CN110191084A - IPsec data encapsulation method, reception method and device - Google Patents
- Publication number
- CN110191084A (application CN201910238351.9A)
- Authority
- CN
- China
- Prior art keywords
- location information
- receiving end
- data packet
- key
- terminal location
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0872—Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses an IPsec data encapsulation method, a reception method and corresponding devices. The sending end obtains its own (local-end) location information and the receiving end's location information, generates a key from the two, encrypts the packet to be sent with that key and then transmits it. On receiving the packet from the sending end, the receiving end obtains the sending end's location information and its own, generates the key from the two, and decrypts the received packet with it. Because the location information of both the sending end and the receiving end is combined into the data key, and an illegitimate device cannot obtain the location information of the legitimate endpoints, the key strength is high and the data is hard to parse; when an illegitimate device forges packets in an attempt to communicate with the receiving end or the sending end, it cannot forge the specific location information. The security of IPsec is thereby improved.
Description
Technical field
The invention belongs to the field of Internet security protocol technology and specifically relates to an IPsec data encapsulation method, a reception method and corresponding devices.
Background technique
IPsec (Internet Protocol Security) is a protocol suite that protects the IP protocol by encrypting and authenticating IP packets. As a new-generation network security standard, IPsec provides security services at the network layer: through encryption and verification of IP packets it guarantees the security of data in transit, and providing users with IPsec-based end-to-end security is a trend in network development.
IPsec mainly consists of the following: (1) the Authentication Header (AH), which provides connectionless data integrity, message authentication and anti-replay protection for IP datagrams; (2) the Encapsulating Security Payload (ESP), which provides confidentiality, data-origin authentication, connectionless integrity, anti-replay protection and limited traffic-flow confidentiality; (3) the Security Association (SA), which supplies the algorithms and parameters that AH and ESP processing requires.
The SA is the basis of IPsec. It is the agreement between communicating peers on certain elements, for example which protocol is used, the encapsulation mode, the encryption algorithm, the shared key protecting a given flow, the key lifetime and so on. An SA is usually uniquely identified by a triple consisting of the SPI (Security Parameter Index), the destination IP address and the security protocol number. The IPsec authentication header, and the IPsec encapsulation in general, is therefore tied to the source and destination IP addresses.
If an illegitimate man-in-the-middle intercepts a packet in transit and can parse out the source and destination IP addresses, it can use those addresses to send forged packets or invalid data to attack the source and destination hosts; at the same time there is a great risk that the IP data content is parsed out, leaking important data.
Summary of the invention
This application provides an IPsec data encapsulation method, a reception method and devices that use the sending end's location information and the receiving end's location information to encrypt and encapsulate data, with the technical effect of improving the security of IPsec data encapsulation.
To solve the above technical problem, the application adopts the following technical scheme.
An IPsec data encapsulation method is proposed, comprising: obtaining local-end location information and receiving-end location information; generating a key based on the local-end location information and the receiving-end location information; encrypting the packet to be sent with the key and then sending it.
An IPsec data reception method is proposed, comprising: obtaining sending-end location information and local-end location information; generating a key based on the sending-end location information and the local-end location information; decrypting the received packet with the key.
An IPsec data encapsulation device is proposed, comprising: a sending-end location information acquisition module for obtaining local-end location information and receiving-end location information; a sending-end key generation module for generating a key based on the local-end location information and the receiving-end location information; an encryption module for encrypting the packet to be sent with the key; and a sending module for sending the encrypted packet.
An IPsec data reception device is proposed, comprising: a receiving-end location information acquisition module for obtaining sending-end location information and local-end location information; a receiving-end key generation module for generating a key based on the sending-end location information and the local-end location information; and a decryption module for decrypting the received packet with the key.
Compared with the prior art, the advantages and positive effects of the application are as follows. In the IPsec data encapsulation and reception methods and devices proposed here, the location information of the sending end and of the receiving end is combined, on top of the original IPsec protocol, into the key used to encrypt and decrypt the data. An illegitimate device cannot obtain the location information of the legitimate endpoints, so the key strength is high and the data is hard to parse; at the same time, when an illegitimate device forges packets in an attempt to communicate with the receiving end or the sending end, it cannot forge the specific location information. The method and devices proposed in this application can therefore improve IPsec security, increase key complexity, reduce the risk of information leakage and guarantee the information security of both communicating parties, achieving the technical effect of improving the security of IPsec data encapsulation.
Other features and advantages of the application will become clearer after the detailed description of the embodiments is read in conjunction with the drawings.
Detailed description of the invention
Fig. 1 is a flow chart of the IPsec data encapsulation method proposed in this application;
Fig. 2 is a flow chart of the IPsec data reception method proposed in this application;
Fig. 3 is an architecture diagram of the IPsec data encapsulation device and reception device proposed in this application.
Specific embodiment
The specific embodiments of the application are described in more detail below with reference to the drawings.
The IPsec data encapsulation and reception methods proposed here, on the basis of the original IPsec protocol, combine the local end's location information with the peer's (sending end's or receiving end's) location information to encrypt and encapsulate, and to decrypt, the data, using the specificity of location information to improve the security of packet encapsulation.
Specifically, the application proposes an IPsec data encapsulation method for the sending end which, as shown in Fig. 1, comprises the following steps.
Step S11: obtain local-end location information and receiving-end location information.
The local-end location information can be obtained by GPS, with a deviation range set by the user, and is converted into a binary number by a conversion algorithm. The receiving-end location information and its deviation range can be set in a web page; after submission, the web server back end obtains the receiving-end location information through the conversion algorithm.
Step S12: generate a key based on the local-end location information and the receiving-end location information.
The data encryption key is generated by a key generation algorithm from the local-end location information together with the receiving-end location information. At the same time, a new IP header is generated using the receiving-end location information, so that, in addition to the existing IP address information, the new IP header also contains the receiving-end location information.
Step S13: encrypt the packet to be sent with the key and then send it.
When sending data, the local end (the sending end) encrypts the packet to be sent with the generated key; the encrypted packet and the newly generated IP header are then combined into an IP packet, and the IP packet is finally sent into the network.
Correspondingly, the application proposes an IPsec data reception method for the receiving end which, as shown in Fig. 2, comprises the following steps.
Step S21: obtain sending-end location information and local-end location information.
After the receiving end receives the IP packet sent by the sending end, it first parses the IP header to check whether the destination address is the local IP address; if not, the packet is treated as not destined for this host and is discarded. If it matches the local IP address, the receiving-end location information is parsed out of the IP header of the received packet, the local-end location information is obtained from the local GPS, and the two are compared. If the receiving-end location information from the header and the local-end location information are inconsistent, the received packet is discarded; if they are consistent, step S22 is performed.
Step S22: generate a key based on the sending-end location information and the local-end location information.
The local-end location information is obtained from the local GPS, and the peer's (sending end's) location information and deviation range are obtained from the content configured in the web page; the key is then generated by the key generation method from the sending-end location information and the local-end location information.
Step S23: decrypt the received packet with the key.
After the key is generated, the received packet is decrypted with it. If the decryption result is garbled, the decryption key differs from the encryption key and the data was not sent by a legitimate sending end, so the packet is discarded.
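The sender steps S11 to S13 and the receiver steps S21 to S23 above, carried through in working code. This is an added example, not code from the patent or its applicant. The patent names neither its conversion algorithm, its key generation algorithm nor its cipher, so the following are assumptions made here: a location is quantized to a grid cell whose side is the configured deviation range and encoded as fixed-width binary; the key is an HMAC-SHA256 derivation over both endpoints' cells; the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (the Python standard library has no AES), so the receiver's "garbled plaintext" test of S23 is replaced by an explicit tag check; the receiver's location travels in a simple custom header `HDR` standing in for the patent's new IP header; the IP addresses, coordinates and payload in the `__main__` section are constructed.

```python
"""Location-bound keying and packet handling modelled on steps S11-S13 (sender)
and S21-S23 (receiver) of CN110191084A.  Added example; every algorithm choice
below is an assumption, the patent does not specify them."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float


def quantize(loc: Location, deviation_deg: float) -> bytes:
    """S11 'conversion algorithm' (assumed): snap the coordinates to a grid
    cell of side `deviation_deg` degrees and encode the cell index as fixed
    width binary, so positions within the deviation range map to one value."""
    cell_lat = int((loc.lat + 90.0) // deviation_deg)
    cell_lon = int((loc.lon + 180.0) // deviation_deg)
    return struct.pack(">II", cell_lat, cell_lon)


def derive_key(sender_cell: bytes, receiver_cell: bytes) -> bytes:
    """S12/S22 'key generation algorithm' (assumed): HMAC-SHA256 over both
    endpoints' cells under a fixed label, HKDF-extract style."""
    label = b"ipsec-location-key-v1"  # assumed constant, not from the patent
    return hmac.new(label, sender_cell + receiver_cell, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (assumed)."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, tag also covers the header."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes):
    """Return the plaintext, or None when the tag fails (wrong key or tampering).
    This explicit check replaces the patent's 'garbled after decryption' test."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Stand-in for the patent's new IP header: src IP, dst IP, receiver location cell.
HDR = struct.Struct(">4s4s8s")


def encapsulate(src_ip: bytes, dst_ip: bytes, sender_loc: Location,
                receiver_loc: Location, deviation: float, payload: bytes) -> bytes:
    """Sender: S11 both locations, S12 key + header with receiver location,
    S13 encrypt the payload and combine it with the header."""
    s_cell = quantize(sender_loc, deviation)
    r_cell = quantize(receiver_loc, deviation)
    key = derive_key(s_cell, r_cell)
    header = HDR.pack(src_ip, dst_ip, r_cell)
    return header + encrypt(key, payload, aad=header)


def receive(packet: bytes, local_ip: bytes, local_loc: Location,
            configured_sender_loc: Location, deviation: float):
    """Receiver: S21 destination check and header-vs-GPS location check,
    S22 key from configured sender location + local GPS, S23 decrypt or drop."""
    header = packet[:HDR.size]
    _src_ip, dst_ip, r_cell = HDR.unpack(header)
    if dst_ip != local_ip:
        return None  # not addressed to this host: discard
    if r_cell != quantize(local_loc, deviation):
        return None  # header location disagrees with local GPS: discard
    key = derive_key(quantize(configured_sender_loc, deviation), r_cell)
    return decrypt(key, packet[HDR.size:], aad=header)


if __name__ == "__main__":
    # Constructed sample endpoints (not from the patent).
    sender, receiver = Location(39.9042, 116.4074), Location(31.2304, 121.4737)
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
    pkt = encapsulate(src, dst, sender, receiver, 0.01, b"hello ipsec")
    print(receive(pkt, dst, receiver, sender, 0.01))                  # accepted
    print(receive(pkt, dst, Location(31.3, 121.5), sender, 0.01))     # wrong place
    print(receive(pkt, dst, receiver, Location(40.0, 116.5), 0.01))   # wrong sender
```

The tag check rejects both a packet encrypted under a key derived from a different sender location and a packet whose ciphertext was altered in transit; a "does the output look garbled" test cannot do that reliably for arbitrary binary payloads, so an explicit integrity check is what a practitioner would want at step S23. One caveat on the scheme as a whole: a key derived only from two quantized locations has no more entropy than the number of distinguishable cell pairs, so in a deployment this material would be mixed with a secret from the SA's key exchange rather than standing alone; the patent does not specify this.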
As can be seen from the above, in the IPsec data encapsulation and reception methods proposed by this application, the location information of the sending end and of the receiving end is combined, on top of the original IPsec protocol, into the data key used for encryption and decryption. An illegitimate device cannot obtain the location information of the legitimate endpoints, so the key strength is high and the data is hard to parse; at the same time, when an illegitimate device forges packets in an attempt to communicate with the receiving end or the sending end, it cannot forge the specific location information. The methods and devices proposed in this application can therefore improve IPsec security, increase key complexity, reduce the risk of information leakage and guarantee the information security of both communicating parties, achieving the technical effect of improving the security of IPsec data encapsulation.
Based on the IPsec data encapsulation and reception methods set out above, the application correspondingly also proposes an IPsec data encapsulation device and an IPsec data reception device. As shown in Fig. 3, the IPsec data encapsulation device (sending end) comprises a sending-end location information acquisition module 31, a sending-end key generation module 32, an encryption module 33 and a sending module 34; the IPsec data reception device comprises a receiving-end location information acquisition module 41, a receiving-end key generation module 42 and a decryption module 43.
The sending-end location information acquisition module 31 obtains the local-end location information and the receiving-end location information; the sending-end key generation module 32 generates a key based on the local-end and receiving-end location information; the encryption module 33 encrypts the packet to be sent with the key; the sending module 34 sends the encrypted packet. The receiving-end location information acquisition module 41 obtains the sending-end location information and the local-end location information; the receiving-end key generation module 42 generates a key based on the sending-end and local-end location information; the decryption module 43 decrypts the received packet with the key.
The IPsec data encapsulation device further comprises an IP header encapsulation module 35 and an IP packet generation module 36; the IPsec data reception device further comprises an IP header parsing module 44 and a received-data judgment module 45. The IP header encapsulation module 35 generates a new IP header using the receiving-end location information; the IP packet generation module 36 combines the generated new IP header with the packet encrypted with the key into an IP packet, which the sending module 34 then sends into the network. The IP header parsing module 44 parses the receiving-end location information out of the IP header of the received packet; the received-data judgment module 45 judges whether that receiving-end location information is consistent with the local-end location information, discarding the received packet when they are inconsistent; when they are consistent, the decryption module 43 decrypts the received packet with the key.
The data encapsulation and reception procedures of the specific IPsec data encapsulation device and IPsec data reception device are described in detail in the methods above and are not repeated here.
It should be noted that the above description is not a limitation of the present invention, nor is the present invention limited to the above examples; variations, modifications, additions or substitutions made by those skilled in the art within the essential scope of the present invention also fall within the scope of protection of the present invention.
Claims (8)
1. An IPsec data encapsulation method, characterized by comprising:
obtaining local-end location information and receiving-end location information;
generating a key based on the local-end location information and the receiving-end location information;
encrypting the packet to be sent with the key and then sending it.
2. The IPsec data encapsulation method according to claim 1, characterized in that, after obtaining the receiving-end location information, the method further comprises:
generating a new IP header using the receiving-end location information;
and, after encrypting the packet to be sent with the key, the method further comprises:
combining the generated new IP header with the packet encrypted with the key into an IP packet and then sending it.
3. An IPsec data reception method, characterized by comprising:
obtaining sending-end location information and local-end location information;
generating a key based on the sending-end location information and the local-end location information;
decrypting the received packet with the key.
4. The IPsec data reception method according to claim 3, characterized in that, before decrypting the received packet with the key, the method comprises:
parsing receiving-end location information from the IP header of the received packet;
when the receiving-end location information is consistent with the local-end location information, decrypting the received packet with the key; when the receiving-end location information and the local-end location information are inconsistent, discarding the received packet.
5. An IPsec data encapsulation device, characterized by comprising:
a sending-end location information acquisition module for obtaining local-end location information and receiving-end location information;
a sending-end key generation module for generating a key based on the local-end location information and the receiving-end location information;
an encryption module for encrypting the packet to be sent with the key;
a sending module for sending the encrypted packet.
6. The IPsec data encapsulation device according to claim 5, characterized in that the device further comprises:
an IP header encapsulation module for generating a new IP header using the receiving-end location information;
an IP packet generation module for combining the generated new IP header with the packet encrypted with the key into an IP packet.
7. An IPsec data reception device, characterized by comprising:
a receiving-end location information acquisition module for obtaining sending-end location information and local-end location information;
a receiving-end key generation module for generating a key based on the sending-end location information and the local-end location information;
a decryption module for decrypting the received packet with the key.
8. The IPsec data reception device according to claim 7, characterized in that the device further comprises:
an IP header parsing module for parsing receiving-end location information from the IP header of the received packet;
a received-data judgment module for judging whether the receiving-end location information is consistent with the local-end location information, discarding the received packet when they are inconsistent and, when they are consistent, having the decryption module decrypt the received packet with the key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910238351.9A CN110191084A (en) | 2019-03-27 | 2019-03-27 | IPsec data encapsulation method, reception method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110191084A true CN110191084A (en) | 2019-08-30 |
Family
ID=67713723
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910238351.9A Pending CN110191084A (en) | IPsec data encapsulation method, reception method and device | 2019-03-27 | 2019-03-27 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110191084A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101938743A (en) * | 2009-06-30 | 2011-01-05 | 中兴通讯股份有限公司 | Generation method and device of safe keys |
CN102332979A (en) * | 2011-05-31 | 2012-01-25 | 北京虎符科技有限公司 | RID (Reseller Identity) code and verification method thereof |
WO2015084022A1 (en) * | 2013-12-03 | 2015-06-11 | 삼성전자 주식회사 | Contents security method and electronic apparatus for providing contents security function |
CN106341404A (en) * | 2016-09-09 | 2017-01-18 | 西安工程大学 | IPSec VPN system based on many-core processor and encryption and decryption processing method |
US20180351924A1 (en) * | 2017-06-01 | 2018-12-06 | Kct Holdings, Llc | Apparatus and method for secure router device |
CN109450852A (en) * | 2018-10-09 | 2019-03-08 | 中国科学院信息工程研究所 | Network communication encrypting and decrypting method and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | |
Application publication date: 20190830