Summary of the invention
An object of the invention is to provide a quantum secure communication method and device based on tag identification, so as to improve the effective utilization rate of quantum keys, save quantum secure communication network resources and reduce network cost.
To solve the above technical problem, the present invention provides the following technical solution:
A quantum secure communication method based on tag identification, applied to a quantum application gateway deployed at a network egress, comprising:
obtaining a data flow to be transmitted;
identifying the encryption tag carried by the data flow and determining the actual processing mode to be applied to the data flow;
processing the data flow according to the actual processing mode, wherein, when the actual processing mode is the quantum encryption mode, quantum encryption processing is applied to the data flow; and
sending the processed data flow to the recipient.
In one embodiment of the invention, the encryption tag is a tag added to the data flow by a tag component deployed at the sender, based on a first processing mode selected by the user;
and identifying the encryption tag carried by the data flow and determining the actual processing mode to be applied to the data flow comprises:
identifying the encryption tag carried by the data flow and determining the first processing mode specified by the user;
if the first processing mode is the quantum encryption mode, determining that the actual processing mode to be applied to the data flow is the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, retrieving a first encryption policy library obtained in advance, and determining the actual processing mode to be applied to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode.
In one embodiment of the invention, determining the actual processing mode to be applied to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode comprises:
looking up, according to the attributes of the data flow, an encryption policy corresponding to those attributes in the first encryption policy library;
if one is found, determining the second processing mode corresponding to the encryption policy found; and
determining the actual processing mode to be applied to the data flow according to the security level of the first processing mode and the security level of the second processing mode.
In one embodiment of the invention, determining the actual processing mode to be applied to the data flow according to the security level of the first processing mode and the security level of the second processing mode comprises:
if the security level of the first processing mode is greater than or equal to the security level of the second processing mode, determining the first processing mode as the actual processing mode to be applied to the data flow;
if the security level of the first processing mode is lower than the security level of the second processing mode, determining the second processing mode as the actual processing mode to be applied to the data flow.
In one embodiment of the invention, when no encryption policy corresponding to the attributes is found in the first encryption policy library, the method further comprises:
determining the first processing mode directly as the actual processing mode to be applied to the data flow.
In one embodiment of the invention, the method further comprises:
obtaining user encryption behaviour data; and
updating the encryption policies recorded in the first encryption policy library according to the user encryption behaviour data.
In one embodiment of the invention, the encryption tag is a tag of the actual processing mode to be applied to the data flow, which the tag component deployed at the sender determines by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
A quantum secure communication device based on tag identification, applied to a quantum application gateway deployed at a network egress, comprising:
a data flow obtaining unit, configured to obtain a data flow to be transmitted;
an actual processing mode determining unit, configured to identify the encryption tag carried by the data flow and determine the actual processing mode to be applied to the data flow;
a processing unit, configured to process the data flow according to the actual processing mode, wherein, when the actual processing mode is the quantum encryption mode, quantum encryption processing is applied to the data flow; and
a data flow sending unit, configured to send the processed data flow to the recipient.
In one embodiment of the invention, the encryption tag is a tag added to the data flow by a tag component deployed at the sender, based on a first processing mode selected by the user;
and the actual processing mode determining unit is specifically configured to:
identify the encryption tag carried by the data flow and determine the first processing mode specified by the user;
if the first processing mode is the quantum encryption mode, determine that the actual processing mode to be applied to the data flow is the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, retrieve a first encryption policy library obtained in advance, and determine the actual processing mode to be applied to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode.
In one embodiment of the invention, the encryption tag is a tag of the actual processing mode to be applied to the data flow, which the tag component deployed at the sender determines by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
With the technical solution provided by the embodiments of the invention, after the quantum application gateway deployed at the network egress obtains a data flow to be transmitted, it identifies the encryption tag carried by the data flow, determines the actual processing mode to be applied to the data flow and processes the data flow accordingly; when the actual processing mode is the quantum encryption mode, the data flow is quantum-encrypted, and the processed data flow is sent to the recipient. This refines the control granularity of data flow identification so that quantum secure communication serves specific data flows; on the premise of meeting the user's encryption requirements for the data flow, the effective utilization rate of quantum keys is improved, quantum secure communication network resources are saved and network cost is reduced.
Embodiments
The core of the invention is to provide a quantum secure communication method based on tag identification; the method can be applied to a quantum application gateway deployed at a network egress.
As shown in Figure 1, end A is the sending end and end B is the receiving end.
At end A, several clients are connected to the quantum application gateway through an aggregation switch and a core switch; the server is connected to the quantum application gateway through the core switch and is also connected to the clients through the core switch and the aggregation switch; the quantum application gateway is also connected to a firewall. A tag component is deployed on the clients and on the server.
A sender such as a client or the server uses its tag component to apply encryption configurations of different security levels to its data flows according to the user's encryption requirements and similar factors. The data flows pass through network devices such as switches and routers and reach the quantum application gateway. The quantum application gateway determines the actual processing mode for each data flow, processes it accordingly, and transmits the processed data flow through the firewall and over the Internet to the recipient at end B.
End B has a corresponding architecture: the quantum application gateway at end B receives the data flow transmitted via the firewall, performs the corresponding decryption processing and forwards the result to the corresponding client.
In order that those skilled in the art may better understand the solution of the invention, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Figure 2 shows the implementation flow of a quantum secure communication method based on tag identification provided by an embodiment of the invention. The method may comprise the following steps:
S110: obtain a data flow to be transmitted.
In the embodiments of the invention, a client or the server may act as the sender and send a data flow to a recipient. The sender sends the data flow to be transmitted to the quantum application gateway, which processes it accordingly and then forwards it to the recipient.
After the quantum application gateway obtains the data flow to be transmitted, it can proceed with step S120.
S120: identify the encryption tag carried by the data flow and determine the actual processing mode to be applied to the data flow.
In the embodiments of the invention, the data flow to be transmitted may carry an encryption tag. After obtaining the data flow, the quantum application gateway can identify the encryption tag carried in it and thereby determine the actual processing mode to be applied to the data flow.
In one embodiment of the invention, the encryption tag may be a tag added to the data flow by the tag component deployed at the sender, based on the first processing mode selected by the user. Accordingly, as shown in Figure 6, step S120 may comprise the following steps:
S121: identify the encryption tag carried by the data flow and determine the first processing mode specified by the user.
In the embodiments of the invention, a tag component may be deployed on the clients and on the server. When a sender such as a client or the server needs to send a data flow to a recipient, it can, according to the actual situation, have the tag component add an encryption tag to the data flow to be transmitted, so that the data flow carries the encryption tag.
As shown in Figure 3, the tag component may comprise a first user selection module and a first tagging module. The user can specify, according to actual need, which processing mode is to be applied to the data flow to be transmitted; specifically, the first user selection module lets the user choose among processing modes of different security levels such as quantum encryption, conventional encryption and no encryption, and the first tagging module adds the corresponding encryption tag to the data flow according to the processing mode output by the first user selection module. For example, the encryption processing tag may be a quantum encryption tag, and the tag matching parameters may include the process name, user name, IP address, IP port, local time and so on.
The tag component on the server can keep a tag record of the client data flows; before the server sends a data flow to be transmitted, it can match the corresponding security level according to the recorded results for the client data flows and add the corresponding encryption processing tag to the data flow.
After the quantum application gateway obtains the data flow to be transmitted, it identifies the encryption tag carried by the data flow and can thereby determine the first processing mode specified by the user.
When the encryption tag is a no-encryption tag, or the data flow to be transmitted carries no encryption tag at all, the first processing mode specified by the user can be determined to be the no-encryption mode;
when the encryption tag is a quantum encryption tag, the first processing mode specified by the user can be determined to be the quantum encryption mode;
when the encryption tag is a conventional encryption tag, the first processing mode specified by the user can be determined to be the conventional encryption mode.
Quantum communication has higher security: the security level of the quantum encryption mode is higher than that of the conventional encryption mode, and the security levels of both the quantum encryption mode and the conventional encryption mode are higher than that of the no-encryption mode.
S122: if the first processing mode is the quantum encryption mode, determine that the actual processing mode to be applied to the data flow is the quantum encryption mode.
In practice, if the user has very high requirements for the transmission security of the data flow to be transmitted, the user can select the quantum encryption mode as the first processing mode. The tag component deployed at the sender then adds a quantum encryption tag to the data flow based on the first processing mode selected by the user. From the quantum encryption tag, the quantum application gateway can determine that the first processing mode specified by the user is the quantum encryption mode, which shows that the user explicitly requires the data flow to be processed at the higher security level, so it can directly determine that the actual processing mode to be applied to the data flow is the quantum encryption mode.
S123: if the first processing mode is not the quantum encryption mode, retrieve the first encryption policy library obtained in advance and determine the actual processing mode to be applied to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode.
The quantum application gateway can obtain a first encryption policy library in advance, in which one or more encryption policies for data flows are recorded. In practice, the network administrator can manually add encryption policies formulated for the data flows of specific users, time periods, applications and so on. For example, the encryption policy formulated for the data flows of information-sensitive groups such as bidding, research and development, legal, finance, human resources and management may be quantum encryption; the encryption policy formulated for data flows such as administration, quality, part of the supply chain and part of marketing may be conventional encryption; and the encryption policy formulated for the data flows of third parties such as customers and suppliers may be no encryption.
In the embodiments of the invention, the quantum application gateway can obtain user encryption behaviour data and update the encryption policies recorded in the first encryption policy library according to it. For example, if within a set time period a user adds a quantum encryption tag to mail-related data flows every time, then according to this encryption behaviour the encryption policy formulated for that user's mail-related data flows can be quantum encryption. If the encryption policy recorded in the policy library for that user's mail-related data flows is conventional encryption, it can be updated to quantum encryption.
Specifically, the quantum application gateway can obtain the user encryption behaviour data through the tag component deployed on the client or server. As shown in Figure 3, the tag component may also comprise a user encryption behaviour collection module, which collects the tagging behaviour pattern of the tagging module and reports it to the quantum application gateway for encryption policy analysis.
If the first processing mode is not the quantum encryption mode, it may be the no-encryption mode or the conventional encryption mode. In that case the first encryption policy library obtained in advance can be retrieved and an encryption policy relevant to the data flow looked up in it. If one is found, the actual processing mode to be applied to the data flow is determined on the basis of the encryption policy found and the first processing mode.
In one embodiment of the invention, the actual processing mode to be applied to the data flow can be determined according to the encryption policies recorded in the first encryption policy library and the first processing mode by the following steps:
Step 1: look up, according to the attributes of the data flow, an encryption policy corresponding to those attributes in the first encryption policy library; if one is found, perform step 2;
Step 2: determine the second processing mode corresponding to the encryption policy found;
Step 3: determine the actual processing mode to be applied to the data flow according to the security level of the first processing mode and the security level of the second processing mode.
For ease of description, the three steps above are explained together.
A data flow has certain attributes, such as its type, the corresponding sender, the corresponding recipient, the application it belongs to, and so on. According to the attributes of the data flow, an encryption policy corresponding to those attributes can be looked up in the first encryption policy library; if one is found, the second processing mode corresponding to the encryption policy found can be determined. If several encryption policies are found, the processing mode with the highest security level among them may be determined as the second processing mode, or the processing mode that occurs most often among them may be determined as the second processing mode.
According to the security level of the first processing mode and the security level of the second processing mode, the actual processing mode to be applied to the data flow can be determined.
In one embodiment of the invention, if the security level of the first processing mode is greater than or equal to the security level of the second processing mode, the first processing mode is determined as the actual processing mode to be applied to the data flow; if the security level of the first processing mode is lower than the security level of the second processing mode, the second processing mode is determined as the actual processing mode to be applied to the data flow.
It will be understood that different processing modes have different security levels; for example, the security level of the quantum encryption mode is higher than that of the conventional encryption mode, and the security level of the conventional encryption mode is higher than that of the no-encryption mode. To ensure secure transmission of the data flow, the processing mode with the higher security level is applied preferentially. If the security level of the first processing mode is greater than or equal to that of the second processing mode, the user wishes to raise the security of the data flow, and the first processing mode can be determined as the actual processing mode to be applied to the data flow. If the security level of the first processing mode is lower than that of the second processing mode, the encryption policy recorded in the first encryption policy library for the attributes of the data flow to be transmitted has the higher security level; this may be because the user specified a wrong processing mode or did not know how to specify one. In this case the second processing mode prevails and is determined as the actual processing mode to be applied to the data flow. In this way the secure transmission of the data flow is guaranteed.
In one embodiment of the invention, if no encryption policy corresponding to the attributes of the data flow to be transmitted is found in the first encryption policy library, the first processing mode can be determined directly as the actual processing mode to be applied to the data flow.
In another embodiment of the invention, the encryption tag may be a tag of the actual processing mode to be applied to the data flow, which the tag component deployed at the sender determines by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
In the embodiments of the invention, the tag component deployed at the sender can obtain the first processing mode selected by the user and, combining it with the encryption policies in the second encryption policy library obtained in advance, determine the actual processing mode to be applied to the data flow and add a tag of that actual processing mode to the data flow, so that the data flow carries the encryption tag. In this way, after the quantum application gateway obtains the data flow to be transmitted, it can directly determine the actual processing mode to be applied to the data flow by identifying the encryption tag carried in the data flow.
In the embodiments of the invention, as shown in Figure 7, the tag component may comprise a second user selection module, a second tagging module, a second encryption judgment module and a second encryption policy library. The user can specify, according to actual need, which processing mode is to be applied to the data flow to be transmitted; specifically, the second user selection module lets the user choose among processing modes of different security levels such as quantum encryption, conventional encryption and no encryption.
The second encryption judgment module learns the first processing mode selected by the user from the second user selection module. Combining the first processing mode with the encryption policies recorded in the second encryption policy library, the second encryption judgment module can determine the actual processing mode to be applied to the data flow. One or more encryption policies for data flows are recorded in the second encryption policy library.
For example, if the first processing mode is the quantum encryption mode, the actual processing mode to be applied to the data flow is determined to be the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, an encryption policy corresponding to the data flow is looked up in the second encryption policy library. If one is found, the second processing mode corresponding to the encryption policy found is determined; when the security level of the first processing mode is greater than or equal to that of the second processing mode, the first processing mode is determined as the actual processing mode to be applied to the data flow, and when the security level of the first processing mode is lower than that of the second processing mode, the second processing mode is determined as the actual processing mode to be applied to the data flow. If no policy is found, the first processing mode is determined directly as the actual processing mode to be applied to the data flow.
After the second encryption judgment module determines the actual processing mode to be applied to the data flow, the second tagging module adds the corresponding encryption tag to the data flow to be transmitted according to that actual processing mode. After obtaining the data flow to be transmitted, the quantum application gateway can determine the actual processing mode to be applied to the data flow based on the encryption tag carried in it.
The tag component can obtain user encryption behaviour data and update the encryption policies recorded in the second encryption policy library according to it.
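The decision made in S121 to S123 and steps 1 to 3 above, which the sender-side second encryption judgment module of Figure 7 repeats against its own second encryption policy library, together with the behaviour-driven policy update described under S123, written out as an added Python example. This is not code from the patent: the patent fixes neither a tag encoding nor a policy-library format, so the string tag values, the attribute-matching `PolicyLibrary`, the `pick` option for several matching policies and the rule that learned behaviour only ever raises a recorded policy are assumptions made here.

```python
from collections import Counter
from enum import IntEnum


class Mode(IntEnum):
    """Processing modes ordered by security level: quantum > conventional > none."""
    NONE = 0
    CONVENTIONAL = 1
    QUANTUM = 2


# Tag values as the flow might carry them (encoding assumed). A missing tag
# and a "none" tag are both the no-encryption mode, as S121 says.
TAG_TO_MODE = {None: Mode.NONE, "none": Mode.NONE,
               "conventional": Mode.CONVENTIONAL, "quantum": Mode.QUANTUM}


def first_mode_from_tag(tag):
    """S121: the first processing mode the user specified via the tag."""
    return TAG_TO_MODE[tag]


class PolicyLibrary:
    """Encryption policy library (format assumed): each policy is a pair of
    (match attributes, mode). A policy matches a flow when every attribute it
    names equals the flow's value; an empty match dict is a catch-all."""

    def __init__(self, policies=()):
        self.policies = list(policies)

    def get(self, match):
        """The mode recorded for exactly these match attributes, or None."""
        for m, mode in self.policies:
            if m == match:
                return mode
        return None

    def set_policy(self, match, mode):
        """Replace the policy with the same match attributes, or add one."""
        for i, (m, _) in enumerate(self.policies):
            if m == match:
                self.policies[i] = (match, mode)
                return
        self.policies.append((match, mode))

    def lookup(self, flow, pick="highest"):
        """Steps 1 and 2: the second processing mode for a flow, or None when
        no policy matches. With several matches the text allows either the
        highest level or the most frequent one; `pick` chooses which."""
        matched = [mode for match, mode in self.policies
                   if all(flow.get(k) == v for k, v in match.items())]
        if not matched:
            return None
        if pick == "highest":
            return max(matched)
        return Counter(matched).most_common(1)[0][0]


def resolve_mode(tag, flow, library, pick="highest"):
    """S122, S123 and step 3: the actual processing mode for a flow."""
    first = first_mode_from_tag(tag)
    if first is Mode.QUANTUM:          # S122: an explicit quantum request wins
        return first
    second = library.lookup(flow, pick)
    if second is None:                 # no matching policy: the user's choice stands
        return first
    return first if first >= second else second   # the higher level prevails


def learn_from_behaviour(library, match, observed_modes):
    """Policy update from user encryption behaviour: when every flow matching
    `match` in the observation window carried the same tag and that mode is
    stronger than the recorded policy, raise the policy to it. Only raising
    a policy (never lowering it) is a choice made here; the text shows just
    the conventional-to-quantum case."""
    if not observed_modes or len(set(observed_modes)) != 1:
        return library.get(match)
    observed = observed_modes[0]
    current = library.get(match)
    if current is None or observed > current:
        library.set_policy(match, observed)
    return library.get(match)
```

Two points are worth keeping when implementing this. The tag is only the sender's request, and `resolve_mode` treats it as such: the policy library acts as a floor that a mis-tagged or untagged flow cannot fall below, while a sender can always ask for quantum encryption and be granted it, exactly as S122 and step 3 describe. And whether several matching policies resolve to the highest or the most common level changes the outcome for the same flow, so that choice belongs to the library configuration, not to the individual call.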
S130: process the data flow according to the actual processing mode, wherein, when the actual processing mode is the quantum encryption mode, quantum encryption processing is applied to the data flow.
After the actual processing mode to be applied to the data flow to be transmitted is determined, the data flow can be processed on the basis of that actual processing mode.
If the actual processing mode is the quantum encryption mode, quantum encryption processing is applied to the data flow; if the actual processing mode is the conventional encryption mode, conventional encryption processing is applied; and if the actual processing mode is the no-encryption mode, the data flow is left unencrypted.
When the quantum application gateway applies quantum encryption processing to a data flow, it can specifically obtain a quantum key generated by QKD (quantum key distribution) in the quantum secure communication network and use that quantum key to quantum-encrypt the data flow to be transmitted.
S150: send the processed data flow to the recipient.
After the actual processing mode to be applied to the data flow to be transmitted is determined and the data flow has been processed accordingly, the processed data flow can be sent to the recipient. Specifically, as shown in Figure 1, the quantum application gateway can send the data flow through the firewall and over the Internet to the recipient.
Corresponding to the embodiment shown in Figure 3, Figure 4 shows a structure of the quantum application gateway. As shown in Figure 4, the quantum application gateway may comprise a first policy management module, a first encryption policy library, a first tag identification module, a first encryption judgment module, a first data flow forwarding module, a first quantum encryption module and a first conventional encryption module.
The first policy management module can receive encryption policies added manually by the network administrator, and/or analyse the user encryption behaviour reported by the client tag components and automatically generate encryption policies, and save them in the first encryption policy library.
The first encryption policy library mainly stores the encryption policies generated by the first policy management module.
The first tag identification module can identify the encryption tag carried in the data flow to be transmitted, determine the first processing mode specified by the user, and output it to the first encryption judgment module.
The first encryption judgment module can judge the actual processing mode to be applied to the data flow, such as the quantum encryption mode, the conventional encryption mode or the no-encryption mode, according to the result identified by the first tag identification module and the encryption policies in the first encryption policy library.
The first data flow forwarding module forwards the data flow to be transmitted: it passes the data flows that the first encryption judgment module judged to require quantum encryption to the first quantum encryption module, passes the data flows judged to require conventional encryption to the first conventional encryption module, and passes the data flows that have undergone the corresponding encryption processing, or that the first encryption judgment module judged to require no encryption, to the next-stage device, such as the firewall, so that the data flow is transmitted via the firewall over the Internet.
The first quantum encryption module can obtain a quantum key generated by QKD in the quantum secure communication network, encrypt the data flow with the quantum key, and return the encrypted data flow to the first data flow forwarding module.
The first conventional encryption module can generate a conventional key by technologies such as IKE (Internet Key Exchange), encrypt the data flow with the conventional key, and return the encrypted data flow to the first data flow forwarding module.
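The data path of the gateway modules just described (the data flow forwarding module, the quantum encryption module fed from QKD key material, and the conventional encryption module), as an added Python example that is not the patent's code. It models the QKD key store as a pool of one-time key bytes that quantum-encrypted flows consume, which the patent does not specify, and stands in for the IKE-negotiated conventional cipher with a fixed session key and an HMAC-SHA256 keystream so that it runs offline; `QkdKeyPool`, `ForwardingModule` and the key-pool accounting are assumptions made here. What it makes visible is the claim of the summary: only flows whose actual processing mode is quantum encryption draw down quantum key material.

```python
import hashlib
import hmac


class KeyPoolExhausted(Exception):
    """Raised when the QKD key pool cannot cover a quantum-encrypted payload."""


class QkdKeyPool:
    """Stand-in for the key store fed by the quantum secure communication
    network's QKD: quantum key bytes are consumed once and never reused.
    (Assumed model; the patent only says a QKD-generated key is obtained.)"""

    def __init__(self, key_material):
        self._buf = bytearray(key_material)
        self.consumed = 0

    def take(self, n):
        """Hand out n fresh key bytes, or refuse if the pool is too short."""
        if n > len(self._buf):
            raise KeyPoolExhausted(f"need {n} key bytes, have {len(self._buf)}")
        key = bytes(self._buf[:n])
        del self._buf[:n]
        self.consumed += n
        return key

    def remaining(self):
        return len(self._buf)


def quantum_encrypt(pool, payload):
    """Quantum encryption module: one-time pad with fresh QKD key bytes.
    Every payload byte burns one key byte, which is why keying only the
    flows that need it is what saves quantum key material."""
    key = pool.take(len(payload))
    return bytes(p ^ k for p, k in zip(payload, key)), key


def conventional_encrypt(session_key, payload):
    """Conventional encryption module. The patent obtains this key with IKE;
    here a fixed session key and an HMAC-SHA256 counter keystream stand in
    for the negotiated cipher so the example runs offline. XOR is its own
    inverse, so the same call decrypts. Not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(payload):
        stream += hmac.new(session_key, counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(payload, stream))


class ForwardingModule:
    """Data flow forwarding module: hands each flow to the encryption module
    matching its actual processing mode (as output by the encryption
    judgment module or read from the tag), then passes it on to the
    next-stage device; a list stands in for the firewall."""

    def __init__(self, pool, session_key):
        self.pool = pool
        self.session_key = session_key
        self.to_firewall = []

    def forward(self, mode, payload):
        if mode == "quantum":
            data, _ = quantum_encrypt(self.pool, payload)
        elif mode == "conventional":
            data = conventional_encrypt(self.session_key, payload)
        elif mode == "none":
            data = payload
        else:
            raise ValueError(f"unknown processing mode {mode!r}")
        self.to_firewall.append((mode, data))
        return data


if __name__ == "__main__":
    # Constructed key material and flows; not captured traffic.
    fwd = ForwardingModule(QkdKeyPool(bytes(range(64))), b"session-key")
    for mode, payload in [("quantum", b"R&D design doc"),
                          ("conventional", b"admin notice"),
                          ("none", b"public page")]:
        fwd.forward(mode, payload)
        print(mode, "-> QKD key bytes consumed so far:", fwd.pool.consumed)
```

The `KeyPoolExhausted` path is the failure mode a deployment has to decide on: the patent does not say what the gateway does when QKD key material runs short, so here the flow is refused rather than silently downgraded, which keeps the security-level ordering established by the judgment module intact.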
The embodiments of the invention are described from the perspective of the data flow sending side; after the receiving end receives the data flow, its quantum application gateway can perform the corresponding decryption processing and forward the data flow. This is not described further in the embodiments of the invention.
Corresponding to the embodiment shown in Figure 7, Figure 8 shows a structure of the quantum application gateway. As shown in Figure 8, the quantum application gateway may comprise a second policy management module, a second tag identification module, a second data flow forwarding module, a second quantum encryption module and a second conventional encryption module.
The second policy management module can obtain the encryption policies that the network administrator manually adds for specific users, time periods, applications and so on, and distribute the relevant encryption policies to the tag components to be stored in the second encryption policy library.
The second tag identification module can identify the encryption tag carried in the data flow to be transmitted, determine the actual processing mode to be applied to the data flow, such as the quantum encryption mode, the conventional encryption mode or the no-encryption mode, and output the result to the second data flow forwarding module.
The second data flow forwarding module forwards the data flow to be transmitted: it passes the data flows that the second tag identification module output as quantum encryption to the second quantum encryption module, passes the data flows output as conventional encryption to the second conventional encryption module, and passes the data flows that have undergone the corresponding encryption processing, or that the second tag identification module determined to require no encryption, to the next-stage device.
The second quantum encryption module can obtain a quantum key generated by QKD in the quantum secure communication network, encrypt the data flow with the quantum key, and return the encrypted data flow to the second data flow forwarding module.
The second conventional encryption module can generate a conventional key by technologies such as IKE (Internet Key Exchange), encrypt the data flow with the conventional key, and return the encrypted data flow to the second data flow forwarding module.
The embodiments of the invention are described from the perspective of the data flow sending side; after the receiving end receives the data flow, its quantum application gateway can perform the corresponding decryption processing and forward the data flow. This is not described further in the embodiments of the invention.
With the method provided by the embodiments of the invention, after the quantum application gateway deployed at the network egress obtains a data flow to be transmitted, it identifies the encryption tag carried by the data flow, determines the actual processing mode to be applied to the data flow and processes the data flow accordingly; when the actual processing mode is the quantum encryption mode, the data flow is quantum-encrypted, and the processed data flow is sent to the recipient. This refines the control granularity of data flow identification so that quantum secure communication serves specific data flows; on the premise of meeting the user's encryption requirements for the data flow, the effective utilization rate of quantum keys is improved, quantum secure communication network resources are saved and network cost is reduced.
Corresponding to the method embodiment above, an embodiment of the present invention also provides a quantum secure communication device based on mark identification, applied to the quantum application gateway deployed at the network exit. The device described below and the method described above may be referred to one another.
As shown in Figure 5, the device includes the following units:
a data flow obtaining unit 210, for obtaining the data flow to be transmitted;
an actual processing mode determining unit 220, for identifying the encryption mark carried by the data flow and determining the actual processing mode to apply to the data flow;
a processing unit 230, for processing the data flow according to the actual processing mode, wherein, when the actual processing mode is quantum encryption mode, the data flow is quantum-encrypted;
a data flow transmitting unit 240, for sending the processed data flow to the recipient.
With the device provided by the embodiment of the present invention, the quantum application gateway deployed at the network exit, after obtaining the data flow to be transmitted, identifies the encryption mark carried by the data flow, determines the actual processing mode to apply to it, and processes the data flow accordingly; when the actual processing mode is quantum encryption mode, the data flow is quantum-encrypted, and the processed data flow is sent to the recipient. This refines the control granularity of data flow identification, ensures that quantum secure communication serves specific data flows and, while satisfying the user's quantum encryption requirements for data traffic, effectively improves the utilisation rate of quantum keys, saves quantum secure communication network resources, and reduces network cost.
In one embodiment of the present invention, the encryption mark is a mark added to the data flow by the mark component deployed at the sender according to the first processing mode selected by the user;
the actual processing mode determining unit 220 is specifically configured to:
identify the encryption mark carried by the data flow and determine the first processing mode specified by the user;
if the first processing mode is quantum encryption mode, determine that the actual processing mode to apply to the data flow is quantum encryption mode;
if the first processing mode is not quantum encryption mode, retrieve the first encryption policy library obtained in advance and determine the actual processing mode to apply to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode.
In one embodiment of the present invention, the actual processing mode determining unit 220 is specifically configured to:
search the first encryption policy library, according to the attributes of the data flow, for an encryption policy corresponding to those attributes;
if one is found, determine the second processing mode corresponding to the found encryption policy;
determine the actual processing mode to apply to the data flow according to the security class of the first processing mode and the security class of the second processing mode.
In one embodiment of the present invention, the actual processing mode determining unit 220 is specifically configured to:
if the security class of the first processing mode is greater than or equal to the security class of the second processing mode, determine the first processing mode as the actual processing mode to apply to the data flow;
if the security class of the first processing mode is less than the security class of the second processing mode, determine the second processing mode as the actual processing mode to apply to the data flow.
In one embodiment of the present invention, the actual processing mode determining unit 220 is further configured to:
when no encryption policy corresponding to the attributes is found in the first encryption policy library, directly determine the first processing mode as the actual processing mode to apply to the data flow.
In one embodiment of the present invention, the device further includes an encryption policy updating unit, configured to:
obtain user encryption behaviour data;
update the encryption policies recorded in the first encryption policy library according to the user encryption behaviour data.
In one embodiment of the present invention, the encryption mark is a mark, added by the mark component deployed at the sender, that identifies the actual processing mode to apply to the data flow as determined by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
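The decision rule of the actual processing mode determining unit 220 (user-selected first mode, policy lookup by flow attributes, comparison of security classes, fall-back to the first mode when no policy matches), the encryption policy updating unit, and the sender-side variant that applies the same rule against a second policy library are all exercised by the following added example. It is illustrative code written for this page, not the patent's own implementation. Its assumptions, none of which the patent fixes: the three processing modes are ordered by security class none < conventional < quantum; the policy library is keyed by a hypothetical attribute pair (protocol, destination port); and "updating according to user encryption behaviour data" is implemented as promoting a policy once the same user choice has been observed min_samples times for an attribute pair, never lowering an existing policy.

```python
"""Processing-mode decision and policy update, added example (not the
patent's code).  Assumed security ordering none < conventional < quantum,
hypothetical (protocol, dst_port) attribute key, and a promote-only update
rule driven by observed user choices."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional

SECURITY_CLASS = {"none": 0, "conventional": 1, "quantum": 2}


@dataclass(frozen=True)
class FlowAttributes:
    protocol: str
    dst_port: int


@dataclass
class PolicyLibrary:
    """The first (or, at the sender, second) encryption policy library."""
    policies: Dict[FlowAttributes, str] = field(default_factory=dict)

    def lookup(self, attrs: FlowAttributes) -> Optional[str]:
        return self.policies.get(attrs)


def decide_mode(first_mode: str, attrs: FlowAttributes,
                library: PolicyLibrary) -> str:
    """Return the actual processing mode for a flow marked with first_mode."""
    if first_mode not in SECURITY_CLASS:
        raise ValueError(f"unknown processing mode {first_mode!r}")
    if first_mode == "quantum":
        return "quantum"          # user asked for quantum: honoured as is
    second_mode = library.lookup(attrs)
    if second_mode is None:
        return first_mode         # no matching policy: keep the user's choice
    # The policy can only raise the level: the stronger mode wins and the
    # user's choice wins ties.
    if SECURITY_CLASS[first_mode] >= SECURITY_CLASS[second_mode]:
        return first_mode
    return second_mode


@dataclass
class PolicyUpdater:
    """Encryption policy updating unit fed with user encryption behaviour."""
    min_samples: int = 3
    counts: Dict[FlowAttributes, Counter] = field(
        default_factory=lambda: defaultdict(Counter))

    def record(self, attrs: FlowAttributes, first_mode: str) -> None:
        self.counts[attrs][first_mode] += 1

    def update(self, library: PolicyLibrary) -> Dict[FlowAttributes, str]:
        """Promote the dominant observed choice; return what was changed.
        Existing policies are never weakened from observed behaviour."""
        changed = {}
        for attrs, ctr in self.counts.items():
            mode, n = ctr.most_common(1)[0]
            current = library.lookup(attrs) or "none"
            if n >= self.min_samples and \
                    SECURITY_CLASS[mode] > SECURITY_CLASS[current]:
                library.policies[attrs] = mode
                changed[attrs] = mode
        return changed


if __name__ == "__main__":
    # Constructed policy library, not taken from any deployment.
    lib = PolicyLibrary({FlowAttributes("tcp", 443): "conventional",
                         FlowAttributes("tcp", 5432): "quantum"})
    for first, attrs in [("none", FlowAttributes("tcp", 443)),
                         ("conventional", FlowAttributes("tcp", 5432)),
                         ("none", FlowAttributes("udp", 53))]:
        print(first, attrs, "->", decide_mode(first, attrs, lib))
```

The same decide_mode function serves the sender-side embodiment: the mark component calls it with the user's first processing mode and its own second policy library, and writes the result into the mark. The promote-only rule in PolicyUpdater is a design choice rather than something the patent states; deriving downgrades from observed behaviour would let a run of casual user choices silently weaken a policy that was set deliberately.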
The embodiments in this specification are described progressively; each embodiment emphasises its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and related parts refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Specific examples have been used herein to set forth the principles and embodiments of the present invention; the description of the embodiments above is intended only to help in understanding the technical solution of the present invention and its core idea. It should be pointed out that those of ordinary skill in the art may make several improvements and modifications to the present invention without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present invention.