CN107395592A - Security processing method and system for network protocol packets - Google Patents
Security processing method and system for network protocol packets
- Publication number: CN107395592A (application CN201710592618.5A)
- Authority: CN (China)
- Prior art keywords: packet, protocol data, data bag, internet protocol, appointment
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (CPC)
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    - H04L69/22—Parsing or analysis of headers
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/12—Applying verification of the received information
      - H04L63/126—Applying verification of the received information the source of the received data
    - H04L63/16—Implementing security features at a particular protocol layer
      - H04L63/168—Implementing security features at a particular protocol layer above the transport layer
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L9/3247—involving digital signatures
Abstract
The invention discloses a security processing method for network protocol packets, comprising: receiving a network protocol packet P1 from a client; parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol; if it does, judging whether the header of P1 contains a pre-agreed keyword; if so, first processing the content of the header or body of P1 according to the type of the pre-agreed keyword so as to generate a corresponding processing result Q2, then processing P1 and Q2 according to the SSL record protocol, and sending the network protocol packet S3 generated by that processing to the remote server. The invention can resist network attacks at different levels and thereby strengthens the security, integrity and non-repudiation of packet transmission.
Description
Technical field
The invention belongs to the fields of information security technology and Internet communication, and more particularly relates to a security processing method and system for network protocol packets.
Background technology
With the continuous improvement of informatization, government agencies, enterprises and institutions have deployed a large number of business systems on the Internet and exchange business data over the Internet with their branches and partners in various regions. These business data are important digital assets of the government department, enterprise or institution, and their confidentiality, authenticity, integrity and non-repudiation need to be ensured during informatization.
For security reasons, such business data often cannot be sent directly to the remote server; it must first undergo corresponding security processing in a security gateway device before it can finally be routed to the remote server, which receives, processes and responds to it. Meanwhile, some senders need a signing or signature-verification operation to be carried out in the security gateway device, so that the signature information sent by a client holding a valid certificate can be checked or the authenticity of the signature information can be verified, thereby confirming that the message was indeed signed and issued by the sender and that the message is intact.
Existing security gateway devices, however, have technical problems in several respects. First, packets are only encrypted and forwarded inside the channel between the client side and the server side of the device; the packets themselves carry no signature value, so when a packet reaches the business processing system the integrity and non-repudiation of the business data cannot be ensured. Second, all packets are processed uniformly without distinction, so different types of signing cannot be carried out by category and no signature value is carried.
The content of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a security processing method and system for network protocol packets. Its purpose is to distinguish different types of packets, sign them or verify their signatures, carry the corresponding processing result and forward it securely to the remote server, so that network attacks at different levels can be resisted and the security, integrity and non-repudiation of packet transmission are strengthened.
To achieve the above object, according to one aspect of the invention there is provided a security processing method for network protocol packets, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively, the method comprising:
(1) receiving a network protocol packet P1 from the client, and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format;
(2) when the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or pre-agreed format so as to generate a corresponding processing result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
Preferably, processing the network protocol packet and the corresponding result according to the SSL record protocol specifically means segmenting, compressing, adding MAC information to, encrypting and adding SSL record headers to the network protocol packet and the corresponding result according to the SSL record protocol.
Preferably, the method further comprises, before judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format, the step of judging whether the parsed packet contains the keyword identifier of an application-layer protocol.
Preferably, parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol specifically means first parsing the first line of the header of P1 and then searching that line for the keyword; if it is present, P1 is a packet of the application-layer protocol, otherwise it is not.
Preferably, the method further comprises: when the header of P1 contains no packet of pre-agreed format, the step of further judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet of pre-agreed format.
Preferably, the method further comprises: when the content of the body of P1 contains neither a pre-agreed keyword nor a packet of pre-agreed format, the step of processing P1 according to the SSL record protocol and sending the network protocol packet obtained after processing to the remote server.
Preferably, the pre-agreed keyword may be a character string agreed in advance between the security gateway device and the client, and the packet of pre-agreed format may be XML data, TLV data or another type of packet whose rules were agreed in advance between the security gateway device and the client.
Preferably, if the type of the keyword is a keyword for a signing operation, processing the content of the body means signing it; if the type of the keyword is a keyword for a signature-verification operation, processing the content of the body means verifying its signature.
Preferably, the method further comprises: when neither the header nor the body of P1 contains a packet of pre-agreed format, processing P1 according to the SSL record protocol and sending the network protocol packet obtained after processing to the remote server.
According to another aspect of the invention there is provided a security processing system for network protocol packets, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively, the system comprising:
a first module, for receiving a network protocol packet P1 from the client and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format;
a second module, for, when the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or pre-agreed format so as to generate a corresponding processing result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
In general, compared with the prior art, the technical scheme contemplated by the invention achieves the following beneficial effects:
First, the invention can add a signature value or a signature-verification value in the header or body of a packet, and can therefore solve the technical problem of existing security gateway devices that the integrity and non-repudiation of business data cannot be guaranteed.
Second, the invention can distinguish multiple types of packet and add a signature value or a signature-verification value to different packets. It can therefore solve the technical problem of existing security gateway devices that, because all packets are processed uniformly without distinction, signing and the carrying of signature values cannot be performed according to type.
Third, the method of the invention is simple to implement, efficient and flexible in packet processing, and can respond quickly to the different needs of clients.
Brief description of the drawings
Fig. 1 is the overall flow chart of the security processing method for network protocol packets of the invention.
Fig. 2 is the detailed flow chart of the security processing method for network protocol packets of the invention.
Embodiment
In order to make the purpose, technical scheme and advantages of the invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be appreciated that the specific embodiments described here are merely illustrative of the invention and are not intended to limit it. In addition, the technical features involved in the embodiments of the invention described below may be combined with each other as long as they do not conflict.
According to one aspect of the invention there is provided a security processing method for network protocol packets, applied in a security gateway device, one end of which is communicatively connected to the client and the other end to the remote server.
In this embodiment, the client is an application program or business system that can send network protocol packets over TCP, including but not limited to browsers, application programs, browser/server (B/S) business systems and client/server (C/S) business systems. The remote server can provide server-side SSL record protocol communication, including but not limited to international-standard SSL (Secure Sockets Layer) protocol servers and SSL protocol servers based on the Chinese national cryptographic standards.
As shown in Fig. 1, the invention provides a security processing method for network protocol packets, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively, the method comprising:
(1) receiving a network protocol packet P1 from the client, and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format;
(2) when the header or body of P1 contains a pre-agreed keyword identifier or a packet of pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or pre-agreed format so as to generate a corresponding processing result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
Specifically, as shown in Fig. 2, the security processing method for network protocol packets of the invention comprises the following steps:
(1) receiving a network protocol packet P1 from the client;
It should be noted that the packet P1 received in this step may have passed through zero or more intermediate devices, such as switches and hubs, before reaching the security gateway device;
(2) parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol; if it does, P1 is a packet of the application-layer protocol and the method proceeds to step (4); otherwise P1 is not a packet of the application-layer protocol and the method proceeds to step (3);
Specifically, this step first parses the first line of the header of P1 and then searches that line for a keyword such as "HTTP/1.0" or "HTTP/1.1"; if present, P1 is a packet of the application-layer protocol, otherwise it is not.
In this embodiment the application-layer protocol is HTTP (HyperText Transfer Protocol). It should be understood that the invention is not limited to this; other application-layer protocols, such as the Simple Mail Transfer Protocol (SMTP), the File Transfer Protocol (FTP), the Simple Network Management Protocol (SNMP) and the Domain Name System (DNS), are also within the scope of the invention.
(3) judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet of pre-agreed format; if so, P1 is a custom packet and the method proceeds to step (5); if not, P1 is not a custom packet and the method proceeds to step (6);
In this embodiment the pre-agreed keyword may be a character string agreed in advance between the security gateway device and the client.
The packet of pre-agreed format may be XML data, TLV data or another type of packet whose rules were agreed in advance between the security gateway device and the client.
For example, the keyword "<origin_data>" may be set in advance as the keyword for the signing operation, and the keyword "<signed_data>" as the keyword for the signature-verification operation.
The packet
<?xml version="1.0" encoding="GBK"?><QLBankSignData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankSignData>
may be set in advance as the packet for the signing operation, and the packet
<?xml version="1.0" encoding="GBK"?><QLBankVerifyData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankVerifyData>
as the packet for the signature-verification operation.
(4) judging whether the header content of P1 contains a pre-agreed keyword; if so, P1 is a packet of custom format and the method proceeds to step (7); if not, P1 is a packet of the application-layer protocol and the method proceeds to step (8);
For example, the keyword "Content-Sign" (content signature) may be set in advance as the keyword for the signing operation, and the keyword "Content-Verify" (content verification) as the keyword for the signature-verification operation.
(5) processing the content of the body of P1 according to the type of the pre-agreed keyword so as to generate a corresponding processing result Q1, processing P1 and Q1 according to the SSL record protocol, and sending the network protocol packet S2 obtained after processing to the remote server, after which the process ends;
Specifically, if the type of the keyword is the keyword for the signing operation, processing the content of the body in this step means signing it; if the type of the keyword is the keyword for the signature-verification operation, processing the content of the body in this step means verifying its signature;
Processing P1 and Q1 according to the SSL record protocol specifically means segmenting, compressing, adding MAC information to, encrypting and adding SSL record headers to P1 and Q1 according to the SSL record protocol.
(6) processing P1 according to the SSL record protocol and sending the network protocol packet S1 obtained after processing to the remote server, after which the process ends;
Specifically, this step segments, compresses, adds MAC information to, encrypts and adds SSL record headers to P1 according to the SSL record protocol.
(7) processing the content of the body or header of P1 according to the type of the pre-agreed keyword so as to generate a corresponding processing result Q2, processing P1 and Q2 according to the SSL record protocol, and sending the network protocol packet S3 obtained after processing to the remote server, after which the process ends;
Specifically, if the keyword is the keyword for the signing operation, processing the content of the body or header in this step is a signing operation; if the keyword is the keyword for the signature-verification operation, processing the content of the body or header in this step is a signature-verification operation. The processing result Q2 may be added to the request line of the header, to any position in the request headers, or to the body.
Processing P1 and Q2 according to the SSL record protocol specifically means segmenting, compressing, adding MAC information to, encrypting and adding SSL record headers to P1 and Q2 according to the SSL record protocol.
(8) judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet of pre-agreed format; if so, P1 is a custom packet and the method proceeds to step (9); if not, P1 is not a custom packet and the method proceeds to step (10);
In this embodiment, the types of pre-agreed keyword comprise a keyword for the signing operation and a keyword for the signature-verification operation, and the types of packet of pre-agreed format comprise a packet for the signing operation and a packet for the signature-verification operation.
Specifically, the keyword "<origin_data>" may be set in advance as the keyword for the signing operation, and the keyword "<signed_data>" as the keyword for the signature-verification operation.
The packet
<?xml version="1.0" encoding="GBK"?><QLBankSignData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankSignData>
may be set in advance as the packet for the signing operation, and the packet
<?xml version="1.0" encoding="GBK"?><QLBankVerifyData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankVerifyData>
as the packet for the signature-verification operation.
(9) processing the content of the body or header of P1 according to the type of the pre-agreed keyword so as to generate a corresponding processing result Q3, processing P1 and Q3 according to the SSL record protocol, and sending the network protocol packet S4 obtained after processing to the remote server, after which the process ends;
Specifically, if the keyword is the keyword for the signing operation, processing the content of the body or header in this step is a signing operation; if the keyword is the keyword for the signature-verification operation, processing the content of the body or header in this step is a signature-verification operation. The processing result Q3 may be added to the request line of the header, to any position in the request headers, or to the body.
Processing P1 and Q3 according to the SSL record protocol specifically means segmenting, compressing, adding MAC information to, encrypting and adding SSL record headers to P1 and Q3 according to the SSL record protocol.
(10) processing P1 according to the SSL record protocol and sending the network protocol packet S5 obtained after processing to the remote server, after which the process ends;
Specifically, this step segments, compresses, adds MAC information to, encrypts and adds SSL record headers to P1 according to the SSL record protocol.
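The decision tree of Fig. 2, steps (2), (3), (4) and (8), together with the dispatch to the processing steps (5) to (10), as a runnable classifier. This is an added example and not code from the patent, which stops at the prose above; the two-branch summary earlier in this page describes the same routing. Assumptions: the packet layout (a first line, header lines, a blank line, then the body), the X-Gateway-Result header line and the <gateway_result> element used to carry result Q, and the fact that the header keyword is matched as a header field name. The keywords themselves are the ones the embodiment names, and `sign`/`verify` are caller-supplied routines standing in for the SM2/RSA operations the patent leaves to the gateway.

```python
"""Classifier and dispatcher for the decision tree of Fig. 2.

Added example, not code from the patent.  The packet layout (first line,
header lines, blank line, body) and the places where result Q is attached
(an X-Gateway-Result header line, or a trailing <gateway_result> element)
are assumptions; the keywords are the ones the embodiment names.
"""

# Step (2): application-layer marker searched for in the first header line.
APP_LAYER_MARKERS = (b"HTTP/1.0", b"HTTP/1.1")
# Step (4): pre-agreed header keywords (matched as a header field name).
HEADER_KEYWORDS = {b"content-sign": "sign", b"content-verify": "verify"}
# Steps (3)/(8): pre-agreed body keywords and pre-agreed XML formats.
BODY_KEYWORDS = {b"<origin_data>": "sign", b"<signed_data>": "verify"}
BODY_FORMATS = {b"<QLBankSignData>": "sign", b"<QLBankVerifyData>": "verify"}


def split_packet(raw: bytes):
    """Return (first line, header block, body), splitting on the first blank line.

    A packet with no blank line is treated as body only, which is how a
    non-HTTP custom packet (bare XML or TLV) arrives.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    if not sep:
        return b"", b"", raw
    first_line, _, header_block = head.partition(b"\n")
    return first_line.strip(), header_block, body


def is_application_layer(first_line: bytes) -> bool:
    """Step (2): does the first header line carry an application-layer keyword?"""
    return any(marker in first_line for marker in APP_LAYER_MARKERS)


def header_operation(header_block: bytes):
    """Step (4): pre-agreed keyword as a header field name, case-insensitive."""
    for line in header_block.splitlines():
        name, _, _ = line.partition(b":")
        operation = HEADER_KEYWORDS.get(name.strip().lower())
        if operation:
            return operation
    return None


def body_operation(body: bytes):
    """Steps (3) and (8): pre-agreed keyword first, then pre-agreed format."""
    for table in (BODY_KEYWORDS, BODY_FORMATS):
        for token, operation in table.items():
            if token in body:
                return operation
    return None


def classify(raw: bytes):
    """Route packet P1 through Fig. 2.

    Returns (step, operation, where): the patent's step number the packet
    reaches (5 to 10), "sign"/"verify"/None, and whether result Q is to be
    attached to the "header" or the "body" (None when nothing is attached).
    """
    first_line, header_block, body = split_packet(raw)
    if not is_application_layer(first_line):          # step (2) -> step (3)
        operation = body_operation(body)
        return (5, operation, "body") if operation else (6, None, None)
    operation = header_operation(header_block)        # step (4)
    if operation:
        return (7, operation, "header")               # header keyword wins
    operation = body_operation(body)                  # step (8)
    return (9, operation, "body") if operation else (10, None, None)


def process(raw: bytes, sign, verify):
    """Steps (5), (7), (9): compute result Q with the caller's routines and attach it.

    `sign` and `verify` take the body bytes and return bytes; they stand in
    for the SM2/RSA routines the patent leaves to the gateway.  Steps (6)
    and (10) return the packet unchanged.  Returns (step, packet).
    """
    step, operation, where = classify(raw)
    if operation is None:
        return step, raw
    _, _, body = split_packet(raw)
    result = sign(body) if operation == "sign" else verify(body)
    if where == "header":
        sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
        head, _, tail = raw.partition(sep)
        eol = sep[: len(sep) // 2]                    # b"\r\n" or b"\n"
        return step, head + eol + b"X-Gateway-Result: " + result + sep + tail
    return step, raw + b"<gateway_result>" + result + b"</gateway_result>"
```

The ordering in `classify` is the point worth checking against Fig. 2: for an HTTP packet the header keyword of step (4) is tested before the body keyword of step (8), so a packet carrying both is routed to step (7) and Q goes into the header; a packet that is not HTTP never reaches step (4) and can only be routed by its body. The SSL record processing that follows in steps (5) to (10) is a separate stage and is not part of this block.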
It should be noted that the encryption algorithm used for the encryption in steps (5), (6) and (10) may be AES, DES, 3DES, SM1, SM4 or the like; it should be understood that the invention is in no way limited to the above data encryption algorithms, and any symmetric encryption algorithm well known in the art may be used. In addition, the MAC algorithm may be SHA-1, SM3 or the like, but the invention is not limited to the above algorithms, and any hash algorithm (digest algorithm) well known in the art may be used.
In steps (7) and (9), the algorithm used for the signing operation and the signature-verification operation may be SM2, RSA or the like, but the invention is not limited to these, and any asymmetric encryption algorithm well known in the art may be used.
It should also be noted that the decryption algorithm used in the above steps of the method of the invention is the inverse algorithm corresponding to the encryption algorithm used.
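The SSL record-layer processing that steps (5) to (10) and the algorithm notes above describe, as an added example that is not code from the patent or from any SSL implementation: one outbound buffer (P1 plus result Q) is segmented, compressed, MAC-protected, encrypted and framed with a record header, and the receiving side undoes each step in reverse and rejects a tampered, reordered or replayed record. Assumptions, each a stand-in rather than anything the patent specifies: HMAC-SHA256 in place of the SHA-1/SM3 MAC, a SHA-256 counter keystream in place of AES/SM4 (it only shows where the cipher sits in the pipeline and is not a cipher to deploy), the record version bytes and the 16384-byte fragment limit taken from the SSL/TLS record layer, and fixed constructed keys rather than handshake-derived ones.

```python
"""SSL record-layer processing of steps (5) to (10): segment, compress, add
MAC, encrypt, add record header, and the inverse at the receiving end.

Added example, not code from the patent or any SSL stack.  Stand-ins, each
an assumption: HMAC-SHA256 for the SHA-1/SM3 MAC, a SHA-256 counter keystream
for the AES/SM4 cipher, fixed sample keys instead of handshake-derived ones.
"""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # record fragment limit of the SSL/TLS record layer
CONTENT_TYPE_APP_DATA = 23      # application_data content type
VERSION = (3, 1)                # record version bytes (assumed value)
MAC_LEN = 32                    # HMAC-SHA256 tag length


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: stand-in for AES/SM4, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", seq, counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    """XOR with the keystream; applying it twice restores the input."""
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(mac_key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """MAC over sequence number, content type, version, length and fragment,
    so a reordered or replayed record fails the check as well as a tampered one."""
    header = struct.pack(">QBBBH", seq, ctype, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def protect(plaintext: bytes, mac_key: bytes, enc_key: bytes, seq: int = 0) -> list:
    """Turn one outbound buffer (packet P1 plus result Q) into SSL-style records."""
    records = []
    for start in range(0, len(plaintext), MAX_FRAGMENT):
        fragment = plaintext[start:start + MAX_FRAGMENT]            # 1. segment
        compressed = zlib.compress(fragment)                         # 2. compress
        tag = _mac(mac_key, seq, CONTENT_TYPE_APP_DATA, compressed)  # 3. add MAC
        body = compressed + tag
        ciphertext = _xor(body, _keystream(enc_key, seq, len(body)))  # 4. encrypt
        header = struct.pack(">BBBH", CONTENT_TYPE_APP_DATA, *VERSION, len(ciphertext))
        records.append(header + ciphertext)                          # 5. add record header
        seq += 1
    return records


def unprotect(records: list, mac_key: bytes, enc_key: bytes, seq: int = 0) -> bytes:
    """Inverse of protect(): strip header, decrypt, check MAC, decompress, reassemble.

    Raises ValueError on a malformed header, a failed MAC, or a record that is
    out of sequence (the sequence number is bound into the MAC).
    """
    out = bytearray()
    for record in records:
        if len(record) < 5:
            raise ValueError("truncated record")
        ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
        ciphertext = record[5:]
        if (ctype, (major, minor), len(ciphertext)) != (CONTENT_TYPE_APP_DATA, VERSION, length):
            raise ValueError("bad record header")
        body = _xor(ciphertext, _keystream(enc_key, seq, len(ciphertext)))
        compressed, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, compressed)):
            raise ValueError("MAC check failed")
        out += zlib.decompress(compressed)                          # only after the MAC passes
        seq += 1
    return bytes(out)
```

Two details match the notes above: decryption is the exact inverse of encryption (with a keystream, the same XOR), and the MAC is computed over the compressed fragment together with the sequence number, which is why `unprotect` verifies the MAC before it decompresses anything and why swapping two records fails even though each record is individually intact.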
According to another aspect of the invention there is provided a security processing system for network protocol packets, applied in a security gateway device that is communicatively connected to a client and to a remote server respectively, the system comprising:
a first module, for receiving a network protocol packet P1 from the client;
It should be noted that the received packet P1 may have passed through zero or more intermediate devices, such as switches and hubs, before reaching the security gateway device;
a second module, for parsing P1 and judging whether the parsed packet contains the keyword identifier of an application-layer protocol; if it does, P1 is a packet of the application-layer protocol and processing passes to the fourth module; otherwise P1 is not a packet of the application-layer protocol and processing passes to the third module;
Specifically, the first line of the header of P1 is parsed first, and that line is then searched for a keyword such as "HTTP/1.0" or "HTTP/1.1"; if present, P1 is a packet of the application-layer protocol, otherwise it is not.
In this embodiment the application-layer protocol is HTTP (HyperText Transfer Protocol). It should be understood that the invention is not limited to this; other application-layer protocols, such as the Simple Mail Transfer Protocol (SMTP), the File Transfer Protocol (FTP), the Simple Network Management Protocol (SNMP) and the Domain Name System (DNS), are also within the scope of the invention.
a third module, for judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet of pre-agreed format; if so, P1 is a custom packet and processing passes to the fifth module; if not, P1 is not a custom packet and processing passes to the sixth module;
In this embodiment, the types of pre-agreed keyword comprise a keyword for the signing operation and a keyword for the signature-verification operation; the types of packet of pre-agreed format comprise a packet for the signing operation and a packet for the signature-verification operation.
For example, the keyword "<origin_data>" may be set in advance as the keyword for the signing operation, and the keyword "<signed_data>" as the keyword for the signature-verification operation.
The packet
<?xml version="1.0" encoding="GBK"?><QLBankSignData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankSignData>
may be set in advance as the packet for the signing operation, and the packet
<?xml version="1.0" encoding="GBK"?><QLBankVerifyData><opReq><bsnCode>CBE001</bsnCode><cstNo>1000046447</cstNo><serialNo>11445489</serialNo><reqTime>20161221114454</reqTime><ReqParam><accountNo>86611741101423000010</accountNo><currencyType>CNY</currencyType><ReceiptNo></ReceiptNo><ReqReserved1></ReqReserved1><ReqReserved2></ReqReserved2></ReqParam></opReq></QLBankVerifyData>
as the packet for the signature-verification operation.
The fourth module judges whether the header content of network protocol packet P1 contains a pre-agreed keyword. If so, P1 is a packet of user-defined format and processing continues with the seventh module; if not, P1 is an application-layer protocol packet and processing continues with the eighth module.
For example, the header keyword "Content-Sign" (content signature) can be set in advance as the keyword for the signature operation, and the header keyword "Content-Verify" (content verification) as the keyword for the signature verification operation.
The fifth module processes the content of the body of network protocol packet P1 according to the type of the pre-agreed keyword to generate a corresponding result Q1, processes P1 and the corresponding result Q1 according to the SSL record protocol, and sends the network protocol packet S2 obtained after processing to the remote server; the process then ends.
Specifically, if the keyword type is the keyword for the signature operation, processing the content of the body means performing a signature operation on it; if the keyword type is the keyword for the signature verification operation, processing the content of the body means performing a signature verification operation on it.
Processing P1 and the corresponding result Q1 according to the SSL record protocol specifically means fragmenting P1 and Q1, compressing them, adding MAC information, encrypting them and adding the SSL record header, in the order the record protocol prescribes. In a current deployment the same steps are performed by the TLS record layer: SSL 3.0 itself is deprecated (RFC 7568), and record-layer compression is normally disabled because ciphertext length then leaks plaintext (CRIME).
The sixth module processes network protocol packet P1 according to the SSL record protocol and sends the network protocol packet S1 obtained after processing to the remote server; the process then ends.
Specifically, P1 is fragmented, compressed, provided with MAC information, encrypted and given an SSL record header according to the SSL record protocol.
The seventh module processes the content of the body or header of network protocol packet P1 according to the type of the pre-agreed keyword to generate a corresponding result Q2, processes P1 and the corresponding result Q2 according to the SSL record protocol, and sends the network protocol packet S3 obtained after processing to the remote server; the process then ends.
Specifically, if the keyword is the keyword for the signature operation, processing the content of the body or header means performing a signature operation; if the keyword is the keyword for the signature verification operation, processing the content of the body or header means performing a signature verification operation. The corresponding result Q2 generated by the processing can be placed in the request line of the header, in the request header fields, or at any position in the body.
Processing P1 and the corresponding result Q2 according to the SSL record protocol specifically means fragmenting P1 and Q2, compressing them, adding MAC information, encrypting them and adding the SSL record header.
The eighth module judges whether the content of the body of network protocol packet P1 contains a pre-agreed keyword, or whether the body of P1 contains a packet in a pre-agreed format. If so, P1 is a custom-format packet and processing continues with the ninth module; if not, P1 is not a custom-format packet and processing continues with the tenth module.
In the present embodiment, the pre-agreed keyword types comprise a keyword for a signature operation and a keyword for a signature verification operation; the pre-agreed packet format types comprise a packet for a signature operation and a packet for a signature verification operation.
Specifically, the keyword "<origin_data>" can be set in advance as the keyword for the signature operation, and the keyword "<signed_data>" as the keyword for the signature verification operation.
The packet with root element QLBankSignData shown above for the third module can be set in advance as the packet for the signature operation, and the packet with root element QLBankVerifyData as the packet for the signature verification operation.
The ninth module processes the content of the body or header of network protocol packet P1 according to the type of the pre-agreed keyword to generate a corresponding result Q3, processes P1 and the corresponding result Q3 according to the SSL record protocol, and sends the network protocol packet S4 obtained after processing to the remote server; the process then ends.
Specifically, if the keyword is the keyword for the signature operation, processing the content of the body or header means performing a signature operation; if the keyword is the keyword for the signature verification operation, processing the content of the body or header means performing a signature verification operation. The corresponding result Q3 generated by the processing can be placed in the request line of the header, in the request header fields, or at any position in the body.
Processing P1 and the corresponding result Q3 according to the SSL record protocol specifically means fragmenting P1 and Q3, compressing them, adding MAC information, encrypting them and adding the SSL record header.
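The decision tree of the third through tenth modules, together with the first-line check of claim 4, as an added example written for this page (it is not code from the patent or its applicant). The patent leaves the signature algorithm open, so HMAC-SHA256 under a key shared by gateway and server stands in for it here; a real gateway needs an asymmetric signature, otherwise the party that verifies could also forge. The header field that carries result Q, the placement of Q in the body, and the conventions that the signature to be checked travels in the Content-Verify value or in a <signed_data> element, are assumptions made for this example, as is every key and packet below.

```python
"""Added example (not the patent's own code): the gateway's decision tree of the
third through tenth modules, run over constructed packets.  HMAC-SHA256 with a
shared key stands in for the unspecified signature algorithm.  Result-header
name, result placement and the Content-Verify / <signed_data> conventions are
assumptions for this example."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Pre-agreed keywords and XML root elements, taken from the patent's examples.
HEADER_SIGN_KEY, HEADER_VERIFY_KEY = "Content-Sign", "Content-Verify"
BODY_SIGN_KEY, BODY_VERIFY_KEY = "<origin_data>", "<signed_data>"
SIGN_ROOT, VERIFY_ROOT = "QLBankSignData", "QLBankVerifyData"
APP_LAYER_KEYWORDS = ("HTTP/", "SMTP", "FTP", "SNMP", "DNS")  # claim 4: first header line only
RESULT_HEADER = "X-Gateway-Result"        # assumed header field that carries result Q
GATEWAY_KEY = b"constructed-demo-key"     # constructed key for the stand-in scheme


def sign(data: bytes) -> str:
    return hmac.new(GATEWAY_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


@dataclass
class Packet:
    header: str   # request line and header fields, CRLF separated ("" for a custom-format packet)
    body: bytes


def split_packet(raw: bytes) -> Packet:
    """Header and body are separated by an empty line; a packet without one is either a
    header-only application-layer packet or a custom-format packet that is all body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if sep:
        return Packet(head.decode("utf-8", "replace"), body)
    first = raw.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    if any(k in first for k in APP_LAYER_KEYWORDS):
        return Packet(raw.decode("utf-8", "replace"), b"")
    return Packet("", raw)


def is_application_layer(pkt: Packet) -> bool:
    """Claim 4: the application-layer keyword is searched for in the first header line only."""
    first_line = pkt.header.split("\r\n", 1)[0]
    return any(k in first_line for k in APP_LAYER_KEYWORDS)


def header_operation(pkt: Packet) -> Optional[str]:
    """Fourth module: pre-agreed keyword in the header -> "sign", "verify" or None."""
    for key, op in ((HEADER_SIGN_KEY, "sign"), (HEADER_VERIFY_KEY, "verify")):
        if re.search(rf"^{re.escape(key)}\s*:", pkt.header, re.M):
            return op
    return None


def body_operation(pkt: Packet) -> Optional[str]:
    """Third and eighth modules: pre-agreed keyword, or pre-agreed XML root, in the body."""
    text = pkt.body.decode("utf-8", "replace")
    if BODY_VERIFY_KEY in text:      # checked first: a verification body also carries <origin_data>
        return "verify"
    if BODY_SIGN_KEY in text:
        return "sign"
    root = re.search(r"<([A-Za-z_][\w.-]*)[\s/>]", text)   # first element; "<?xml" does not match
    if root and root.group(1) == SIGN_ROOT:
        return "sign"
    if root and root.group(1) == VERIFY_ROOT:
        return "verify"
    return None


def apply_operation(pkt: Packet, op: str, where: str) -> bytes:
    """Fifth, seventh and ninth modules: sign or verify, then carry result Q in header or body."""
    text = pkt.body.decode("utf-8", "replace")
    # Assumed convention: the <origin_data> content is what is signed; otherwise the whole body.
    m = re.search(r"<origin_data>(.*?)</origin_data>", text, re.S)
    subject = m.group(1).encode() if m else pkt.body
    if op == "sign":
        result = sign(subject)
    else:
        if where == "header":    # assumed: the Content-Verify value is the signature to check
            m = re.search(rf"^{HEADER_VERIFY_KEY}\s*:\s*(\S+)", pkt.header, re.M)
        else:                    # assumed: <signed_data> carries the signature to check
            m = re.search(r"<signed_data>([0-9a-f]*)</signed_data>", text)
        result = "verified=" + str(bool(m) and verify(subject, m.group(1))).lower()
    if where == "header":
        return (pkt.header + f"\r\n{RESULT_HEADER}: {result}\r\n\r\n").encode() + pkt.body
    head = (pkt.header + "\r\n\r\n").encode() if pkt.header else b""
    return head + pkt.body + f"<gateway_result>{result}</gateway_result>".encode()


def process(raw: bytes):
    """Dispatch as in the patent; returns (handling module, packet handed to the SSL record layer)."""
    pkt = split_packet(raw)
    if not is_application_layer(pkt):           # custom-format branch: third module
        op = body_operation(pkt)
        return ("module6", raw) if op is None else ("module5", apply_operation(pkt, op, "body"))
    op = header_operation(pkt)                  # fourth module
    if op is not None:
        return "module7", apply_operation(pkt, op, "header")
    op = body_operation(pkt)                    # eighth module
    return ("module10", raw) if op is None else ("module9", apply_operation(pkt, op, "body"))
```

Two points a practitioner would check before deploying such a classifier: keyword matching on raw text means any client can trigger the gateway's signing path simply by including the agreed string, so the keyword is a routing hint and not an authorization decision; and signing the whole body versus only the <origin_data> content must be fixed once for both sides, otherwise verification fails on legitimate traffic.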
The tenth module processes network protocol packet P1 according to the SSL record protocol and sends the network protocol packet S5 obtained after processing to the remote server; the process then ends.
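The record-layer steps that the fifth through tenth modules all rely on (fragment, compress, add MAC, encrypt, prepend the record header), carried through on a constructed payload with the receiving side undoing them, as an added example written for this page and not code from the patent. Keys are constructed, compression is the null method, and the cipher is a keyed-keystream stand-in built from HMAC so the block runs with the standard library alone; it is not a real cipher suite. The version bytes are those of TLS 1.2, since SSL 3.0 is deprecated.

```python
"""Added example (not the patent's code): the SSL/TLS record-layer sequence the
patent lists, with a receiver that parses, decrypts, checks the MAC and
reassembles.  Null compression; HMAC-derived keystream as a stand-in cipher."""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # SSL/TLS plaintext fragment limit
CONTENT_APPLICATION_DATA = 23
VERSION = (3, 3)                  # TLS 1.2 on the wire; SSL 3.0 is deprecated (RFC 7568)
MAC_KEY = b"constructed-mac-key"  # constructed keys
ENC_KEY = b"constructed-enc-key"


def fragment(data: bytes):
    """Step 1: split application data into fragments of at most MAX_FRAGMENT bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def compress(frag: bytes) -> bytes:
    """Step 2: null compression.  Record compression leaks secrets through length (CRIME)."""
    return frag


def mac(seq: int, ctype: int, body: bytes) -> bytes:
    """Step 3: MAC over sequence number, type, version and length, as in TLS 1.0 to 1.2."""
    hdr = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(body))
    return hmac.new(MAC_KEY, hdr + body, hashlib.sha256).digest()


def keystream_xor(seq: int, data: bytes) -> bytes:
    """Step 4 stand-in: XOR with an HMAC-derived keystream bound to the sequence number (toy)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hmac.new(ENC_KEY, struct.pack("!QI", seq, block // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)


def wrap_record(seq: int, frag: bytes, ctype: int = CONTENT_APPLICATION_DATA) -> bytes:
    """Steps 2 to 5 for one fragment: compress, MAC, encrypt (MAC-then-encrypt), add header."""
    compressed = compress(frag)
    protected = keystream_xor(seq, compressed + mac(seq, ctype, compressed))
    return struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(protected)) + protected


def protect(data: bytes, first_seq: int = 0) -> bytes:
    """Sender side: the concatenated records for one application-data message."""
    return b"".join(wrap_record(first_seq + i, f) for i, f in enumerate(fragment(data)))


def unprotect(stream: bytes, first_seq: int = 0) -> bytes:
    """Receiver side: parse headers, decrypt, check the MAC under the expected sequence
    number (so a replayed or reordered record fails), and reassemble the data."""
    out, seq, pos = bytearray(), first_seq, 0
    while pos < len(stream):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        pos += 5
        plain = keystream_xor(seq, stream[pos:pos + length])
        pos += length
        body, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, mac(seq, ctype, body)):
            raise ValueError(f"bad MAC on record {seq}")
        out += body
        seq += 1
    return bytes(out)
```

The MAC-then-encrypt order shown here is the one the patent's step list implies and the one SSL 3.0 and TLS 1.0 to 1.2 use; it is also what made the CBC padding-oracle attacks on those versions (POODLE, Lucky 13) possible, which is why TLS 1.3 replaced the MAC and encryption steps with an AEAD cipher.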
In summary, the present invention distinguishes between different types of packets, applies the corresponding processing to each packet, carries the corresponding result with it and forwards it securely to the remote server. It can thus resist network attacks at different levels and strengthens the security, integrity and non-repudiation of packet transmission.
Those skilled in the art will readily understand that the foregoing is merely a description of preferred embodiments of the present invention and does not limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (10)
1. A method for the secure processing of network protocol packets, applied in a secure internet gateway device which is communicatively connected to a client and to a remote server respectively, characterized in that the method comprises:
(1) receiving a network protocol packet P1 from the client and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format;
(2) when the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or the pre-agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
2. The secure processing method according to claim 1, characterized in that processing the network protocol packet and the corresponding result according to the SSL record protocol specifically comprises fragmenting, compressing, adding MAC information to, encrypting and adding an SSL record header to the network protocol packet and the corresponding result according to the SSL record protocol.
3. The secure processing method according to claim 1, characterized in that the method further comprises, before judging whether the header or body of network protocol packet P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, the step of judging whether the parsed packet contains an application-layer protocol keyword identifier.
4. The secure processing method according to claim 3, characterized in that parsing network protocol packet P1 and judging whether the parsed packet contains an application-layer protocol keyword identifier specifically comprises first parsing the first line of the header of P1 and then searching the content of that line for the keyword; if it is present, P1 is an application-layer protocol packet, otherwise it is not.
5. The secure processing method according to claim 1, characterized in that the method further comprises: when the header of network protocol packet P1 does not contain a packet in a pre-agreed format, the step of further judging whether the content of the body of P1 contains a pre-agreed keyword, or whether the content of the body of P1 contains a packet in a pre-agreed format.
6. The secure processing method according to claim 5, characterized in that the method further comprises: when the content of the body of network protocol packet P1 contains neither a pre-agreed keyword nor a packet in a pre-agreed format, the step of processing P1 according to the SSL record protocol and sending the network protocol packet obtained after processing to the remote server.
7. The secure processing method according to claim 5 or 6, characterized in that
the pre-agreed keyword may be a character string agreed in advance between the secure internet gateway device and the client; and
the packet in a pre-agreed format may be XML data, TLV data or another packet type whose rules are agreed in advance between the secure internet gateway device and the client.
8. The secure processing method according to claim 7, characterized in that
if the keyword type is the keyword for a signature operation, processing the content of the body means performing a signature operation on it;
if the keyword type is the keyword for a signature verification operation, processing the content of the body means performing a signature verification operation on it.
9. The secure processing method according to claim 1, characterized in that the method further comprises: when neither the header nor the body of network protocol packet P1 contains a packet in a pre-agreed format, processing P1 according to the SSL record protocol and sending the network protocol packet obtained after processing to the remote server.
10. A system for the secure processing of network protocol packets, applied in a secure internet gateway device which is communicatively connected to a client and to a remote server respectively, characterized in that the system comprises:
a first module for receiving a network protocol packet P1 from the client and judging whether the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format; and
a second module for, when the header or body of P1 contains a pre-agreed keyword identifier or a packet in a pre-agreed format, processing the content of the header or body of P1 according to the type of the pre-agreed keyword or the pre-agreed format to generate a corresponding result, processing P1 and the corresponding result according to the SSL record protocol, and sending the network protocol packet obtained after processing to the remote server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710592618.5A CN107395592A (en) | 2017-07-19 | 2017-07-19 | A kind of security processing and system of the Internet protocol data bag |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107395592A true CN107395592A (en) | 2017-11-24 |
Family
ID=60335820
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107395592A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109698831A (en) * | 2018-12-28 | 2019-04-30 | 中电智能科技有限公司 | Data prevention method and device |
CN111935081A (en) * | 2020-06-24 | 2020-11-13 | 武汉绿色网络信息服务有限责任公司 | Data packet desensitization method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102231709A (en) * | 2011-07-04 | 2011-11-02 | 清华大学 | Control plane structure of virtual routing device and control method thereof |
CN102497265A (en) * | 2011-11-24 | 2012-06-13 | 飞天诚信科技股份有限公司 | Pulse light signal identification method and apparatus thereof |
CN102821101A (en) * | 2012-07-27 | 2012-12-12 | 北京中科晶上科技有限公司 | IP data packet identification method and gateway |
CN105306536A (en) * | 2015-09-22 | 2016-02-03 | 上海斐讯数据通信技术有限公司 | Method for intelligent terminal to remotely execute service command based on WiFi (Wireless Fidelity) |
CN106254355A (en) * | 2016-08-10 | 2016-12-21 | 武汉信安珞珈科技有限公司 | The security processing of a kind of the Internet protocol data bag and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171124 |