CN111163102A - Data processing method and device, network equipment and readable storage medium - Google Patents


Publication number
CN111163102A
Authority
CN
China
Prior art keywords
encryption
task data
decryption
data
task
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911423076.4A
Other languages
Chinese (zh)
Other versions
CN111163102B (en
Inventor
宁宏河
吴亚东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd filed Critical Qianxin Technology Group Co Ltd
Priority to CN201911423076.4A priority Critical patent/CN111163102B/en
Publication of CN111163102A publication Critical patent/CN111163102A/en
Application granted granted Critical
Publication of CN111163102B publication Critical patent/CN111163102B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Abstract

The present disclosure provides a data processing method and apparatus, a network device, and a readable storage medium, wherein the data processing method includes: determining whether the acquired first task data needs to be encrypted and decrypted; under the condition that the first task data is determined to need to be subjected to encryption and decryption operations, performing encryption and decryption operations on the first task data; determining whether the second task data acquired in the process of performing encryption and decryption operations on the first task data needs to be subjected to encryption and decryption operations; and under the condition that the second task data is determined not to need to be encrypted and decrypted, forwarding the second task data.

Description

Data processing method and device, network equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a data processing method, an apparatus, a device, and a readable storage medium.
Background
With the rapid development of computer technology, higher requirements are put forward on network equipment in consideration of the rapid increase of network bearing traffic, the diversified transition of network service types, the safety of service information and the like. The network device not only needs to provide a reliable network security protocol to ensure the security of data information, but also needs to have higher data processing and data forwarding capabilities.
Based on the above, in the process of implementing the concept of the present disclosure, at least the following problems exist in the related art: when the firewall of the existing network device processes the acquired current data information, if the current data is encrypted, the firewall needs to synchronously wait for the processing result of the current data of the encryption card before continuing the subsequent data processing. This results in increased processing delay and inefficiency.
Disclosure of Invention
In view of the above, the present disclosure provides a data processing method and apparatus, a network device, and a computer-readable storage medium.
One aspect of the present disclosure provides a data processing method, including: determining whether the acquired first task data needs to be encrypted and decrypted; under the condition that the first task data is determined to need to be encrypted and decrypted, the first task data is sent to an encryption and decryption unit for encryption and decryption; determining whether the encryption and decryption operation is required to be carried out on the second task data acquired in the process of carrying out the encryption and decryption operation on the first task data; and under the condition that the second task data is determined not to need to be encrypted and decrypted, forwarding the second task data.
According to an embodiment of the present disclosure, determining whether the first task data needs to be encrypted and decrypted includes: analyzing the first task data to obtain configuration information of the first task data; and determining whether the first task data needs to be subjected to encryption and decryption operations based on the configuration information.
According to an embodiment of the present disclosure, the data processing method further includes: acquiring state information of an encryption and decryption unit, wherein the state information comprises a ready state and a non-ready state; the ready state represents that the encryption and decryption unit finishes the encryption and decryption operation related to the first task data, and the non-ready state represents that the encryption and decryption unit does not finish the encryption and decryption operation related to the first task data.
According to the embodiment of the disclosure, in the case that the state information is in the ready state, first encryption and decryption data corresponding to the first task data are obtained from the encryption and decryption unit; and forwarding the first encryption and decryption data.
According to the embodiment of the disclosure, under the condition that the second task data needs to be encrypted and decrypted, responding to the non-ready state of the state information, sending the second task data to the buffer unit for buffer storage and defining the encryption and decryption operation sequence; and responding to the state information as a ready state, and sending the second task data to the encryption and decryption unit for encryption and decryption operation.
Another aspect of the present disclosure provides a data processing apparatus, including: the encryption and decryption judging module is used for determining whether the acquired first task data needs to be subjected to encryption and decryption operation; under the condition that the first task data is determined to need to be encrypted and decrypted, the first task data is sent to an encryption and decryption unit for encryption and decryption; determining whether the encryption and decryption operation is required to be carried out on the second task data acquired in the process of carrying out the encryption and decryption operation on the first task data; and the data processing module is used for forwarding the second task data under the condition that the second task data does not need to be encrypted and decrypted.
According to the embodiment of the present disclosure, the encryption and decryption determining module includes: the data analysis unit is used for analyzing the first task data to obtain configuration information of the first task data; and the encryption and decryption judging unit is used for determining whether the first task data needs to be subjected to encryption and decryption operation or not based on the configuration information.
According to an embodiment of the present disclosure, the data processing apparatus further includes: the state monitoring module is used for acquiring state information of the encryption and decryption unit, and the state information comprises a ready state and a non-ready state; the ready state represents that the encryption and decryption unit finishes the encryption and decryption operation related to the first task data, and the non-ready state represents that the encryption and decryption unit does not finish the encryption and decryption operation related to the first task data.
According to an embodiment of the disclosure, the encryption and decryption operation module is configured to obtain, from the encryption and decryption unit, first encryption and decryption data corresponding to the first task data when the state information is in a ready state; and the first encryption and decryption module is also used for forwarding the first encryption and decryption data.
According to the embodiment of the disclosure, under the condition that the second task data needs to be encrypted and decrypted, the data buffering module responds to the non-ready state of the state information, sends the second task data to the buffering unit for buffering and storing and defines the encryption and decryption operation sequence; the encryption and decryption operation module is also used for responding to the state information as a ready state and sending the second task data to the encryption and decryption unit for encryption and decryption operation.
Another aspect of the present disclosure provides a network device, including: one or more processors; a storage device for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the data processing method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement a data processing method as described above.
Another aspect of the disclosure provides a computer program product comprising computer readable instructions, wherein the computer readable instructions are adapted to perform the data processing method described above when executed.
According to an embodiment of the present disclosure, the data processing method includes: determining whether the acquired first task data needs to be encrypted and decrypted; under the condition that the first task data needs to be encrypted and decrypted, encrypting and decrypting the first task data; determining whether the encryption and decryption operation is required to be carried out on the second task data acquired in the process of carrying out the encryption and decryption operation on the first task data; and under the condition that the second task data is determined not to need to be encrypted and decrypted, forwarding the second task data. With this data processing method, the firewall of the network equipment keeps its original hardware encryption card deployment, while the software calls the hardware encryption card asynchronously to encrypt and decrypt data. The processing of the second task data is therefore no longer limited by the working state of the encryption card: when the second task data does not need to be encrypted and decrypted, it can be processed directly, which reduces the forwarding delay caused by waiting for the data returned by the encryption card and improves the data processing efficiency. In addition, calling the encryption card asynchronously can raise its working frequency, reduce its idle time, and improve its utilization rate, which further improves the data processing efficiency.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically shows an exemplary system architecture to which a data processing method may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically shows a flow diagram of a data processing method according to an embodiment of the present disclosure;
FIG. 3A schematically illustrates a block composition diagram of a data processing apparatus according to an embodiment of the present disclosure;
FIG. 3B schematically illustrates another block composition diagram of a data processing apparatus according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a module interaction composition diagram of a data processing apparatus according to an embodiment of the present disclosure; and
FIG. 5 schematically shows a block diagram of a network device according to an embodiment of the disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The disclosure provides a data processing method and device, network equipment and a readable storage medium. In the field of computer technology, a firewall can construct a relatively isolated protection barrier between an internal network and an external network of a computer network to guarantee the security of user data and information. In firewall technology, multiple users access the same network or perform directional data transmission with one another through the network, so data transmission and other data processing are involved. In order to guarantee data security, data can be encrypted by means of the firewall, with the encryption information held by the data transmitting party and the data receiving party, so that a secure information transmission channel is established and the network data of a computer is well protected during transmission.
An embodiment of the present disclosure provides a data processing method, including: determining whether the acquired first task data needs to be encrypted and decrypted; under the condition that the first task data is determined to need to be encrypted and decrypted, the first task data is sent to an encryption and decryption unit for encryption and decryption; determining whether the encryption and decryption operation is required to be carried out on the second task data acquired in the process of carrying out the encryption and decryption operation on the first task data; and under the condition that the second task data is determined not to need to be encrypted and decrypted, forwarding the second task data.
It will be understood by those skilled in the art that the term "encryption" as used in the claims and in the specification of the present disclosure may be understood as one of the meanings of "encryption", "decryption", and "encryption and decryption". That is, "encryption" and "decryption" should be interpreted as having a meaning consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Fig. 1 schematically shows an exemplary system architecture 100 to which the data processing method may be applied, according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an application example to which the embodiment of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the data processing method of the embodiment of the present disclosure may not be used in other devices, systems, environments or scenarios.
As shown in FIG. 1, the system architecture 100 according to this embodiment may include a firewall 110 and terminal devices 121, 122, 123, 124, and 125 that establish a data transmission channel with the firewall 110, where the firewall 110 and the terminal devices 121, 122, 123, 124, and 125 may be located in the same internal network. Alternatively, when the terminal device 125 is a network server, the terminal device 125 may be located in an external network relative to the internal network of the other terminal devices 121, 122, 123 and 124; in this case, the firewall 110 serves as the medium that provides the communication link between the terminal devices 121, 122, 123, 124 and 125. The data transmission path between the firewall 110 and the plurality of terminal devices may be implemented by various communication connection types, such as a wired communication link, a wireless communication link, or a fiber optic cable.
The user may use the terminal devices 121, 122, 123, 124, and 125 to interact with the firewall 110 to receive or send messages, etc., to effect data transmission or processing. For example, the terminal device 121 sends service data to the terminal device 122; after receiving the sending request of the terminal device 121, the firewall 110 forwards the service data and encrypts it according to specific requirements, so that the service data finally reaching the terminal device 122 is secured. The terminal devices 121, 122, 123, 124, and 125 may have various messenger client applications installed thereon, such as a shopping-type application, a web browser application, a search-type application, an instant messenger, a mailbox client, social platform software, and the like (by way of example only).
Terminal devices 121, 122, 123, 124, and 125 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The firewall 110 may be any of various types of firewalls that provide various services, such as a filtering type firewall (for example only) that provides support for websites browsed by users using the terminal devices 121, 122, 123, 124, and 125. The filtering firewall can analyze and process received data such as user requests, examine the data based on the address of the data source, the protocol type and other marking characteristics, and determine whether the data may pass through, so that unsafe factors are filtered or blocked.
It should be noted that the data processing method provided by the embodiment of the present disclosure may be generally executed by the firewall 110. Accordingly, the data processing apparatus provided by the embodiments of the present disclosure may be generally disposed in the firewall 110. The data processing method provided by the embodiment of the present disclosure may also be performed by other firewalls different from the firewall 110 and capable of communicating with the terminal devices 121, 122, 123, 124, and 125 and/or the firewall 110. Accordingly, the data processing apparatus provided by the embodiment of the present disclosure may also be disposed in other firewalls different from the firewall 110 and capable of communicating with the terminal devices 121, 122, 123, 124 and 125 and/or the firewall 110.
It should be understood that the number of terminal devices and firewalls in FIG. 1 is merely illustrative. Any number of terminal devices and firewalls may be provided according to implementation needs.
Fig. 2 schematically shows a flow chart of a data processing method according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S210 to S240.
In operation S210, it is determined whether the acquired first task data requires an encryption/decryption operation.
According to the embodiment of the disclosure, the firewall may sequentially receive a plurality of task data sent by other devices, and the first task data may be any one of the plurality of task data. Each task data may be a single independent data packet, so the plurality of task data correspond to a plurality of independent data packets, and there may be a certain time interval between successive data packets; for example, the first task data and the second task data are separated by an interval Δt. The firewall may perform forwarding transmission, encryption processing, instruction execution, and the like on the task data. The tasks corresponding to each task data are different: for example, if there is OA (Office Automation) task data, the OA tasks are executed correspondingly, and if there is ERP (Enterprise Resource Planning) task data, the ERP tasks are executed correspondingly.
According to the embodiment of the disclosure, during the data forwarding process of the firewall, whether each of the plurality of task data requires encryption and decryption processing is determined according to the user's preset requirement for that task data, and not all task data need to be encrypted and decrypted. For example, among 10 task data with an interval Δt between adjacent task data, only the first task data and the sixth task data may need to be encrypted and decrypted. The preset requirement can be a user requirement for the forwarding processing of the task data, and the encryption and decryption requirement of the task data is defined before the task data is sent to the firewall. The encryption and decryption operations include encryption processing and/or decryption processing of the task data.
Then, in operation S220, in the case that it is determined that the first task data needs to be subjected to the encryption and decryption operation, the first task data is sent to the encryption and decryption unit for the encryption and decryption operation.
For example, when the first task data needs to be encrypted and decrypted, the encryption and decryption unit may be called to perform the encryption and decryption operation of the first task data, and the calling of the encryption and decryption unit may refer to, for example, sending the first task data to the encryption and decryption unit.
According to an embodiment of the present disclosure, the encryption and decryption unit may be used to implement encryption and decryption operations of corresponding task data, and the encryption and decryption unit may be, for example, a hardware encryption card (also referred to as a cryptocard) or the like disposed in a firewall. The encryption and decryption unit may receive the first task data and perform an encryption and decryption operation on the first task data in a case where the first task data is received.
During the process of performing the encryption and decryption operation on the first task data by the encryption and decryption unit, the second task data positioned after the first task data may be acquired.
In operation S230, it is determined whether the second task data acquired during the encryption and decryption operation on the first task data needs to be subjected to the encryption and decryption operation.
According to an embodiment of the present disclosure, the second task data may be an independent data packet that arrives at an interval Δt after the first task data. The encryption and decryption unit may process the task data that need the encryption and decryption operation successively, that is, one at a time.
In operation S240, in case that it is determined that the second task data does not need to be subjected to the encryption and decryption operation, the second task data is subjected to the forwarding process.
According to the embodiment of the disclosure, not every task data in the plurality of task data needs to be encrypted and decrypted. When the first task data is being encrypted and decrypted and the second task data does not need to be encrypted and decrypted, the second task data can be forwarded directly without waiting for the first task data to finish the encryption and decryption process. The forwarding processing meets the task requirement corresponding to each task data: for example, the OA task data are forwarded to the OA task data processing unit, and the ERP task data are forwarded to the ERP task data processing unit.
Based on the data processing method, the firewall performs the data encryption and decryption operation by asynchronously calling the hardware encryption card, so that the processing of the second task data is no longer limited by the working state of the encryption card, and the data can be processed directly when no encryption and decryption is needed, thereby reducing the forwarding delay caused by waiting for the data returned by the encryption card and improving the data processing efficiency. In addition, calling the encryption card asynchronously can raise its working frequency, reduce its idle time, and improve its utilization rate, which further improves the data processing efficiency.
According to an embodiment of the present disclosure, determining whether the first task data needs to be encrypted and decrypted includes: analyzing the first task data to obtain configuration information of the first task data; and determining whether the first task data needs to be subjected to encryption and decryption operations based on the configuration information.
According to the embodiment of the disclosure, a data packet corresponding to each task data includes multiple layers of data, such as an application layer, an IP layer, a transport layer, and a MAC layer, etc., where the application layer includes data to be processed, the IP layer includes an IP address corresponding to the data to be processed, the transport layer includes a port number corresponding to the data to be processed, and the MAC layer includes a MAC address corresponding to the data to be processed, where configuration information of the task data is data information such as an IP address, a port number, and a MAC address of a non-application layer such as the IP layer, the transport layer, and the MAC layer, and further, for example, an OA data packet corresponding to the OA task data includes the OA data to be processed. The IP layer contains an IP address, e.g., 192.168.255.255, corresponding to the data to be processed. The transport layer includes a port number corresponding to the data to be processed, for example, if the port corresponding to the IP address is numbered by 16 bits, the port number may be one of numbers from 0 to 65595, for example, the port number 100. The MAC layer contains the MAC address corresponding to the data to be processed, for example, if the length of the MAC address is 48 bits, the MAC address is represented by 12 16-ary numbers, for example, 00-16-EA-AE-3C-40. The configuration information of the OA task data is IP: 192.168.255.255, port number 100 and MAC: 00-16-EA-AE-3C-40, and the actual data to be processed is the data of the application layer. The parsing of the first task data is essentially an extraction of configuration information of the first task data. Based on the method, the extraction of the configuration information of the first task data is realized.
According to the embodiment of the disclosure, the configuration information of the first task data is matched with preset configuration information, where the preset configuration information is data information such as an IP address, a port number, and a MAC address of a non-application layer such as an IP layer, a transport layer, and a MAC layer in the corresponding task data. According to an embodiment of the present disclosure, it may be defined that when one or more items of configuration information of the first task data are the same as the corresponding one or more items of the preset configuration information, it is determined that the first task data needs to be encrypted and decrypted. For example, the first task data is OA task data whose IP-layer IP address is 192.168.255.255, and in the preset configuration information of the corresponding OA task data the preset IP-layer IP address is 192.168.255.255; that is, one item of configuration information of the first task data is the same as one item of the preset configuration information, and it is determined that the first task data needs to be encrypted and decrypted. Similarly, the first task data may be OA task data whose IP-layer IP address is 192.168.255.255 and whose MAC address is 00-16-EA-AE-3C-40, and in the preset configuration information of the corresponding OA task data the preset IP-layer IP address is 192.168.255.255 and the MAC address is 00-16-EA-AE-3C-40; that is, a plurality of items of configuration information of the first task data are the same as a plurality of items of the preset configuration information, and it is determined that the first task data needs to be encrypted and decrypted. Otherwise, it is determined that the first task data does not require an encryption and decryption operation. In this way, whether the first task data is to be subjected to the encryption and decryption operation is determined.
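The parsing and matching steps described above, as an added example that is not part of the patent text: it splits an Ethernet II / IPv4 / TCP-or-UDP frame into configuration information and application-layer payload, then applies the "one or more items" rule. The function names, the choice of destination fields, and the stricter `require_all` variant are assumptions of this example; the sample frames are constructed.

```python
import ipaddress
import struct

# Preset configuration for the OA task, using the values quoted in the text.
PRESET_OA = {"ip": "192.168.255.255", "port": 100, "mac": "00-16-EA-AE-3C-40"}


def parse_task(frame: bytes):
    """Split a frame into (config, payload).

    config holds only non-application-layer fields; payload is the
    application-layer data that would be handed to the encryption unit.
    Assumption: the destination MAC/IP/port are the fields of interest.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IPv4 lengths")
    ip = ip[:total_len]                      # ignore any Ethernet padding
    proto, l4 = ip[9], ip[ihl:]
    if proto == 17:                          # UDP: fixed 8-byte header
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        hdr_len = 8
    elif proto == 6:                         # TCP: header length from data offset
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        hdr_len = (l4[12] >> 4) * 4
        if hdr_len < 20 or hdr_len > len(l4):
            raise ValueError("bad TCP data offset")
    else:
        raise ValueError("only TCP and UDP are handled in this example")
    config = {
        "mac": "-".join(f"{b:02X}" for b in dst_mac),
        "ip": str(ipaddress.IPv4Address(ip[16:20])),
        "port": struct.unpack("!H", l4[2:4])[0],
    }
    return config, l4[hdr_len:]


def needs_crypto(config, preset, require_all=False):
    """Any-item match as described in the text; require_all is a stricter
    variant added by this example, not part of the disclosure."""
    hits = [config.get(key) == value for key, value in preset.items()]
    if not hits:
        return False
    return all(hits) if require_all else any(hits)


def build_udp_frame(dst_mac, dst_ip, dst_port, payload):
    """Build a constructed test frame (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac.replace("-", "")) + bytes(6) + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("10.0.0.5").packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + udp


def demo():
    """Classify three constructed frames against PRESET_OA."""
    oa = build_udp_frame("00-16-EA-AE-3C-40", "192.168.255.255", 100, b"OA report")
    mac_only = build_udp_frame("00-16-EA-AE-3C-40", "10.1.1.1", 8080, b"other")
    unrelated = build_udp_frame("AA-BB-CC-00-00-01", "10.1.1.1", 8080, b"other")
    results = []
    for frame in (oa, mac_only, unrelated):
        config, _payload = parse_task(frame)
        results.append((needs_crypto(config, PRESET_OA),
                        needs_crypto(config, PRESET_OA, require_all=True)))
    return results


if __name__ == "__main__":
    print(demo())
```

Under the any-item rule, the second constructed frame is sent to the encryption unit although only its MAC address matches the preset; under `require_all=True` it is forwarded unencrypted, so the choice of rule decides which traffic leaves the device in plaintext.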
According to an embodiment of the present disclosure, the data processing method further includes: acquiring state information of an encryption and decryption unit, wherein the state information comprises a ready state and a non-ready state; the ready state represents that the encryption and decryption unit finishes the encryption and decryption operation related to the first task data, and the non-ready state represents that the encryption and decryption unit does not finish the encryption and decryption operation related to the first task data.
According to the embodiment of the disclosure, during the encryption and decryption operation of the first task data by the encryption and decryption unit, the encryption and decryption unit is in a busy state. If the second task data also needs to be encrypted and decrypted, the encryption and decryption unit is in a non-ready state corresponding to the second task data to be processed subsequently. At this time, if the encryption and decryption unit is called based on the encryption and decryption operation request of the second task data, the port of the encryption and decryption unit rejects the request, and the non-ready state of the encryption and decryption unit can be known. Similarly, if the encryption/decryption unit has completed the process of performing the encryption/decryption operation on the first task data, the encryption/decryption unit is in an idle state, and for the second task data to be processed subsequently, the encryption/decryption unit is in a ready state. At this time, if the encryption/decryption unit is called based on the encryption/decryption operation request of the second task data, the port of the encryption/decryption unit receives the request, and the ready state of the encryption/decryption unit can be known. Therefore, the asynchronous calling of the encryption card can improve the working frequency of the encryption card, reduce the idle time of the encryption card, improve the utilization rate of the encryption card and further improve the data processing efficiency.
According to the embodiment of the disclosure, in the case that the state information is in the ready state, first encryption and decryption data corresponding to the first task data are obtained from the encryption and decryption unit; and forwarding the first encryption and decryption data.
After acquiring the encryption and decryption operation request of the first task data, the encryption and decryption unit, if in the ready state, receives the first task data and performs encryption and decryption processing on it. Specifically, the encryption and decryption unit includes an encryption card (crypto card). The encryption card performs encryption and decryption processing on the data to be processed (plaintext or ciphertext) of the application layer of the first task data to obtain the encrypted and decrypted data (ciphertext or plaintext) of the application layer corresponding to the first task data; the corresponding configuration information in the first task data may be left unprocessed. The first task data processed by the encryption and decryption unit is the preliminary encryption and decryption data, which includes the original data to be processed (plaintext or ciphertext) and the encryption and decryption data (ciphertext or plaintext). For example, if the original data to be processed is a plaintext, the preliminary encryption and decryption data after the encryption and decryption operation is the original plaintext + the ciphertext corresponding to the plaintext.
The original data to be processed (plaintext or ciphertext) is then deleted from the preliminary encryption and decryption data, and the remaining encryption and decryption data (ciphertext or plaintext) is combined with the configuration information of the original first task data to obtain the first encryption and decryption data. For example, the first task data is OA task data, where the OA task data includes to-be-processed data of an application layer and OA configuration information (an IP address of an IP layer, a port number of a transport layer, and a MAC address of a MAC layer). If it is determined that the OA task data needs an encryption and decryption operation, for example, an encryption operation, the to-be-processed data corresponds to plaintext L. After the OA task data is sent to the encryption and decryption unit for the encryption operation, the plaintext L is encrypted into a ciphertext M. The preliminary encryption and decryption data corresponding to the OA task data is plaintext L + ciphertext M + OA configuration information. The plaintext L is deleted from the preliminary encryption and decryption data, so that the first encryption and decryption data corresponding to the OA task data is ciphertext M + OA configuration information. Therefore, the embodiment of the present disclosure completes the encryption and decryption operations on the first task data, and obtains the corresponding first encryption and decryption data.
The forwarding processing is to meet task requirements corresponding to each task data, for example, the OA task data are correspondingly forwarded to the OA task data processing unit, and the ERP task data are correspondingly forwarded to the ERP task data processing unit. The forwarding processing efficiency of the first encryption and decryption data is improved.
According to the embodiment of the disclosure, under the condition that the second task data needs to be encrypted and decrypted, responding to the non-ready state of the state information, sending the second task data to the buffer unit for buffer storage and defining the encryption and decryption operation sequence; and responding to the state information as a ready state, and sending the second task data to the encryption and decryption unit for encryption and decryption operation.
When the first task data is being encrypted and decrypted, that is, when the encryption and decryption unit is in a non-ready state, if it is determined that the second task data needs to be encrypted and decrypted, the second task data needs to be sent to the buffer unit for storage so as to wait for a ready state response of the encryption and decryption unit. Meanwhile, the calling sequence of the encryption and decryption unit is defined based on the second task data stored by the buffer unit. The buffer unit can be a buffer storage area in the form of a buffer file, a linked list, and the like. The buffer storage area can define a single execution sequence for the plurality of buffered task data to be processed, or sequentially number each task data entering the buffer storage area; after the ready state request of the encryption and decryption unit is obtained, the task data can be called one by one according to their sequential numbers and sent to the encryption and decryption unit for encryption and decryption operation. This facilitates asynchronous handling of the results returned by the encryption and decryption unit during data forwarding, reduces the forwarding delay, and improves the forwarding efficiency.
Fig. 3A schematically shows a block composition diagram of a data processing apparatus 300 according to an embodiment of the present disclosure. Another aspect of the present disclosure provides a data processing apparatus, as shown in fig. 3A, the data processing apparatus 300 including:
an encryption and decryption determining module 310, configured to determine whether the obtained first task data needs to be encrypted and decrypted; under the condition that the first task data is determined to need to be encrypted and decrypted, send the first task data to an encryption and decryption unit for encryption and decryption; and determine whether the encryption and decryption operation needs to be carried out on the second task data acquired in the process of carrying out the encryption and decryption operation on the first task data; and
a data processing module 320, configured to forward the second task data under the condition that the second task data is determined not to need to be encrypted and decrypted.
According to an embodiment of the present disclosure, the encryption/decryption determining module 310 may invoke an encryption/decryption unit, where the encryption/decryption unit may be used to implement encryption/decryption operations on corresponding task data, and the encryption/decryption unit may specifically be an encryption card (a password card) in a firewall, and the like. The encryption and decryption unit may directly call the first task data, or receive the first task data when receiving an encryption and decryption operation requirement of the first task data, and perform an encryption and decryption operation on the first task data when receiving the first task data. The encryption and decryption unit may perform a successive process on each of the plurality of pieces of task data that need to be subjected to the encryption and decryption operation, and the successive process may process the plurality of pieces of task data that need to be subjected to the encryption and decryption operation one by one.
According to the embodiment of the disclosure, not every task data in the plurality of task data needs to be encrypted and decrypted. When the first task data is being encrypted and decrypted and the second task data does not need to be encrypted and decrypted, the second task data does not need to wait for the first task data to complete the encryption and decryption process and can be directly forwarded through the data processing module 320. In the forwarding processing, the data processing module 320 forwards each task data according to its corresponding task requirement; for example, it forwards the OA task data to the OA task data processing unit and the ERP task data to the ERP task data processing unit.
Fig. 3B schematically shows another block composition diagram of the data processing apparatus 300 according to an embodiment of the present disclosure. As shown in fig. 3B, in addition to the encryption/decryption determining module 310 and the data processing module 320, a status monitoring module 330, a data buffering module 340, and an encryption/decryption operation module 350 may be included. The encryption and decryption operation module 350 includes an encryption and decryption unit, which is used to implement encryption and decryption operations on corresponding task data. The status monitoring module 330 is used to obtain whether the encryption/decryption unit is performing the encryption/decryption operation process. The data buffering module 340 may be configured to, during the encryption and decryption operation performed on the first task data by the encryption and decryption unit, perform storage buffering on the second task data that needs to be encrypted and decrypted, so as to wait for the encryption and decryption operation performed on the first task data by the encryption and decryption unit to be completed.
Based on the data processing device, the method and the device realize that the hardware encryption card is called to encrypt and decrypt data in an asynchronous mode on software under the condition that the firewall of the network equipment keeps the deployment of the original hardware password card, so that the processing of the second data is not limited by the working state of the encryption card any more, and the data can be directly processed under the condition that the encryption and decryption are not needed, thereby reducing the forwarding delay caused by waiting for the data returned by the encryption card in the data processing process and improving the data processing efficiency. On the other hand, the asynchronous calling of the encryption card can improve the working frequency of the encryption card, reduce the idle time of the encryption card, improve the utilization rate of the encryption card and further improve the data processing efficiency.
Fig. 4 schematically shows a module interaction composition diagram of a data processing apparatus according to an embodiment of the present disclosure. As shown in fig. 4, according to the embodiment of the disclosure, the data processing apparatus 400 further includes a data obtaining module 410, and the data obtaining module 410 obtains each task data of the plurality of task data one by one according to the time interval Δ t, for example, the data obtaining module 410 obtains the second task data after the time interval Δ t after obtaining the first task data.
As shown in fig. 4, the encryption/decryption determining module 420 includes: a data parsing unit 421 and an encryption/decryption judging unit 422. The data analysis unit 421 is configured to analyze the first task data to obtain configuration information of the first task data; an encryption/decryption determining unit 422, configured to determine whether the first task data needs to be encrypted/decrypted based on the configuration information.
According to the embodiment of the disclosure, a data packet corresponding to each task data includes multiple layers of data, such as an application layer, an IP layer, a transport layer, and a MAC layer, etc., where the application layer includes data to be processed, the IP layer includes an IP address corresponding to the data to be processed, the transport layer includes a port number corresponding to the data to be processed, and the MAC layer includes a MAC address corresponding to the data to be processed, where configuration information of the task data is data information such as the IP address, the port number, and the MAC address of a non-application layer such as the IP layer, the transport layer, and the MAC layer. The data analysis unit 421 analyzes the first task data acquired by the data acquisition module 410, which is basically to extract the configuration information of the first task data, and the configuration information of the acquired first task data is corresponding analysis data. The data parsing unit sends the acquired configuration information of the first task data to the encryption/decryption determining unit 422 according to the retrieval request of the encryption/decryption determining unit 422.
According to the embodiment of the present disclosure, the encryption/decryption determining unit 422 matches the configuration information of the first task data acquired by the data analyzing unit 421 with preset configuration information, where the preset configuration information is data information such as an IP address, a port number, and a MAC address of a non-application layer such as an IP layer, a transport layer, and a MAC layer in the corresponding task data. According to the embodiment of the present disclosure, it may be defined that when one or more items of configuration information of the first task data are the same as the corresponding one or more items of the preset configuration information, it is determined that the encryption and decryption operations are required to be performed on the first task data; otherwise, it is determined that the encryption and decryption operations are not required to be performed on the first task data.
As shown in fig. 4, according to an embodiment of the present disclosure, the data processing apparatus further includes: a status monitoring module 440, configured to obtain status information of the encryption/decryption unit 451 of the encryption/decryption operation module 450, where the status information includes a ready status and a non-ready status of the encryption/decryption unit 451; wherein the ready state represents that the encryption and decryption unit 451 has completed an encryption and decryption operation with respect to the first task data, and the non-ready state represents that the encryption and decryption unit 451 has not completed an encryption and decryption operation with respect to the first task data.
According to the embodiment of the present disclosure, if the encryption/decryption unit 451 performs the encryption/decryption operation on the first task data, the encryption/decryption unit 451 is in a busy state, and if the encryption/decryption operation is also required on the second task data, the encryption/decryption unit 451 is in a non-ready state corresponding to the second task data to be processed subsequently. At this time, if the status monitoring module 440 calls the encryption/decryption unit 451 based on the encryption/decryption operation request for the second task data sent by the encryption/decryption determining unit 422, the port of the encryption/decryption unit 451 will reject the call request of the status monitoring module 440, that is, the status monitoring module 440 may know the non-ready status of the encryption/decryption unit. Similarly, if the encryption/decryption unit 451 has completed the encryption/decryption operation on the first task data, the encryption/decryption unit 451 is in an idle state, and the encryption/decryption unit 451 is in a ready state corresponding to the second task data to be processed subsequently. At this time, if the status monitoring module 440 calls the encryption/decryption unit 451 based on the encryption/decryption operation request of the second task data, the port of the encryption/decryption unit 451 receives the request from the status monitoring module 440, that is, the status monitoring module 440 can know the ready status of the encryption/decryption unit. Therefore, the asynchronous calling of the encryption card can improve the working frequency of the encryption card, reduce the idle time of the encryption card, improve the utilization rate of the encryption card and further improve the data processing efficiency.
As shown in fig. 4, according to the embodiment of the present disclosure, the encryption/decryption operation module 450 is configured to obtain, from the encryption/decryption unit 451, the first encrypted/decrypted data corresponding to the first task data when the state information is in the ready state; the encryption/decryption operation module 450 is also configured to forward the first encrypted/decrypted data.
Specifically, the encryption/decryption operation module 450 includes: an encryption/decryption unit 451, and a forwarding processing unit 452. After acquiring the encryption/decryption operation request for the first task data from the encryption/decryption determining unit 422, the encryption/decryption unit 451, if in the ready state, receives the first task data and performs encryption/decryption processing on it. Specifically, the encryption/decryption unit 451 includes an encryption card (or a crypto card), where the encryption card performs encryption/decryption processing on the data to be processed (plaintext or ciphertext) in the application layer of the first task data to obtain the encrypted/decrypted data (ciphertext or plaintext) in the application layer corresponding to the first task data; the corresponding configuration information in the first task data may be left unprocessed. The first task data processed by the encryption and decryption unit 451 is the preliminary encryption and decryption data, which includes the original data to be processed (plaintext or ciphertext) and the encryption and decryption data (ciphertext or plaintext). For example, if the original data to be processed is a plaintext, the preliminary encryption and decryption data after the encryption and decryption operation is the original plaintext + the ciphertext corresponding to the plaintext.
The original data to be processed (plaintext or ciphertext) is then deleted from the preliminary encryption and decryption data, and the remaining encryption and decryption data (ciphertext or plaintext) is combined with the configuration information of the original first task data to obtain the first encryption and decryption data. Therefore, the encryption and decryption operations of the first task data are completed, and the corresponding first encryption and decryption data are obtained.
The forwarding processing unit 452 performs forwarding according to the task requirement corresponding to each task data: it forwards the obtained first encrypted and decrypted data to the data processing module 460 for the corresponding re-forwarding operation, and the data processing module 460 performs the corresponding forwarding processing; for example, OA task data is forwarded to the OA task data processing unit, and ERP task data is forwarded to the ERP task data processing unit. In addition, the forwarding processing unit 452 may also directly implement the forwarding processing function corresponding to the data processing module 460, and forward the first encrypted and decrypted data according to the corresponding task type.
According to the embodiment of the disclosure, the data buffering module 430, in response to the state information being in the non-ready state, sends the second task data to the buffering unit 431 for buffering and defining the encryption and decryption operation sequence in the case that it is determined that the second task data needs to be subjected to the encryption and decryption operation; the encryption and decryption operation module 450 is further configured to send the second task data to the encryption and decryption unit for encryption and decryption operation in response to the state information being in the ready state.
During the encryption and decryption operation performed on the first task data by the encryption and decryption unit 451 of the encryption and decryption operation module 450, that is, while the state monitoring module 440 can learn that the encryption and decryption unit 451 is in a non-ready state, if the encryption and decryption determining unit 422 of the encryption and decryption determining module 420 determines that the second task data needs to be encrypted and decrypted, the encryption and decryption determining unit 422 needs to send the second task data to the buffer unit 431 of the data buffer module 430 for storage, to wait for the ready state response of the encryption and decryption unit 451 that the state monitoring module 440 sends to the data buffer module 430. Meanwhile, the calling order of the encryption/decryption unit 451 is defined based on the buffer unit 431. The buffer unit 431 may be a buffer storage area in the form of a buffer heap, a linked list, etc. The buffer storage area may define a single execution order for the plurality of buffered task data to be processed, or may sequentially number each task data entering the buffer storage area. For example, the buffer storage area is a linked list with a size of 16 that can store 16 task data. After the second task data enters the buffer storage area, it may be defined as the No. 0 task data to be encrypted and decrypted; the third task data, the fourth task data, the fifth task data, … to the seventeenth task data, which enter the buffer storage area in sequence, may be defined by the buffer storage area in turn as the No. 1, No. 2, No. 3, … to No. 15 task data to be encrypted and decrypted.
Accordingly, based on the defined order of the to-be-encrypted/decrypted task data by the buffer unit 431, the encryption/decryption unit 451 of the encryption/decryption operation module 450 executes the calls to the to-be-encrypted/decrypted task data one by one in the defined order after the ready state. That is, after acquiring the ready-state request from the encryption/decryption unit 451, the buffer unit 431 may call the task data one by one according to the sequence number of each task data and send the task data to the encryption/decryption unit 451 to perform the encryption/decryption operation.
According to the embodiment of the present disclosure, as shown in fig. 4, the data obtaining module 410 first obtains the first task data, and sends the first task data to the data parsing unit 421 of the encryption and decryption determining module 420 to parse the first task data and the configuration information thereof, after obtaining the first task data and the configuration information thereof, the encryption and decryption determining unit 422 matches the configuration information of the first task data with the configuration information preset in the encryption and decryption determining unit 422 to determine whether to perform an encryption and decryption operation on the first task data. If the first task data does not need to be encrypted and decrypted, the encryption and decryption determining unit 422 directly sends the first task data to the data processing module 460 for forwarding. If the first task data needs to be encrypted and decrypted, the encryption and decryption determining unit 422 sends the first task data to the encryption and decryption unit 451 of the encryption and decryption operation module 450 for encryption and decryption, obtains the first encrypted and decrypted data, and sends the first encrypted and decrypted data to the data processing module 460 through the forwarding unit 452 of the encryption and decryption operation module 450 for forwarding.
The data obtaining module 410 obtains second task data at an interval time Δ t from the first task data, and sends the second task data to the data parsing unit 421 of the encryption and decryption determining module 420 to parse the second task data and the configuration information thereof, and after obtaining the second task data and the configuration information thereof, the encryption and decryption determining unit 422 matches the configuration information of the second task data with the configuration information preset in the encryption and decryption determining unit 422 to determine whether to perform encryption and decryption operations on the second task data. If the encryption and decryption operation on the second task data is not needed, the encryption and decryption determining unit 422 directly sends the second task data to the data processing module 460 for forwarding.
If the encryption and decryption operation needs to be performed on the first task data, the encryption and decryption determining unit 422 sends the second task data to the encryption and decryption unit 451 of the encryption and decryption operation module 450 for encryption and decryption operation according to the ready state information of the encryption and decryption unit 451 acquired by the state monitoring module 440, acquires the second encryption and decryption data, and sends the second encryption and decryption data to the data processing module 460 through the forwarding processing unit 452 of the encryption and decryption operation module 450 for forwarding.
If the encryption and decryption operations on the first task data are required, then according to the non-ready state information of the encryption and decryption unit 451 acquired by the state monitoring module 440, that is, while the first task data is still being encrypted and decrypted in the encryption and decryption unit 451, the encryption and decryption determining unit 422 sends the second task data to the buffer unit 431 of the data buffer module 430 for storage and defines the encryption and decryption operation sequence. When the state monitoring module 440 learns that the encryption and decryption unit 451 is in a ready state, that is, the encryption and decryption operations of the first task data in the encryption and decryption unit 451 are completed, the buffering unit 431 sends the second task data to the encryption and decryption unit 451 according to the defined encryption and decryption operation sequence for performing the encryption and decryption operations. After the forwarding processing of the second task data is completed, the data processing apparatus continues to process the subsequent task data accordingly. With the forwarding efficiency thus improved, the data processing device can make full use of the encryption and decryption unit when forwarding data.
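The asynchronous flow described for the method (buffer unit and ready/non-ready state) and for the apparatus of fig. 4, as an added simulation that is not part of the patent text. Class and method names are assumptions of this example, the cipher is a labelled placeholder because the disclosure does not specify the card's algorithm, and dropping a task when the 16-entry buffer is full is this example's fail-closed assumption, since the disclosure does not say what happens on overflow.

```python
from collections import deque


def placeholder_cipher(data: bytes) -> bytes:
    # Placeholder for the card's algorithm, which the text does not specify.
    # XOR with a constant is NOT encryption; it only makes the result differ.
    return bytes(b ^ 0x5A for b in data)


class CryptoUnit:
    """Stand-in for the encryption card: handles one task at a time."""

    def __init__(self, transform=placeholder_cipher):
        self.transform = transform
        self.current = None

    def submit(self, task) -> bool:
        if self.current is not None:
            return False              # request rejected: non-ready state
        self.current = task
        return True                   # request accepted: ready state

    def complete(self) -> dict:
        """Card finishes; returns the preliminary data (original + result)."""
        if self.current is None:
            raise RuntimeError("no operation in progress")
        task, self.current = self.current, None
        return {"config": task["config"],
                "original": task["payload"],
                "result": self.transform(task["payload"])}


class Dispatcher:
    def __init__(self, unit, needs_crypto, capacity=16):
        self.unit = unit
        self.needs_crypto = needs_crypto
        self.capacity = capacity
        self.buffer = deque()         # (sequence number, task), FIFO order
        self.next_seq = 0
        self.forwarded = []           # everything that leaves the device
        self.dropped = []

    def on_task(self, task) -> str:
        if not self.needs_crypto(task["config"]):
            # Bypass: forwarded at once, even while the card is busy.
            self.forwarded.append((task["config"], task["payload"]))
            return "forwarded"
        if not self.buffer and self.unit.submit(task):
            return "submitted"
        if len(self.buffer) >= self.capacity:
            # Assumption: fail closed. Data that must be encrypted is never
            # forwarded in the clear just because the buffer is full.
            self.dropped.append(task)
            return "dropped"
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.buffer.append((seq, task))
        return f"buffered:{seq}"

    def on_card_done(self):
        prelim = self.unit.complete()
        # Delete the original data; keep result + configuration information.
        self.forwarded.append((prelim["config"], prelim["result"]))
        if self.buffer:               # card is ready again: lowest number first
            _seq, task = self.buffer.popleft()
            self.unit.submit(task)


def run_demo():
    protected = {"ip": "192.168.255.255", "port": 100, "mac": "00-16-EA-AE-3C-40"}
    other = {"ip": "10.1.1.1", "port": 8080, "mac": "AA-BB-CC-00-00-01"}  # constructed
    d = Dispatcher(CryptoUnit(), lambda cfg: cfg["ip"] == protected["ip"])
    trace = [d.on_task({"config": protected, "payload": b"first"}),
             d.on_task({"config": other, "payload": b"second"}),
             d.on_task({"config": protected, "payload": b"third"})]
    sent_while_busy = list(d.forwarded)
    d.on_card_done()                  # first task done, third goes to the card
    d.on_card_done()                  # third task done
    return trace, sent_while_busy, d.forwarded


if __name__ == "__main__":
    print(run_demo())
```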
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the encryption/decryption determination module 420, the data buffering module 430, the status monitoring module 440, and the encryption/decryption operation module 450 may be combined into one module to be implemented, or any one of the modules may be divided into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the encryption/decryption determination module 420, the data buffer module 430, the status monitoring module 440, and the encryption/decryption operation module 450 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or any suitable combination of any of them. Alternatively, at least one of the encryption/decryption decision module 420, the data buffering module 430, the status monitoring module 440, and the encryption/decryption operation module 450 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
Another aspect of the present disclosure provides a network device, including: one or more processors; a storage device for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the data processing method as described above.
Fig. 5 schematically shows a block diagram of a network device according to an embodiment of the disclosure. The network device shown in fig. 5 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, a network device 500 according to an embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the network device 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, network device 500 may also include an input/output (I/O) interface 505, which is also connected to bus 504. Network device 500 may also include one or more of the following components connected to I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 505 as necessary. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the network device of the embodiments of the present disclosure when executed by the processor 501. According to an embodiment of the present disclosure, the above-described apparatuses, devices, modules, units, and the like may be realized by computer program modules.
Another aspect of the present disclosure provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement a data processing method as described above. The computer-readable storage medium may be embodied in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Another aspect of the disclosure provides a computer program product comprising computer readable instructions, wherein the computer readable instructions are adapted to perform the data processing method described above when executed.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A data processing method, comprising:
determining whether the acquired first task data needs to be encrypted and decrypted;
under the condition that the first task data is determined to need to be encrypted and decrypted, the first task data is sent to an encryption and decryption unit for encryption and decryption;
determining whether the second task data acquired in the process of performing encryption and decryption operations on the first task data needs to be subjected to encryption and decryption operations; and
under the condition that the second task data is determined not to need encryption and decryption operation, forwarding the second task data.
2. The data processing method of claim 1, wherein the determining whether the first task data requires a cryptographic operation comprises:
analyzing the first task data to obtain configuration information of the first task data; and
determining whether the first task data needs to be encrypted and decrypted based on the configuration information.
3. The data processing method of claim 1, further comprising:
acquiring state information of the encryption and decryption unit, wherein the state information comprises a ready state and a non-ready state;
wherein the ready state indicates that the encryption and decryption unit has completed an encryption and decryption operation on the first task data, and the non-ready state indicates that the encryption and decryption unit has not completed an encryption and decryption operation on the first task data.
4. The data processing method of claim 3,
under the condition that the state information is in a ready state, first encryption and decryption data corresponding to the first task data are obtained from the encryption and decryption unit;
and forwarding the first encryption and decryption data.
5. The data processing method of claim 3,
in the case where it is determined that the second task data requires an encryption/decryption operation,
responding to the state information as a non-ready state, sending the second task data to a buffer unit for buffer storage and defining an encryption and decryption operation sequence;
and responding to the state information as a ready state, and sending the second task data to an encryption and decryption unit for encryption and decryption operation.
6. A data processing apparatus, comprising:
the encryption and decryption judging module is used for determining whether the acquired first task data needs to be subjected to encryption and decryption operation; under the condition that the first task data is determined to need to be encrypted and decrypted, the first task data is sent to an encryption and decryption unit for encryption and decryption; determining whether the second task data acquired in the process of performing encryption and decryption operations on the first task data needs to be subjected to encryption and decryption operations; and
the data processing module is used for forwarding the second task data under the condition that the second task data does not need to be encrypted and decrypted.
7. The data processing apparatus according to claim 6, wherein the encryption/decryption determination module includes:
the data analysis unit is used for analyzing the first task data to obtain configuration information of the first task data;
and the encryption and decryption judging unit is used for determining whether the first task data needs to be subjected to encryption and decryption operation or not based on the configuration information.
8. A network device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the data processing method of any of claims 1-5.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the data processing method of any one of claims 1 to 5.
10. A computer program product comprising computer readable instructions, wherein the computer readable instructions, when executed, are for performing the data processing method of any of claims 1-5.
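A minimal simulation of the dispatch flow in claims 1 to 5, as an added example that is not part of the patent text or the applicant's implementation. The class names, the `crypto` configuration key, the tick-based timing, the XOR placeholder transform and the assumption that the unit starts in the ready state are all illustrative choices, not taken from the patent.

```python
from collections import deque
from dataclasses import dataclass

READY, NOT_READY = "ready", "non-ready"  # unit states named in claim 3

@dataclass
class Task:
    name: str
    payload: bytes
    config: dict  # stand-in for the parsed "configuration information" (claim 2)

class CryptoUnit:  # simulated offload engine: one task at a time, `latency` ticks each
    def __init__(self, latency=3):
        self.latency, self.state, self._left = latency, READY, 0
        self._task = self._result = None

    def submit(self, task):
        if self.state != READY:
            raise RuntimeError("unit is non-ready")
        self._task, self._left, self.state = task, self.latency, NOT_READY

    def tick(self):
        if self.state == NOT_READY:
            self._left -= 1
            if self._left == 0:
                # Placeholder transform so the output visibly differs; NOT real encryption.
                data = bytes(b ^ 0x5A for b in self._task.payload)
                self._result, self.state = (self._task.name, data), READY

    def collect(self):
        result, self._result = self._result, None
        return result

class Dispatcher:
    def __init__(self, unit):
        self.unit = unit
        self.buffer = deque()  # FIFO: fixes the order of pending operations (claim 5)
        self.forwarded = []    # (name, bytes) in the order they leave the device

    def on_task(self, task):
        if not task.config.get("crypto", False):
            self.forwarded.append((task.name, task.payload))  # bypass, no waiting
        elif self.unit.state == READY and not self.buffer:
            self.unit.submit(task)
        else:
            self.buffer.append(task)  # unit non-ready: queue behind earlier work

    def poll(self):
        self.unit.tick()
        if self.unit.state == READY:
            result = self.unit.collect()  # claim 4: fetch the result, then forward it
            if result is not None:
                self.forwarded.append(result)
            if self.buffer:
                self.unit.submit(self.buffer.popleft())

def run_demo():
    d = Dispatcher(CryptoUnit(latency=3))
    arrivals = [  # constructed sample traffic: (arrival tick, task)
        (0, Task("A", b"secret-1", {"crypto": True})),
        (1, Task("B", b"plain-1", {"crypto": False})),
        (1, Task("C", b"secret-2", {"crypto": True})),
        (2, Task("D", b"plain-2", {"crypto": False})),
    ]
    for tick in range(8):
        for task in (t for when, t in arrivals if when == tick):
            d.on_task(task)
        d.poll()
    return d.forwarded
```

Tasks B and D leave the device before A even though A arrived first, so any consumer that depends on arrival order across the two paths has to restore it downstream.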
CN201911423076.4A 2019-12-31 2019-12-31 Data processing method and device, network equipment and readable storage medium Active CN111163102B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911423076.4A CN111163102B (en) 2019-12-31 2019-12-31 Data processing method and device, network equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911423076.4A CN111163102B (en) 2019-12-31 2019-12-31 Data processing method and device, network equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN111163102A (en) 2020-05-15
CN111163102B (en) 2022-02-25

Family

ID=70560588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911423076.4A Active CN111163102B (en) 2019-12-31 2019-12-31 Data processing method and device, network equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN111163102B (en)

Also Published As

Publication number Publication date
CN111163102B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: Qianxin Technology Group Co.,Ltd.

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee before: Qianxin Technology Group Co.,Ltd.

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
