, 张庆勇
Assignees (original and current): WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd
Prior art keywords: packet, protocol data, data packet, network protocol, pre-agreed
Classifications

    • H (Electricity) › H04 (Electric communication technique) › H04L (Transmission of digital information, e.g. telegraphic communication)
        • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/22 Parsing or analysis of headers
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/12 Applying verification of the received information
                • H04L 63/126 Applying verification of the received information: the source of the received data
            • H04L 63/16 Implementing security features at a particular protocol layer
                • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L 9/3247 Cryptographic mechanisms for message authentication involving digital signatures

Abstract

The invention discloses a security processing method for network protocol packets, comprising: receiving a network protocol packet P1 from a client and parsing it; judging whether the parsed packet contains the keyword identifier of an application-layer protocol; if it does, judging whether the header content of P1 contains a pre-agreed keyword; if it does, first processing the content of the header or body of P1 according to the type of the pre-agreed keyword to generate a corresponding result Q2, then processing P1 and Q2 according to the SSL record protocol, and sending the packet S3 generated by that processing to the remote server. The invention can resist network attacks at different levels and thereby strengthens the security, integrity and non-repudiation of packet transmission.

Description

Security processing method and system for network protocol packets
Technical field
The invention belongs to the fields of information security technology and Internet communication, and more particularly relates to a security processing method and system for network protocol packets.
Background technology
With the continuous improvement in the level of informatization, government agencies, enterprises and institutions have all deployed large numbers of business systems on the Internet and exchange business data over the Internet with their branches and partners in various regions. This business data is an important digital asset of the government department or enterprise, and its confidentiality, authenticity, integrity and non-repudiation need to be guaranteed throughout informatization.
For security reasons, such business data often cannot be sent directly to the remote server; it first has to undergo the corresponding security processing in a security gateway device before it can finally be delivered to the remote server and be received, processed and responded to there. At the same time, some senders need a signing or signature-verification operation to be performed in the security gateway device, either to sign the information sent by the client or to verify the authenticity of signed information, thereby confirming that a message was indeed issued by the sender and establishing the integrity of the message.
However, existing security gateway devices have technical problems in several respects. First, packets are only encrypted and forwarded inside the channel between the client side of the device and the server side of the device; the packets themselves carry no signature value, so when a packet reaches the business processing system the integrity and non-repudiation of the business data cannot be guaranteed. Second, all packets are processed uniformly without distinction, so different types of signature cannot be performed, nor signature values carried, on a per-type basis.
Summary of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a security processing method and system for network protocol packets. Its purpose is to distinguish different types of packet, to sign packets or verify their signatures, and to forward them securely to the remote server carrying the corresponding processing result, so as to resist network attacks at different levels and thereby strengthen the security, integrity and non-repudiation of packet transmission.
To achieve the above object, according to one aspect of the invention, a security processing method for network protocol packets is provided, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively. The method includes:
(1) receiving a network protocol packet P1 from the client, and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format;
(2) when the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or of the pre-agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the packet obtained after that processing to the remote server.
Preferably, processing the packet and the corresponding result according to the SSL record protocol specifically means fragmenting, compressing, adding MAC information to, encrypting and adding an SSL record header to the packet and the corresponding result according to the SSL record protocol.
Preferably, the method further includes, before judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, the step of judging whether the parsed packet contains the keyword identifier of an application-layer protocol.
Preferably, parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol specifically means first parsing the first line of the header of P1 and then searching that line for the keyword; if it is found, P1 is a packet of the application-layer protocol, otherwise it is not.
Preferably, the method further includes: when the header of P1 contains no packet in a pre-agreed format, further judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet in a pre-agreed format.
Preferably, the method further includes: when the content of the body of P1 contains neither a pre-agreed keyword nor a packet in a pre-agreed format, processing P1 according to the SSL record protocol and sending the packet obtained after that processing to the remote server.
Preferably, the pre-agreed keyword may be a character string agreed in advance between the security gateway device and the client, and the packet in a pre-agreed format may be XML data, TLV data or another type of packet whose rules are agreed in advance between the security gateway device and the client.
Preferably, if the keyword type is a keyword for a signing operation, processing the content of the body means signing it; if the keyword type is a keyword for a signature-verification operation, processing the content of the body means verifying its signature.
Preferably, the method further includes: when neither the header nor the body of P1 contains a packet in a pre-agreed format, processing P1 according to the SSL record protocol and sending the packet obtained after that processing to the remote server.
According to another aspect of the invention, a security processing system for network protocol packets is provided, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively. The system includes:
a first module for receiving a network protocol packet P1 from the client and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format;
a second module for, when the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or of the pre-agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the packet obtained after that processing to the remote server.
In general, compared with the prior art, the technical scheme contemplated above by the invention achieves the following beneficial effects:
1. The invention can add a signature value or a signature-verification value to the header or body of a packet, and can therefore solve the technical problem of existing security gateway devices that the integrity and non-repudiation of business data cannot be guaranteed.
2. The invention can distinguish multiple packet types and add signature values or signature-verification values to different packets. It can therefore solve the technical problem of existing security gateway devices that, because all packets are processed uniformly without distinction, different types of signature cannot be performed, nor signature values carried, according to packet type.
3. The method of the invention is simple to implement, efficient and flexible in packet processing, and can respond quickly to different client requirements.
Brief description of the drawings
Fig. 1 is the overall flow chart of the security processing method for network protocol packets of the invention.
Fig. 2 is the detailed flow chart of the security processing method for network protocol packets of the invention.
Embodiment
In order to make the objects, technical scheme and advantages of the invention clearer, the invention is further elaborated below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here are merely illustrative of the invention and are not intended to limit it. In addition, the technical features involved in the embodiments of the invention described below can be combined with each other as long as they do not conflict.
According to one aspect of the invention, a security processing method for network protocol packets is provided, applied in a security gateway device; one end of the security gateway device is communicatively connected to the client and the other end to the remote server.
In this embodiment, the client is an application program or business system that can send network protocol packets over the TCP protocol, specifically including but not limited to a browser, an application program, a browser/server (B/S) business system or a client/server (C/S) business system. The remote server is a system that can provide server-side communication over the SSL record protocol, including but not limited to a server for the international-standard SSL (Secure Sockets Layer) protocol or a server for the Chinese national cryptographic (GM) SSL protocol.
As shown in Fig. 1, the invention provides a security processing method for network protocol packets, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively. The method includes:
(1) receiving a network protocol packet P1 from the client, and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format;
(2) when the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or of the pre-agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the packet obtained after that processing to the remote server.
Specifically, as shown in Fig. 2, the security processing method for network protocol packets of the invention comprises the following steps:
(1) receiving a network protocol packet P1 from the client;
It should be noted that the packet P1 received in this step has passed through zero or more intermediate devices, such as switches or hubs, before reaching the security gateway device;
(2) parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol; if it does, P1 is a packet of the application-layer protocol and the method proceeds to step (4); otherwise P1 is not a packet of the application-layer protocol and the method proceeds to step (3);
Specifically, this step first parses the first line of the header of P1 and then searches that line for a keyword such as "HTTP/1.0" or "HTTP/1.1"; if one is found, P1 is a packet of the application-layer protocol, otherwise it is not.
In this embodiment the application-layer protocol is HTTP (HyperText Transfer Protocol). It should be understood that the invention is not limited to this; other application-layer protocols, such as the Simple Mail Transfer Protocol (SMTP), the File Transfer Protocol (FTP), the Simple Network Management Protocol (SNMP) and the Domain Name System (DNS), are also within the scope of the invention.
(3) judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet in a pre-agreed format; if so, P1 is a custom packet and the method proceeds to step (5); if not, P1 is not a custom packet and the method proceeds to step (6);
In this embodiment, the pre-agreed keyword may be a character string agreed in advance between the security gateway device and the client.
The packet in a pre-agreed format may be XML data, TLV data or another type of packet whose rules are agreed in advance between the security gateway device and the client.
For example, the keyword "<origin_data>" can be set in advance as the keyword for the signing operation and the keyword "<signed_data>" as the keyword for the signature-verification operation.
The following packet can be set in advance as the packet for the signing operation:

<?xml version="1.0" encoding="GBK"?>
<QLBankSignData>
  <opReq>
    <bsnCode>CBE001</bsnCode>
    <cstNo>1000046447</cstNo>
    <serialNo>11445489</serialNo>
    <reqTime>20161221114454</reqTime>
    <ReqParam>
      <accountNo>86611741101423000010</accountNo>
      <currencyType>CNY</currencyType>
      <ReceiptNo></ReceiptNo>
      <ReqReserved1></ReqReserved1>
      <ReqReserved2></ReqReserved2>
    </ReqParam>
  </opReq>
</QLBankSignData>

and the following packet, which carries the same fields under a different root element, as the packet for the signature-verification operation:

<?xml version="1.0" encoding="GBK"?>
<QLBankVerifyData>
  <opReq>
    <bsnCode>CBE001</bsnCode>
    <cstNo>1000046447</cstNo>
    <serialNo>11445489</serialNo>
    <reqTime>20161221114454</reqTime>
    <ReqParam>
      <accountNo>86611741101423000010</accountNo>
      <currencyType>CNY</currencyType>
      <ReceiptNo></ReceiptNo>
      <ReqReserved1></ReqReserved1>
      <ReqReserved2></ReqReserved2>
    </ReqParam>
  </opReq>
</QLBankVerifyData>
(4) judging whether the header content of P1 contains a pre-agreed keyword; if so, P1 is a packet in a custom format and the method proceeds to step (7); if not, P1 is a packet of the application-layer protocol and the method proceeds to step (8);
For example, the keyword "Content-Sign" (content signature) can be set in advance as the keyword for the signing operation and the keyword "Content-Verify" (content verification) as the keyword for the signature-verification operation.
(5) processing the content of the body of P1 according to the type of the pre-agreed keyword to generate a corresponding result Q1, processing P1 and Q1 according to the SSL record protocol, and sending the packet S2 obtained after that processing to the remote server; the process ends;
Specifically, if the keyword type is a keyword for the signing operation, processing the content of the body in this step means signing it; if the keyword type is a keyword for the signature-verification operation, processing the content of the body in this step means verifying its signature;
Processing P1 and Q1 according to the SSL record protocol specifically means fragmenting, compressing, adding MAC information to, encrypting and adding an SSL record header to P1 and Q1 according to the SSL record protocol.
(6) processing P1 according to the SSL record protocol and sending the packet S1 obtained after that processing to the remote server; the process ends;
Specifically, this step fragments, compresses, adds MAC information to, encrypts and adds an SSL record header to P1 according to the SSL record protocol.
(7) processing the content of the body or header of P1 according to the type of the pre-agreed keyword to generate a corresponding result Q2, processing P1 and Q2 according to the SSL record protocol, and sending the packet S3 obtained after that processing to the remote server; the process ends;
Specifically, if the keyword is a keyword for the signing operation, processing the content of the body or header in this step is a signing operation; if the keyword is a keyword for the signature-verification operation, processing the content of the body or header in this step is a signature-verification operation. The corresponding result Q2 generated by the processing can be added to the request line of the header, to the request header fields, or to any position in the body.
Processing P1 and Q2 according to the SSL record protocol specifically means fragmenting, compressing, adding MAC information to, encrypting and adding an SSL record header to P1 and Q2 according to the SSL record protocol.
(8) judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet in a pre-agreed format; if so, P1 is a custom packet and the method proceeds to step (9); if not, P1 is not a custom packet and the method proceeds to step (10);
In this embodiment, the pre-agreed keyword types include a keyword for the signing operation and a keyword for the signature-verification operation, and the pre-agreed-format packet types include a packet for the signing operation and a packet for the signature-verification operation.
Specifically, the keyword "<origin_data>" can be set in advance as the keyword for the signing operation, the keyword "<signed_data>" as the keyword for the signature-verification operation, and the QLBankSignData and QLBankVerifyData XML packets shown under step (3) as the packets for the signing and signature-verification operations respectively.
(9) processing the content of the body or header of P1 according to the type of the pre-agreed keyword to generate a corresponding result Q3, processing P1 and Q3 according to the SSL record protocol, and sending the packet S4 obtained after that processing to the remote server; the process ends;
Specifically, if the keyword is a keyword for the signing operation, processing the content of the body or header in this step is a signing operation; if the keyword is a keyword for the signature-verification operation, processing the content of the body or header in this step is a signature-verification operation. The corresponding result Q3 generated can be added to the request line of the header, to the request header fields, or to any position in the body.
Processing P1 and Q3 according to the SSL record protocol specifically means fragmenting, compressing, adding MAC information to, encrypting and adding an SSL record header to P1 and Q3 according to the SSL record protocol.
(10) processing P1 according to the SSL record protocol and sending the packet S5 obtained after that processing to the remote server; the process ends;
Specifically, this step fragments, compresses, adds MAC information to, encrypts and adds an SSL record header to P1 according to the SSL record protocol.
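The decision tree of steps (2), (3), (4) and (8) and the placement of the result Q in steps (5), (7) and (9), as an added Python example; this is not the patent's code. The keywords are the patent's own examples. The header field name X-Gateway-Result, the <signature> tag after which a signature to be verified is carried, the gateway key, and the use of HMAC-SHA256 as a stand-in for the SM2/RSA signature the patent names are assumptions made here. The SSL record processing that follows is not part of this block; dispatch() returns the packet with Q attached, which is what that stage would receive.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Step (2): the application-layer keyword looked for on the first line of the header.
HTTP_MARKERS = ("HTTP/1.0", "HTTP/1.1")
# Step (4): pre-agreed header keywords (the patent's Content-Sign / Content-Verify),
# matched here against header field names (assumption about where they appear).
HEADER_KEYWORDS = {"content-sign": "sign", "content-verify": "verify"}
# Steps (3)/(8): pre-agreed body keywords and the root elements of the
# pre-agreed XML packets, all taken from the patent's examples.
BODY_KEYWORDS = {
    "<origin_data>": "sign",
    "<signed_data>": "verify",
    "<QLBankSignData>": "sign",
    "<QLBankVerifyData>": "verify",
}

GATEWAY_KEY = b"constructed-gateway-key"   # assumption: stands in for the SM2/RSA key
SIG_TAG = b"<signature>"                   # assumption: tag after which a signature to verify is carried
RESULT_FIELD = b"X-Gateway-Result: "       # assumption: header field that carries Q in step (7)


def signature(content: bytes) -> bytes:
    """Stand-in signature (HMAC-SHA256, hex). The patent uses SM2 or RSA here."""
    return hmac.new(GATEWAY_KEY, content, hashlib.sha256).hexdigest().encode()


def is_application_layer(raw: bytes) -> bool:
    """Step (2): an HTTP version token on the first line marks an application-layer packet."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    return any(marker in first_line for marker in HTTP_MARKERS)


def header_operation(header: bytes) -> Optional[str]:
    """Step (4): pre-agreed keyword among the header field names (request line skipped)."""
    for line in header.decode("latin-1").split("\r\n")[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name in HEADER_KEYWORDS:
            return HEADER_KEYWORDS[name]
    return None


def body_operation(body: bytes) -> Optional[str]:
    """Steps (3) and (8): pre-agreed keyword or pre-agreed XML root element in the body."""
    text = body.decode("latin-1")
    for keyword, op in BODY_KEYWORDS.items():
        if keyword in text:
            return op
    return None


def apply(op: str, content: bytes) -> bytes:
    """Produce the result Q: a new signature, or the verdict of a verification."""
    if op == "sign":
        return signature(content)
    data, _, sig = content.partition(SIG_TAG)      # assumed layout: data<signature>hex
    ok = hmac.compare_digest(signature(data), sig.strip())
    return b"verify-ok" if ok else b"verify-fail"


@dataclass
class Outcome:
    step: int                 # terminal step of Fig. 2: 5, 6, 7, 9 or 10
    operation: Optional[str]  # "sign", "verify" or None
    result: Optional[bytes]   # Q1 / Q2 / Q3, or None
    packet: bytes             # P1 with Q attached, as handed to SSL record processing


def dispatch(raw: bytes) -> Outcome:
    """Route one packet P1 through steps (2)-(10) and attach the result Q."""
    if not is_application_layer(raw):
        op = body_operation(raw)                       # step (3): whole packet is the body
        if op is None:
            return Outcome(6, None, None, raw)         # step (6): forward unchanged
        q = apply(op, raw)                             # step (5): Q1 appended to the body
        return Outcome(5, op, q, raw + b"\r\n" + q)
    header, _, body = raw.partition(b"\r\n\r\n")
    op = header_operation(header)                      # step (4)
    if op is not None:
        q = apply(op, body)                            # step (7): Q2 carried in a header field
        return Outcome(7, op, q, header + b"\r\n" + RESULT_FIELD + q + b"\r\n\r\n" + body)
    op = body_operation(body)                          # step (8)
    if op is None:
        return Outcome(10, None, None, raw)            # step (10): forward unchanged
    q = apply(op, body)                                # step (9): Q3 appended to the body
    return Outcome(9, op, q, header + b"\r\n\r\n" + body + b"\r\n" + q)
```

A packet whose body carries both a pre-agreed keyword and a header keyword is resolved in favour of the header, exactly as the flow chart orders steps (4) and (8); a non-HTTP packet is treated as all body, since the patent only defines a header for application-layer packets.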
It should be noted that the encryption algorithm used in the SSL record processing of steps (5), (6), (7), (9) and (10) above may be AES, DES, 3DES, SM1, SM4, etc. It should be understood that the invention is by no means limited to the above encryption algorithms; any symmetric encryption algorithm known in the art can be used. In addition, the hash algorithm used to compute the MAC may be SHA-1, SM3, etc., but the invention is not limited to these; any hash (digest) algorithm known in the art can be used.
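The five record-layer operations the steps above name (fragment, compress, add MAC, encrypt, add the record header), together with the receiving side that undoes them, as an added Python example; this is not the patent's code. The MAC input layout and the 2^14-byte fragment limit follow TLS 1.2 (RFC 5246). HMAC-SHA256 as the MAC, zlib as the compression method, and an HMAC-derived keystream standing in for the AES/SM4 cipher are assumptions made here so that the block runs without third-party libraries. The compression step is the one TLS 1.3 removed and RFC 7525 recommends disabling in earlier versions, and MAC-then-encrypt has since been superseded by AEAD cipher suites; the example keeps both because they are the steps the patent lists.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14           # TLS 1.2 plaintext fragment limit (RFC 5246, section 6.2.1)
APPLICATION_DATA = 23            # ContentType application_data
VERSION = (3, 3)                 # TLS 1.2 on the wire
MAC_LEN = 32                     # HMAC-SHA256 output length


def record_mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """MAC over seq_num || type || version || length || fragment (RFC 5246, section 6.2.3.1).
    The sequence number is what makes a replayed or reordered record fail the check."""
    header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def keystream_xor(enc_key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher (AES/SM4 in the patent): XOR with a per-record
    keystream derived from HMAC-SHA256(enc_key, seq || counter). Assumption made for
    this example; not a standard TLS cipher suite."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, struct.pack("!QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class RecordWriter:
    """Sender side: fragment, compress, MAC, encrypt, prepend the record header."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def protect(self, plaintext: bytes, ctype: int = APPLICATION_DATA) -> list:
        records = []
        for i in range(0, len(plaintext), MAX_FRAGMENT):                   # 1. fragment
            fragment = zlib.compress(plaintext[i:i + MAX_FRAGMENT])        # 2. compress
            mac = record_mac(self.mac_key, self.seq, ctype, fragment)      # 3. add MAC
            body = keystream_xor(self.enc_key, self.seq, fragment + mac)   # 4. encrypt
            header = struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(body))  # 5. header
            records.append(header + body)
            self.seq += 1
        return records


class RecordReader:
    """Receiver side: the same steps in reverse, rejecting bad headers and bad MACs."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def unprotect(self, record: bytes) -> bytes:
        if len(record) < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        if (major, minor) != VERSION or len(record) != 5 + length:
            raise ValueError("malformed record header")
        plain = keystream_xor(self.enc_key, self.seq, record[5:])
        if len(plain) < MAC_LEN:
            raise ValueError("record too short for MAC")
        fragment, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(mac, record_mac(self.mac_key, self.seq, ctype, fragment)):
            raise ValueError("bad_record_mac")      # tampering, replay or reordering
        self.seq += 1                                # only a verified record advances seq
        return zlib.decompress(fragment)
```

Both ends keep their own sequence counter and never transmit it, so a record captured and re-sent later is decrypted under the wrong keystream and fails the MAC; the reader only advances its counter after a successful check, so one bad record does not desynchronise the rest of the stream.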
In steps (7) and (9) above, the algorithm used for the signing and signature-verification operations may be SM2, RSA, etc., but the invention is not limited to these; any asymmetric encryption algorithm known in the art can be used.
It should be noted that the decryption algorithm used in the above steps of the method of the invention is the inverse of the corresponding encryption algorithm.
According to another aspect of the present invention, there is provided a kind of safe processing system of the Internet protocol data bag, be application In secure internet closes equipment, the secure internet closes equipment and communicated to connect respectively with client and remote server, institute The system of stating includes:
First module, for from client receiving network protocol packet P1;
It should be noted that the packet P1 received have passed through 0 to more before reaching secure internet and closing equipment Individual intermediate equipment, such as interchanger, hub equipment;
Second module, for being parsed to the Internet protocol data bag P1, judge whether contain in the packet after parsing The keyword identification of application layer protocol, if comprising it is the packet of application layer protocol to illustrate the Internet protocol data bag P1, so Enter the 4th module afterwards, it is not the packet of application layer protocol otherwise to illustrate the Internet protocol data bag P1, subsequently into the 3rd mould Block;
Specifically, parse the first row in the Internet protocol data bag P1 packet header first, then search in the row content whether There is such as " HTTP/1.0 " or " HTTP/1.1 " keyword, if so, illustrating that the Internet protocol data bag P1 is exactly to apply The packet of layer protocol, it is not the packet of application layer protocol otherwise then to represent it.
In the present embodiment, application layer protocol is HTTP (HyperText Transfer Protocol, abbreviation HTTP), it should be understood that the invention is not limited in this, other application layer protocol, such as simple postal Part transportation protocol (Simple Mail Transfer Protocol, abbreviation SMTP), FTP (File Transfer Protocol, abbreviation FTP), Simple Network Management Protocol (simple Network Management Protocol, referred to as SNMP), domain name system (Domain Name System, abbreviation DNS) etc. is also within the scope of the present invention.
The third module judges whether the content of the body of P1 contains a keyword agreed in advance, or whether the body of P1 contains a packet in a format agreed in advance. If so, P1 is a custom packet and processing continues with the fifth module; if not, P1 is not a custom packet and processing continues with the sixth module.
In the present embodiment, the types of agreed keyword include a keyword for the signing operation and a keyword for the signature-verification operation; the types of agreed-format packet include a packet for the signing operation and a packet for the signature-verification operation.
For example, the keyword "<origin_data>" can be set in advance as the keyword for the signing operation, and the keyword "<signed_data>" as the keyword for the signature-verification operation.
Likewise, the packet
"<?xml version="1.0" encoding="GBK"?><QLBankSignData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankSignData>"
can be set in advance as the packet for the signing operation, and the packet
"<?xml version="1.0" encoding="GBK"?><QLBankVerifyData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankVerifyData>"
as the packet for the signature-verification operation.
The fourth module judges whether the header content of P1 contains a keyword agreed in advance. If so, P1 is a custom-format packet and processing continues with the seventh module; if not, P1 is an application-layer protocol packet and processing continues with the eighth module.
For example, the keyword "Content-Sign" (content signature) can be set in advance as the keyword for the signing operation, and the keyword "Content-Verify" (content verification) as the keyword for the signature-verification operation.
The fifth module processes the content of the body of P1 according to the type of the agreed keyword to generate a corresponding result Q1, processes P1 and Q1 according to the SSL record protocol, and sends the network protocol packet S2 obtained after processing to the remote server; the process then ends.
Specifically, if the keyword is the keyword for the signing operation, processing the body content means performing a signing operation on it; if the keyword is the keyword for the signature-verification operation, processing the body content means verifying a signature over it.
Processing P1 and Q1 according to the SSL record protocol means fragmenting, compressing, adding MAC information to, encrypting, and adding the SSL record header to P1 and Q1, as the SSL record protocol specifies.
The sixth module processes P1 according to the SSL record protocol and sends the network protocol packet S1 obtained after processing to the remote server; the process then ends.
Specifically, P1 is fragmented, compressed, given MAC information, encrypted and given an SSL record header, as the SSL record protocol specifies.
The seventh module processes the content of the body or header of P1 according to the type of the agreed keyword to generate a corresponding result Q2, processes P1 and Q2 according to the SSL record protocol, and sends the network protocol packet S3 obtained after processing to the remote server; the process then ends.
Specifically, if the keyword is the keyword for the signing operation, the processing of the body or header content is a signing operation; if the keyword is the keyword for the signature-verification operation, the processing of the body or header content is a signature-verification operation. The result Q2 generated by the processing may be added to the request line of the header, to a request header within the header, or at any position in the body.
Processing P1 and Q2 according to the SSL record protocol means fragmenting, compressing, adding MAC information to, encrypting, and adding the SSL record header to P1 and Q2, as the SSL record protocol specifies.
The eighth module judges whether the content of the body of P1 contains a keyword agreed in advance, or whether the body of P1 contains a packet in a format agreed in advance. If so, P1 is a custom packet and processing continues with the ninth module; if not, P1 is not a custom packet and processing continues with the tenth module.
In the present embodiment, the types of agreed keyword include a keyword for the signing operation and a keyword for the signature-verification operation, and the types of agreed-format packet include a packet for the signing operation and a packet for the signature-verification operation.
Specifically, the same agreements as in the third module apply: the keyword "<origin_data>" can be set in advance as the keyword for the signing operation and the keyword "<signed_data>" as the keyword for the signature-verification operation, and the QLBankSignData and QLBankVerifyData XML packets given above can be set in advance as the packet for the signing operation and the packet for the signature-verification operation respectively.
The ninth module processes the content of the body or header of P1 according to the type of the agreed keyword to generate a corresponding result Q3, processes P1 and Q3 according to the SSL record protocol, and sends the network protocol packet S4 obtained after processing to the remote server; the process then ends.
Specifically, if the keyword is the keyword for the signing operation, the processing of the body or header content is a signing operation; if the keyword is the keyword for the signature-verification operation, the processing of the body or header content is a signature-verification operation. The generated result Q3 may be added to the request line of the header, to a request header, or at any position in the body.
Processing P1 and Q3 according to the SSL record protocol means fragmenting, compressing, adding MAC information to, encrypting, and adding the SSL record header to P1 and Q3, as the SSL record protocol specifies.
The tenth module processes P1 according to the SSL record protocol and sends the network protocol packet S5 obtained after processing to the remote server; the process then ends.
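The following is an added example, not code from the patent or its applicants: it implements the decision tree of the second to tenth modules above and the insertion of the result into P1. The marker strings, header keywords, body keywords and XML root elements are those the embodiment lists; the HMAC tag standing in for the unspecified signature operation, the demo key, the X-Sign-Result header name and the <sign_result> element are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key for the HMAC stand-in: the page leaves the signature
# algorithm and key storage unspecified.
DEMO_KEY = b"constructed-demo-key"

# Second module: application-layer marker searched in the first header line.
APP_LAYER_MARKERS = (b"HTTP/1.0", b"HTTP/1.1")
# Fourth module: agreed header keywords (Content-Sign / Content-Verify).
HEADER_KEYWORDS = {b"Content-Sign": "sign", b"Content-Verify": "verify"}
# Third and eighth modules: agreed body keywords and agreed XML root elements.
BODY_KEYWORDS = {b"<origin_data>": "sign", b"<signed_data>": "verify",
                 b"<QLBankSignData>": "sign", b"<QLBankVerifyData>": "verify"}

@dataclass
class Decision:
    module: int     # module of the described flow that forwards P1 to the server
    operation: str  # "sign", "verify" or "none"
    where: str      # "header", "body" or "none": where the keyword was found

def split_packet(p1: bytes):
    """Split P1 at the first blank line (HTTP layout); no blank line means all body."""
    header, sep, body = p1.partition(b"\r\n\r\n")
    return (header, body) if sep else (b"", p1)

def body_operation(body: bytes):
    """Third/eighth module: agreed keyword or agreed-format packet in the body?"""
    for keyword, operation in BODY_KEYWORDS.items():
        if keyword in body:
            return operation
    return None

def classify(p1: bytes) -> Decision:
    """Second to tenth modules of the page as a single decision tree."""
    header, body = split_packet(p1)
    first_line = header.split(b"\r\n", 1)[0]
    if not any(marker in first_line for marker in APP_LAYER_MARKERS):
        op = body_operation(body)                       # third module
        return Decision(5, op, "body") if op else Decision(6, "none", "none")
    for keyword, op in HEADER_KEYWORDS.items():         # fourth module
        if keyword in header:
            return Decision(7, op, "header")
    op = body_operation(body)                           # eighth module
    return Decision(9, op, "body") if op else Decision(10, "none", "none")

def sign_stand_in(content: bytes) -> bytes:
    """HMAC-SHA256 tag standing in for the page's unspecified signature operation."""
    return hmac.new(DEMO_KEY, content, hashlib.sha256).hexdigest().encode()

def process(p1: bytes):
    """Fifth/seventh/ninth modules, signing case: compute Q over the body and
    carry it in P1, in a request header (one of the positions the page allows)
    or, for a custom packet, appended to the body (an assumption). Returns
    (decision, packet carrying Q); every other case returns P1 unchanged."""
    decision = classify(p1)
    header, body = split_packet(p1)
    if decision.operation != "sign":
        return decision, p1
    q = sign_stand_in(body)
    if decision.where == "header":
        return decision, header + b"\r\nX-Sign-Result: " + q + b"\r\n\r\n" + body
    return decision, p1 + b"<sign_result>" + q + b"</sign_result>"
```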
In summary, the present invention distinguishes different types of packets, applies the corresponding processing to each packet, and forwards the packet together with the corresponding result securely to the remote server. Network attacks at different levels can thereby be resisted, strengthening the security, integrity and non-repudiation of packet transmission.
Those skilled in the art will readily appreciate that the foregoing is merely a description of preferred embodiments of the present invention and does not limit the invention; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the scope of protection of the invention.

Claims (10)

1. A security processing method for a network protocol packet, applied in a secure internet gateway device that is communicatively connected to a client and to a remote server respectively, characterized in that the method comprises:
(1) receiving a network protocol packet P1 from the client, and judging whether the header or body of P1 contains a keyword identifier agreed in advance or a packet in a format agreed in advance;
(2) when the header or body of P1 contains a keyword identifier agreed in advance or a packet in a format agreed in advance, processing the content of the header or body of P1 according to the type of the agreed keyword or agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
2. The security processing method according to claim 1, characterized in that processing the network protocol packet and the corresponding result according to the SSL record protocol specifically means fragmenting, compressing, adding MAC information to, encrypting and adding the SSL record header to the network protocol packet and the corresponding result according to the SSL record protocol.
3. The security processing method according to claim 1, characterized in that the method further comprises, before judging whether the header or body of P1 contains a keyword identifier agreed in advance or a packet in a format agreed in advance, the step of judging whether the parsed packet contains the keyword identifier of an application-layer protocol.
4. The security processing method according to claim 3, characterized in that parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol specifically means first parsing the first line of the header of P1 and then searching the content of that line for a keyword; if a keyword is present, P1 is an application-layer protocol packet, and otherwise it is not an application-layer protocol packet.
5. The security processing method according to claim 1, characterized in that the method further comprises: when the header of P1 contains no packet in a format agreed in advance, the step of further judging whether the content of the body of P1 contains a keyword agreed in advance, or whether the content of the body of P1 contains a packet in a format agreed in advance.
6. The security processing method according to claim 5, characterized in that the method further comprises: when the content of the body of P1 contains no keyword agreed in advance and no packet in a format agreed in advance, the step of processing P1 according to the SSL record protocol and sending the network protocol packet obtained after processing to the remote server.
7. The security processing method according to claim 5 or 6, characterized in that
the agreed keyword may be a character string agreed in advance by the secure internet gateway device and the client;
the agreed-format packet may be XML data or TLV data whose rules are agreed in advance by the secure internet gateway device and the client, or a packet of another type.
8. The security processing method according to claim 7, characterized in that
if the keyword type is the keyword for the signing operation, processing the content of the body means performing a signing operation on it;
if the keyword type is the keyword for the signature-verification operation, processing the content of the body means verifying a signature over it.
9. The security processing method according to claim 1, characterized in that the method further comprises: when neither the header nor the body of P1 contains a packet in a format agreed in advance, processing P1 according to the SSL record protocol and sending the network protocol packet obtained after processing to the remote server.
10. A security processing system for a network protocol packet, applied in a secure internet gateway device that is communicatively connected to a client and to a remote server respectively, characterized in that the system comprises:
a first module for receiving a network protocol packet P1 from the client and judging whether the header or body of P1 contains a keyword identifier agreed in advance or a packet in a format agreed in advance;
a second module for, when the header or body of P1 contains a keyword identifier agreed in advance or a packet in a format agreed in advance, processing the content of the header or body of P1 according to the type of the agreed keyword or agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
CN201710592618.5A 2017-07-19 2017-07-19 A kind of security processing and system of the Internet protocol data bag Pending CN107395592A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710592618.5A CN107395592A (en) 2017-07-19 2017-07-19 A kind of security processing and system of the Internet protocol data bag

Publications (1)

Publication Number Publication Date
CN107395592A true CN107395592A (en) 2017-11-24

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109698831A (en) * 2018-12-28 2019-04-30 中电智能科技有限公司 Data prevention method and device
CN111935081A (en) * 2020-06-24 2020-11-13 武汉绿色网络信息服务有限责任公司 Data packet desensitization method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231709A (en) * 2011-07-04 2011-11-02 清华大学 Control plane structure of virtual routing device and control method thereof
CN102497265A (en) * 2011-11-24 2012-06-13 飞天诚信科技股份有限公司 Pulse light signal identification method and apparatus thereof
CN102821101A (en) * 2012-07-27 2012-12-12 北京中科晶上科技有限公司 IP data packet identification method and gateway
CN105306536A (en) * 2015-09-22 2016-02-03 上海斐讯数据通信技术有限公司 Method for intelligent terminal to remotely execute service command based on WiFi (Wireless Fidelity)
CN106254355A (en) * 2016-08-10 2016-12-21 武汉信安珞珈科技有限公司 The security processing of a kind of the Internet protocol data bag and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20171124)