CN111147344A - Virtual private network implementation method, device, equipment and medium - Google Patents


Info

Publication number: CN111147344A
Authority: CN (China)
Prior art keywords: message, analyzed, encrypted, network protocol, virtual private
Legal status: Granted
Application number: CN201911296706.6A
Other languages: Chinese (zh)
Other versions: CN111147344B (en)
Inventors: 梅松, 张云鹤, 郑聪, 叶志强, 万雷, 任永和, 宋峰峰, 付宁静, 张平, 陈高金
Current assignee: Wuhan Fly For Same Flight Network Technology Ltd By Share Ltd
Original assignee: Wuhan Fly For Same Flight Network Technology Ltd By Share Ltd
Application filed by Wuhan Fly For Same Flight Network Technology Ltd By Share Ltd
Priority to CN201911296706.6A
Publication of CN111147344A
Application granted
Publication of CN111147344B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention provides a method, a device, equipment and a medium for implementing a virtual private network. The method comprises the following steps: acquiring data messages from a physical network card, cyclically polling for a data message request, and, when a request is received, taking the current data message as the message to be analyzed; extracting the network protocol from the message to be analyzed, judging that protocol against the local network protocol, processing the message to be analyzed according to the judgment result, and taking the processed message as the message to be encrypted; and encrypting the message to be encrypted and feeding the encrypted message back to the physical network card. The invention decides which packets to transmit and receive by polling, that is, in a timed loop, which improves the efficiency of transmitting and receiving messages and avoids CPU interrupts; it then applies a second layer of encryption to outbound messages, which strengthens their confidentiality and improves the security of the forwarding process.

Description

Virtual private network implementation method, device, equipment and medium
Technical Field
The present invention relates to the technical field of virtual private network encryption transmission, and in particular, to a method, an apparatus, a device, and a medium for implementing a virtual private network.
Background
A Virtual Private Network (VPN) establishes a private network on top of a public network for encrypted communication. VPNs are widely used in enterprise networks; compared with a leased line, they have the advantages of low cost and encrypted data transmission.
However, as internet technology and services develop, the scale of VPN communication keeps growing and users place ever higher demands on the transmission performance of the VPN gateway. Conventional VPN gateways forward packets inefficiently and face increasing performance pressure. Research on high-performance VPN gateway technology is therefore of great significance.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
In view of this, the present invention provides a method, an apparatus, a device, and a medium for implementing a virtual private network, aiming to solve the technical problem that the prior art cannot use a DPDK platform to speed up packet forwarding in a VPN gateway.
The technical scheme of the invention is realized as follows:
In one aspect, the present invention provides a virtual private network implementation method, including the following steps:
S1, acquiring data messages from the physical network card, cyclically and periodically polling for data message requests, and, when a data message request is received, taking the current data message as the message to be analyzed;
S2, acquiring the local network protocol, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed against the local network protocol, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted;
S3, setting a communication security policy, acquiring the corresponding communication security policy according to the network protocol, encrypting the message to be encrypted, and feeding the encrypted message back to the physical network card.
On the basis of the above technical solution, preferably, step S1 (acquiring a data packet from the physical network card, periodically polling for a data packet request, and, when a request is received, taking the current data packet as the packet to be analyzed) further includes the steps of acquiring user information from the data packet, acquiring the corresponding key from a local key repository according to the user information, decrypting the data packet with that key, and, when decryption succeeds, taking the successfully decrypted data packet as the packet to be analyzed; when decryption fails, another data message is selected.
On the basis of the foregoing technical solution, preferably, step S2 (acquiring the local network protocol, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed against the local network protocol, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted) further includes the following steps: acquiring the local network protocol, where the network protocols include the PKI protocol and the IKE protocol; judging the network protocol of the message to be analyzed against the local network protocol; processing the message to be analyzed according to the judgment result; and taking the processed message to be analyzed as the message to be encrypted.
On the basis of the above technical solution, preferably, judging the network protocol of the message to be analyzed against the local network protocol, processing the message to be analyzed according to the judgment result, and taking the processed message as the message to be encrypted further includes the following steps: when the judgment result is the PKI protocol, extracting the user identification information and the user public key from the message to be analyzed, wherein the identification information comprises: establishing a new public key from the user identification information and the user public key, distributing the new public key to the corresponding message to be analyzed, and taking the message to be analyzed to which the new public key has been distributed as the message to be encrypted.
On the basis of the above technical solution, preferably, the network protocol of the message to be analyzed is determined according to the local network protocol, the message to be analyzed is processed according to the determination result, and the processed message to be analyzed is obtained as the message to be encrypted.
On the basis of the above technical solution, preferably, the method further includes the following steps, where the DH algorithm is:
S1 = Ta^db mod t, S2 = Tb^da mod t;
where S1 is the shared secret key of the sender of the message to be analyzed, S2 is the shared secret key of the receiver of the message to be analyzed, S1 = S2, Ta = r^da mod t, Tb = r^db mod t, da is a random number in the range [1, t-1], db is a random number in the range [1, t-1], and (r, t) is the binary tuple formed from the data in the message to be analyzed.
On the basis of the above technical solution, preferably, step S3 (setting a communication security policy, acquiring the corresponding communication security policy according to the network protocol, encrypting the message to be encrypted, and feeding the encrypted message back to the physical network card) further includes the steps of acquiring the local network protocol and its corresponding security policy, setting the communication security policy according to the local network protocol and that security policy, obtaining the corresponding security policy from the communication security policy according to the network protocol, encrypting the message to be encrypted according to that security policy, and feeding the encrypted message back to the physical network card.
Still further preferably, the virtual private network implementation apparatus includes:
an acquisition module, used for acquiring data messages from the physical network card, cyclically and periodically polling for data message requests, and, when a data message request is received, taking the current data message as the message to be analyzed;
a processing module, used for acquiring the local network protocol, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed against the local network protocol, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted;
and an encryption module, used for setting a communication security policy, acquiring the corresponding communication security policy according to the network protocol, encrypting the message to be encrypted, and feeding the encrypted message back to the physical network card.
In a second aspect, the virtual private network implementation method further includes a device, where the device includes a memory, a processor, and a virtual private network implementation program stored in the memory and executable on the processor, the program being configured to implement the steps of the virtual private network implementation method described above.
In a third aspect, the virtual private network implementation method further includes a medium, which is a computer medium on which a virtual private network implementation program is stored; when executed by a processor, the program implements the steps of the virtual private network implementation method described above.
Compared with the prior art, the method for implementing the virtual private network has the following beneficial effects:
(1) polling, that is, periodically and cyclically transmitting and receiving data packets, keeps the CPU fully loaded, so that messages are not transmitted and received through interrupts; this improves message transmit/receive efficiency and the efficiency of the whole process;
(2) the virtual private network is implemented on the DPDK platform; because DPDK supports user-mode drivers, network messages are processed directly in user mode, avoiding memory copies and system calls, which improves the efficiency of the whole forwarding process and also saves system resources;
(3) messages that need to go outbound are protected with multiple layers of encryption, so that outbound messages cannot be tampered with, improving the reliability and integrity of the data.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an apparatus in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a virtual private network implementation method according to the present invention;
FIG. 3 is a functional module diagram of a virtual private network implementation method according to a first embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of the present invention.
As shown in FIG. 1, the apparatus may include a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to connect these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a random access memory (RAM) or a non-volatile memory (NVM) such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not limit the device; an actual implementation may include more or fewer components than shown, combine some components, or arrange them differently.
As shown in FIG. 1, the memory 1005, as a medium, may contain an operating system, a network communication module, a user interface module, and a virtual private network implementation program.
In the device shown in FIG. 1, the network interface 1004 is mainly used to establish a communication connection between the device and a server that stores all the data required by the virtual private network implementation system; the user interface 1003 is mainly used for data interaction with the user; the processor 1001 and the memory 1005 may be arranged in a virtual private network implementation device, which calls the virtual private network implementation program stored in the memory 1005 through the processor 1001 and executes the virtual private network implementation method provided by the present invention.
Referring to FIG. 2, which is a flowchart illustrating a method for implementing a virtual private network according to a first embodiment of the present invention.
In this embodiment, the method for implementing a virtual private network includes the following steps:
S10: acquiring a data message from the physical network card, cyclically and periodically polling for a data message request, and, when a data message request is received, taking the current data message as the message to be analyzed.
It should be understood that DPDK (Data Plane Development Kit) runs mainly on Linux; it is a library and driver set for fast packet processing that can greatly improve data processing performance and throughput and the efficiency of data plane applications.
It should be understood that polling is one way for the CPU to decide how to service peripherals, also known as programmed input/output (programmed I/O). In polling, the CPU issues inquiries at regular intervals, asking each peripheral in turn whether it needs service; if it does, the CPU services it, and when the service is finished it moves on to the next peripheral, and the process repeats.
It should be understood that, in this embodiment, a time threshold is set and the CPU polls regularly according to that threshold. Only when a data packet request is received is the data packet at that moment captured; user information is then extracted from the captured packet, and the corresponding key is obtained from the local key store according to that user information (when user information is extracted, the system generates the corresponding key with its own key generator and builds the local key store from these keys). The data packet is decrypted with the key; if decryption succeeds, the decrypted packet is taken as the packet to be analyzed, and if it fails, another data message is selected.
S20: acquiring the local network protocol, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed against the local network protocol, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted.
It should be understood that the local network protocol is obtained, where the network protocols include the PKI protocol and the IKE protocol; the network protocol of the message to be analyzed is then judged against the local network protocol, the message to be analyzed is processed according to the judgment result, and the processed message to be analyzed is taken as the message to be encrypted.
It should be understood that PKI (public key infrastructure) is a general-purpose security infrastructure that implements and provides security services using public-key concepts and technology. The definition of PKI keeps extending and expanding. PKI involves cooperation among several entities, such as the CA, the RA, the certificate repository, the key recovery server and the end user, and is responsible for generating, protecting, updating, backing up and recovering the device key of the IPsec VPN gateway, for applying for and downloading the device certificate and the CA server's root certificate, for downloading the CRL, and for checking the validity of other devices' certificates. When the judgment result is the PKI protocol, the user identification information and the user public key are extracted from the message to be analyzed, wherein the identification information comprises: a new public key is established from the user identification information and the user public key and distributed to the corresponding message to be analyzed, and the message to be analyzed to which the new public key has been distributed is taken as the message to be encrypted.
It should be understood that IKE (Internet Key Exchange protocol) is responsible for negotiating, updating and destroying the working keys and session keys of IPsec VPN gateway tunnels, for negotiating security policy, and for monitoring tunnel status. IKE does not transmit keys over the network directly; instead both parties compute a shared key through a series of data exchanges, and even a third party that intercepts all of the exchanged data used to compute the key cannot derive the true key from it.
It should be understood that, when the judgment result is the IKE protocol, a message format is set and a DH algorithm is established; the message to be analyzed is checked against the message format, and when it matches, the corresponding public key is calculated from the message to be analyzed according to the DH algorithm, the message is encrypted with that public key, and the encrypted message is taken as the message to be encrypted. The integrity of the data message is verified before the calculation, and the public key of the message is calculated only when the message is complete.
It should be understood that the DH algorithm is:
S1 = Ta^db mod t, S2 = Tb^da mod t;
where S1 is the shared secret key of the sender of the message to be analyzed, S2 is the shared secret key of the receiver of the message to be analyzed, S1 = S2, Ta = r^da mod t, Tb = r^db mod t, da is a random number in the range [1, t-1], db is a random number in the range [1, t-1], and (r, t) is the binary tuple formed from the data in the message to be analyzed.
Assume the tuple is (r, t) = (3, 7);
da is a random number in [1, t-1]; with da = 5, Ta = r^da mod t = 3^5 mod 7 = 5;
db is a random number in [1, t-1]; with db = 6, Tb = r^db mod t = 3^6 mod 7 = 1;
the shared secret key of the sender of the message to be analyzed is S1 = Ta^db mod t = 5^6 mod 7 = 1, and the shared secret key of the receiver of the message to be analyzed is S2 = Tb^da mod t = 1^5 mod 7 = 1.
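The DH exchange stated in the summary and worked above, run with the document's own values (r, t) = (3, 7), da = 5, db = 6, as an added example that is not part of the patent. The CRC-32 record layout, the names pack_record/parse_record/respond, and the weak-public-value check are assumptions of this example; the check is there because the page's own numbers give Tb = 1 and a derived secret of 1, which standard DH implementations reject.

```python
"""Diffie-Hellman exchange as the patent states it: S1 = Ta^db mod t and
S2 = Tb^da mod t with Ta = r^da mod t, Tb = r^db mod t, and (r, t) carried
in the message.  Added example; the record layout, CRC trailer and weak-value
check are assumptions, not part of the patent."""
import struct
import zlib

# Hypothetical wire layout for the (r, t, peer-public) tuple carried in an
# IKE-classified message: three big-endian 32-bit fields plus a CRC-32 trailer.
RECORD = struct.Struct("!III")
TRAILER = struct.Struct("!I")


def check_exponent(d: int, t: int) -> None:
    """The patent requires da and db to lie in [1, t-1]."""
    if not 1 <= d <= t - 1:
        raise ValueError(f"exponent {d} outside [1, {t - 1}]")


def public_value(r: int, t: int, d: int) -> int:
    """Ta = r^da mod t on one side, Tb = r^db mod t on the other."""
    check_exponent(d, t)
    return pow(r, d, t)


def is_weak_public_value(pub: int, t: int) -> bool:
    """A peer value of 0, 1 or t-1 yields a secret of 0, 1 or t-1 whatever
    the exponent; standard DH implementations reject it before use
    (assumption: the patent does not describe this check)."""
    return pub in (0, 1, t - 1)


def shared_secret(peer_pub: int, d: int, t: int) -> int:
    """S1 = Ta^db mod t, or symmetrically S2 = Tb^da mod t."""
    check_exponent(d, t)
    if not 0 < peer_pub < t:
        raise ValueError("peer public value outside the group")
    return pow(peer_pub, d, t)


def run_exchange(r: int, t: int, da: int, db: int) -> dict:
    """Both sides of the exchange; returns the four values the text names."""
    ta = public_value(r, t, da)
    tb = public_value(r, t, db)
    s1 = shared_secret(ta, db, t)  # computed with the sender's Ta and db
    s2 = shared_secret(tb, da, t)  # computed with the receiver's Tb and da
    assert s1 == s2, "DH symmetry broken"
    return {
        "Ta": ta, "Tb": tb, "S1": s1, "S2": s2,
        "weak": is_weak_public_value(ta, t) or is_weak_public_value(tb, t),
    }


def pack_record(r: int, t: int, pub: int) -> bytes:
    """Constructed sample record: body followed by its CRC-32."""
    body = RECORD.pack(r, t, pub)
    return body + TRAILER.pack(zlib.crc32(body))


def parse_record(raw: bytes):
    """Integrity check first, as the text requires: return (r, t, pub) only
    when the length and CRC trailer match, otherwise None.  CRC-32 detects
    corruption, not deliberate modification; authenticity needs a MAC."""
    if len(raw) != RECORD.size + TRAILER.size:
        return None
    body, tag = raw[:RECORD.size], TRAILER.unpack(raw[RECORD.size:])[0]
    if zlib.crc32(body) != tag:
        return None
    return RECORD.unpack(body)


def respond(raw: bytes, db: int):
    """Receiver side: verify the record, then derive Tb and S1 = Ta^db mod t.
    Returns None when the record is incomplete or Ta is a weak value."""
    parsed = parse_record(raw)
    if parsed is None:
        return None
    r, t, ta = parsed
    if is_weak_public_value(ta, t):
        return None
    return {"Tb": public_value(r, t, db), "S1": shared_secret(ta, db, t)}


if __name__ == "__main__":
    # The document's own numbers: (r, t) = (3, 7), da = 5, db = 6.
    print(run_exchange(3, 7, 5, 6))          # Ta=5, Tb=1, S1=S2=1, weak=True
    print(respond(pack_record(3, 7, 5), 6))  # {'Tb': 1, 'S1': 1}
```

The second test vector (r, t) = (5, 23) with da = 6, db = 15 shows the same code on a group where neither public value is weak.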
S30: setting a communication security policy, acquiring a corresponding communication security policy according to a network protocol, encrypting a message to be encrypted, and feeding back the encrypted message to be encrypted to a physical network card.
It should be understood that the IPsec protocol (internet security protocol) is responsible for maintaining IPsec secure communication policies, session keys; matching the outbound message with a security policy and using a corresponding session key for encapsulation and encryption; and de-encapsulating and decrypting the inbound message.
It should be understood that, when receiving a message to be encrypted, the system obtains a local network protocol and a corresponding security policy, sets a communication security policy according to the local network protocol and the corresponding security policy, obtains the corresponding security policy from the communication security policy according to the network protocol, secrets the message to be encrypted according to the security policy, and feeds the encrypted message to be encrypted back to the physical network card.
The above description is only for illustrative purposes and does not limit the technical solutions of the present application in any way.
As can readily be seen from the above description, in this embodiment the data packet is acquired from the physical network card, a data packet request is polled for cyclically and periodically, and when a request is received the current data packet is taken as the packet to be analyzed; the local network protocol is acquired, the network protocol is extracted from the message to be analyzed and judged against the local network protocol, the message is processed according to the judgment result, and the processed message is taken as the message to be encrypted; and a communication security policy is set, the corresponding communication security policy is obtained according to the network protocol, the message to be encrypted is encrypted, and the encrypted message is fed back to the physical network card. In this embodiment, packets are judged and transmitted periodically by polling, which improves message transmit/receive efficiency and avoids CPU interrupts; the outbound message is then encrypted a second time, which strengthens its confidentiality and improves the security of the forwarding process.
In addition, the embodiment of the invention also provides a virtual private network implementation apparatus. As shown in FIG. 3, the apparatus includes an acquisition module 10, a processing module 20 and an encryption module 30.
The acquisition module 10 is configured to acquire a data packet from the physical network card, periodically poll for a data packet request, and, when a request is received, take the current data packet as the packet to be analyzed;
the processing module 20 is configured to acquire the local network protocol, extract the network protocol from the message to be analyzed, judge the network protocol of the message to be analyzed against the local network protocol, process the message to be analyzed according to the judgment result, and take the processed message to be analyzed as the message to be encrypted;
the encryption module 30 is configured to set a communication security policy, obtain the corresponding communication security policy according to the network protocol, encrypt the message to be encrypted, and feed the encrypted message back to the physical network card.
In addition, it should be noted that the above-described embodiments of the apparatus are merely illustrative, and do not limit the scope of the present invention, and in practical applications, a person skilled in the art may select some or all of the modules to implement the purpose of the embodiments according to actual needs, and the present invention is not limited herein.
In addition, the technical details that are not described in detail in this embodiment may refer to a virtual private network implementation method provided in any embodiment of the present invention, and are not described herein again.
In addition, an embodiment of the present invention further provides a medium, where the medium is a computer medium, where a virtual private network implementation method program is stored on the computer medium, and when executed by a processor, the virtual private network implementation method program implements the following operations:
s1, acquiring data messages from the physical network card, circularly and regularly acquiring data message requests, and taking the current data messages as messages to be analyzed when the data message requests are acquired;
s2, acquiring a local network protocol, extracting a network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed according to the local network protocol, processing the message to be analyzed according to the judgment result, and acquiring the processed message to be analyzed as a message to be encrypted;
s3, setting a communication security policy, acquiring a corresponding communication security policy according to a network protocol, encrypting the message to be encrypted, and feeding back the encrypted message to be encrypted to the physical network card.
Further, the virtual private network implementation method program, when executed by a processor, further implements the following operations:
acquiring user information from the data message, acquiring a corresponding key from a local key library according to the user information, decrypting the data message according to the key, and taking the successfully decrypted data message as a message to be analyzed when the decryption is successful; and when the decryption fails, reselecting the data message.
Further, the virtual private network implementation method program, when executed by a processor, further implements the following operations:
obtaining a local network protocol, the network protocol comprising: and the PKI protocol and the IKE protocol are used for judging the network protocol of the message to be analyzed according to the local network protocol, processing the message to be analyzed according to the judgment result and acquiring the processed message to be analyzed as the message to be encrypted.
Further, the virtual private network implementation method program, when executed by a processor, further implements the following operations:
when the judgment result is a PKI protocol, extracting user identification information and a user public key from the message to be analyzed, wherein the identification information comprises: and establishing a new public key according to the user identification information and the user public key and distributing the new public key to the corresponding message to be analyzed, and taking the message to be analyzed distributed with the new public key as the message to be encrypted.
Further, the virtual private network implementation method program, when executed by a processor, further implements the following operations:
and when the judgment result is the IKE protocol, setting a message format, establishing a DH algorithm, detecting the message to be analyzed according to the message format, calculating a corresponding public key according to the message to be analyzed according to the DH algorithm when the message to be analyzed is the same as the message format, encrypting the message to be analyzed according to the public key, and taking the encrypted message to be analyzed as the message to be encrypted.
Further, the virtual private network implementation method program, when executed by a processor, further implements the following operations:
the DH algorithm is as follows:
$S_1 = T_a^{d_b} \bmod t,\qquad S_2 = T_b^{d_a} \bmod t;$
where $S_1$ denotes the shared secret key of the sender of the message to be analyzed, $S_2$ denotes the shared secret key of the receiver of the message to be analyzed, and $S_1 = S_2$; $T_a = r^{d_a} \bmod t$ and $T_b = r^{d_b} \bmod t$; $d_a$ is a random number in the range $[1, t-1]$, $d_b$ is a random number in the range $[1, t-1]$, and $(r, t)$ is a pair formed from the data in the message to be analyzed.
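The IKE branch described above (the message-format check, the DH computation over the $(r, t)$ pair carried in the message, and the encryption key it yields; claims 5 and 6 restate the same steps) as a worked example. This is added code, not code from the patent or from its assignee. It follows the patent's formulas literally ($T_a = r^{d_a} \bmod t$, $T_b = r^{d_b} \bmod t$, $S_1 = T_a^{d_b} \bmod t$, $S_2 = T_b^{d_a} \bmod t$, $d_a$ and $d_b$ random in $[1, t-1]$). The 4+4 byte message layout, the primality and range checks on $(r, t)$ and on the public values, and the SHA-256 key derivation are assumptions added here because the patent does not specify them; the sample message is constructed for the demonstration.

```python
"""DH key agreement for the IKE branch: parse (r, t) from the message, check them, agree on S."""
import hashlib
import secrets
import struct
from typing import Optional, Tuple

# Assumed (constructed) message layout: 4-byte r, 4-byte t, big-endian, then the payload.
# It stands in for the "message format" the patent says is set and checked before the DH step.
GROUP_HEADER = struct.Struct("!II")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test using only the standard library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_valid(r: int, t: int) -> bool:
    """Reject an (r, t) pair that would make the shared secret trivial.

    (r, t) arrive inside the message, so a receiver that skips these checks
    accepts a composite modulus or an order-2 generator chosen by the peer.
    These checks are an addition here, not a step the patent describes.
    """
    if not is_probable_prime(t):
        return False
    if not 2 <= r <= t - 2:
        return False
    return pow(r, 2, t) != 1                      # r == t-1 would have order 2


def parse_message(msg: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (r, t, payload) when msg matches the assumed format and group checks, else None."""
    if len(msg) < GROUP_HEADER.size:
        return None
    r, t = GROUP_HEADER.unpack_from(msg)
    if not group_is_valid(r, t):
        return None
    return r, t, msg[GROUP_HEADER.size:]


def dh_public(r: int, d: int, t: int) -> int:
    """T = r^d mod t."""
    return pow(r, d, t)


def dh_shared(T_peer: int, d: int, t: int) -> int:
    """S = T_peer^d mod t, after rejecting public values that force S into {0, 1, t-1}."""
    if not 2 <= T_peer <= t - 2:
        raise ValueError("peer public value outside [2, t-2]")
    return pow(T_peer, d, t)


def fresh_keypair(r: int, t: int) -> Tuple[int, int]:
    """Random d in [1, t-1] as the patent specifies; retried when r^d mod t lands on 1 or t-1."""
    while True:
        d = secrets.randbelow(t - 1) + 1
        T = dh_public(r, d, t)
        if 2 <= T <= t - 2:
            return d, T


def run_exchange(r: int, t: int, da: Optional[int] = None,
                 db: Optional[int] = None) -> Tuple[int, int, int, int]:
    """Both sides of the exchange; returns (S1, S2, Ta, Tb) under the patent's names."""
    da, Ta = fresh_keypair(r, t) if da is None else (da, dh_public(r, da, t))
    db, Tb = fresh_keypair(r, t) if db is None else (db, dh_public(r, db, t))
    S1 = dh_shared(Ta, db, t)                     # S1 = Ta^db mod t
    S2 = dh_shared(Tb, da, t)                     # S2 = Tb^da mod t
    assert S1 == S2                               # both equal r^(da*db) mod t
    return S1, S2, Ta, Tb


def session_key(shared: int, t: int) -> bytes:
    """Fixed-width encoding of S hashed to a 32-byte key for the encryption step (assumed KDF)."""
    width = (t.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


if __name__ == "__main__":
    # Constructed sample: group (5, 23) with fixed exponents so the run is reproducible.
    r, t, payload = parse_message(GROUP_HEADER.pack(5, 23) + b"hello")
    print(run_exchange(r, t, da=6, db=15))        # (2, 2, 8, 19)
```

The tiny group (5, 23) is only for a readable trace; a deployment would use a modulus of at least 2048 bits, and the point of `group_is_valid` and the range check in `dh_shared` is that a peer who controls the $(r, t)$ pair in the message must not be able to force $S_1$ into a predictable value.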
Further, the virtual private network implementation method program, when executed by a processor, further implements the following operations:
obtaining the local network protocols and their corresponding security policies, setting a communication security policy according to the local network protocols and their security policies, obtaining the applicable security policy from the communication security policy according to the network protocol, encrypting the message to be encrypted according to that security policy, and feeding the encrypted message back to the physical network card.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A virtual private network implementation method, characterized in that it comprises the following steps:
S1, acquiring data messages from the physical network card, circularly and regularly acquiring data message requests, and, when a data message request is acquired, taking the current data message as the message to be analyzed;
S2, acquiring the local network protocols, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed according to the local network protocols, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted;
S3, setting a communication security policy, acquiring the corresponding communication security policy according to the network protocol, encrypting the message to be encrypted, and feeding the encrypted message back to the physical network card.
2. The virtual private network implementation method of claim 1, wherein step S1, acquiring data messages from the physical network card, circularly and regularly acquiring a data message request, and, when the data message request is acquired, taking the current data message as the message to be analyzed, further comprises: acquiring user information from the data message, obtaining the corresponding key from a local key store according to that user information, decrypting the data message with the key, and, when decryption succeeds, taking the decrypted data message as the message to be analyzed; when decryption fails, reselecting a data message.
3. The virtual private network implementation method of claim 2, wherein in step S2, acquiring the local network protocols, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed according to the local network protocols, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted, further comprises: obtaining the local network protocols, the network protocols comprising a PKI protocol and an IKE protocol; judging the network protocol of the message to be analyzed according to the local network protocols, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted.
4. The virtual private network implementation method of claim 3, wherein judging the network protocol of the message to be analyzed according to the local network protocols, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted further comprises: when the judgment result is the PKI protocol, extracting user identification information and a user public key from the message to be analyzed, wherein the identification information comprises: ; establishing a new public key from the user identification information and the user public key, assigning the new public key to the corresponding message to be analyzed, and taking the message to be analyzed with the new public key assigned as the message to be encrypted.
5. The virtual private network implementation method of claim 3, wherein judging the network protocol of the message to be analyzed according to the local network protocols, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted further comprises: when the judgment result is the IKE protocol, setting a message format, establishing a DH algorithm, checking the message to be analyzed against the message format, and, when the message to be analyzed matches the message format, calculating the corresponding public key from the message to be analyzed using the DH algorithm, encrypting the message to be analyzed with that public key, and taking the encrypted message to be analyzed as the message to be encrypted.
6. The virtual private network implementation method of claim 5, wherein the DH algorithm is as follows:
$S_1 = T_a^{d_b} \bmod t,\qquad S_2 = T_b^{d_a} \bmod t;$
where $S_1$ denotes the shared secret key of the sender of the message to be analyzed, $S_2$ denotes the shared secret key of the receiver of the message to be analyzed, and $S_1 = S_2$; $T_a = r^{d_a} \bmod t$ and $T_b = r^{d_b} \bmod t$; $d_a$ is a random number in the range $[1, t-1]$, $d_b$ is a random number in the range $[1, t-1]$, and $(r, t)$ is a pair formed from the data in the message to be analyzed.
7. The virtual private network implementation method of claim 6, wherein in step S3, setting a communication security policy, acquiring the corresponding communication security policy according to the network protocol, encrypting the message to be encrypted, and feeding the encrypted message back to the physical network card, further comprises: obtaining the local network protocols and their corresponding security policies, setting a communication security policy according to the local network protocols and their security policies, obtaining the applicable security policy from the communication security policy according to the network protocol, encrypting the message to be encrypted according to that security policy, and feeding the encrypted message back to the physical network card.
8. A virtual private network implementation apparatus, characterized in that it comprises:
an acquisition module, for acquiring data messages from the physical network card, circularly and regularly acquiring data message requests, and, when a data message request is acquired, taking the current data message as the message to be analyzed;
a processing module, for acquiring the local network protocols, extracting the network protocol from the message to be analyzed, judging the network protocol of the message to be analyzed according to the local network protocols, processing the message to be analyzed according to the judgment result, and taking the processed message to be analyzed as the message to be encrypted;
and an encryption module, for setting a communication security policy, acquiring the corresponding communication security policy according to the network protocol, encrypting the message to be encrypted, and feeding the encrypted message back to the physical network card.
9. A device, characterized in that the device comprises: a memory, a processor, and a virtual private network implementation program stored on the memory and executable on the processor, the virtual private network implementation program being configured to implement the steps of the virtual private network implementation method according to any one of claims 1 to 7.
10. A medium, characterized in that the medium is a computer-readable medium on which a virtual private network implementation program is stored, the virtual private network implementation program, when executed by a processor, implementing the steps of the virtual private network implementation method according to any one of claims 1 to 7.
CN201911296706.6A 2019-12-16 2019-12-16 Virtual private network implementation method, device, equipment and medium Active CN111147344B (en)

Publications (2)

Publication Number Publication Date
CN111147344A true CN111147344A (en) 2020-05-12
CN111147344B CN111147344B (en) 2021-12-24

Family

ID=70518459

Country Status (1)

Country Link
CN (1) CN111147344B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1770767A (en) * 2005-09-01 2006-05-10 武汉思为同飞网络技术有限公司 System and its method for carrying out TCP application layer protocol package for VPN message
CN1937571A (en) * 2005-09-22 2007-03-28 武汉思为同飞网络技术有限公司 System and method for realizing VPN protocol at application layer
CN1984131A (en) * 2005-12-14 2007-06-20 北京三星通信技术研究有限公司 Method for processing distributed IPSec
CN101299665A (en) * 2008-05-19 2008-11-05 华为技术有限公司 Message processing method, system and apparatus
US20130318345A1 (en) * 2012-05-22 2013-11-28 Harris Corporation Multi-tunnel virtual private network
CN106341404A (en) * 2016-09-09 2017-01-18 西安工程大学 IPSec VPN system based on many-core processor and encryption and decryption processing method
US20170359372A1 (en) * 2016-06-14 2017-12-14 Microsoft Technology Licensing, Llc. Detecting volumetric attacks
CN108028748A (en) * 2016-02-27 2018-05-11 华为技术有限公司 Method, device and system for processing VXLAN messages

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Wu Yue et al.: "Implementation of IPSec-based virtual private network key exchange and its security analysis", Journal of Southeast University (Natural Science Edition) *
Cai Sifei et al.: "Research on a VPN-based security gateway", Journal of Taiyuan University of Technology *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant