CN109450852B - Network communication encryption and decryption method and electronic equipment - Google Patents


Info

Publication number: CN109450852B
Application number: CN201811174660.6A
Other versions: CN109450852A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Prior art keywords: key, algorithm, index value, protocol, characteristic information
Inventors: 李凤华, 耿魁, 张玲翠
Current and original assignee: Institute of Information Engineering of CAS

Classifications

    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms, the keys or algorithms being changed during operation


Abstract

The embodiment of the invention provides a network communication encryption and decryption method and electronic equipment. The encryption method comprises the following steps: determining a target key by using feature information and an index value, wherein the feature information is one or more items of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information; and encrypting and encapsulating the plaintext data of the current session by using the target key, and then sending the encapsulated data. By binding the characteristic information to the keys, the embodiment of the invention enables different session processes to use different keys; it realizes key distribution at the session level, the process level and the application level, and can provide a communication mode with a higher protection level for important communication occasions and important communication data.

Description

Network communication encryption and decryption method and electronic equipment
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a network communication encryption and decryption method and electronic equipment.
Background
With the development of internet communication technology, communication and data access are becoming faster and faster; one terminal can access different servers and can also interact with different application programs of the same server. In terms of security, however, the existing technology cannot meet the requirement for finer-grained confidentiality.
For example, the IPsec Encapsulating Security Payload (IPsec ESP) protocol can perform integrity measurement, source authentication and encryption on data during its transmission. In tunnel mode, a session key is negotiated between the two networks and is common to all host communications between them. In transport mode, although a different session key can be used between each pair of hosts, the same session key is still shared by different applications between the same pair of hosts. The keys are negotiated by establishing SAs (security associations), each of which is uniquely identified by the triplet < SPI, source/destination IP address, IPsec protocol >.
Neither the tunnel mode nor the transport mode described above can achieve session-level security isolation, which is not secure enough for applications with high security requirements and thus results in lower security.
Disclosure of Invention
An embodiment of the present invention provides a network communication encryption and decryption method and an electronic device for solving the above problems.
In a first aspect, an embodiment of the present invention provides a network communication encryption method, including:
determining a target key by using feature information and an index value, wherein the feature information is one or more items of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information;
and encrypting and encapsulating the plaintext data of the current session by using the target key, and then sending the encapsulated data.
In a second aspect, an embodiment of the present invention provides a network communication decryption method, including:
receiving encapsulated data, parsing the encapsulated data, and acquiring the encrypted data and the characteristic information and/or algorithm parameters carried by the encapsulation format;
obtaining an index value by mapping according to the characteristic information and/or the algorithm parameters, and determining a target key by using the characteristic information and the index value;
and decrypting the encrypted data by using the target key to obtain the plaintext data of the current session.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
the processor and the memory communicate with each other through a bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the network communication encryption method of the first aspect or the network communication decryption method of the second aspect of the embodiments of the present invention.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, cause the processor to perform the network communication encryption method according to the first aspect or the network communication decryption method according to the second aspect of the embodiment of the present invention.
According to the network communication encryption and decryption method and the electronic equipment provided by the embodiment of the invention, the characteristic information of the two communicating parties is bound to the key, so that different session processes can use different keys; the sending end and the receiving end use the same common characteristic information to determine the key of the current session through the association among the characteristic information, the index value and the key, thereby realizing key distribution at the session level, the process level and the application level and meeting the need for a communication mode with fine-grained security isolation for important communication occasions and important communication data.
Drawings
Fig. 1 is a schematic diagram illustrating a network communication encryption method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a data format of the IPSec ESP transport mode according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a data format of an IPSec ESP tunnel mode according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a binding method of an index value, feature information and a key according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a network communication decryption method according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a network communication encryption method according to an embodiment of the present invention, where the entity executing the network communication encryption method shown in fig. 1 is the sending end, and the method includes:
100, determining a target key by using feature information and an index value, wherein the feature information is one or more items of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information.
It should be noted that the sending end address and the receiving end address may be IPv4 addresses or IPv6 addresses; it is not excluded that future IP addresses will be extended to more digits, and addresses of other protocols are not excluded either. The embodiment of the invention can support addresses of any number of digits.
101, encrypting and encapsulating the plaintext data of the current session by using the target key, and then sending the encapsulated data.
Specifically, when the sending end acquires the feature information, the addresses, port numbers and protocol number of the two communicating parties, that is, the quintuple information, may be determined according to the current session process. Different pairs of communicating parties have different quintuple information, and different session processes between the same two communicating parties also have different quintuple information, so different keys are distributed to different sessions according to the characteristic information: whenever any one item or combination of items of the quintuple information differs, the key differs, th
ereby realizing session-level security isolation of information transmission. Specifically, the embodiment of the present invention maps the feature information into an index value, referred to as an index group, so as to facilitate establishing the index and locating the feature information.
After determining the current target key, the sending end encrypts plaintext data to be sent in the current session through the target key, packages the plaintext data and sends the plaintext data to the receiving end.
The embodiment of the invention binds the characteristic information, which both communicating parties can obtain, to the key, so that different sessions, processes and applications can use different keys; the sending end and the receiving end determine the key of the current session by using the common characteristic information and the association among the characteristic information, the index value and the key, thereby realizing key distribution at the session level, the process level and the application level and meeting the need for a communication mode with fine-grained security isolation for important communication occasions and important communication data.
Based on the foregoing embodiment, in step 100, the determining a target key by using the feature information and the index value specifically includes:
100.1, mapping the characteristic information to obtain an index value through an index value algorithm;
100.2, performing key matching in the key library according to the characteristic information and the index value;
100.3, if the matching is successful, taking the matched key as a target key; otherwise, generating a new key by using a key generation algorithm and/or a key negotiation protocol according to the characteristic information and the index value, and taking the new key as a target key.
Specifically, in step 100.3, generating a new key by using the key generation algorithm further includes: binding the new key, the feature information and the index value, establishing an index, and storing the binding result in the key library.
It should be noted that the index value algorithm of the embodiment of the present invention may be any of a variety of algorithms; when the sending end selects a certain index value algorithm, the receiving end must select the same index value algorithm so that the same characteristic information is mapped to the same index value.
The embodiment of the invention can generate a new key through the key generation algorithm, can also generate a new key through the key agreement protocol, and can also generate a new key through the key generation algorithm and the key agreement protocol.
It should be noted that, in the embodiment of the present invention, there may be one or more key generation algorithms and key agreement protocols. When a sending end selects a certain key generation algorithm and a key negotiation protocol, a receiving end must select the same key generation algorithm and the same key negotiation protocol to obtain the same key according to the same characteristic information so as to decrypt encrypted data.
The embodiment of the invention stores the existing characteristic information, the index value and the corresponding key in the key library, thereby accelerating the speed and efficiency of obtaining the key. For example, assuming that the current session lasts 10 minutes and the current frame period is 1 ms, encrypted data needs to be sent to the receiving end 10 × 1000/1 times; the feature information in these 10 × 1000 sending processes is the same, so according to the index value algorithm the index value obtained by mapping is also the same, and the key corresponding to the feature information is also the same. If the correspondence between the feature information and the key were not stored in the key library, the key would need to be calculated every time data is transmitted, increasing the amount of calculation and processing; if the correspondence between the characteristic information and the key is stored in the key library, the key needs to be calculated only when data is sent for the first time, and the corresponding key is subsequently acquired directly from the key library, so that key acquisition efficiency is improved.
Specifically, if the current session sends data for the first time, there may be no key in the key library corresponding to the feature information of the current session; a new key then needs to be generated by using a key generation algorithm, and the new key, the feature information and the index value are bound and stored in the key library, so that in subsequent key matching the corresponding key can be found in the key library through the index value and the feature information.
Based on the above embodiment, the characteristic information corresponds to one or more keys;
correspondingly, if the matching is successful, taking the matched key as the target key specifically includes:
if one key is matched, the matched key is used as a target key;
and if a plurality of keys are matched, randomly acquiring one key from the plurality of keys as the target key, or acquiring a specified key as the target key, or alternately replacing the key according to a specified communication duration and determining the current target key from the plurality of keys.
It should be noted that, in the embodiment of the present invention, the correspondence between the feature information and the key includes: in a session process, one piece of feature information uniquely corresponds to one key, or one piece of feature information corresponds to a plurality of keys, which is equivalent to having spare keys available for key replacement.
The specified communication duration in the embodiment of the present invention may be a communication duration specified by a user or a default communication duration.
If one piece of feature information uniquely corresponds to one key, matching the feature information in the key library yields at most one key, and the matched key is used as the target key. If one piece of feature information corresponds to a plurality of keys, matching the feature information in the key library yields the plurality of keys, and several processing methods are then available: one key may be randomly selected from the plurality of keys as the target key; or, according to the user's specification, the key specified by the user is selected from the plurality of keys as the target key; or different keys are used in turn as the target key according to the communication duration specified by the user or the default communication duration. For example, if one piece of feature information corresponds to 10 keys and the specified communication duration is 1 minute, the encryption key used to encrypt the plaintext data is replaced every 1 minute, so the 10 keys are used in turn as the target key over ten minutes; after ten minutes the 10 keys are rotated through again in turn, and so on.
For one encryption and decryption process, the sending end and the receiving end ensure that the same pair of encryption and decryption keys is used; the two keys of the pair are different in an asymmetric encryption algorithm and identical in a symmetric encryption algorithm. Whether symmetric or asymmetric, if more than one key exists, the key sequence number can be generated by using the same random algorithm, or the selection can be made according to a certain agreed sequence, so that the two communicating parties are guaranteed to select the same pair of encryption and decryption keys.
It should be noted that, if the feature information and the key are in a one-to-many mode, that is, if there are spare keys, the user may specify after how long a period of communication the currently used key is automatically discarded and another new key is used instead. The advantage of this is that automatic updating of the key is realized, and security is further improved.
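As an added example (not code from the patent), the following Go program implements the key determination of steps 100.1 to 100.3 together with the multi-key rotation just described: the quintuple is mapped to an index value, the key library is searched by index value and then by the full feature information, a key set is generated and bound on a miss, and the sender rotates among the spare keys by the specified communication duration while the receiver selects the key by the carried key sequence number. The index value algorithm (truncated SHA-256), the key generation algorithm (HMAC-SHA256 under a pre-shared master secret), the number of spare keys and the sample addresses are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

// Quintuple is the feature information. Its fixed-size fields let binary.Write
// serialise it canonically; 16-byte addresses cover IPv4 and IPv6 alike.
type Quintuple struct {
	SrcAddr, DstAddr [16]byte
	SrcPort, DstPort uint16
	Proto            uint8
}

// ip16 converts a textual address into the 16-byte form used by Quintuple.
func ip16(s string) (a [16]byte) { copy(a[:], net.ParseIP(s).To16()); return a }

// IndexValue is the assumed index value algorithm: first four bytes of SHA-256 over the quintuple.
func IndexValue(q Quintuple) uint32 {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, q)
	return binary.BigEndian.Uint32(h.Sum(nil)[:4])
}

// binding is one key library record: feature information, its keys (spare keys included)
// and the time the binding was first used.
type binding struct {
	feat  Quintuple
	keys  [][]byte
	start time.Time
}

// KeyStore is the key library: bucketed by index value, then matched on the full feature
// information, so quintuples whose index values collide still get separate keys.
type KeyStore struct {
	master   []byte        // pre-shared secret held by both ends (assumption of this example)
	nkeys    int           // keys bound to each quintuple
	rotation time.Duration // specified communication duration per key
	lib      map[uint32][]*binding
}

func NewKeyStore(master []byte, nkeys int, rotation time.Duration) *KeyStore {
	return &KeyStore{master, nkeys, rotation, map[uint32][]*binding{}}
}

// generate is the assumed key generation algorithm: key i is
// HMAC-SHA256(master, index || i || quintuple), so both ends derive it without a round trip.
func (s *KeyStore) generate(q Quintuple, idx uint32) [][]byte {
	keys := make([][]byte, s.nkeys)
	for i := range keys {
		mac := hmac.New(sha256.New, s.master)
		binary.Write(mac, binary.BigEndian, idx)
		mac.Write([]byte{byte(i)})
		binary.Write(mac, binary.BigEndian, q)
		keys[i] = mac.Sum(nil)
	}
	return keys
}

// lookup is steps 100.1-100.3: map, match in the library, otherwise generate, bind and store.
func (s *KeyStore) lookup(q Quintuple, now time.Time) (*binding, bool) {
	idx := IndexValue(q)
	for _, b := range s.lib[idx] {
		if b.feat == q {
			return b, true
		}
	}
	b := &binding{q, s.generate(q, idx), now}
	s.lib[idx] = append(s.lib[idx], b)
	return b, false
}

// SenderKey returns the current target key, its key sequence number and whether the library
// was hit. Keys alternate every rotation period; the sequence number travels in the algorithm
// parameters, so the receiver selects the same key without knowing the sender's clock.
func (s *KeyStore) SenderKey(q Quintuple, now time.Time) ([]byte, uint8, bool) {
	b, hit := s.lookup(q, now)
	n := 0
	if len(b.keys) > 1 && s.rotation > 0 {
		n = int(now.Sub(b.start)/s.rotation) % len(b.keys)
	}
	return b.keys[n], uint8(n), hit
}

// ReceiverKey resolves the key from the feature information parsed out of the packet and the
// carried key sequence number; ok is false if that number is out of range.
func (s *KeyStore) ReceiverKey(q Quintuple, seq uint8, now time.Time) (key []byte, ok bool) {
	if b, _ := s.lookup(q, now); int(seq) < len(b.keys) {
		return b.keys[seq], true
	}
	return nil, false
}
func main() {
	q := Quintuple{ip16("10.0.0.1"), ip16("10.0.0.2"), 40000, 443, 6} // constructed sample session
	s := NewKeyStore([]byte("constructed pre-shared secret"), 3, time.Minute)
	_, seq, hit := s.SenderKey(q, time.Now())
	fmt.Println("library hit:", hit, "key sequence number:", seq)
}
```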
Based on the above embodiment, step 101, encrypting and encapsulating the plaintext data of the current session by using the target key and then sending the result, specifically includes:
encrypting the plaintext data by using the target key;
encapsulating the encrypted data, and encapsulating the characteristic information and/or the algorithm parameters;
sending the encapsulated data;
wherein the algorithm parameters are used to specify any combination of one or more of the index value algorithm and its state, the key generation algorithm and its state, the key agreement protocol and its state, the encryption algorithm and its state, and the key sequence number, so that the receiving end performs index value mapping according to the characteristic information and/or the algorithm parameters and determines the target key by using the characteristic information and the index value.
The index value algorithm is used to generate a specific index value for the key;
the key generation algorithm is used to generate the encryption and decryption key by computation with that algorithm;
the key agreement protocol is used to generate the encryption and decryption key through negotiation;
the encryption algorithm, together with the key, encrypts the data;
the key sequence number is used to specify one key among a plurality of keys.
It should be noted that the encapsulation format differs from protocol to protocol. If a protocol itself carries the characteristic information and meets the encryption requirement, the data is encapsulated according to the original protocol, and the key index value is calculated directly from the information carried by the protocol itself; otherwise, if the fields of the original protocol cannot meet the encryption requirement, the protocol is modified so that the characteristic information is filled in.
It should be noted that the algorithm parameter field may or may not be present. If the two communicating parties have agreed on a unique index value algorithm, a unique key generation algorithm, a unique key agreement protocol, a unique encryption algorithm and a unique key selection method, or if there is only one index value algorithm, one key generation algorithm, one key agreement protocol, one encryption algorithm and one key, then this field may be absent. If the two communicating parties have not agreed, or have agreed on multiple index value algorithms, multiple key generation algorithms, multiple key agreement protocols, multiple encryption algorithms or multiple keys, then this field must be present.
Specifically, the index value algorithm refers to the unique index value generating algorithm selected by the sender, and it may be determined in either of two ways: it is a default of both communicating parties and need not be transmitted during communication; or, after the sender selects it, the identifier of the index value algorithm is written into the algorithm parameters at the time of data encapsulation.
Similarly, the key generation algorithm and the key agreement protocol in the embodiment of the present invention are handled in the same way as the index value algorithm and may be determined in either of two ways: they are defaults of both communicating parties and need not be transmitted during communication; or, after the sender selects them, the identifiers of the key generation algorithm and/or the key agreement protocol are written into the algorithm parameters at the time of data encapsulation.
It should be noted that, when a plurality of key generation algorithms or key agreement protocols are used to calculate the key, or a plurality of encryption algorithms are used, the key generation algorithms, key agreement protocols or encryption algorithms may be changed periodically in turn, so that communication between the sending end and the receiving end is safer.
After the receiving end receives the data packet, it parses the algorithm parameter field from the packet, determines from that field the index value algorithm and its state and/or the key generation algorithm and its state and/or the key agreement protocol and its state and/or the encryption algorithm and its state and/or the key sequence number used by the sending end, and then uses the same index value algorithm and state and/or key generation algorithm and state and/or key agreement protocol and state and/or encryption algorithm and state and/or key sequence number, so that the key obtained for decryption is guaranteed to decrypt the data.
Embodiments of the invention may include, but are not limited to, carrying the characteristic information and/or the algorithm parameters in any of the following ways, and then performing index value mapping and key matching through the characteristic information:
    • the communication protocol naturally carries the characteristic information and/or the algorithm parameters;
    • the communication protocol is modified so that the characteristic information and/or the algorithm parameters are filled in;
    • negotiation rounds are added before formal communication to carry the characteristic information and/or the algorithm parameters;
    • reserved fields are filled with the characteristic information and/or the algorithm parameters;
    • additional fields are added to carry the characteristic information and/or the algorithm parameters;
    • a fixed position in the body of the data message is selected to carry the characteristic information and/or the algorithm parameters.
The encrypted and encapsulated data is sent to the receiving end, which obtains the characteristic information by parsing and thereby decrypts the encrypted data, so that fine-grained secure encryption and process-level and application-level security-isolated sessions are realized.
Based on the above embodiment, the encapsulating the feature information and/or the algorithm parameter specifically includes:
by extending the IPSec ESP protocol, the feature information and/or algorithm parameters are carried in the IPSec ESP protocol format.
Wherein, the IPSec ESP protocol format carrying the characteristic information and/or the algorithm parameters specifically includes:
if communication is carried out through an IPSec ESP transmission mode, carrying a sending end IP address and/or a receiving end IP address in an IP header of an IPSec ESP protocol format, carrying first characteristic information and/or algorithm parameters in a filling item of the ESP header of the IPSec ESP protocol format, wherein the first characteristic information comprises one or more arbitrary combinations of a sending end port number, a receiving end port number and a protocol number in the quintuple information;
if the communication is performed through the IPSec ESP tunnel mode, the padding of the ESP header in the IPSec ESP protocol format carries second feature information and/or algorithm parameters, where the second feature information includes one or more arbitrary combinations of the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number, and the protocol number in the quintuple information.
Fig. 2 is a schematic diagram of a data format of an IPSec ESP transmission mode according to an embodiment of the present invention, but is not limited to this implementation manner. Referring to fig. 2, when the IPSec ESP transmission mode is selected for communication, the sending port number, the receiving port number, and the protocol number in the quintuple information are encapsulated in an ESP header of the IPSec ESP protocol, the algorithm parameter is also encapsulated in the ESP header of the IPSec ESP protocol, and the sending IP address and the receiving IP address in the quintuple information are encapsulated in the IP header.
Specifically, the ESP header of the IPSec ESP protocol includes a security parameter index SPI, a sequence number, and a padding. The embodiment of the invention modifies the filling items and adds the port number of the sending end, the port number of the receiving end, the protocol number and the algorithm parameter. The specific number of bytes occupied by the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number, the protocol number and the algorithm parameter may be determined according to actual conditions, and the embodiment of the present invention is not particularly limited. For example, the sending port number occupies 2 bytes, the receiving port number occupies 2 bytes, the protocol number occupies 1 byte, the algorithm parameter occupies 5 bytes, and so on.
If communication takes place in IPSec ESP transport mode, the plaintext data is encrypted with the target key, and the encrypted data is then encapsulated in the data format of the IPSec ESP transport mode and transmitted.
Fig. 3 is a schematic diagram of the data format of the IPSec ESP tunnel mode according to an embodiment of the present invention, though the invention is not limited to this implementation. Referring to Fig. 3, when the IPSec ESP tunnel mode is selected for communication, the embodiment of the present invention encapsulates the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number and the protocol number from the quintuple information in the ESP header of the IPSec ESP protocol, and encapsulates the algorithm parameter in the same ESP header.
Specifically, the ESP header of the IPSec ESP protocol comprises a security parameter index (SPI), a sequence number and a padding field. The embodiment of the invention modifies the padding field to add the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number, the protocol number and the algorithm parameter. The number of bytes occupied by the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number and the protocol number may be chosen according to actual conditions and is not particularly limited by the embodiments of the present invention. For example, the sending end IP address may occupy 4 bytes, the receiving end IP address 4 bytes, the sending end port number 2 bytes, the receiving end port number 2 bytes, the protocol number 1 byte, the algorithm parameter 5 bytes, and so on.
If communication takes place in IPSec ESP tunnel mode, the plaintext data is encrypted with the target key, and the encrypted data is then encapsulated in the data format of the IPSec ESP tunnel mode and transmitted.
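The two padding layouts described above, as an added example that is not part of the patent: a Python encoder and decoder for the extended ESP padding field using the example byte widths from the description (port numbers 2 bytes, protocol number 1 byte, algorithm parameter 5 bytes, IPv4 addresses 4 bytes). The internal layout of the 5-byte algorithm parameter, the mode names and the sample addresses are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not code from the patent. Field widths follow the sizes the description
# gives as an example. The internal layout of the 5-byte algorithm parameter (index value
# algorithm, its state, key generation algorithm, encryption algorithm, key sequence
# number, one byte each) is an assumption; the patent leaves it unspecified.


@dataclass(frozen=True)
class AlgParam:
    index_alg: int      # index value algorithm identifier
    index_state: int    # its state (e.g. a seed)
    keygen_alg: int     # key generation algorithm / negotiation protocol identifier
    enc_alg: int        # encryption algorithm identifier
    key_seq: int        # key sequence number when several keys are bound to one feature

    def pack(self) -> bytes:
        return struct.pack("!BBBBB", self.index_alg, self.index_state,
                           self.keygen_alg, self.enc_alg, self.key_seq)

    @classmethod
    def unpack(cls, raw: bytes) -> "AlgParam":
        return cls(*struct.unpack("!BBBBB", raw))


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int


# transport mode padding field: sport(2) dport(2) proto(1) alg(5)              = 10 bytes
# tunnel mode padding field:    sip(4) dip(4) sport(2) dport(2) proto(1) alg(5) = 18 bytes
TRANSPORT_FMT = "!HHB5s"
TUNNEL_FMT = "!4s4sHHB5s"


def encode_padding(mode: str, ft: FiveTuple, ap: AlgParam) -> bytes:
    """Sender side: build the extended ESP padding field for the given mode."""
    tail = (ft.src_port, ft.dst_port, ft.protocol, ap.pack())
    if mode == "transport":
        # first characteristic information: ports and protocol only; addresses stay in the IP header
        return struct.pack(TRANSPORT_FMT, *tail)
    if mode == "tunnel":
        # second characteristic information: the whole five-tuple travels inside the ESP padding
        return struct.pack(TUNNEL_FMT, ipaddress.IPv4Address(ft.src_ip).packed,
                           ipaddress.IPv4Address(ft.dst_ip).packed, *tail)
    raise ValueError(f"unknown ESP mode {mode!r}")


def decode_padding(mode: str, padding: bytes,
                   ip_header_addrs: Optional[Tuple[str, str]] = None) -> Tuple[FiveTuple, AlgParam]:
    """Receiver side: recover the five-tuple and the algorithm parameter from the padding field.
    In transport mode the addresses are not in the padding; they come from the IP header."""
    if mode == "transport":
        if ip_header_addrs is None:
            raise ValueError("transport mode needs the addresses from the IP header")
        size = struct.calcsize(TRANSPORT_FMT)
        sport, dport, proto, raw_ap = struct.unpack(TRANSPORT_FMT, padding[:size])
        src_ip, dst_ip = ip_header_addrs
    elif mode == "tunnel":
        size = struct.calcsize(TUNNEL_FMT)
        sip, dip, sport, dport, proto, raw_ap = struct.unpack(TUNNEL_FMT, padding[:size])
        src_ip, dst_ip = str(ipaddress.IPv4Address(sip)), str(ipaddress.IPv4Address(dip))
    else:
        raise ValueError(f"unknown ESP mode {mode!r}")
    return FiveTuple(src_ip, dst_ip, sport, dport, proto), AlgParam.unpack(raw_ap)


def roundtrip(mode: str) -> bool:
    """Constructed sample: a TCP session 10.0.0.1:40000 -> 10.0.0.2:443 survives encode/decode."""
    ft = FiveTuple("10.0.0.1", "10.0.0.2", 40000, 443, 6)
    ap = AlgParam(index_alg=1, index_state=7, keygen_alg=1, enc_alg=2, key_seq=0)
    pad = encode_padding(mode, ft, ap)
    addrs = (ft.src_ip, ft.dst_ip) if mode == "transport" else None
    return decode_padding(mode, pad, addrs) == (ft, ap)
```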
The network communication encryption method of the embodiment of the invention binds the key to characteristic information that both communication parties can obtain, so that different sessions, processes and applications use different keys. The sending end and the receiving end use the same shared characteristic information to determine the key of the current session through the association between the characteristic information, the index value and the key, thereby achieving session-level, process-level and application-level key distribution and meeting the need for fine-grained security isolation of important communication scenarios and important communication data.
Fig. 4 is a schematic diagram of a method of binding an index value, feature information and a key according to an embodiment of the present invention, though the invention is not limited to this implementation. As shown in Fig. 4, in the binding linked-list structure, the index value algorithm and its state are obtained from the algorithm parameters, the index value is obtained by mapping the feature information with that index value algorithm and state, and the matching key is looked up in the binding linked-list structure using the feature information and the index value.
Each index value corresponds to a key chain; a key chain may hold no entries, or entries in which feature information and a key correspond one-to-one or many-to-one. When a key is matched through the feature information and the index value, if the matching succeeds, the matched key is used as the target key; if the matching fails, a new key is generated with a key generation algorithm and/or a key negotiation protocol according to the characteristic information and the index value, and the new key together with the characteristic information is added to the key chain corresponding to the index value, at the head, the tail or any other position of the chain.
Fig. 5 is a flowchart of a network communication decryption method according to an embodiment of the present invention, though the invention is not limited to this implementation. As shown in Fig. 5, the network communication decryption method, executed by the receiving end, comprises:
500, receiving the encapsulated data, analyzing the encapsulated data, and obtaining encrypted data and characteristic information and/or algorithm parameters carried by the encapsulation format;
the characteristic information is one or more of quintuple information, and the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number; the algorithm parameter is used for specifying one or more arbitrary combinations of the index value algorithm and the state thereof, the key generation algorithm and the state thereof, the key agreement protocol and the state thereof, the encryption algorithm and the state thereof, and the key sequence number.
501, obtaining an index value according to the feature information and/or algorithm parameter mapping, and determining a target key by using the feature information and the index value;
502, decrypting the encrypted data by using the target key to obtain the plaintext data of the current session.
As described in the previous example, the sending end carries the characteristic information and/or algorithm parameters in the encapsulation format, and the receiving end corresponding to that sending end parses the characteristic information and/or algorithm parameters out of the received encapsulation format. The receiving end then uses the same index value algorithm as the sending end; key matching is carried out in the key library using the index value and the characteristic information to determine the target key, and the encrypted data is decrypted with the target key to obtain the plaintext data of the current session. If no key matches, a new key is generated with the default key generation algorithm or key negotiation protocol, or with the key generation algorithm or key negotiation protocol specified by the algorithm parameters, and the encrypted data is decrypted with the new key to obtain the plaintext data of the current session.
In addition, when the encrypted data is decrypted by using the target key, the encrypted data may be decrypted by a decryption algorithm corresponding to a default encryption algorithm or by a decryption algorithm corresponding to an encryption algorithm specified by an algorithm parameter (if the algorithm parameter specifies the encryption algorithm).
The embodiment of the invention binds the key to characteristic information that both communication parties can obtain, so that different sessions, processes and applications use different keys. The sending end and the receiving end use the same shared characteristic information to determine the key of the current session through the association between the characteristic information, the index value and the key, thereby achieving session-level, process-level and application-level key distribution and meeting the need for fine-grained security isolation of important communication scenarios and important communication data.
Based on the above embodiment, parsing the encapsulated data in step 500 to obtain the encrypted data and the feature information and/or algorithm parameters carried by the encapsulation format specifically comprises:
decapsulating the encapsulated encrypted data according to the IPSec ESP protocol to obtain the encrypted data;
if communication takes place in IPSec ESP transport mode, obtaining the sending end IP address and/or the receiving end IP address from the IP header of the IPSec ESP protocol format, and obtaining the first characteristic information and/or the algorithm parameters from the padding field of the ESP header of the IPSec ESP protocol, where the first characteristic information comprises one or more of the sending end port number, the receiving end port number and the protocol number in the quintuple information, and any combination of one or more of the sending end IP address and the receiving end IP address is obtained from the IP header;
if communication takes place in IPSec ESP tunnel mode, obtaining the second characteristic information and/or the algorithm parameters from the padding field of the ESP header of the IPSec ESP protocol, where the second characteristic information comprises any combination of one or more of the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number and the protocol number in the quintuple information.
As described above, the sending end sends one or more items of the feature information, i.e. the quintuple information, to the receiving end in the encapsulation format; by parsing the encapsulation format, the receiving end obtains the corresponding characteristic information and/or algorithm parameters, so that the receiving end and the sending end use the same characteristic information, the same index value algorithm and the same key generation algorithm and/or key negotiation protocol, which ensures that the encrypted data can be decrypted.
Specifically, the algorithm parameter is used to specify the index value algorithm and its state;
correspondingly, the mapping according to the feature information and/or the algorithm parameter to obtain an index value, and determining the target key by using the feature information and the index value specifically includes:
obtaining an index value algorithm according to the algorithm parameters;
mapping the characteristic information to obtain an index value through the index value algorithm;
carrying out key matching in a key database according to the characteristic information and the index value;
and if the matching is successful, taking the matched key as the target key.
In the embodiment of the invention, the receiving end uses the same key matching algorithm as the sending end, and matching is likewise carried out in the key library. When a piece of feature information is matched against a key for the first time, no key may be found in the key library; in that case the receiving end also has to map the feature information to an index value, compute a key with the key generation algorithm, establish an index and store it in the key library, exactly as the sending end does; see the following embodiment.
For one encryption and decryption process, the sending end and the receiving end must use the same pair of encryption and decryption keys; the two keys of the pair differ in an asymmetric encryption algorithm and are identical in a symmetric encryption algorithm. Whether the algorithm is symmetric or asymmetric, if more than one key exists, the key sequence number can be generated with the same random algorithm on both sides, or the selection can follow an agreed order, so that both communication parties select the same pair of encryption and decryption keys.
Specifically, the algorithm parameter is used to specify the key generation algorithm and its state and/or the key agreement protocol and its state;
correspondingly, the mapping according to the feature information and/or the algorithm parameter to obtain an index value, and determining the target key by using the feature information and the index value specifically includes:
acquiring a key generation algorithm and/or a key negotiation protocol according to the algorithm parameters;
and generating a new key and/or a key sequence number by using the key generation algorithm and/or the key negotiation protocol, selecting a specified new key, and taking the new key as a target key.
Based on the above embodiment, the generating a new key by using the key generation algorithm and/or the key agreement protocol further includes:
generating an index value through an index value algorithm; binding the target key, the characteristic information and the index value, and establishing an index;
and saving the binding result to the key library.
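The key chain structure of Fig. 4 and the receiver-side match-or-generate-and-bind steps above, as an added Python example that is not the patent's own code: an index value algorithm selected and seeded by the algorithm parameter, a key library with one chain per index value, and a generate, bind and store path for the first packet of a session. The HMAC-based derivation from a shared master secret stands in for the unspecified key generation algorithm or negotiation protocol; the algorithm identifiers, the index space size and the sample five-tuples are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not code from the patent. Feature information is any subset of the
# five-tuple, kept as a canonical tuple (src_ip, src_port, dst_ip, dst_port, protocol);
# None marks a field the peers agreed not to use (e.g. process-level binding by port).
Feature = Tuple[Optional[str], Optional[int], Optional[str], Optional[int], Optional[int]]

INDEX_SPACE = 1 << 16   # size of the index value space (assumption)


def canonical(feat: Feature) -> bytes:
    return "|".join("" if f is None else str(f) for f in feat).encode()


@dataclass(frozen=True)
class AlgParam:
    """Algorithm parameters carried in the ESP padding field (identifiers are assumptions)."""
    index_alg: int = 1      # index value algorithm
    index_state: int = 0    # its state, here used as a seed
    keygen_alg: int = 1     # key generation algorithm
    key_seq: int = 0        # key sequence number selecting one of several bound keys


def index_value(feat: Feature, ap: AlgParam) -> int:
    """Map feature information to an index value with the algorithm and state named in ap."""
    if ap.index_alg == 1:   # hashed index over the whole feature tuple
        digest = hashlib.sha256(ap.index_state.to_bytes(4, "big") + canonical(feat)).digest()
        return int.from_bytes(digest[:4], "big") % INDEX_SPACE
    if ap.index_alg == 2:   # index by sending port only: one chain per sending process
        return ((feat[1] or 0) + ap.index_state) % INDEX_SPACE
    raise ValueError(f"unknown index value algorithm {ap.index_alg}")


@dataclass
class KeyEntry:
    feat: Feature
    key_seq: int
    key: bytes


@dataclass
class KeyStore:
    """Key library: one key chain per index value, each entry binding feature info to a key."""
    master: bytes   # shared secret, a stand-in for the key negotiation protocol (assumption)
    chains: Dict[int, List[KeyEntry]] = field(default_factory=dict)

    def generate_key(self, feat: Feature, idx: int, ap: AlgParam) -> bytes:
        """Key generation algorithm selected by ap.keygen_alg (HMAC derivation, an assumption)."""
        info = b"idx=%d|seq=%d|" % (idx, ap.key_seq) + canonical(feat)
        if ap.keygen_alg == 1:
            return hmac.new(self.master, info, hashlib.sha256).digest()
        if ap.keygen_alg == 2:
            return hmac.new(self.master, info, hashlib.sha512).digest()[:32]
        raise ValueError(f"unknown key generation algorithm {ap.keygen_alg}")

    def target_key(self, feat: Feature, ap: AlgParam) -> Tuple[bytes, bool]:
        """Match (feature, index value) in the key library; on a miss generate, bind and store.
        Returns (key, matched) so the caller can see whether a new binding was created."""
        idx = index_value(feat, ap)
        chain = self.chains.setdefault(idx, [])
        for entry in chain:
            if entry.feat == feat and entry.key_seq == ap.key_seq:
                return entry.key, True
        key = self.generate_key(feat, idx, ap)
        chain.append(KeyEntry(feat, ap.key_seq, key))   # binding added at the chain tail
        return key, False


def demo() -> Dict[str, bool]:
    """Constructed scenario: both ends share the master secret and the algorithm parameters,
    so they resolve the same key for one session and different keys for different sessions."""
    master = b"constructed-shared-secret"      # placeholder, not a real key
    sender, receiver = KeyStore(master), KeyStore(master)
    ap = AlgParam(index_alg=1, index_state=7, keygen_alg=1, key_seq=0)
    s1: Feature = ("10.0.0.1", 40000, "10.0.0.2", 443, 6)
    s2: Feature = ("10.0.0.1", 40001, "10.0.0.2", 443, 6)   # same hosts, another session
    k1_tx, hit_tx = sender.target_key(s1, ap)        # first packet: miss, generated and bound
    k1_rx, hit_rx = receiver.target_key(s1, ap)      # receiver derives the same key
    k1_again, hit_again = sender.target_key(s1, ap)  # next packet: matched from the chain
    k2_tx, _ = sender.target_key(s2, ap)
    k1_seq1, _ = sender.target_key(s1, AlgParam(1, 7, 1, key_seq=1))  # second key for s1
    return {"same_key_both_ends": k1_tx == k1_rx,
            "first_use_miss": not hit_tx and not hit_rx,
            "second_use_hit": hit_again and k1_again == k1_tx,
            "sessions_isolated": k1_tx != k2_tx,
            "seq_selects_other_key": k1_seq1 != k1_tx}
```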
It should be noted that the algorithm parameter field may or may not be present. If the two communication parties have agreed on a unique index value algorithm, a unique key generation algorithm, a unique key agreement protocol, a unique encryption algorithm and a unique key selection method, or if only one encryption algorithm, one index value algorithm, one key generation algorithm, one key agreement protocol and one key exist, the field may be omitted. If the two parties have made no such agreement, or have agreed on multiple index value algorithms, key generation algorithms, key agreement protocols, encryption algorithms or keys, the field must be present.
It should be noted that when several key generation algorithms are available for computing the key, they may be rotated periodically so that the communication between the sending end and the receiving end is more secure. After receiving a data packet, the receiving end parses the algorithm parameter field from the packet, determines from it the index value algorithm and its state, and/or the key generation algorithm and its state, and/or the key negotiation protocol and its state, and/or the encryption algorithm and its state, and/or the key sequence number used by the sending end, and then uses the same ones, so that the key obtained in the decryption process is guaranteed to decrypt the data. For details, refer to the description of the sending end, which is not repeated here.
The network communication encryption method of the embodiment of the invention binds the key to characteristic information that both communication parties can obtain, so that different sessions and processes use different keys. The sending end and the receiving end use the same quintuple information to determine the key of the current session through the association between any combination of one or more items of the quintuple, the index value and the key, thereby achieving session-level, process-level and application-level key distribution and meeting the need for fine-grained security isolation of important communication scenarios and important communication data.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 6, the electronic device comprises a processor 601, a memory 602 and a bus 603, where the processor 601 and the memory 602 communicate with each other via the bus 603; the processor 601 is configured to call program instructions in the memory 602 to perform the methods provided by the above method embodiments, for example:
determining a target key by utilizing feature information and an index value, wherein the feature information is one or more of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information; encrypting and packaging the plaintext data of the current session by using the target key and then sending the plaintext data;
or comprises the following steps:
receiving packaged data, analyzing the packaged data, and acquiring encrypted data and characteristic information and/or algorithm parameters carried by a packaging format; obtaining an index value according to the characteristic information and/or algorithm parameter mapping, and determining a target key by using the characteristic information and the index value; and decrypting the encrypted data by using the target key to obtain the plaintext data of the current session.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, enable the computer to perform the methods provided by the above-mentioned method embodiments, for example, including:
determining a target key by utilizing feature information and an index value, wherein the feature information is one or more of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information; encrypting and packaging the plaintext data of the current session by using the target key and then sending the plaintext data;
or comprises the following steps:
receiving packaged data, analyzing the packaged data, and acquiring encrypted data and characteristic information and/or algorithm parameters carried by a packaging format; obtaining an index value according to the characteristic information and/or algorithm parameter mapping, and determining a target key by using the characteristic information and the index value; and decrypting the encrypted data by using the target key to obtain the plaintext data of the current session.
Embodiments of the present invention provide a non-transitory computer-readable storage medium, which stores computer instructions, where the computer instructions cause the computer to perform the methods provided by the above method embodiments, for example, the methods include:
determining a target key by utilizing feature information and an index value, wherein the feature information is one or more of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information; encrypting and packaging the plaintext data of the current session by using the target key and then sending the plaintext data;
or comprises the following steps:
receiving packaged data, analyzing the packaged data, and acquiring encrypted data and characteristic information and/or algorithm parameters carried by a packaging format; obtaining an index value according to the characteristic information and/or algorithm parameter mapping, and determining a target key by using the characteristic information and the index value; and decrypting the encrypted data by using the target key to obtain the plaintext data of the current session.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above-described embodiments of the apparatuses and devices are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. A method of network communication encryption, comprising:
determining a target key by utilizing feature information and an index value, wherein the feature information is one or more of quintuple information, the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number, and the index value is obtained by mapping the feature information;
encrypting and packaging the plaintext data of the current session by using the target key and then sending the plaintext data;
the determining a target key by using the feature information and the index value specifically includes:
mapping the characteristic information to obtain an index value through an index value algorithm;
carrying out key matching in a key database according to the characteristic information and the index value;
if the matching is successful, the matched key is used as a target key;
otherwise, generating a new key by using a key generation algorithm and/or a key negotiation protocol according to the characteristic information and the index value, and taking the new key as a target key.
2. The method of claim 1, wherein generating a new key using a key generation algorithm and/or a key agreement protocol further comprises:
binding the new key, the feature information and the index value, and establishing an index;
and storing the binding result to the key bank.
3. The method of claim 1, wherein the characteristic information corresponds to one or more keys;
correspondingly, if the matching is successful, taking the matched key as the target key specifically includes:
if one key is matched, the matched key is used as a target key;
and if the plurality of keys are matched, randomly acquiring one key from the plurality of keys as a target key, or acquiring a specified key as the target key, or alternately replacing the key according to specified communication time length, and determining the current target key from the plurality of keys.
4. The method according to claim 3, wherein the encrypting and encapsulating the plaintext data of the current session with the target key before sending the plaintext data comprises:
encrypting the plaintext data by using the target key;
packaging the encrypted data, and packaging the characteristic information and/or the algorithm parameter;
sending the encapsulated data;
the algorithm parameter is used for specifying any combination of one or more of the index value algorithm and the state thereof, the key generation algorithm and the state thereof, the key agreement protocol and the state thereof, the encryption algorithm and the state thereof, and the key sequence number, so that a receiving end performs index value mapping according to the characteristic information and/or the algorithm parameter, and determines a target key by using the characteristic information and the index value.
5. The method according to claim 4, wherein the encapsulating the feature information and/or the algorithm parameters specifically comprises:
by extending the IPSec ESP protocol, the feature information and/or algorithm parameters are carried in the IPSec ESP protocol format.
6. The method according to claim 5, wherein the carrying of the characteristic information and/or algorithm parameters in the IPSec ESP protocol format specifically comprises:
if communication takes place in IPSec ESP transport mode, the sending end IP address and/or the receiving end IP address are carried in the IP header of the IPSec ESP protocol format, and the first characteristic information and/or the algorithm parameters are carried in the padding field of the ESP header of the IPSec ESP protocol format, where the first characteristic information comprises any combination of one or more of the sending end port number, the receiving end port number and the protocol number in the quintuple information;
if communication takes place in IPSec ESP tunnel mode, the padding field of the ESP header of the IPSec ESP protocol format carries the second characteristic information and/or the algorithm parameters, where the second characteristic information comprises any combination of one or more of the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number and the protocol number in the quintuple information.
7. A method for decrypting network communications, comprising:
receiving packaged data, analyzing the packaged data, and acquiring encrypted data and characteristic information and/or algorithm parameters carried by a packaging format;
obtaining an index value according to the characteristic information and/or algorithm parameter mapping, and determining a target key by using the characteristic information and the index value;
decrypting the encrypted data by using the target key to obtain plaintext data of the current session;
the algorithm parameter is used for specifying the index value algorithm and the state thereof;
correspondingly, the mapping according to the feature information and/or the algorithm parameter to obtain an index value, and determining the target key by using the feature information and the index value specifically includes:
obtaining an index value algorithm according to the algorithm parameters;
mapping the characteristic information to obtain an index value through the index value algorithm;
carrying out key matching in a key database according to the characteristic information and the index value;
if the matching is successful, the matched key is used as a target key;
the characteristic information is one or more of quintuple information, and the quintuple information comprises a sending end address, a sending end port number, a receiving end address, a receiving end port number and a protocol number.
8. The method according to claim 7, wherein the analyzing the encapsulated data to obtain the encrypted data and the feature information and/or the algorithm parameter carried by the encapsulation format specifically comprises:
based on IPSec ESP protocol, decapsulating the encapsulated encrypted data to obtain encrypted data;
if communication takes place in IPSec ESP transport mode, obtaining the sending end IP address and/or the receiving end IP address from the IP header of the IPSec ESP protocol format, and obtaining the first characteristic information and/or the algorithm parameters from the padding field of the ESP header of the IPSec ESP protocol, where the first characteristic information comprises one or more of the sending end port number, the receiving end port number and the protocol number in the quintuple information, and any combination of one or more of the sending end IP address and the receiving end IP address is obtained from the IP header;
if communication takes place in IPSec ESP tunnel mode, obtaining the second characteristic information and/or the algorithm parameters from the padding field of the ESP header of the IPSec ESP protocol, where the second characteristic information comprises any combination of one or more of the sending end IP address, the receiving end IP address, the sending end port number, the receiving end port number and the protocol number in the quintuple information.
9. The method of claim 7, wherein the algorithm parameters are used to specify a key generation algorithm and its state and/or a key agreement protocol and its state;
correspondingly, the mapping according to the feature information and/or the algorithm parameter to obtain an index value, and determining the target key by using the feature information and the index value specifically includes:
acquiring a key generation algorithm and/or a key negotiation protocol according to the algorithm parameters;
and generating a new key by using the key generation algorithm and/or the key negotiation protocol, and taking the new key as a target key.
10. The method according to claim 9, wherein said generating a new key using said key generation algorithm and/or key agreement protocol further comprises:
generating an index value through an index value algorithm; binding the target key, the characteristic information and the index value, and establishing an index;
and saving the binding result to the key library.
11. An electronic device, comprising:
a processor and a memory, which communicate with each other via a bus; the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the method of any one of claims 1 to 10.
12. A non-transitory computer-readable storage medium having stored thereon a computer program, characterized in that the non-transitory computer-readable storage medium stores computer instructions, which when executed by a processor, implement the method according to any one of claims 1 to 10.
CN201811174660.6A 2018-10-09 2018-10-09 Network communication encryption and decryption method and electronic equipment Active CN109450852B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811174660.6A CN109450852B (en) 2018-10-09 2018-10-09 Network communication encryption and decryption method and electronic equipment

Publications (2)

Publication Number Publication Date
CN109450852A CN109450852A (en) 2019-03-08
CN109450852B true CN109450852B (en) 2020-09-29

Family

ID=65546366

Country Status (1)

Country Link
CN (1) CN109450852B (en)


Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067290B (en) * 2012-11-30 2016-06-01 成都卫士通信息产业股份有限公司 The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card
US9350550B2 (en) * 2013-09-10 2016-05-24 M2M And Iot Technologies, Llc Power management and security for wireless modules in “machine-to-machine” communications
CN105227308B (en) * 2014-06-13 2019-01-08 华为技术有限公司 A kind of encryption and decryption method and electronic equipment
US9774451B2 (en) * 2015-02-10 2017-09-26 Qualcomm Incorporated Using secure elements to authenticate devices in point-to-point communication
CN106817358B (en) * 2015-12-02 2020-07-17 阿里巴巴集团控股有限公司 Encryption and decryption method and device for user resources
CN108256309B (en) * 2018-01-10 2020-01-03 飞天诚信科技股份有限公司 Method and device for realizing system logging in windows10 or above

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483860A (en) * 2009-01-23 2009-07-15 清华大学 Negotiation control method based on SIP security policy grade in IMS network
CN106304400A (en) * 2015-05-21 2017-01-04 阿里巴巴集团控股有限公司 The IP address distribution method of wireless network and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Access control model for cyberspace; 李凤华 et al.; 《通信学报》 (Journal on Communications); 20160531; full text *

Also Published As

Publication number Publication date
CN109450852A (en) 2019-03-08

Similar Documents

Publication Publication Date Title
CN109450852B (en) Network communication encryption and decryption method and electronic equipment
CN105262772B (en) Data transmission method, system and related device
US9350711B2 (en) Data transmission method, system, and apparatus
CN108075890A (en) Data sending terminal, data receiver, data transmission method and system
CN107040446B (en) VPN tunnel protocol realizing method
SE538304C2 (en) Improved installation of a terminal in a secure system
CN110620762A (en) RDMA (remote direct memory Access) -based data transmission method, network card, server and medium
WO2012026855A1 (en) Methods and arrangements for secure communication over an ip network
CN111786869B (en) Data transmission method between servers and server
WO2016056990A1 (en) Method and system for establishing a secure communication channel
US10419212B2 (en) Methods, systems, apparatuses, and devices for securing network communications using multiple security protocols
KR20180130203A (en) APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
CN111786867A (en) Data transmission method and server
CN113904766A (en) Encrypted communication method, device, equipment and medium
CN104796887B (en) A kind of method and apparatus of security information interaction
CN111786868B (en) Data transmission method between servers and strongswan server
CN107579964A (en) Data transmission method and device
CN110832806B (en) ID-based data plane security for identity-oriented networks
US10015208B2 (en) Single proxies in secure communication using service function chaining
CN113904809A (en) Communication method, communication device, electronic equipment and storage medium
CN111835613B (en) Data transmission method of VPN server and VPN server
CN115225414B (en) Encryption strategy matching method and device based on IPSEC (Internet protocol Security) and communication system
CN111416791B (en) Data transmission method, equipment and system
CN110417804A (en) A kind of bidirectional identity authentication encryption communication method and system suitable for chip microcontroller
CN115118458A (en) Data processing method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant