CN110995564B - Message transmission method, device and secure network system - Google Patents


Info

Publication number
CN110995564B
Authority
CN
China
Prior art keywords
user terminal
tunnel
message
ssl vpn
virtual address
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911424975.6A
Other languages
Chinese (zh)
Other versions
CN110995564A (en)
Inventor
焦婵妮
任春爱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption


Abstract

The application provides a message transmission method, a message transmission device and a secure network system. The method comprises the following steps: after a first tunnel is established with the first user terminal, determining that the virtual address network segment of the second user terminal is successfully added in the access strategy of the first user terminal; after a second tunnel is established with the second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal; sending the virtual address of the second user terminal to the first user terminal; receiving a first encrypted message sent by the first user terminal through the first tunnel, and decrypting the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal; and sending the decrypted first message to the second user terminal through the second tunnel.

Description

Message transmission method, device and secure network system
Technical Field
The present application relates to the field of network security technologies, and in particular, to a message transmission method, an apparatus, and a secure network system.
Background
An SSL (Secure Sockets Layer) VPN (virtual private network) gateway is a VPN device that establishes a remote secure access channel based on the Secure Sockets Layer protocol, creating a secure and trusted data transmission channel over a shared network. The inventors found, in the course of implementing the present invention, that current SSL VPNs mainly implement encrypted data transmission between a user terminal and a service server by establishing an SSL tunnel, but cannot implement encrypted data transmission between two user terminals. How to establish SSL tunnels so as to realize encrypted data transmission between user terminals has therefore become an urgent problem.
Disclosure of Invention
An object of the embodiments of the present application is to provide a message transmission method, a device, and a secure network system, which are used to solve the problem of how to implement encrypted data transmission between two user terminals by establishing SSL tunnels.
The invention is realized by the following steps:
in a first aspect, an embodiment of the present application provides a message transmission method, which is applied to an SSL VPN gateway in a secure network system, where the secure network system further includes a first user terminal and a second user terminal, and the method includes: after a first tunnel is established with the first user terminal, determining that the virtual address network segment of the second user terminal is successfully added in the access strategy of the first user terminal; after a second tunnel is established with the second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal; sending the virtual address of the second user terminal to the first user terminal; receiving a first encrypted message sent by the first user terminal through the first tunnel, and decrypting the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal; and sending the decrypted first message to the second user terminal through the second tunnel.
In the method, after a first tunnel is established with a first user terminal, a virtual address network segment of a second user terminal is determined to be successfully added in an access strategy of the first user terminal; after a second tunnel is established with a second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal; then sending the virtual address of the second user terminal to the first user terminal; receiving a first encrypted message sent by a first user terminal through a first tunnel, and decrypting the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal; and sending the decrypted first message to the second user terminal through a second tunnel, so that data encryption transmission between the first user terminal and the second user terminal is realized, and the security of point-to-point service communication is improved through the first tunnel and the second tunnel.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, the first tunnel is established through the following steps: receiving an encryption algorithm list provided by the first user terminal; and establishing the first tunnel based on an encryption algorithm shared by the first user terminal, and generating a first tunnel encryption tuple policy.
In the application, a first tunnel is established based on an encryption algorithm shared by the first user terminal, and a first tunnel encryption tuple policy is generated, so that data encryption transmission between the first user terminal and the SSL VPN gateway is facilitated.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, the decrypting the first encrypted packet includes: and decrypting the first encrypted message according to the first tunnel encryption tuple policy.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, when the first packet transmission is performed with the first user terminal, the method further includes: generating a first quintuple policy of the first tunnel; wherein the first quintuple policy comprises a first user terminal address, a first user terminal port, an SSL VPN address, an SSL VPN port, and an SSL protocol.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, when the first user terminal performs packet transmission again, the method further includes: searching for the first quintuple policy corresponding to the first user terminal, and matching the quintuple of the incoming packet against the first quintuple policy.
In the application, when a message is transmitted again with the first user terminal, the first quintuple policy corresponding to the first user terminal is looked up directly, and the quintuple of the incoming packet is matched against it. Quick forwarding of the encrypted message in the tunnel is realized, and the connection with the first user terminal does not need to be re-established. Resource consumption in the communication process is reduced, and the overall performance of the secure network system is improved.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, the second tunnel is established through the following steps: receiving an encryption algorithm list provided by the second user terminal; and establishing the second tunnel based on an encryption algorithm shared by the second user terminal, and generating a second tunnel encryption tuple policy.
In the application, a second tunnel is established based on an encryption algorithm shared by the second user terminal, and a second tunnel encryption tuple policy is generated, so that data encryption transmission between the second user terminal and the SSL VPN gateway is facilitated.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, the sending the decrypted first packet to the second user terminal through the second tunnel includes: encrypting the first message obtained after decryption according to the second tunnel encryption tuple policy to generate a second encrypted message; and sending the second encrypted message to the second user terminal.
With reference to the technical solution provided by the first aspect, in some possible implementations, the method further includes: sending the virtual address of the first user terminal to the second user terminal; correspondingly, after the first message obtained after decryption is sent to the second user terminal through the second tunnel, the method further includes: receiving a third encrypted message sent by the second user terminal through the second tunnel, and decrypting the third encrypted message; wherein the third encrypted message includes a virtual address of the first user terminal; and sending the decrypted second message to the first user terminal through the first tunnel.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, when the first packet transmission is performed with the second user terminal, the method further includes: generating a second quintuple policy for the second tunnel; the second quintuple policy comprises a second user terminal address, a second user terminal port, an SSL VPN address, an SSL VPN port and an SSL protocol.
With reference to the technical solution provided by the first aspect, in some possible implementation manners, when the second user terminal performs packet transmission again, the method further includes: searching for the second quintuple policy corresponding to the second user terminal, and matching the quintuple of the incoming packet against the second quintuple policy.
In the application, when a message is transmitted again with the second user terminal, the second quintuple policy corresponding to the second user terminal is looked up directly, and the quintuple of the incoming packet is matched against it. Quick forwarding of the encrypted message in the tunnel is realized, and the connection with the second user terminal does not need to be re-established. Resource consumption in the communication process is reduced, and the overall performance of the secure network system is improved.
In a second aspect, an embodiment of the present application provides a message transmission method, which is applied to a first user terminal in a secure network system, where the secure network system further includes an SSL VPN gateway and a second user terminal; a first tunnel is established between the first user terminal and the SSL VPN gateway, a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal, and the first tunnel corresponds to a first tunnel encryption tuple strategy; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the method includes: receiving a virtual address of the second user terminal issued by the SSL VPN gateway; matching a first protection strategy; the first protection strategy comprises an object needing protection; encrypting a first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message; wherein, the first message is the object to be protected; and sending the first encrypted message to the SSL VPN gateway through the first tunnel so that the SSL VPN gateway sends the first message to the second user terminal through the second tunnel.
With reference to the technical solution provided by the second aspect, in some possible implementations, the method further includes: receiving a fourth encrypted message sent by the SSL VPN gateway through the first tunnel; and the fourth encrypted message is obtained by encrypting the second message received through the second tunnel through the first tunnel encryption tuple policy.
With reference to the technical solution provided by the second aspect, in some possible implementation manners, the first protection policy includes an access parameter of a time policy.
In a third aspect, an embodiment of the present application provides a packet transmission device, which is applied to an SSL VPN gateway in a secure network system, where the secure network system further includes a first user terminal and a second user terminal, and the device includes: a determining module, configured to determine that the virtual address network segment of the second user terminal has been successfully added to the access policy of the first user terminal after a first tunnel is established with the first user terminal; after a second tunnel is established with the second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal; a first sending module, configured to send a virtual address of the second user terminal to the first user terminal; the decryption module is used for receiving a first encrypted message sent by the first user terminal through the first tunnel and decrypting the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal; and the second sending module is used for sending the decrypted first message to the second user terminal through the second tunnel.
In a fourth aspect, an embodiment of the present application provides a message transmission apparatus, which is applied to a first user terminal in a secure network system, where the secure network system further includes an SSL VPN gateway and a second user terminal; a first tunnel is established between the first user terminal and the SSL VPN gateway, a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal, and the first tunnel corresponds to a first tunnel encryption tuple strategy; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the apparatus includes: a first receiving module, configured to receive a virtual address of the second user terminal issued by the SSL VPN gateway; the matching module is used for matching the first protection strategy; wherein the first protection policy is pre-provisioned in the first user terminal; the first protection strategy comprises an object needing protection; the encryption module is used for encrypting a first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message; wherein, the first message is the object to be protected; and the sending module is used for sending the first encrypted message to the SSL VPN gateway through the first tunnel so that the SSL VPN gateway sends the first message to the second user terminal through the second tunnel.
In a fifth aspect, an embodiment of the present application provides a secure network system, including: the system comprises an SSL VPN gateway, a first user terminal and a second user terminal; a first tunnel is established between the first user terminal and the SSL VPN gateway, and a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the virtual address network segment of the first user terminal is added in the access strategy of the second user terminal; the SSL VPN gateway is configured to perform the method provided in the first aspect; the first user terminal is configured to execute the method provided by the second aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a secure network system according to an embodiment of the present application.
Fig. 2 is a flowchart illustrating steps of a message transmission method according to an embodiment of the present application.
Fig. 3 is a flowchart illustrating steps of another message transmission method according to an embodiment of the present application.
Fig. 4 is a block diagram of a message transmission apparatus according to an embodiment of the present application.
Icon: 100-a secure network system; 10-a first user terminal; 20-a second user terminal; a 30-SSL VPN gateway; 200-a message transmission device; 201-a determination module; 202-a first sending module; 203-a decryption module; 204-a second sending module; 205-a setup module; 206-a generation module; 207-a lookup module; 208-a third sending module; 209-fourth sending module.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
At present, SSL VPNs mainly implement encrypted data transmission between a user terminal and a service server by establishing an SSL tunnel, but cannot implement encrypted data transmission between two user terminals.
In view of the above problems, the present inventors have studied and researched to provide the following embodiments to solve the above problems.
Referring to fig. 1, an embodiment of the present application provides a secure network system 100, including: a first user terminal 10, a second user terminal 20 and an SSL VPN gateway 30.
The first user terminal 10 and the second user terminal 20 may be communication devices such as mobile phones and computers. The present application is not limited.
In order to enable encrypted transmission of data between the first user terminal 10 and the second user terminal 20, a first tunnel must first be established between the first user terminal 10 and the SSL VPN gateway 30, and a second tunnel between the second user terminal 20 and the SSL VPN gateway 30, so that the SSL VPN gateway 30 can forward the encrypted data between the first user terminal 10 and the second user terminal 20 through the first tunnel and the second tunnel.
The establishment procedure of the first tunnel and the second tunnel is described below.
Optionally, the first tunnel is established by the following steps: the SSL VPN gateway receives the list of encryption algorithms provided by the first user terminal. The SSL VPN gateway establishes a first tunnel based on an encryption algorithm shared by the SSL VPN gateway and the first user terminal, and generates a first tunnel encryption tuple policy.
It is understood that the encryption algorithms may include symmetric algorithms such as DES (Data Encryption Standard) and RC4 (Rivest Cipher 4, a stream cipher), as well as authentication algorithms, hash algorithms, and the like. The first user terminal provides all the algorithms it supports, that is, an encryption algorithm list; the SSL VPN gateway then selects an encryption algorithm it shares with the first user terminal to establish the first tunnel, and generates a first tunnel encryption tuple policy. Of course, one or more common encryption algorithms may be selected to establish the first tunnel and generate the first tunnel encryption tuple policy, which is not limited in this application. The first tunnel encryption tuple policy is based on the common encryption algorithm. The SSL VPN gateway and the first user terminal may encrypt and decrypt packets transmitted between them through the first tunnel based on the first tunnel encryption tuple policy.
It should be noted that the tunnel establishment process is based on the SSL handshake protocol, and negotiation is performed through the standard SSL handshake sequence (client hello, server hello, ..., server hello done). During tunnel negotiation, a tunnel encryption tuple policy containing a tunnel encryption key, an authentication key, an encryption algorithm, an authentication algorithm and a hash algorithm is generated from information such as the negotiated algorithm suite, the session control data and the first user terminal's public key. Therefore, the tunnel encryption tuple policies generated for different user terminals are different.
Optionally, the second tunnel is established by: the SSL VPN gateway receives the list of encryption algorithms provided by the second user terminal. And the SSL VPN gateway establishes a second tunnel based on an encryption algorithm shared by the second user terminal and generates a second tunnel encryption tuple policy. The SSL VPN gateway and the second user terminal may encrypt/decrypt the packet transmitted between the two through the second tunnel based on the second tunnel encryption tuple policy.
Since the generation process of the second tunnel is the same as the generation process of the first tunnel, the description is not repeated here to avoid redundancy.
After the first tunnel is established, the SSL VPN gateway needs to determine whether secure communication between the first user terminal and the second user terminal can be performed through the tunnel. In this embodiment, the SSL VPN gateway determines that the virtual address network segment of the second user terminal is added to the access policy of the first user terminal and that the virtual address network segment of the first user terminal is added to the access policy of the second user terminal, so as to determine that the first user terminal and the second user terminal can perform secure communication through a tunnel. That is, after the SSL VPN client of the first user terminal is opened and the first user terminal and the SSL VPN gateway have successfully established the first tunnel, the virtual address network segment of the second user terminal is added to the access policy of the first user terminal. And after the SSL VPN client of the second user terminal is opened and the second user terminal and the SSL VPN gateway successfully establish a second tunnel, adding the virtual address network segment of the first user terminal in the access strategy of the second user terminal. If the SSL VPN gateway determines that the virtual address network segment of the second user terminal is added in the access strategy of the first user terminal and determines that the virtual address network segment of the first user terminal is added in the access strategy of the second user terminal, the first user terminal and the second user terminal can carry out safe communication through a tunnel.
It should be noted that a network segment refers to a portion of a computer network whose hosts can communicate directly using the same physical layer device. For example, the addresses from 192.168.0.1 to 192.168.255.255 constitute one segment.
It should be noted that, if the first user terminal needs to perform secure communication with the third user terminal through the tunnel, the virtual address network segment of the third user terminal needs to be added to the access policy of the first user terminal.
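The bidirectional check described above (each terminal's access policy must contain the other terminal's virtual address network segment before the gateway relays traffic, and a third terminal is reachable only after its segment is added) can be expressed as follows. This is an added illustration written for this page, not code from the patent; the terminal names, virtual addresses and segments are constructed sample values.

```python
import ipaddress
from typing import Dict, List

# terminal id -> list of virtual address network segments allowed for that terminal
AccessPolicy = Dict[str, List[str]]


def add_segment(policies: AccessPolicy, terminal: str, segment: str) -> None:
    """Called once the terminal's tunnel is up: add a peer's virtual address
    network segment to this terminal's access policy (malformed input rejected)."""
    net = ipaddress.ip_network(segment, strict=False)
    policies.setdefault(terminal, []).append(str(net))


def segment_allowed(policies: AccessPolicy, terminal: str, peer_vaddr: str) -> bool:
    """True if the peer's virtual address lies in a segment of the terminal's policy."""
    ip = ipaddress.ip_address(peer_vaddr)
    return any(ip in ipaddress.ip_network(seg) for seg in policies.get(terminal, []))


def can_relay(policies: AccessPolicy, vaddrs: Dict[str, str], src: str, dst: str) -> bool:
    """Gateway decision: relay only when src's policy contains dst's segment AND
    dst's policy contains src's segment, i.e. both conditions in the description."""
    return (segment_allowed(policies, src, vaddrs[dst])
            and segment_allowed(policies, dst, vaddrs[src]))


def demo() -> Dict[str, bool]:
    # Constructed sample virtual addresses (not taken from the patent).
    vaddrs = {"ue1": "10.8.1.15", "ue2": "10.8.2.27", "ue3": "10.8.3.5"}
    policies: AccessPolicy = {}
    add_segment(policies, "ue1", "10.8.2.0/24")   # after the first tunnel is up
    add_segment(policies, "ue2", "10.8.1.0/24")   # after the second tunnel is up
    before = can_relay(policies, vaddrs, "ue1", "ue3")
    add_segment(policies, "ue1", "10.8.3.0/24")   # ue1 now also wants to reach ue3
    add_segment(policies, "ue3", "10.8.1.0/24")
    return {
        "ue1<->ue2": can_relay(policies, vaddrs, "ue1", "ue2"),
        "ue1<->ue3 before": before,
        "ue1<->ue3 after": can_relay(policies, vaddrs, "ue1", "ue3"),
    }
```

A one-sided entry (only ue1 listing ue2's segment) is deliberately not enough: the relay is refused until the reverse segment has also been added, which mirrors the two determinations the gateway makes in the description.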
When the tunnels are successfully established and the policies are successfully added, the specific process of secure communication between the first user terminal and the second user terminal through the tunnels is described below. Referring to fig. 2, an embodiment of the present application provides a message transmission method comprising the following steps, step S101 to step S108.
Step S101: and the first user terminal receives the virtual address of the second user terminal sent by the SSL VPN gateway.
Step S102: the first user terminal matches the first protection policy.
Step S103: and the first user terminal encrypts the first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message.
Step S104: and the first user terminal sends the first encrypted message to the SSL VPN gateway.
Step S105: and the SSL VPN gateway decrypts the first encrypted message to obtain a decrypted first message.
Step S106: and the SSL VPN gateway encrypts the first message through a second tunnel encryption tuple policy to generate a second encrypted message.
Step S107: and the SSL VPN gateway sends the second encrypted message to the second user terminal.
Step S108: and the second user terminal decrypts the second encrypted message to obtain the decrypted first message.
Each flow of the message transmission method will be described in detail with reference to an example.
Step S101: and the first user terminal receives the virtual address of the second user terminal sent by the SSL VPN gateway.
In the present application, information transmission is realized through a virtual address issued by an SSL VPN gateway. The virtual address issued by the SSL VPN gateway is issued through a server corresponding to the SSL VPN gateway. The server is used for address maintenance and management. That is, the virtual address of the second user terminal received by the first user terminal is issued by the server corresponding to the SSL VPN gateway. It should be noted that the virtual address of the second user terminal may be understood as an internal private address obtained when the second user terminal accesses the internet through the operator.
Step S102: the first user terminal matches the first protection policy.
The first protection policy contains objects that need protection. The object to be protected may be, for example, a mail, a short message, or the like. It should be noted that, the first user terminal needs to configure a protection object in advance, and when the first tunnel is successfully established, a corresponding protection policy is generated.
Optionally, the first protection policy comprises access parameters of a time policy. For example, if the first user terminal is configured with an authorized resource OA (Office Automation) and the authorization time is Monday to Friday, then after the first tunnel is successfully established, a protection policy for the OA resource with a time range of Monday to Friday is generated. That is, access to the resource from Monday to Friday must be encrypted with the first tunnel encryption tuple policy. It should be noted that, if the first user terminal has not been granted the corresponding authorization, no protection policy is generated after the first tunnel is established; the first user terminal then forwards its traffic in plaintext by ordinary routing when accessing the resource, and does not access the resource through the encrypted tunnel.
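The client-side decision in step S102, including the time-policy access parameter and the plaintext fallback when no protection policy covers the access, can be modelled as below. This is an added example for this page, not the patent's own code; the resource name "OA" and the Monday-to-Friday window come from the description, while the policy structure and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class ProtectionPolicy:
    """Generated once the first tunnel is up, from the resource the terminal
    was authorized for and the time-policy access parameter."""
    protected_object: str       # the object needing protection, e.g. "OA"
    weekdays: frozenset         # allowed days, 0 = Monday ... 6 = Sunday

    def matches(self, resource: str, when: datetime) -> bool:
        return resource == self.protected_object and when.weekday() in self.weekdays


def select_path(policies: Iterable[ProtectionPolicy], resource: str, when: datetime) -> str:
    """'tunnel' when some protection policy covers this access (the message is
    then encrypted with the first tunnel encryption tuple policy); otherwise
    'plaintext', i.e. ordinary routing as for an unauthorized resource."""
    for policy in policies:
        if policy.matches(resource, when):
            return "tunnel"
    return "plaintext"


# Constructed sample policy: OA resource authorized Monday to Friday.
MON_TO_FRI = frozenset(range(5))
OA_POLICY = ProtectionPolicy("OA", MON_TO_FRI)
```

The fallback is the point worth checking in a deployment: a terminal that is missing its authorization does not fail closed but routes the access in plaintext, so the generated protection policies should be audited against the resources that are expected to be protected.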
Step S103: and the first user terminal encrypts the first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message.
After the first protection policy is matched, the first user terminal encrypts the first message to be transmitted and the virtual address of the second user terminal with the first tunnel encryption tuple policy to generate a first encrypted message. That is, the first message to be transmitted and the virtual address of the second user terminal are encapsulated based on the first tunnel encryption tuple policy. It should be noted that the virtual address is a private address, and a private address cannot be routed on the Internet. Therefore, in the embodiment of the present application, the virtual address is used for the inner packet encapsulation: this part of the packet is plaintext at the first user terminal and is then encrypted based on the first tunnel encryption tuple policy, and after the outer packet is encapsulated with the real IP address, the virtual address part of the packet has been converted to ciphertext.
In this embodiment the first tunnel is established with an encryption algorithm shared by the first user terminal and the SSL VPN gateway, and the first tunnel encryption tuple policy is generated from it, which enables encrypted data transmission between the first user terminal and the SSL VPN gateway.
Step S104: and the first user terminal sends the first encrypted message to the SSL VPN gateway.
After the first message has been encapsulated, that is, once the first encrypted message has been generated, a route lookup is performed on it and it is sent from the physical network interface to the SSL VPN gateway.
Step S105: and the SSL VPN gateway decrypts the first encrypted message to obtain a decrypted first message.
The SSL VPN gateway receives the first encrypted message from the first user terminal on its physical interface. Optionally, when the SSL VPN gateway exchanges messages with the first user terminal for the first time, it generates a five-tuple policy for the first tunnel (the first five-tuple policy) and stores it. The five-tuple policy consists of the first user terminal address, the first user terminal port, the SSL VPN address, the SSL VPN port and the SSL protocol. The first user terminal address is the routable address of the first user terminal (e.g. 192.168.0.1) and the first user terminal port is its port (e.g. 80, 139); the protocol is the SSL/TLS protocol version, such as TLS 1.0 or TLS 1.3. When the SSL VPN gateway and the first user terminal exchange messages again, the gateway looks up the first five-tuple policy corresponding to the first user terminal and matches the incoming message against it.
In this embodiment, when the first user terminal transmits again, the first five-tuple policy corresponding to it is looked up directly and the message is matched against it, so the encrypted message is forwarded through the tunnel quickly without re-establishing the connection with the first user terminal. This reduces the resource consumption of the communication and improves the overall performance of the secure network system.
The SSL VPN gateway decrypts the first encrypted message using the first tunnel encryption tuple policy to obtain the decrypted first message, and then reads its destination. Because the first user terminal encrypted the first message together with the virtual address of the second user terminal, the destination of the decrypted first message is the virtual address of the second user terminal, and step S106 is executed.
Step S106: and the SSL VPN gateway encrypts the first message through a second tunnel encryption tuple policy to generate a second encrypted message.
Step S107: and the SSL VPN gateway sends the second encrypted message to the second user terminal.
After the second encrypted message has been generated, a route lookup is performed on the SSL VPN gateway and the second encrypted message is sent from the physical network interface to the second user terminal.
Step S108: and the second user terminal decrypts the second encrypted message to obtain the decrypted first message.
After receiving the second encrypted message, the second user terminal decrypts it under the second tunnel encryption tuple policy to obtain the decrypted first message.
The encryption transmission of the message from the first user terminal to the second user terminal is realized through the steps S101 to S108.
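The following Python is added here as an illustration; it is not code from the patent or its assignee. It runs steps S101 to S108, and the reply path of steps S109 to S116, through a constructed model of the flow described above: negotiation of a shared cipher from the terminal's algorithm list (the paragraph after step S103), inner encapsulation of the message with the virtual addresses (step S103), the gateway's five-tuple session table created on first transmission and looked up afterwards (the paragraphs after step S105), decryption under the first tunnel's policy and re-encryption under the second tunnel's policy (steps S105 and S106), and decryption at the second user terminal (step S108). All addresses, ports and suite names are constructed, and the encrypt-then-MAC construction built from SHA-256 and HMAC is a stand-in for the negotiated TLS cipher suite, not the page's cipher. The check in `forward()` that the inner source address matches the tunnel the packet arrived on is an assumption of this example, not something the page states; the access-policy check corresponds to the virtual address segments the page says are added to each terminal's access policy.

```python
"""Two-hop SSL VPN relay, terminal A -> gateway -> terminal B (constructed model)."""
import hashlib
import hmac
import os
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address

FiveTuple = namedtuple("FiveTuple", "src_ip src_port gw_ip gw_port proto")
Tunnel = namedtuple("Tunnel", "suite key")      # stands for the "tunnel encryption tuple policy"
GATEWAY_SUITES = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]   # assumed preference order


def negotiate(client_list):
    """Pick the first gateway-preferred suite that the client also offers."""
    for s in GATEWAY_SUITES:
        if s in client_list:
            return s
    raise ValueError("no common encryption algorithm; tunnel not established")


def _stream(key, nonce, n):
    """Keystream from a SHA-256 counter construction (stand-in for the real cipher)."""
    ke = hashlib.sha256(b"enc" + key).digest()
    blocks = (hashlib.sha256(ke + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, inner):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(inner, _stream(key, nonce, len(inner))))
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    km = hashlib.sha256(b"mac" + key).digest()
    if not hmac.compare_digest(hmac.new(km, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tunnel MAC check failed; packet dropped")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))


def pack_inner(src_vip, dst_vip, payload):
    """Inner packet: virtual source, virtual destination, payload (plaintext before seal)."""
    return IPv4Address(src_vip).packed + IPv4Address(dst_vip).packed + payload


def parse_inner(inner):
    return str(IPv4Address(inner[:4])), str(IPv4Address(inner[4:8])), inner[8:]


@dataclass
class Terminal:
    real_ip: str
    port: int
    vip: str            # virtual address assigned by the gateway
    suites: list        # encryption algorithm list offered at tunnel setup
    tunnel: Tunnel = None

    def send(self, dst_vip, payload):      # step S103: encrypt message + peer's virtual address
        return seal(self.tunnel.key, pack_inner(self.vip, dst_vip, payload))

    def recv(self, blob):                  # step S108: decrypt under own tunnel policy
        return parse_inner(unseal(self.tunnel.key, blob))


class Gateway:
    def __init__(self, ip, port=443):
        self.ip, self.port = ip, port
        self.sessions = {}   # FiveTuple -> Tunnel; created on first transmission, reused afterwards
        self.vip_of = {}     # FiveTuple -> virtual address bound to that tunnel
        self.route = {}      # virtual address -> FiveTuple of the terminal that owns it
        self.acl = {}        # virtual address -> peer virtual addresses in its access policy

    def establish(self, t):
        """Tunnel setup: negotiate a shared suite, derive a key, record the five-tuple."""
        tun = Tunnel(negotiate(t.suites), os.urandom(32))
        ft = FiveTuple(t.real_ip, t.port, self.ip, self.port, "TLSv1.3")
        self.sessions[ft] = t.tunnel = tun
        self.vip_of[ft], self.route[t.vip] = t.vip, ft
        return ft

    def authorize(self, a, b):
        """Add each terminal's virtual address to the other's access policy."""
        self.acl.setdefault(a.vip, set()).add(b.vip)
        self.acl.setdefault(b.vip, set()).add(a.vip)

    def forward(self, ft, blob):
        tun = self.sessions.get(ft)                 # five-tuple lookup, no new handshake
        if tun is None:
            raise LookupError("no tunnel for this five-tuple")
        src_vip, dst_vip, payload = parse_inner(unseal(tun.key, blob))   # step S105
        if src_vip != self.vip_of[ft]:              # assumed check: inner source must match its tunnel
            raise PermissionError("inner source address does not belong to this tunnel")
        if dst_vip not in self.acl.get(src_vip, ()):
            raise PermissionError("destination not in the sender's access policy")
        out_ft = self.route[dst_vip]
        return out_ft, seal(self.sessions[out_ft].key, pack_inner(src_vip, dst_vip, payload))  # S106


def demo():
    gw = Gateway("203.0.113.1")                                     # constructed addresses
    a = Terminal("198.51.100.10", 51001, "10.8.0.2", ["AES-128-GCM", "AES-256-GCM"])
    b = Terminal("198.51.100.20", 51002, "10.8.0.3", ["CHACHA20-POLY1305", "AES-128-GCM"])
    ft_a, ft_b = gw.establish(a), gw.establish(b)
    gw.authorize(a, b)
    out_ft, blob = gw.forward(ft_a, a.send(b.vip, b"GET /oa HTTP/1.1"))   # S103-S107
    assert out_ft == ft_b
    reply = gw.forward(ft_b, b.send(a.vip, b"200 OK"))[1]              # S109-S116, same path back
    return a.tunnel.suite, b.tunnel.suite, b.recv(blob), a.recv(reply)[2], len(gw.sessions)


def unauthorized_is_dropped():
    """A terminal whose access policy lacks the peer's virtual address cannot reach it."""
    gw = Gateway("203.0.113.1")
    a = Terminal("198.51.100.10", 51001, "10.8.0.2", ["AES-256-GCM"])
    c = Terminal("198.51.100.30", 51003, "10.8.0.4", ["AES-256-GCM"])
    ft_a = gw.establish(a)
    gw.establish(c)                                 # note: no authorize(a, c)
    try:
        gw.forward(ft_a, a.send(c.vip, b"x"))
        return False
    except PermissionError:
        return True
```

The gateway sees every inner packet in the clear between `unseal` and `seal`; the two-tunnel design protects the links, not the payload from the gateway, which is why the access-policy and source-binding checks belong there.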
In this embodiment the SSL VPN gateway, after establishing the first tunnel with the first user terminal, determines that the virtual address segment of the second user terminal has been added to the access policy of the first user terminal; after establishing the second tunnel with the second user terminal, it determines that the virtual address segment of the first user terminal has been added to the access policy of the second user terminal. It then sends the virtual address of the second user terminal to the first user terminal, receives the first encrypted message sent by the first user terminal through the first tunnel (which includes the virtual address of the second user terminal), decrypts it, and sends the decrypted first message to the second user terminal through the second tunnel. The first and second tunnels thus provide encrypted data transmission between the first user terminal and the second user terminal and improve the security of point-to-point service communication.
Of course, in other implementations the flow may omit the step of encrypting the first message under the first tunnel encryption tuple policy and the step of re-encrypting the decrypted first message under the second tunnel encryption tuple policy; that is, the first message may be forwarded in plaintext.
In one embodiment the data transmission between the first user terminal and the second user terminal is bidirectional, with the second user terminal replying to the first. Referring to fig. 3, after step S108 the method therefore further includes steps S109 to S116.
Step S109: and the second user terminal receives the virtual address of the first user terminal sent by the SSL VPN gateway.
Step S110: the second user terminal matches the second protection policy.
Step S111: and the second user terminal encrypts the second message and the virtual address of the first user terminal through a second tunnel encryption tuple policy to generate a third encrypted message.
Step S112: and the second user terminal sends a third encrypted message to the SSL VPN gateway.
Step S113: and the SSL VPN gateway decrypts the third encrypted message to obtain a decrypted second message.
Step S114: and the SSL VPN gateway encrypts the second message through the first tunnel encryption tuple policy to generate a fourth encrypted message.
Step S115: and the SSL VPN gateway sends a fourth encryption message to the first user terminal.
Step S116: and the first user terminal decrypts the fourth encrypted message to obtain a decrypted second message.
Steps S109 to S116 mirror steps S101 to S108 with the roles of the two user terminals exchanged. To avoid redundancy they are not described again; the corresponding parts may be referred to each other.
Referring to fig. 4, based on the same inventive concept, an embodiment of the present application further provides a message transmission apparatus 200 applied to an SSL VPN gateway in a secure network system, where the secure network system further includes a first user terminal and a second user terminal, and the apparatus comprises:
a determining module 201, configured to determine that the virtual address network segment of the second user terminal has been successfully added to the access policy of the first user terminal after a first tunnel is established with the first user terminal; after a second tunnel is established with the second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal;
a first sending module 202, configured to send a virtual address of the second user terminal to the first user terminal;
a decryption module 203, configured to receive a first encrypted message sent by the first user terminal through the first tunnel, and decrypt the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal;
and a second sending module 204, configured to send the decrypted first packet to the second user terminal through the second tunnel.
Optionally, the apparatus further comprises: an establishing module 205, configured to receive an encryption algorithm list provided by the first user terminal; and establishing the first tunnel based on an encryption algorithm shared by the first user terminal, and generating a first tunnel encryption tuple policy.
Optionally, the decryption module is further configured to decrypt the first encrypted packet according to the first tunnel encryption tuple policy.
Optionally, the apparatus further comprises: a generation module 206; the generating module is used for generating a first quintuple policy of the first tunnel when the first user terminal performs message transmission for the first time; wherein the first five-tuple policy comprises a first user terminal address, a first user terminal port, an SSL VPN address, an SSL VPN port, and an SSL protocol.
Optionally, the apparatus further comprises a lookup module 207, configured to look up the first five-tuple policy corresponding to the first user terminal and match the message against that first five-tuple policy.
Optionally, the establishing module is further configured to receive an encryption algorithm list provided by the second user terminal; and establishing the second tunnel based on an encryption algorithm shared by the second user terminal, and generating a second tunnel encryption tuple policy.
Optionally, the second sending module is further configured to encrypt the decrypted first packet according to the second tunnel encryption tuple policy to generate a second encrypted packet; and sending the second encrypted message to the second user terminal.
Optionally, the apparatus further includes a third sending module 208, configured to send the virtual address of the first user terminal to the second user terminal.
Optionally, the decryption module is further configured to receive a third encrypted message sent by the second user terminal through the second tunnel, and decrypt the third encrypted message; wherein the third encrypted message includes a virtual address of the first user terminal.
Optionally, the apparatus further includes a fourth sending module 209, configured to send the decrypted second packet to the first user terminal through the first tunnel.
Optionally, the generating module is further configured to generate a second five-tuple policy of the second tunnel; the second quintuple policy comprises a second user terminal address, a second user terminal port, an SSL VPN address, an SSL VPN port and an SSL protocol.
Optionally, the lookup module is further configured to look up the second five-tuple policy corresponding to the second user terminal and match the message against that second five-tuple policy.
Based on the same inventive concept, the embodiment of the present application further provides a message transmission device, which is applied to a first user terminal in a secure network system, where the secure network system further includes an SSL VPN gateway and a second user terminal; a first tunnel is established between the first user terminal and the SSL VPN gateway, a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal, and the first tunnel corresponds to a first tunnel encryption tuple strategy; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the apparatus includes:
a first receiving module, configured to receive a virtual address of the second user terminal issued by the SSL VPN gateway;
the matching module is used for matching the first protection strategy; wherein the first protection policy is pre-provisioned in the first user terminal; the first protection strategy comprises an object needing protection;
the encryption module is used for encrypting a first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message; wherein, the first message is the object to be protected;
and the sending module is used for sending the first encrypted message to the SSL VPN gateway through the first tunnel so that the SSL VPN gateway sends the first message to the second user terminal through the second tunnel.
Optionally, the apparatus further includes a second receiving module, where the second receiving module is configured to receive a fourth encrypted packet sent by the SSL VPN gateway through the first tunnel; and the fourth encrypted message is obtained by encrypting the second message received through the second tunnel through the first tunnel encryption tuple policy.
Based on the same inventive concept, the present application further provides a storage medium, on which a computer program is stored, and when the computer program is executed, the computer program performs the method provided in the foregoing embodiments.
The storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more integrated servers, data centers, and the like. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (15)

1. A message transmission method is applied to an SSL VPN gateway in a secure network system, wherein the secure network system further comprises a first user terminal and a second user terminal, and the method comprises the following steps:
after a first tunnel is established with the first user terminal, determining that the virtual address network segment of the second user terminal is successfully added in the access strategy of the first user terminal; after a second tunnel is established with the second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal;
sending the virtual address of the second user terminal to the first user terminal;
receiving a first encrypted message sent by the first user terminal through the first tunnel, and decrypting the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal;
sending the decrypted first message to the second user terminal through the second tunnel;
sending the virtual address of the first user terminal to the second user terminal;
receiving a third encrypted message sent by the second user terminal through the second tunnel, and decrypting the third encrypted message; wherein the third encrypted message comprises the virtual address of the first user terminal and the second message;
and sending the decrypted second message to the first user terminal through the first tunnel.
2. The message transmission method according to claim 1, wherein the first tunnel is established by:
receiving an encryption algorithm list provided by the first user terminal;
and establishing the first tunnel based on an encryption algorithm shared by the first user terminal, and generating a first tunnel encryption tuple policy.
3. The message transmission method according to claim 2, wherein the decrypting the first encrypted message comprises:
and decrypting the first encrypted message according to the first tunnel encryption tuple policy.
4. The message transmission method according to claim 1, wherein when the first message transmission is performed with the first user terminal, the method further comprises:
generating a first quintuple policy of the first tunnel; wherein the first five-tuple policy comprises a first user terminal address, a first user terminal port, an SSL VPN address, an SSL VPN port, and an SSL protocol.
5. The message transmission method according to claim 4, wherein when the message transmission is performed again with the first user terminal, the method further comprises:
looking up the first quintuple policy corresponding to the first user terminal, and matching the message against the first quintuple policy.
6. The message transmission method according to claim 1, wherein the second tunnel is established by:
receiving an encryption algorithm list provided by the second user terminal;
and establishing the second tunnel based on an encryption algorithm shared by the second user terminal, and generating a second tunnel encryption tuple policy.
7. The message transmission method according to claim 6, wherein the sending the decrypted first message to the second user terminal through the second tunnel includes:
encrypting the first message obtained after decryption according to the second tunnel encryption tuple policy to generate a second encrypted message;
and sending the second encrypted message to the second user terminal.
8. The message transmission method according to claim 1, wherein when the message transmission is performed with the second user terminal for the first time, the method further comprises:
generating a second quintuple policy for the second tunnel; the second quintuple policy comprises a second user terminal address, a second user terminal port, an SSL VPN address, an SSL VPN port and an SSL protocol.
9. The message transmission method according to claim 8, wherein when the message transmission is performed again with the second user terminal, the method further comprises:
looking up the second quintuple policy corresponding to the second user terminal, and matching the message against the second quintuple policy.
10. The message transmission method is characterized by being applied to a first user terminal in a secure network system, wherein the secure network system further comprises an SSL VPN gateway and a second user terminal; a first tunnel is established between the first user terminal and the SSL VPN gateway, a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal, and the first tunnel corresponds to a first tunnel encryption tuple strategy; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the method includes:
receiving a virtual address of the second user terminal issued by the SSL VPN gateway;
matching a first protection strategy; the first protection strategy comprises an object needing protection;
encrypting a first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message; wherein, the first message is the object to be protected;
sending the first encrypted message to the SSL VPN gateway through the first tunnel, so that the SSL VPN gateway sends the first message to the second user terminal through the second tunnel;
receiving a second message sent by the SSL VPN gateway; wherein the SSL VPN gateway sends the virtual address of the first user terminal to the second user terminal, receives a third encrypted message sent by the second user terminal through the second tunnel, and decrypts the third encrypted message to obtain the second message; the third encrypted message includes the virtual address of the first user terminal.
11. The message transmission method according to claim 10, wherein the method further comprises:
receiving a fourth encrypted message sent by the SSL VPN gateway through the first tunnel; and the fourth encrypted message is obtained by encrypting the second message received through the second tunnel through the first tunnel encryption tuple policy.
12. The message transmission method according to claim 10, wherein the first protection policy includes access parameters of a time policy.
13. A message transmission apparatus, applied to an SSL VPN gateway in a secure network system, the secure network system further including a first user terminal and a second user terminal, the apparatus comprising:
a determining module, configured to determine that the virtual address network segment of the second user terminal has been successfully added to the access policy of the first user terminal after a first tunnel is established with the first user terminal; after a second tunnel is established with the second user terminal, determining that the virtual address network segment of the first user terminal is successfully added in the access strategy of the second user terminal;
a first sending module, configured to send a virtual address of the second user terminal to the first user terminal;
the decryption module is used for receiving a first encrypted message sent by the first user terminal through the first tunnel and decrypting the first encrypted message; wherein the first encrypted message includes a virtual address of the second user terminal;
the second sending module is used for sending the decrypted first message to the second user terminal through the second tunnel;
a third sending module, configured to send the virtual address of the first user terminal to the second user terminal;
the decryption module is further configured to receive a third encrypted message sent by the second user terminal through the second tunnel, and decrypt the third encrypted message; wherein the third encrypted message comprises the virtual address of the first user terminal and the second message;
and the fourth sending module is used for sending the decrypted second message to the first user terminal through the first tunnel.
14. The message transmission device is applied to a first user terminal in a secure network system, and the secure network system further comprises an SSL VPN gateway and a second user terminal; a first tunnel is established between the first user terminal and the SSL VPN gateway, a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal, and the first tunnel corresponds to a first tunnel encryption tuple strategy; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the apparatus includes:
a first receiving module, configured to receive a virtual address of the second user terminal issued by the SSL VPN gateway;
the matching module is used for matching the first protection strategy; wherein the first protection policy is pre-provisioned in the first user terminal; the first protection strategy comprises an object needing protection;
the encryption module is used for encrypting a first message and the virtual address of the second user terminal through the first tunnel encryption tuple policy to generate a first encrypted message; wherein, the first message is the object to be protected;
a sending module, configured to send the first encrypted packet to the SSL VPN gateway through the first tunnel, so that the SSL VPN gateway sends the first packet to the second user terminal through the second tunnel;
a second receiving module, configured to receive a second message sent by the SSL VPN gateway; wherein the SSL VPN gateway sends the virtual address of the first user terminal to the second user terminal, receives a third encrypted message sent by the second user terminal through the second tunnel, and decrypts the third encrypted message to obtain the second message; the third encrypted message includes the virtual address of the first user terminal.
15. A secure network system, comprising: the system comprises an SSL VPN gateway, a first user terminal and a second user terminal;
a first tunnel is established between the first user terminal and the SSL VPN gateway, and a virtual address network segment of the second user terminal is added in an access strategy of the first user terminal; a second tunnel is established between the second user terminal and the SSL VPN gateway, and the virtual address network segment of the first user terminal is added in the access strategy of the second user terminal;
the SSL VPN gateway is adapted to perform the method of any of claims 1-9;
the first user terminal is adapted to perform the method of any of claims 10-12.
CN201911424975.6A 2019-12-31 2019-12-31 Message transmission method, device and secure network system Active CN110995564B (en)
Publications (2)

Publication Number Publication Date
CN110995564A CN110995564A (en) 2020-04-10
CN110995564B true CN110995564B (en) 2021-11-12

Family

ID=70080440

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1866876A (en) * 2005-05-20 2006-11-22 Hitachi, Ltd. System and method for encrypted communication
CN101199187A (en) * 2004-07-23 2008-06-11 Citrix Systems, Inc. A method and systems for securing remote access to private networks
CN104601325A (en) * 2013-10-31 2015-05-06 Huawei Technologies Co., Ltd. Data encryption method, device, equipment and system and data decryption method, device, equipment and system
CN105610667A (en) * 2015-12-23 2016-05-25 Shenzhen Huachengfeng Industrial Co., Ltd. Method and device for establishing channel of virtual private network
CN106506354A (en) * 2016-10-31 2017-03-15 Hangzhou H3C Technologies Co., Ltd. Message transmitting method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572643B (en) * 2008-04-30 2011-06-22 Chengdu Huawei Symantec Technologies Co., Ltd. Method and system for realizing data transmission among private networks
CN102769618B (en) * 2012-07-18 2015-03-11 Beijing Star-Net Ruijie Networks Co., Ltd. WEB access processing method, network equipment and communication system
KR20140122335A (en) * 2013-04-09 2014-10-20 Electronics and Telecommunications Research Institute (ETRI) Method for constructing virtual private network, method for packet forwarding and gateway apparatus using the methods

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and scheme design of terminal access control for enterprise networks; Lü Yang; China Master's Theses Full-text Database; 2015-04-15; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant