CN109005194A - Portless shadow communication method and computer storage medium based on the KCP protocol - Google Patents


Info

Publication number: CN109005194A
Application number: CN201811024376.0A
Authority: CN (China)
Legal status: Granted (the granted version is published as CN109005194B)
Language: Chinese (zh)
Inventors: 马晓东, 张晓彬, 廖宁, 罗佳, 姚先洪, 尹声
Original and current assignee: Xiamen Anscen Network Technology Co Ltd
Prior art keywords: sender, receiver, network communication, data, random number

Classifications

All three classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/14 Session management; H04L 67/141 Setup of application sessions
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass; H04L 69/08 Protocols for interworking; protocol conversion
    • H04L 69/26 Special purpose or proprietary protocols or architectures

Abstract

The present invention provides a portless shadow communication method based on the KCP protocol, and a computer storage medium. The method includes: the receiver establishes a network communication control link with the sender by capturing packets through the network card driver; the receiver and the sender establish a network communication data link through the network communication control link; and the receiver and the sender send and receive data messages over the network communication data link using the KCP protocol. The invention avoids the problems that listening on a network communication port brings: poor concealment, easy detection and attack, and a single form of data verification.

Description

Portless shadow communication method and computer storage medium based on the KCP protocol
Technical field
The present invention relates to the field of Internet communication technology, in particular to portless shadow communication technology, and specifically to a portless shadow communication method and computer storage medium based on the KCP protocol (a fast, reliable protocol).
Background art
The Internet has become an indispensable part of human life: people use it for entertainment, study, office work and other activities, and it has transformed how people live and work and greatly advanced society. However, as more and more information is transmitted over the Internet, criminals exploit weaknesses in Internet communication technology to obtain the information in transit, leading to leaks of personal information and trade secrets and posing a serious threat to personal privacy and corporate property. How to ensure the secure transmission of information on the Internet has therefore become an urgent problem.
At present, secure transmission on the Internet relies mainly on the SSL/TLS (Secure Sockets Layer / Transport Layer Security) protocols, which guarantee the confidentiality and integrity of network communication between two applications and are widely used on the Internet; common protocols such as HTTPS and SMTPS are implemented on top of SSL/TLS (the original also lists SFTP, which in fact runs over SSH rather than TLS). Although SSL/TLS ensures secure network transmission to some extent, it is built on TCP (Transmission Control Protocol), so the communication stream has the characteristics of a TCP session: the session is poorly concealed and easily attacked or hijacked by criminals; it has poor network penetrability and is easily intercepted or blocked by gateways such as firewalls; and a server that listens on a network port for a long time is easily probed illegally and attacked by DDoS (distributed denial of service). At the same time, the encryption and decryption steps added to the session increase transmission latency and degrade the user experience.
Those skilled in the art therefore need to develop a network communication method that improves the efficiency of network communication while ensuring reliable data transmission.
This patent therefore proposes a portless shadow communication technique based on KCP. The technique uses PowerShadow to obtain network communication data directly by capturing packets at the physical network card, in place of the conventional method of listening on a network port through the TCP/IP protocol stack, which avoids the poor concealment, easy detection and easy attack that come with a listening port. At the same time, data is encapsulated and transmitted with the KCP protocol (a fast, reliable protocol), which keeps communication stable and reliable even under network congestion.
Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide a portless shadow communication method based on the KCP protocol, and a computer storage medium, that solve the poor concealment, weak penetrability, and easy interception, detection and attack of existing network communication.
To solve the above technical problem, a specific embodiment of the present invention provides a portless shadow communication method based on the KCP protocol, comprising: the receiver establishes a network communication control link with the sender by capturing packets through the network card driver; the receiver and the sender establish a network communication data link through the network communication control link; and the receiver and the sender send and receive data messages over the network communication data link using the KCP protocol.
A specific embodiment of the present invention also provides a computer storage medium containing computer-executable instructions which, when processed by a data processing device, cause that device to perform the portless shadow communication method based on the KCP protocol.
From the above specific embodiments it can be seen that the portless shadow communication method based on the KCP protocol and the computer storage medium have at least the following advantages. The receiver uses the shadow communication technique: it does not need to open a listening port on any local network interface; its network card works in promiscuous mode and, through driver-level packet capture, directly captures every packet sent to the local machine, so the receiver communicates without a port. This avoids the poor concealment, easy detection and attack, and single form of data verification that listening on a network port brings. Communication that would be based on the TCP protocol is converted to the KCP protocol, an efficient, secure, connectionless protocol carried over UDP, which enhances the penetrability of network communication, reduces the probability that network data is intercepted by network devices such as firewalls, and raises the transmission rate of data messages while guaranteeing reliability, solving the slow transmission of TCP packets under network congestion. A control link and a data link are defined for multi-link communication management: the control link is used to establish and negotiate session information, and the data link is used to transmit session data. The receiver dynamically updates the data link information, which enhances the concealment of the transmission session. The present invention is of great help in building a highly secure, highly concealed and stable communication system, and can be widely used in network communication fields such as shadow communication systems, secure proxy systems and anonymous transmission networks.
It should be understood that the above general description and the following detailed description are merely exemplary and illustrative, and do not limit the scope of the invention claimed.
Description of the drawings
The accompanying drawings form part of the specification of the present invention, depict exemplary embodiments of the invention, and together with the description serve to explain its principles.
Fig. 1 is a flowchart of embodiment one of a portless shadow communication method based on the KCP protocol provided by a specific embodiment of the invention.
Fig. 2 is a flowchart of embodiment two of a portless shadow communication method based on the KCP protocol provided by a specific embodiment of the invention.
Fig. 3 is the overall architecture diagram of a receiver and a sender provided by a specific embodiment of the invention.
Fig. 4 is the detailed architecture diagram of the receiver's PowerShadow in Fig. 3.
Fig. 5A is a sequence diagram of establishing the network communication control link between a receiver and a sender provided by a specific embodiment of the invention.
Fig. 5B is a sequence diagram of establishing the network communication data link between a receiver and a sender provided by a specific embodiment of the invention.
Fig. 5C is a sequence diagram of transmitting data messages between a receiver and a sender provided by a specific embodiment of the invention.
Fig. 5D is a sequence diagram of disconnecting the links between a receiver and a sender provided by a specific embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the spirit of the disclosure is explained below with the drawings and a detailed description. After understanding the embodiments of the disclosure, any person skilled in the art can change and modify the technology taught here without departing from the spirit and scope of the disclosure.
The exemplary embodiments of the present invention and their descriptions are used to explain the invention and do not limit it. In the drawings and embodiments, elements or components with the same or similar reference numerals represent the same or similar parts.
The terms "first", "second" and so on used herein do not denote order or precedence and do not limit the invention; they only distinguish elements or operations described with the same technical term.
Directional terms used herein, such as up, down, left, right, front and rear, refer only to the orientation of the drawings and are illustrative rather than limiting.
The terms "comprising", "including", "having", "containing" and the like used herein are open-ended and mean "including but not limited to".
The term "and/or" used herein covers any one of the listed items or any combination of them.
"A plurality" herein includes "two" and "more than two"; "a plurality of groups" includes "two groups" and "more than two groups".
Terms such as "substantially" and "about" modify any quantity or error that may vary slightly without changing its essence. In general, the range of such slight variation or error may be 20% in some embodiments, 10% in others, and 5% or another value in others. Those skilled in the art will understand that these values can be adjusted to actual needs and are not limited to the above.
Fig. 1 is a flowchart of embodiment one of a portless shadow communication method based on the KCP protocol provided by a specific embodiment of the invention. As shown in Fig. 1, the receiver's network card works in promiscuous mode and captures every packet that reaches the local network card in order to establish a network communication control link with the sender; a network communication data link is then established using information obtained over the control link; finally, data messages are sent and received over the established data link using the KCP protocol.
In the specific embodiment shown in the drawings, the portless shadow communication method based on the KCP protocol comprises:
Step 101: the receiver establishes a network communication control link with the sender by capturing packets through the network card driver. In the embodiments of the invention, the receiver may be a user device or a server equipped with a network card, and the sender may be a user device or a server. The receiver's network card works in promiscuous mode, in which it captures every packet that reaches the local network card. The receiver uses multi-core programming, binding the operating system (OS) to specified cores, and uses hugepage memory, lock-free ring queues (UnlockQueue) and DirectIO (direct I/O) to reduce memory access and copying, and uses multithreading with lock-free circular queues to avoid contention between threads.
Step 102: the receiver and the sender establish a network communication data link through the network communication control link. In the embodiments of the invention, the receiver establishes the data link using information obtained over the control link. The control link is used to establish and negotiate session information; the data link is used to transmit session data messages. The receiver dynamically updates the data link information, which enhances the concealment of session data transmission.
Step 103: the receiver and the sender send and receive data messages over the network communication data link using the KCP protocol. In the embodiments of the invention, communication that would be based on the TCP protocol is converted to the KCP protocol, an efficient, secure, connectionless protocol carried over UDP, which reduces the probability of interception by network devices such as firewalls, raises the transmission rate of data messages, and improves the data transmission rate while guaranteeing reliability.
Referring to Fig. 1, the receiver uses the shadow communication technique: it opens no listening port on any local network interface and instead directly captures every packet sent to the local network card through driver-level packet capture, which avoids the poor concealment, easy detection and attack, and single form of data verification that a listening port brings. Communication based on TCP is converted to the efficient, secure, connectionless KCP protocol carried over UDP, reducing the probability of interception by network devices such as firewalls and improving the data transmission rate while guaranteeing reliability, so that the transmission rate of data messages is unaffected even under network congestion. Multi-link communication management defines the network communication control link and the network communication data link, and the receiver can dynamically update the data link information, further enhancing the concealment of communication between receiver and sender.
In specific embodiments of the invention, step 101 specifically comprises the following. The receiver's network card enters promiscuous mode and captures every packet on the network through driver-level packet capture. The sender sends the receiver a first random number and one or more first cipher modes, each of which may be a symmetric or an asymmetric encryption mode. The receiver uses BPF (Berkeley Packet Filter) and an efficient pattern-matching algorithm to pick the first random number and the first cipher modes out of all captured packets, and replies to the sender with a second random number, a public key and a second cipher mode, where the second cipher mode is one of the first cipher modes and the pattern-matching algorithm may be the Horspool algorithm, the Sunday algorithm or similar; the receiver transmits the second random number, the public key and the second cipher mode to the sender over the conventional protocol stack (e.g. TCP/IP). Because the network card captures every packet sent to the local machine, the capture contains a large amount of redundant data, and BPF together with the pattern-matching algorithm removes the redundant packets. The sender encrypts a third random number using the public key and the second cipher mode and sends the encrypted third random number to the receiver. The receiver picks the encrypted third random number out of all captured packets using BPF and the pattern-matching algorithm, decrypts it with the private key corresponding to the public key to obtain the third random number, generates a first session key from the first, second and third random numbers, and then returns the first session key and the data link information to the sender over the conventional protocol stack (e.g. TCP/IP). The sender establishes the network communication control link with the receiver according to the first session key and the data link information. To prevent criminals from forging, modifying or replaying data, the encrypted third random number should also be verified, which further ensures data security: after the receiver has picked the encrypted third random number out of all captured packets using BPF and the pattern-matching algorithm, it can also verify it using a timestamp, the first random number, the second random number and a digital signature.
In another specific embodiment of the invention, step 102 specifically comprises the following. The sender sends the receiver a fourth random number and one or more first cipher modes over the network communication control link. The receiver picks the fourth random number and the first cipher modes out of all captured packets using BPF and the efficient pattern-matching algorithm, and replies to the sender with a fifth random number, the public key and a third cipher mode, where the third cipher mode is one of the first cipher modes and may be the same as or different from the second cipher mode; the receiver transmits the fifth random number, the public key and the third cipher mode to the sender over the conventional protocol stack (e.g. TCP/IP). The sender encrypts a sixth random number using the public key and the third cipher mode and sends the encrypted sixth random number to the receiver. The receiver picks the encrypted sixth random number out of all captured packets using BPF and the pattern-matching algorithm, decrypts it with the private key corresponding to the public key to obtain the sixth random number, generates a second session key from the fourth, fifth and sixth random numbers, and returns the second session key to the sender over the conventional protocol stack (e.g. TCP/IP). The sender establishes the network communication data link with the receiver according to the second session key.
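The control-link handshake of step 101 and the data-link handshake of step 102 follow the same three-random-number pattern, so one added example serves both. The Go program below is not the patent's code and not PowerShadow: it models the four messages with RSA-OAEP standing in for "encrypt the third random number with the public key and the selected cipher mode" and a SHA-256 hash over the three random numbers standing in for the unspecified key derivation; both are assumptions, as are the cipher-mode names. Two deliberate departures are marked in the comments: the receiver answers with an HMAC confirmation instead of returning the session key itself over the link, and an offer with no mutually supported mode aborts the handshake. One caveat the page leaves open: the public key travels over the same link, and Fig. 5A mentions a certificate without saying how the sender checks it; unless the sender verifies that certificate, an on-path attacker can substitute its own key, and nothing in this example prevents that.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Receiver holds the key pair whose public half goes out in message 2 and the
// cipher modes it accepts (mode names are this example's own; the page names none).
type Receiver struct {
	Priv      *rsa.PrivateKey
	Supported []string
}

func NewReceiver(supported ...string) (*Receiver, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Receiver{Priv: k, Supported: supported}, err
}

// randomNonce panics if crypto/rand fails: a handshake must not continue with a weak value.
func randomNonce() [32]byte {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	return n
}

// sessionKey: the page says only that the key is "generated from" r1, r2, r3;
// hashing a labelled concatenation is this example's assumption.
func sessionKey(r1, r2, r3 [32]byte) []byte {
	in := append([]byte("portless-control-link-v1"), r1[:]...)
	in = append(append(in, r2[:]...), r3[:]...)
	sum := sha256.Sum256(in)
	return sum[:]
}

// transcriptMAC binds the derived key to message 3 for key confirmation.
func transcriptMAC(key, encR3 []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(encR3)
	return m.Sum(nil)
}

// ChooseMode (message 2): the first offered mode the receiver supports, or an error.
func (rx *Receiver) ChooseMode(offered []string) (string, error) {
	for _, want := range offered {
		for _, have := range rx.Supported {
			if want == have {
				return want, nil
			}
		}
	}
	return "", errors.New("no mutually supported cipher mode")
}

// HandleEncR3 (message 4): decrypt r3 with the private key, derive the key and answer
// with a confirmation MAC. The page returns the session key itself; a MAC keeps it off the wire.
func (rx *Receiver) HandleEncR3(r1, r2 [32]byte, mode string, encR3 []byte) (key, confirm []byte, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, rx.Priv, encR3, []byte(mode))
	if err != nil {
		return nil, nil, errors.New("message 3 rejected: " + err.Error())
	}
	var r3 [32]byte
	copy(r3[:], pt)
	key = sessionKey(r1, r2, r3)
	return key, transcriptMAC(key, encR3), nil
}

// RunHandshake plays the sender against rx over an in-memory wire and returns the key
// each side derived. tamper flips one ciphertext bit of message 3 (an on-path change);
// OAEP decryption then fails and the run aborts.
func RunHandshake(rx *Receiver, offered []string, tamper bool) (senderKey, receiverKey []byte, err error) {
	r1 := randomNonce()                 // message 1: r1 + offered modes
	mode, err := rx.ChooseMode(offered) // message 2: r2 + public key + chosen mode
	if err != nil {
		return nil, nil, err
	}
	r2, r3 := randomNonce(), randomNonce()
	// Message 3: RSA-OAEP labelled with the chosen mode is this example's reading of the page.
	encR3, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &rx.Priv.PublicKey, r3[:], []byte(mode))
	if err != nil {
		return nil, nil, err
	}
	if tamper {
		encR3[len(encR3)-1] ^= 0x01
	}
	receiverKey, confirm, err := rx.HandleEncR3(r1, r2, mode, encR3)
	if err != nil {
		return nil, nil, err
	}
	senderKey = sessionKey(r1, r2, r3)
	if !hmac.Equal(transcriptMAC(senderKey, encR3), confirm) {
		return nil, nil, errors.New("key confirmation failed")
	}
	return senderKey, receiverKey, nil
}
```

RunHandshake(rx, []string{"chacha20-poly1305", "aes-256-gcm"}, false) against a receiver created with NewReceiver("aes-256-gcm") ends with both sides holding the same 32-byte key; offering only "chacha20-poly1305" fails at message 2, and tamper=true fails at message 4 before any key is confirmed.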
In another specific embodiment of the invention, step 103 specifically comprises the following. Using the sliding-window mechanism of the KCP protocol, the sender sends a first data message to the receiver over the network communication data link at a first rate and starts a timer. The receiver picks the first data message out of all captured packets using BPF and the efficient pattern-matching algorithm and replies to the sender with a first response message over the conventional protocol stack (e.g. TCP/IP). If the sender receives the first response message within the predetermined time, transmission of the first data message is complete. During the predetermined time the sender continues to send one or more second data messages to the receiver at a second rate lower than the first rate: it does not wait for the first data message to be received normally before sending the second data messages, but sends them while waiting, which further raises the data message transfer rate, while the lower rate of the second data messages prevents the transmission speed from exceeding the receiver's processing capacity and keeps communication stable. If the sender does not receive the response message within the predetermined time, it retransmits the first data message until it receives the first response message; this retransmission mechanism guarantees reliable communication. To prevent criminals from forging, modifying or replaying data, the first data message should also be verified, which further ensures data security: after the receiver has picked the first data message out of all captured packets using BPF and the pattern-matching algorithm, it can also verify it using a timestamp, the second session key and a digital signature.
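The sliding-window, timer and retransmit behaviour described for step 103 is easiest to see on a simulated link. The Go program below is an added example, not KCP itself and not the patent's code: it keeps a minimal segment (KCP's real header also carries conv, cmd, frg, wnd, ts and una) and drives a sender and a receiver over an in-memory link whose loss pattern the caller chooses, in ticks rather than wall-clock time so that runs are deterministic. The window size, retransmit timeout and pacing interval are the example's own parameters; the page gives no values, and KCP's congestion control is not modelled. One caveat, since the page calls the UDP-borne KCP layer "secure": KCP gives ordering, acknowledgement and retransmission and nothing more; confidentiality and integrity come only from the encryption layer and the timestamp/signature check the page describes separately.

```go
package main

// Segment is the unit carried over the UDP-borne data link; only what the
// ack/retransmit logic needs is kept (real KCP headers carry more fields).
type Segment struct {
	Seq     uint32
	IsAck   bool // for acks, Seq is the next sequence number the receiver expects
	Payload []byte
}

// Tx is one transmission attempt as handed to the link (Attempt is 1 for a first
// send, 2+ for retransmits, 0 for acks); the sender keeps one per unacked segment.
type Tx struct {
	Seg     Segment
	Attempt int
	sentAt  int
}

// Sender keeps a segment until acknowledged and re-sends it when its timer expires.
type Sender struct {
	window, rto, interval int // window size, retransmit timeout and pacing, in ticks
	queue                 [][]byte
	unacked               map[uint32]*Tx
	next                  uint32
	lastNew               int
	Retransmits           int
}

func NewSender(msgs [][]byte, window, rto, interval int) *Sender {
	return &Sender{window: window, rto: rto, interval: interval, queue: msgs,
		unacked: map[uint32]*Tx{}, lastNew: -interval}
}

// Tick returns what goes on the wire at time now: expired segments first, then at
// most one new segment if the window and the pacing interval allow it.
func (s *Sender) Tick(now int) []Tx {
	var out []Tx
	for seq := uint32(0); seq < s.next; seq++ {
		if f, ok := s.unacked[seq]; ok && now-f.sentAt >= s.rto {
			f.sentAt, f.Attempt = now, f.Attempt+1
			s.Retransmits++
			out = append(out, *f)
		}
	}
	if len(s.queue) > 0 && len(s.unacked) < s.window && now-s.lastNew >= s.interval {
		f := &Tx{Seg: Segment{Seq: s.next, Payload: s.queue[0]}, Attempt: 1, sentAt: now}
		s.queue, s.lastNew, s.unacked[s.next] = s.queue[1:], now, f
		s.next++
		out = append(out, *f)
	}
	return out
}

// Ack removes everything below the cumulative ack point.
func (s *Sender) Ack(nextExpected uint32) {
	for seq := range s.unacked {
		if seq < nextExpected {
			delete(s.unacked, seq)
		}
	}
}

// Receiver delivers in order, parks out-of-order segments and acks cumulatively.
type Receiver struct {
	expect    uint32
	parked    map[uint32][]byte
	Delivered [][]byte
}

func (r *Receiver) Handle(seg Segment) Segment {
	if seg.Seq >= r.expect {
		r.parked[seg.Seq] = seg.Payload
	}
	for p, ok := r.parked[r.expect]; ok; p, ok = r.parked[r.expect] {
		r.Delivered = append(r.Delivered, p)
		delete(r.parked, r.expect)
		r.expect++
	}
	return Segment{Seq: r.expect, IsAck: true}
}

// Transfer runs sender and receiver over a simulated lossy link (drop decides per
// transmission) and returns delivered payloads, retransmits, ticks used and success.
func Transfer(msgs [][]byte, window, rto, interval, maxTicks int, drop func(Tx) bool) ([][]byte, int, int, bool) {
	s, r := NewSender(msgs, window, rto, interval), &Receiver{parked: map[uint32][]byte{}}
	for now := 0; now < maxTicks; now++ {
		for _, tx := range s.Tick(now) {
			if drop(tx) {
				continue
			}
			ack := r.Handle(tx.Seg)
			if !drop(Tx{Seg: ack}) {
				s.Ack(ack.Seq)
			}
		}
		if len(s.queue) == 0 && len(s.unacked) == 0 {
			return r.Delivered, s.Retransmits, now + 1, true
		}
	}
	return r.Delivered, s.Retransmits, maxTicks, false
}
```

With five messages, window 3, timeout 4 ticks and one new segment per tick, a link that loses only the first copy of segment 1 still delivers everything in order: segments 2 and 3 go out while segment 1's timer runs, the retransmission at tick 5 is acknowledged cumulatively together with them, and the transfer completes in seven ticks with a single retransmit (five ticks and none on a lossless link).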
Fig. 2 is a flowchart of embodiment two of a portless shadow communication method based on the KCP protocol provided by a specific embodiment of the invention. As shown in Fig. 2, after the data message exchange between receiver and sender is complete, the sender initiates, in turn, the disconnection of the network communication data link and of the network communication control link.
In the specific embodiment shown in the drawings, after step 103 the method further comprises:
Step 104: the sender initiates, in turn, the disconnection of the network communication data link and of the network communication control link. In the embodiments of the invention, step 104 specifically comprises the following. The sender sends the receiver, over the network communication data link, a first notification to disconnect the data link and starts a timer. The receiver picks the first notification out of all captured packets using BPF and the efficient pattern-matching algorithm, verifies it using a timestamp, the second session key and a digital signature, and then replies to the sender with a first disconnection message over the conventional protocol stack (e.g. TCP/IP). When the sender receives the first disconnection message within the predetermined time, it disconnects the data link; if it does not receive the first disconnection message within the predetermined time, it retransmits the first notification until the first disconnection message arrives, which keeps communication stable. The sender then sends the receiver, over the network communication control link, a second notification to disconnect the control link and starts a timer. The receiver picks the second notification out of all captured packets using BPF and the pattern-matching algorithm, verifies it using a timestamp, the first session key and a digital signature, and then replies to the sender with a second disconnection message over the conventional protocol stack (e.g. TCP/IP). When the sender receives the second disconnection message within the predetermined time, it disconnects the control link; if it does not receive the second disconnection message within the predetermined time, it forcibly disconnects the control link so that a dead link does not occupy communication resources. Multi-link communication management defines the network communication control link and the network communication data link separately: the control link is used to establish and negotiate session information, the data link is used to transmit session data messages, and the receiver can dynamically update the data link information, further enhancing the concealment of communication.
A specific embodiment of the present invention also provides a computer storage medium containing computer-executable instructions which, when processed by a data processing device, cause that device to perform the portless shadow communication method based on the KCP protocol. The method comprises the following steps:
Step 101: the receiver establishes a network communication control link with the sender by capturing packets through the network card driver.
Step 102: the receiver and the sender establish a network communication data link through the network communication control link.
Step 103: the receiver and the sender send and receive data messages over the network communication data link using the KCP protocol.
Another specific embodiment of the present invention provides a computer storage medium containing computer-executable instructions which, when processed by a data processing device, cause that device to perform the portless shadow communication method based on the KCP protocol. The method comprises the following steps:
Step 101: the receiver establishes a network communication control link with the sender by capturing packets through the network card driver.
Step 102: the receiver and the sender establish a network communication data link through the network communication control link.
Step 103: the receiver and the sender send and receive data messages over the network communication data link using the KCP protocol.
Step 104: the sender initiates, in turn, the disconnection of the network communication data link and of the network communication control link.
Fig. 3 is the overall architecture diagram of a receiving end and a transmitting end provided by a specific embodiment of the invention, and Fig. 4 is the detailed architecture diagram of the PowerShadow component of the receiving end in Fig. 3. As shown in Fig. 3 and Fig. 4, the application layer of the receiving end and the transmitting end provides a calling interface for the programs that display, store or process the data before encryption and after decryption. The encryption/decryption layer of the receiving end and the transmitting end encrypts and decrypts data messages with a specified cipher mode and key, guaranteeing the security of the data messages in transit; the cipher mode and key are negotiated by the two communicating parties when the communication session is established, and common symmetric and asymmetric cipher modes are supported. The KCP layer of the receiving end and the transmitting end converts TCP-based communication data into UDP-based communication data, encapsulates and transmits the data according to the KCP protocol, performs communication management with the KCP protocol, and guarantees the speed and reliability of data message transmission through the retransmission mechanism and the sliding window mechanism. The PowerShadow component of the receiving end does not use the conventional TCP/IP protocol stack: it reduces memory copies and the number of system interrupts through huge-page memory, lock-free ring buffers and DirectIO (direct I/O), which raises data message transmission efficiency; at the same time, because the driver layer (kernel layer) supports BPF and an efficient feature matching algorithm, it can quickly match the expected packets and discard invalid packets, avoiding attacks that exploit the performance bottleneck of the network hardware.

As shown in Fig. 4, the packet capture driver captures packets with a kernel-layer driver that supports common Intel network interface card models, bypasses the Linux kernel protocol stack and hands the packets to a user-defined protocol stack; it uses multicore programming to bind the OS (operating system) threads to specified cores; it uses huge-page memory management to reduce memory accesses and swapping; and it uses multithreaded operation with lock-free circular queues to avoid thread contention. Data preprocessing: the data captured by the driver are all the packets that reach the machine's network interface card, with many redundant packets mixed in, so the data must be preprocessed to strip the redundant data and extract the shadow communication packets; conventional BPF rules and a space-time efficient packet matching algorithm are supported. Data check: preprocessing filters out the shadow communication packets, but to prevent a third party from forging, modifying or replaying data, the preprocessed data must still be checked to further guarantee the security of the data; in a specific embodiment of the invention, the data check combines three elements: a timestamp, a random number and a digital signature. KCP protocol encapsulation: the checked data are encapsulated in the KCP protocol format and submitted to the upper-layer KCP management module, which continues processing in the subsequent modules; once the application layer has processed the data, the data returned to the transmitting end are sent out through the conventional protocol stack.
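The preprocessing and data-check stages described above, as an added example that is not the patent's own code. It assumes a constructed packet format: a 4-byte tag (b"SHDW") that the prefilter matches on, an 8-byte millisecond timestamp, a 16-byte random number, the payload, and a 32-byte authenticator. The patent names a "digital signature"; this example uses an HMAC-SHA256 under the negotiated session key as the authenticator, which is an assumption, not the patent's construction. The capture, the session key and the clock value are constructed inline.

```python
"""Receiving-end prefilter (BPF stand-in) plus timestamp / random number /
authenticator check. Added example, not code from the patent."""
import hashlib
import hmac
import secrets
import struct
from collections import OrderedDict

TAG = b"SHDW"                       # assumed marker at the start of the UDP payload
HDR = struct.Struct(">4sQ16s")      # tag, timestamp in ms, 16-byte random number
MAC_LEN = 32
MAX_SKEW_MS = 30_000                # accepted clock difference (constructed value)
REPLAY_CACHE = 4096                 # random numbers remembered for replay detection


def build_packet(session_key, payload, now_ms, nonce=b""):
    """What the transmitting end would put on the wire for one data message."""
    nonce = nonce or secrets.token_bytes(16)
    body = HDR.pack(TAG, now_ms, nonce) + payload
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


def prefilter(packets):
    """Preprocessing: keep only packets that carry the tag and are long enough
    to hold a header and an authenticator; everything else on the NIC is dropped.
    The equivalent pcap/BPF rule for this tag would be: udp[8:4] == 0x53484457"""
    for pkt in packets:
        if len(pkt) >= HDR.size + MAC_LEN and pkt[:4] == TAG:
            yield pkt


class DataCheck:
    def __init__(self, session_key):
        self.key = session_key
        self.seen = OrderedDict()   # random number -> timestamp, bounded replay cache

    def verify(self, pkt, now_ms):
        """Return (payload, "ok") or (None, reason) for a packet the prefilter kept."""
        body, mac = pkt[:-MAC_LEN], pkt[-MAC_LEN:]
        # 1. authenticity and integrity first: a forged or modified packet must
        #    never reach the parser or the replay cache
        if not hmac.compare_digest(mac, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None, "bad-mac"
        _tag, ts, nonce = HDR.unpack_from(body)
        # 2. freshness: reject anything outside the clock window
        if abs(now_ms - ts) > MAX_SKEW_MS:
            return None, "stale"
        # 3. replay: a random number may be accepted once
        if nonce in self.seen:
            return None, "replay"
        self.seen[nonce] = ts
        if len(self.seen) > REPLAY_CACHE:
            self.seen.popitem(last=False)
        return body[HDR.size:], "ok"


def demo():
    """Run the check over a constructed capture and return the verdicts in order."""
    key = secrets.token_bytes(32)
    now = 1_700_000_000_000
    good = build_packet(key, b"hello", now)
    stale = build_packet(key, b"old", now - 120_000)
    forged = good[:-1] + bytes([good[-1] ^ 1])       # one authenticator bit flipped
    noise = b"\x45\x00" + secrets.token_bytes(40)    # unrelated traffic on the NIC
    wrong_key = build_packet(b"x" * 32, b"mallory", now)
    capture = [noise, good, stale, forged, good, wrong_key]   # good appears twice: replay
    checker = DataCheck(key)
    return [checker.verify(p, now)[1] for p in prefilter(capture)]
```

The order of the three checks matters: the authenticator is verified before the timestamp or the random number is trusted, so an attacker cannot poison the replay cache or probe the clock window with unauthenticated packets.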
Fig. 5 A is to establish network communication control between a kind of receiving end that the specific embodiment of the invention provides and transmitting terminal The timing diagram of link;Fig. 5 B is to establish network communication between a kind of receiving end that the specific embodiment of the invention provides and transmitting terminal The timing diagram of data link;Fig. 5 C is to transmit data between a kind of receiving end that the specific embodiment of the invention provides and transmitting terminal The timing diagram of message;Fig. 5 D be between a kind of disconnection receiving end that the specific embodiment of the invention provides and transmitting terminal link when Sequence figure, as shown in Fig. 5 A~Fig. 5 D, Fig. 5 A illustrates the timing diagram for establishing network communication control link, and receiving end network interface card opens flood The random number of the cipher mode itself supported and generation is issued receiving end by universal schema, transmitting terminal, and receiving end is using BPF and efficiently Feature Correspondence Algorithm filters out random number and cipher mode from all data packets, and replys a kind of encryption side that both sides support The certificate and public key that formula, the random number of generation, receiving end authorize;Transmitting terminal receives new random number after above-mentioned data by connecing Receiving end is sent to after public key and the cipher mode encryption that receiving end is sent;Receiving end receives data and is decrypted, while using friendship Three mutual generating random number session keys, it will words key returns to transmitting terminal together with data link information.
Fig. 5 B illustrates the timing diagram for establishing network communication data link, and transmitting terminal is obtained using network communication control link Information establish network communication data link.Detailed process includes: to send to generate based on network communication Quality Initiative road direction receiving end Random number and cipher mode;Receiving end filters out random number from all data packets using BPF and efficient feature matching algorithm And cipher mode, and the card of the random number for the cipher mode, generation supported to transmitting terminal reply both sides, receiving end authorization Book and public key;After transmitting terminal receives the public key sent new random number by receiving end after above-mentioned data and cipher mode encryption It is sent to receiving end;Receiving end receives data and is decrypted, while using three generating random number session keys of interaction, it will Words key returns to transmitting terminal.
Fig. 5 C illustrates the timing diagram of transmission data message, and after network communication data link establishment, transmitting terminal passes through sliding Windowing mechanism batch sends datagram to receiving end;Receiving end returns to transmitting terminal for data message ID is received;Transmitting terminal exists Data message ID is not received in predetermined time, according to timeout mechanism, the automatic data message for retransmitting receiving end reception failure, Until data end of transmission.Transmitting terminal is during waiting data message ID to be received, after being sent using lower message transmission rate Continuous data message.
Fig. 5 D illustrates the timing diagram for disconnecting link between receiving end and transmitting terminal, first disconnects network communication data link, Network communication control link is disconnected again, is initiated by transmitting terminal, is disconnected network communication data link and is had to pass through receiving end confirmation, Network communication control link is disconnected in the case where cannot get receiving end response, transmitting terminal can be disconnected actively, guarantee that communication is steady Under the premise of qualitatively, network and computing resource are saved.
The embodiment of the invention provides a portless shadow communication method based on the KCP protocol and a computer storage medium, in which the transmitting end and the receiving end complete data message transmission through portless shadow communication based on the KCP protocol. The receiving end does not listen on any network port with a socket; every data message it receives is captured directly from the network interface card by the PowerShadow driver, then preprocessed, parsed and checked, encapsulated into a KCP packet and submitted to the upper layer; after processing, the upper layer returns data to the transmitting end through the conventional protocol stack. Portless communication at the receiving end effectively avoids the problems that come with listening on a network communication port: poor concealment, easy detection and attack, and a single form of data check. Converting TCP-based communication behaviour to the connectionless, efficient and secure KCP protocol carried over UDP enhances the penetrability of the network communication, reduces the probability that the network data are intercepted by network devices such as firewalls, and raises the transmission rate of data messages; it improves the data transfer rate while guaranteeing reliable communication and solves the problem of slow TCP packet transmission under network congestion. A control link and a data link are defined for multi-link communication management: the control link is used to establish and negotiate session information, and the data link is used to transmit session data. The receiving end dynamically updates the data link information, enhancing the concealment of the transmission session. The invention is of great help in building communication systems that are highly secure, highly concealed and stable in transmission, and can be widely used in network communication fields such as shadow communication systems, security proxy systems and anonymous transmission networks.
The above embodiments of the invention may be implemented in various hardware, software code, or a combination of both. For example, an embodiment of the invention may also be program code that executes the above method in a digital signal processor (DSP). The invention may also refer to multiple functions executed by a computer processor, digital signal processor, microprocessor or field programmable gate array (FPGA). The above processors may be configured according to the invention to perform particular tasks, which are completed by executing machine-readable software code or firmware code that defines the particular methods disclosed by the invention. The software code or firmware code may be developed in different programming languages and in different formats or forms, and may also be compiled for different target platforms. However, the different code styles, types and languages of the software code, and of other types of configuration code, that perform tasks according to the invention do not depart from the spirit and scope of the invention.
The foregoing are merely illustrative specific embodiments of the invention; any equivalent changes and modifications made by those skilled in the art without departing from the concepts and principles of the invention fall within the scope of protection of the invention.

Claims (10)

1. A portless shadow communication method based on the KCP protocol, characterized in that the method comprises:
the receiving end establishing a network communication control link with the transmitting end by means of network interface card driver packet capture;
establishing a network communication data link through the network communication control link between the receiving end and the transmitting end; and
transmitting and receiving data messages between the receiving end and the transmitting end through the network communication data link based on the KCP protocol.
2. The portless shadow communication method based on the KCP protocol according to claim 1, characterized in that the step of the receiving end establishing the network communication control link with the transmitting end by means of network interface card driver packet capture specifically comprises:
the network interface card of the receiving end opening promiscuous mode and capturing all packets on the network by network interface card driver packet capture;
the transmitting end sending a first random number and one or more first cipher modes to the receiving end;
the receiving end filtering the first random number and the first cipher modes out of all packets using BPF and an efficient feature matching algorithm, and replying a second random number, a public key and a second cipher mode to the transmitting end, wherein the second cipher mode is one of the first cipher modes;
the transmitting end encrypting a third random number using the public key and the second cipher mode, and sending the encrypted third random number to the receiving end;
the receiving end filtering the encrypted third random number out of all packets using BPF and the efficient feature matching algorithm, obtaining the third random number by decrypting the encrypted third random number using the public key, generating a first session key using the first random number, the second random number and the third random number, and then returning the first session key and data link information to the transmitting end; and
the transmitting end establishing the network communication control link with the receiving end according to the first session key and the data link information.
3. The portless shadow communication method based on the KCP protocol according to claim 2, characterized in that, after the receiving end filters the encrypted third random number out of all packets using BPF and the efficient feature matching algorithm, the method further comprises:
verifying the encrypted third random number using a timestamp, the first random number, the second random number and a digital signature.
4. The portless shadow communication method based on the KCP protocol according to claim 2, characterized in that the step of establishing the network communication data link through the network communication control link between the receiving end and the transmitting end specifically comprises:
the transmitting end sending a fourth random number and one or more first cipher modes to the receiving end through the network communication control link;
the receiving end filtering the fourth random number and the first cipher modes out of all packets using BPF and the efficient feature matching algorithm, and replying a fifth random number, the public key and a third cipher mode to the transmitting end, wherein the third cipher mode is one of the first cipher modes;
the transmitting end encrypting a sixth random number using the public key and the third cipher mode, and sending the encrypted sixth random number to the receiving end;
the receiving end filtering the encrypted sixth random number out of all packets using BPF and the efficient feature matching algorithm, obtaining the sixth random number by decrypting the encrypted sixth random number using the public key, generating a second session key using the fourth random number, the fifth random number and the sixth random number, and then returning the second session key to the transmitting end; and
the transmitting end establishing the network communication data link with the receiving end according to the second session key.
5. The portless shadow communication method based on the KCP protocol according to claim 4, characterized in that the step of transmitting and receiving data messages between the receiving end and the transmitting end through the network communication data link based on the KCP protocol specifically comprises:
the transmitting end sending a first data message to the receiving end at a first rate through the network communication control link using the sliding window mechanism of the KCP protocol, and starting timing;
the receiving end filtering the first data message out of all packets using BPF and the efficient feature matching algorithm, and replying a first response message to the transmitting end;
the transmitting end receiving the first response message within the predetermined time, whereupon the transmission of the first data message is complete, wherein during the predetermined time the transmitting end continues to send a second data message to the receiving end at a second rate, the second rate being less than the first rate; and
the transmitting end, if it does not receive the response message within the predetermined time, retransmitting the first data message until the first response message is received.
6. The portless shadow communication method based on the KCP protocol according to claim 5, characterized in that, after the receiving end filters the first data message out of all packets using BPF and the efficient feature matching algorithm, the method further comprises:
verifying the first data message using a timestamp, the second session key and a digital signature.
7. The portless shadow communication method based on the KCP protocol according to claim 4, characterized in that, after the step of transmitting and receiving data messages between the receiving end and the transmitting end through the network communication data link based on the KCP protocol, the method further comprises:
the transmitting end initiating, in sequence, the operations of disconnecting the network communication data link and the network communication control link.
8. The portless shadow communication method based on the KCP protocol according to claim 7, characterized in that the step of the transmitting end initiating, in sequence, the operations of disconnecting the network communication data link and the network communication control link specifically comprises:
the transmitting end sending first notification information for disconnecting the network communication data link to the receiving end through the network communication data link, and starting timing;
the receiving end filtering the first notification information out of all packets using BPF and the efficient feature matching algorithm, and replying first disconnection information to the transmitting end;
the transmitting end disconnecting the network communication data link after receiving the first disconnection information within the predetermined time;
the transmitting end, if it does not receive the first disconnection information within the predetermined time, retransmitting the first notification information until the first disconnection information is received;
the transmitting end sending second notification information for disconnecting the network communication control link to the receiving end through the network communication control link, and starting timing;
the receiving end filtering the second notification information out of all packets using BPF and the efficient feature matching algorithm, and replying second disconnection information to the transmitting end;
the transmitting end disconnecting the network communication control link after receiving the second disconnection information within the predetermined time; and
the transmitting end, if it does not receive the second disconnection information within the predetermined time, forcibly disconnecting the network communication control link.
9. The portless shadow communication method based on the KCP protocol according to claim 8, characterized in that, after the receiving end filters the first notification information out of all packets using BPF and the efficient feature matching algorithm, the method further comprises:
verifying the first notification information using a timestamp, the second session key and a digital signature;
and after the receiving end filters the second notification information out of all packets using BPF and the efficient feature matching algorithm, the method further comprises:
verifying the second notification information using a timestamp, the first session key and a digital signature.
10. A computer storage medium comprising computer-executable instructions which, when processed by a data processing device, cause the data processing device to execute the portless shadow communication method based on the KCP protocol according to any one of claims 1 to 9.
Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN201811024376.0A (granted as CN109005194B, status: Active)    2018-09-04    2018-09-04    No-port shadow communication method based on KCP protocol and computer storage medium

Publications (2)

Publication Number Publication Date
CN109005194A true CN109005194A (en) 2018-12-14
CN109005194B CN109005194B (en) 2020-10-27

Family

ID=64590318

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150052257A1 (en) * 2008-10-02 2015-02-19 Apple Inc. Methods and apparatus for transmitting data streams via a heterogeneous network
CN102739473A (en) * 2012-07-09 2012-10-17 南京中兴特种软件有限责任公司 Network detecting method using intelligent network card
CN103036904A (en) * 2012-12-27 2013-04-10 东方通信股份有限公司 Method of data reliable transmission with user datagram protocol (UDP) in communication network
CN105493524A (en) * 2013-07-25 2016-04-13 康维达无线有限责任公司 End-to-end M2M service layer sessions
CN104767734A (en) * 2015-03-18 2015-07-08 欧普照明股份有限公司 Network communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Deng Quancai (邓全才): Research on distributed intrusion detection based on pattern matching and protocol analysis, China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111176961A (en) * 2019-12-05 2020-05-19 腾讯科技(深圳)有限公司 Application program testing method and device and storage medium
CN111176961B (en) * 2019-12-05 2022-03-29 腾讯科技(深圳)有限公司 Application program testing method and device and storage medium
CN111404842A (en) * 2019-12-11 2020-07-10 杭州海康威视系统技术有限公司 Data transmission method, device and computer storage medium
CN111404842B (en) * 2019-12-11 2024-04-09 杭州海康威视系统技术有限公司 Data transmission method, device and computer storage medium
CN111405298A (en) * 2020-02-17 2020-07-10 重庆邮电大学 Android end-to-end live broadcast method based on KCP protocol
CN113890896A (en) * 2021-09-24 2022-01-04 中移(杭州)信息技术有限公司 Network access method, communication device, and computer-readable storage medium
CN114598497A (en) * 2022-01-26 2022-06-07 南京南瑞信息通信科技有限公司 Data isolation device and method based on error-correctable multiple channels of transmission card
CN114598497B (en) * 2022-01-26 2023-10-20 南京南瑞信息通信科技有限公司 Data isolation device and method based on transmission card error-correcting multichannel
CN115955517A (en) * 2023-03-10 2023-04-11 北京太一星晨信息技术有限公司 Message processing method and system
CN115955517B (en) * 2023-03-10 2023-07-28 北京太一星晨信息技术有限公司 Message processing method and system

Legal Events

Code    Title
PB01    Publication
SE01    Entry into force of request for substantive examination
GR01    Patent grant