CN111371798A - Data security transmission method, system, device and storage medium - Google Patents

Info

Publication number
CN111371798A
Authority
CN
China
Prior art keywords
link encryption
encryption gateway
gateway
link
message
Legal status
Pending
Application number
CN202010173296.2A
Other languages
Chinese (zh)
Inventor
杨超
Current Assignee
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Publication of CN111371798A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Abstract

The application provides a data security transmission method, system, device and storage medium, and relates to the technical field of network security. The method is applied to a first link encryption gateway that is communicatively connected with one or more terminals and with a second link encryption gateway, and comprises the following steps: receiving a first encrypted message sent by a terminal; determining that the first encrypted message passes authentication; decrypting the first encrypted message to obtain a first decrypted message; encrypting the first decrypted message based on an encryption mode agreed with the second link encryption gateway to obtain a second encrypted message; and sending the second encrypted message to the second link encryption gateway through the secure channel between the first link encryption gateway and the second link encryption gateway, so that the second link encryption gateway decrypts the second encrypted message and sends the resulting decrypted message to the server. In this method a plurality of terminals share one link encryption gateway, and an independent link encryption gateway does not need to be arranged at each terminal, so that the hardware cost is reduced.

Description

Data security transmission method, system, device and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, an apparatus, and a storage medium for secure data transmission.
Background
Under a traditional branch-and-headquarters networking architecture there is data interaction between a branch and the headquarters. As shown in fig. 1, PC1 accesses the headquarters server, and for security the data between PC1 and the headquarters server needs to be encrypted. A common means of encryption is to establish an IPsec VPN by enabling the IPsec VPN function on the egress routers, for example an IPsec (Internet Protocol Security) VPN (Virtual Private Network) between router 1 and router 2. After the IPsec VPN is established, however, a tunnel protocol header and a header containing the tunnel endpoint source address and tunnel endpoint destination address are added, which brings the following adverse effects: the packet is lengthened and the bandwidth overhead increases, on the one hand because a tunnel protocol header is added and on the other hand because a tunnel endpoint address header is also added; security devices such as firewalls may be deployed on the transmission path and, for security reasons, may be configured to let only the original packet before encapsulation pass and to block the encapsulated packet; and because the IPsec VPN is deployed on the routers, the transmission of the packet between PC1 and router 1 and between router 2 and the headquarters server is not protected, which in a sense is a security risk.
In order to solve the above problems, a "link encryption" scheme has been proposed in the prior art; put simply, this scheme is intended to remove several of the adverse effects brought by IPsec VPN deployment. The deployment is shown in fig. 2: encryption boxes, namely link encryption gateway 1, link encryption gateway 2 and link encryption gateway 3, are deployed at the two communication endpoints so that end-to-end encryption is achieved, information such as encryption keys is managed uniformly by a controller, and the deployment is kept as simple as possible.
However, in the above prior-art "link encryption" scheme a link encryption gateway is deployed in front of each terminal. Once there are many terminals in a network, the hardware deployment cost increases considerably compared with a traditional network deployment, so the scheme has the problem of high deployment cost.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a method, a system, a device, and a storage medium for secure data transmission to solve the problem of high deployment cost in the prior art.
The embodiment of the application provides a data security transmission method applied to a first link encryption gateway that is communicatively connected with one or more terminals and with a second link encryption gateway, the second link encryption gateway being communicatively connected with a server side. The method comprises the following steps: receiving a first encrypted message sent by the terminal; determining that the first encrypted message passes authentication; decrypting the first encrypted message to obtain a first decrypted message; encrypting the first decrypted message based on an encryption mode agreed with the second link encryption gateway to obtain a second encrypted message; and sending the second encrypted message to the second link encryption gateway, so that the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message and sends the second decrypted message to the server.
In the implementation mode, the first link encryption gateway can be connected with a plurality of terminals, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, meanwhile, the data transmission between the terminal and the first link encryption gateway is also guaranteed safely, and the data transmission safety is further improved.
Optionally, the first link encryption gateway is further communicatively connected to a controller, and before receiving the first encrypted packet sent by the terminal the method further includes: sending first registration information to the controller; and receiving the first key information and second key information that the controller sends when the first link encryption gateway is allowed to access, so that the first link encryption gateway and the terminal communicate based on the first key information, and the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
In the implementation mode, the controller is used for generating and issuing the key information of the secure channel among the terminal, the first link encryption gateway and the second link encryption gateway, so that the security of data transmission can be improved, and meanwhile, the uniformity and the standard of the data secure transmission can be improved by carrying out tunnel transmission based on the standard of the controller, so that the overall security is improved.
Optionally, the first key information includes a first authentication algorithm and a first authentication key, the first encrypted packet includes a first encapsulation header, and the first encapsulation header includes first security control information and first authentication information that the terminal computed over the first encrypted packet with the first authentication algorithm and the first authentication key; determining that the first encrypted packet passes authentication then includes: determining, based on the first authentication information and the first security control information, that the first encrypted packet passes authentication.
In the implementation mode, the security authentication is performed on the encrypted message first, so that the security of data transmission is further improved, and the first encapsulation head of the first encrypted message is used for performing the security authentication, so that the first link encryption gateway can independently perform the security authentication on the message data transmitted from the multiple terminals, and the security of the messages transmitted from the multiple terminals can be simultaneously ensured.
Optionally, the first key information further includes a first encryption algorithm and a first encryption key, and decrypting the first encrypted packet to obtain the first decrypted packet includes: obtaining, from the first security control information, the first encryption algorithm used for the first encrypted packet, and decrypting the first encrypted packet with that algorithm and the locally stored first encryption key to obtain the first decrypted packet.
In the above implementation manner, the first link encryption gateway obtains the first encryption algorithm used by the first encryption message from the first security control information at the header of the first encryption message, and can decrypt the encryption messages transmitted from the multiple terminals according to the locally stored first key information corresponding to the first encryption algorithm, so that the first link encryption gateway can simultaneously process the data transmission requirements of the multiple terminals.
Optionally, the second key information includes a second encryption algorithm and a second encryption key, and encrypting the first decrypted packet based on the encryption mode agreed with the second link encryption gateway to obtain the second encrypted packet includes: encrypting the first decrypted packet with the second encryption algorithm under the second encryption key to obtain the second encrypted packet.
In the implementation manner, the first link encryption gateway can uniformly encrypt the decryption messages corresponding to the plurality of terminals through the second key information stored locally and then transmit the decryption messages to the second link encryption gateway, so that the first link encryption gateway can simultaneously process the data transmission requirements of the plurality of terminals to the server.
The embodiment of the present application further provides a data secure transmission method applied to a second link encryption gateway that is communicatively connected with a server, the second link encryption gateway also being communicatively connected with a first link encryption gateway. The method includes: receiving a second encrypted message sent by the first link encryption gateway; determining that the second encrypted message passes authentication; decrypting the second encrypted message to obtain a second decrypted message; and sending the second decrypted message to the server.
In the implementation manner, the first link encryption gateway can be connected with a plurality of terminals, and then the second link encryption gateway transmits the messages of the plurality of terminals received by the first link encryption gateway to the server side, so that an independent link encryption gateway does not need to be equipped for each terminal, the hardware cost is reduced, meanwhile, the data transmission between the server side and the second link encryption gateway is also ensured, and the data transmission safety is further improved.
Optionally, the second link encryption gateway is further communicatively connected to a controller, and before receiving the second encrypted packet sent by the first link encryption gateway the method further includes: sending second registration information to the controller; and receiving the second key information that the controller sends when the second link encryption gateway is allowed to access, so that the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
In the implementation mode, the controller issues the key information to perform the secure communication between the first link encryption gateway and the terminal and the secure communication between the first link encryption gateway and the second link encryption gateway, so that the standard property and the uniformity of the secure communication are improved, the secure communication mode from a plurality of terminals to the first link encryption gateway can be uniformly performed, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, and the data transmission security is improved.
Optionally, the second key information includes a second authentication algorithm and a second authentication key, the second encrypted packet includes a second encapsulation header, and the second encapsulation header includes second security control information and second authentication information that the first link encryption gateway computed over the second encrypted packet with the second authentication algorithm and the second authentication key; determining that the second encrypted packet passes authentication then includes: determining, based on the second authentication information and the second security control information, that the second encrypted packet passes authentication.
In the implementation manner, the security authentication is performed on the encrypted message received by the second link encryption gateway, so that the security of data transmission is further improved.
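The two-hop relay described for the first and second link encryption gateways above, as an added example that is not code from the patent or from the assignee: the terminal encapsulates a packet with the first key information (encryption algorithm and key, authentication algorithm and key), the first gateway authenticates the packet from the security control information and authentication information in its encapsulation header before decrypting it, then re-encapsulates the plaintext with the second key information for the second gateway, which in turn authenticates, decrypts and hands the plaintext to the server. The header layout, the algorithm identifiers and the HMAC-SHA256-based stand-in cipher are assumptions of this example; a deployment would use whatever algorithms the controller provisions.

```python
"""Two-hop link-encryption relay: terminal -> first gateway -> second gateway -> server.
Added example, not the patent's code. Packet layout, algorithm identifiers and the
HMAC-based stand-in cipher are assumptions made for this example."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed algorithm identifiers carried in the security control information.
ENC_ALG_HMAC_CTR = 1      # stand-in stream cipher: counter-mode keystream from HMAC-SHA256
AUTH_ALG_HMAC_SHA256 = 1  # authentication algorithm: HMAC-SHA256, tag truncated to TAG_LEN
TAG_LEN = 16
NONCE_LEN = 12
# Encapsulation header (constructed layout): security control information = encryption
# algorithm id, authentication algorithm id, per-packet nonce; then the tag; then ciphertext.
CONTROL_FMT = ">BB12s"
CONTROL_LEN = struct.calcsize(CONTROL_FMT)


@dataclass(frozen=True)
class KeyInfo:
    """Key information as the page describes it: an algorithm and a key for each purpose."""
    enc_alg: int
    enc_key: bytes
    auth_alg: int
    auth_key: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the agreed encryption algorithm (a real deployment would use an AEAD)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(ki: KeyInfo, control: bytes, ct: bytes) -> bytes:
    # Authentication information covers header and ciphertext (encrypt-then-MAC).
    return hmac.new(ki.auth_key, control + ct, hashlib.sha256).digest()[:TAG_LEN]


def encapsulate(plain: bytes, ki: KeyInfo) -> bytes:
    """Encrypt, then authenticate: encapsulation header + tag + ciphertext."""
    if ki.enc_alg != ENC_ALG_HMAC_CTR or ki.auth_alg != AUTH_ALG_HMAC_SHA256:
        raise ValueError("unsupported algorithm in key information")
    nonce = os.urandom(NONCE_LEN)
    control = struct.pack(CONTROL_FMT, ki.enc_alg, ki.auth_alg, nonce)
    ct = _xor(plain, _keystream(ki.enc_key, nonce, len(plain)))
    return control + _tag(ki, control, ct) + ct


def decapsulate(pkt: bytes, ki: KeyInfo) -> bytes:
    """Authenticate first, then decrypt; any failure rejects the packet."""
    if len(pkt) < CONTROL_LEN + TAG_LEN:
        raise ValueError("truncated packet")
    control = pkt[:CONTROL_LEN]
    tag = pkt[CONTROL_LEN:CONTROL_LEN + TAG_LEN]
    ct = pkt[CONTROL_LEN + TAG_LEN:]
    enc_alg, auth_alg, nonce = struct.unpack(CONTROL_FMT, control)
    # The header names the algorithms; they must match the locally held key information.
    if enc_alg != ki.enc_alg or auth_alg != ki.auth_alg:
        raise ValueError("algorithm in header does not match local key information")
    if not hmac.compare_digest(_tag(ki, control, ct), tag):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(ki.enc_key, nonce, len(ct)))


class LinkEncryptionGateway:
    """First gateway: decapsulate with the inbound key info, re-encapsulate with the outbound
    one. Second gateway (outbound=None): decapsulate and hand the plaintext to the server."""

    def __init__(self, inbound: KeyInfo, outbound: Optional[KeyInfo] = None):
        self.inbound = inbound
        self.outbound = outbound

    def relay(self, pkt: bytes) -> bytes:
        plain = decapsulate(pkt, self.inbound)
        return plain if self.outbound is None else encapsulate(plain, self.outbound)


def fresh_key_info() -> KeyInfo:
    return KeyInfo(ENC_ALG_HMAC_CTR, os.urandom(32), AUTH_ALG_HMAC_SHA256, os.urandom(32))


def relay_end_to_end(payloads: List[bytes]) -> List[bytes]:
    """Several terminals share one first gateway; returns what the server receives."""
    first_key, second_key = fresh_key_info(), fresh_key_info()
    gw1 = LinkEncryptionGateway(inbound=first_key, outbound=second_key)
    gw2 = LinkEncryptionGateway(inbound=second_key)
    return [gw2.relay(gw1.relay(encapsulate(p, first_key))) for p in payloads]


def tampered_packet_rejected() -> bool:
    """A flipped ciphertext bit must fail authentication at the first gateway."""
    first_key = fresh_key_info()
    gw1 = LinkEncryptionGateway(inbound=first_key, outbound=fresh_key_info())
    pkt = bytearray(encapsulate(b"PC1 -> headquarters server", first_key))
    pkt[-1] ^= 0x01
    try:
        gw1.relay(bytes(pkt))
    except ValueError:
        return True
    return False
```

The tag is checked in constant time before any decryption, so a packet whose header or ciphertext has been altered is dropped at the first gateway and never reaches the second. Because the stand-in cipher is a stream cipher, the per-packet nonce in the header must never repeat under one key; an AEAD in the agreed-algorithm slot gives the same guarantees with less to get wrong.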
The embodiment of the present application further provides a data secure transmission method, which is applied to a controller that is in communication connection with a terminal, a first link encryption gateway, and a second link encryption gateway, respectively, where the method includes: receiving first registration information sent by the first link encryption gateway; after the first registration information is verified, sending first key information used for communication between the first link encryption gateway and the terminal to the first link encryption gateway; receiving second registration information sent by the second link encryption gateway; and after the second registration information passes the verification, sending second key information used for communication between the second link encryption gateway and the server side to the second link encryption gateway.
In the implementation mode, the controller issues the key information to the link encryption gateway to realize the secure tunnel communication, so that the standard property and the uniformity of the secure communication are improved, the communication standard from a plurality of terminals to the first link encryption gateway and the secure communication standard from the first link encryption gateway and the second link encryption gateway can be uniformly carried out, an independent link encryption gateway is not required to be arranged for each terminal, the hardware cost is reduced, and the data transmission security is improved.
Optionally, before sending the first key information for communication between the first link encryption gateway and the terminal to the first link encryption gateway, the method further includes: receiving terminal registration information sent by the terminal; and after the terminal registration information passes verification, sending to the terminal the network address of the first link encryption gateway that is closest to the terminal among the link encryption gateways, together with the first key information for communicating with that first link encryption gateway.
In the implementation mode, the controller issues the key information comprising the algorithm and the key to the plurality of terminals to realize the safe communication between the first link encryption gateway and the terminals, and the safe communication between the first link encryption gateway and the second link encryption gateway, so that the standard property and the uniformity of the safe communication are improved, the safe communication mode from the plurality of terminals to the first link encryption gateway can be uniformly carried out, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, and the data transmission safety is improved.
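The controller procedure of the preceding paragraphs (registration of the two gateways and of a terminal, issuing of the first and second key information, and pointing the terminal at the nearest first link encryption gateway), as an added example that is not code from the patent: registration information is verified against an enrollment secret provisioned out of band, a first gateway that passes receives both the first and the second key information, a second gateway receives the second key information, and a terminal receives the address of the nearest first gateway together with that gateway's first key information. The HMAC registration proof, the site/hop-count notion of "nearest", the device identifiers and the addresses are all constructed assumptions of this example.

```python
"""Controller side: verify registration information, issue key information, and point each
terminal at the nearest first link encryption gateway. Added example, not the patent's code;
the registration proof, the site/hop topology, identifiers and addresses are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class KeyInfo:
    enc_alg: int      # algorithm identifiers here are constructed placeholders
    enc_key: bytes
    auth_alg: int
    auth_key: bytes


@dataclass(frozen=True)
class Registration:
    device_id: str
    role: str         # "first_gateway", "second_gateway" or "terminal"
    site: str         # where the device sits; used to choose the nearest gateway (assumption)
    address: str      # address a gateway advertises to terminals ("" for a terminal)
    nonce: bytes      # fresh per registration so the controller can reject replays
    proof: bytes      # HMAC over the fields under the device's enrollment secret (assumption)


def _reg_bytes(device_id: str, role: str, site: str, address: str, nonce: bytes) -> bytes:
    return b"|".join([device_id.encode(), role.encode(), site.encode(), address.encode(), nonce])


def sign_registration(device_id: str, role: str, site: str, address: str, secret: bytes) -> Registration:
    """Builds the registration information a device sends to the controller."""
    nonce = os.urandom(16)
    proof = hmac.new(secret, _reg_bytes(device_id, role, site, address, nonce), hashlib.sha256).digest()
    return Registration(device_id, role, site, address, nonce, proof)


class Controller:
    def __init__(self, enrollment_secrets: Dict[str, bytes], hops: Dict[Tuple[str, str], int]):
        self.secrets = enrollment_secrets         # device_id -> secret provisioned out of band
        self.hops = hops                          # (terminal site, gateway site) -> hop count
        self.seen_nonces: Set[bytes] = set()
        self.first_keys: Dict[str, KeyInfo] = {}  # per first gateway: terminal <-> gateway key info
        self.second_key = self._fresh_key()       # first gateway <-> second gateway key info
        self.first_gateways: Dict[str, Tuple[str, str]] = {}  # device_id -> (address, site)

    @staticmethod
    def _fresh_key() -> KeyInfo:
        return KeyInfo(1, os.urandom(32), 1, os.urandom(32))

    def _verified(self, reg: Registration) -> bool:
        """Passes if the device is enrolled, the proof matches and the nonce has not been seen."""
        secret = self.secrets.get(reg.device_id)
        if secret is None or reg.nonce in self.seen_nonces:
            return False
        data = _reg_bytes(reg.device_id, reg.role, reg.site, reg.address, reg.nonce)
        if not hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).digest(), reg.proof):
            return False
        self.seen_nonces.add(reg.nonce)
        return True

    def register_gateway(self, reg: Registration) -> Optional[dict]:
        """A first gateway receives first and second key info; a second gateway only the second."""
        if reg.role not in ("first_gateway", "second_gateway") or not self._verified(reg):
            return None
        if reg.role == "first_gateway":
            ki = self.first_keys.setdefault(reg.device_id, self._fresh_key())
            self.first_gateways[reg.device_id] = (reg.address, reg.site)
            return {"first_key": ki, "second_key": self.second_key}
        return {"second_key": self.second_key}

    def register_terminal(self, reg: Registration) -> Optional[dict]:
        """A terminal receives the nearest first gateway's address and that gateway's first key info."""
        if reg.role != "terminal" or not self.first_gateways or not self._verified(reg):
            return None
        nearest = min(self.first_gateways, key=lambda g: self.hops.get(
            (reg.site, self.first_gateways[g][1]), float("inf")))
        return {"gateway_address": self.first_gateways[nearest][0], "first_key": self.first_keys[nearest]}


def demo() -> dict:
    """Constructed deployment: two branch gateways, one headquarters gateway, one terminal."""
    secrets = {d: os.urandom(32) for d in ("gw-a", "gw-b", "gw-hq", "pc1")}
    hops = {("branch-b", "branch-b"): 0, ("branch-b", "branch-a"): 3}
    ctl = Controller(secrets, hops)
    ctl.register_gateway(sign_registration("gw-a", "first_gateway", "branch-a", "10.1.0.1", secrets["gw-a"]))
    ctl.register_gateway(sign_registration("gw-b", "first_gateway", "branch-b", "10.2.0.1", secrets["gw-b"]))
    hq = ctl.register_gateway(sign_registration("gw-hq", "second_gateway", "hq", "10.9.0.1", secrets["gw-hq"]))
    pc1_reg = sign_registration("pc1", "terminal", "branch-b", "", secrets["pc1"])
    pc1 = ctl.register_terminal(pc1_reg)
    forged = ctl.register_terminal(sign_registration("pc1", "terminal", "branch-b", "", b"not the secret"))
    replayed = ctl.register_terminal(pc1_reg)
    return {
        "nearest_gateway": pc1["gateway_address"],
        "terminal_key_matches_gateway": pc1["first_key"] == ctl.first_keys["gw-b"],
        "gateways_share_second_key": hq["second_key"] == ctl.second_key,
        "forged_rejected": forged is None,
        "replay_rejected": replayed is None,
    }
```

The controller is the single point that decides who may join the tunnel, so the registration check does the work the page attributes to "passing verification": an unenrolled device, a proof under the wrong secret, or a replayed registration all receive no key information. Keying the first key information per first gateway means the terminal gets exactly the key the gateway it is pointed at will use to authenticate and decrypt its packets.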
The embodiment of the application also provides a data secure transmission system, which comprises a first link encryption gateway, a second link encryption gateway and a controller, wherein the first link encryption gateway is in communication connection with one or more terminals, the second link encryption gateway is in communication connection with the first link encryption gateway and a server side, and the controller is in communication connection with the first link encryption gateway, the second link encryption gateway and the one or more terminals; the first link encryption gateway is used for executing the data secure transmission method; the second link encryption gateway is used for executing the data secure transmission method; the controller is used for executing the data security transmission method.
In the implementation mode, the first link encryption gateway can be connected with a plurality of terminals through the arrangement of the data security transmission system, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, meanwhile, the data transmission between the terminal and the first link encryption gateway and between the first link encryption gateway and the second link encryption gateway is also guaranteed safely, and the security of the data transmission is further improved.
The embodiment of the present application further provides a data security transmission device applied to a first link encryption gateway connected to one or more terminals through tunnel communication, where the first link encryption gateway is further communicatively connected to a second link encryption gateway and the second link encryption gateway is communicatively connected to a server side. The device includes: a first receiving module, configured to receive a first encrypted message sent by the terminal; a first authentication module, configured to determine that the first encrypted message passes authentication; a first decryption module, configured to decrypt the first encrypted message to obtain a first decrypted message; a first encryption module, configured to encrypt the first decrypted message based on an encryption mode agreed with the second link encryption gateway to obtain a second encrypted message; and a first sending module, configured to send the second encrypted message to the second link encryption gateway, so that the second decrypted message obtained by the second link encryption gateway decrypting the second encrypted message is sent to the server.
In the implementation mode, the first link encryption gateway can be connected with a plurality of terminals, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, meanwhile, the data transmission between the terminal and the first link encryption gateway is also guaranteed safely, and the data transmission safety is further improved.
Optionally, the data security transmission apparatus further includes: the first registration module is used for sending first registration information to the controller; and receiving first key information and second key information which are sent by the controller when the first link encryption gateway is allowed to access, so that the first link encryption gateway and the terminal communicate based on the first key information, and the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
In the implementation mode, the controller is used for generating and issuing the key information of the secure channel among the terminal, the first link encryption gateway and the second link encryption gateway, so that the efficiency and the safety of data transmission can be improved, and meanwhile, the uniformity and the standard of data secure transmission can be improved by carrying out tunnel transmission based on the standard of the controller, so that the overall safety is improved.
Optionally, the first key information includes a first authentication algorithm and a first authentication key, the first encrypted packet includes a first encapsulation header, and the first encapsulation header includes first security control information and first authentication information that the terminal computed over the first encrypted packet with the first authentication algorithm and the first authentication key; the first authentication module is specifically configured to: determine, based on the first authentication information and the first security control information, that the first encrypted packet passes authentication.
In the implementation mode, the security authentication is performed on the encrypted message, so that the security of data transmission is further improved, and the first encapsulation head of the first encrypted message is used for performing the security authentication, so that the first link encryption gateway can independently perform the security authentication on the message data transmitted from the multiple terminals, and the security of the messages transmitted from the multiple terminals can be simultaneously ensured.
Optionally, the first key information further includes a first encryption algorithm and a first encryption key, and the first decryption module is specifically configured to: and acquiring the first encryption algorithm corresponding to the first encrypted message according to the first security control information, and decrypting the first encrypted message by adopting the first encryption algorithm according to the local first encryption key to obtain the first decrypted message.
In the above implementation manner, the first link encryption gateway can decrypt the encrypted messages transmitted from the multiple terminals through the locally stored first key information, so that the first link encryption gateway can process the data transmission requirements of the multiple terminals at the same time.
Optionally, the second key information includes a second encryption algorithm and a second encryption key, and the first encryption module is specifically configured to: encrypt the first decrypted message with the second encryption algorithm under the second encryption key to obtain the second encrypted message.
In the implementation manner, the first link encryption gateway can uniformly encrypt the decryption messages corresponding to the plurality of terminals through the second key information stored locally and then transmit the decryption messages to the second link encryption gateway, so that the first link encryption gateway can simultaneously process the data transmission requirements of the plurality of terminals to the server.
The embodiment of the present application further provides a data security transmission apparatus, which is applied to a second link encryption gateway in communication connection with a server, where the second link encryption gateway is also in communication connection with a first link encryption gateway, and the apparatus includes: a second receiving module, configured to receive a second encrypted packet sent by the first link encryption gateway; the second authentication module is used for determining that the second encrypted message passes the authentication; the second decryption module is used for decrypting the second encrypted message to obtain a second decrypted message; and the second sending module is used for sending the second decryption message to the server.
In the implementation manner, the first link encryption gateway can be connected with a plurality of terminals, and then the second link encryption gateway transmits the messages of the plurality of terminals received by the first link encryption gateway to the server side, so that an independent link encryption gateway does not need to be equipped for each terminal, the hardware cost is reduced, meanwhile, the data transmission between the server side and the second link encryption gateway is also ensured, and the data transmission safety is further improved.
Optionally, the data security transmission apparatus further includes: a second registration module, configured to send second registration information to the controller and to receive the second key information that the controller sends when the second link encryption gateway is allowed to access, so that the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
In the implementation mode, the controller issues the key information to perform the secure communication between the first link encryption gateway and the terminal and the secure communication between the first link encryption gateway and the second link encryption gateway, so that the standard property and the uniformity of the secure communication are improved, the secure communication mode from a plurality of terminals to the first link encryption gateway can be uniformly performed, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, and the data transmission security is improved.
Optionally, the second key information includes a second authentication algorithm and a second authentication key, the second encrypted packet includes a second encapsulation header, and the second encapsulation header includes second security control information and second authentication information that the first link encryption gateway computed over the second encrypted packet with the second authentication algorithm and the second authentication key; the second authentication module is specifically configured to: determine, based on the second authentication information and the second security control information, that the second encrypted packet passes authentication.
In the implementation manner, the security authentication is performed on the encrypted message received by the second link encryption gateway, so that the security of data transmission is further improved.
The embodiment of the present application further provides a data security transmission device, which is applied to a controller in communication connection with a terminal, a first link encryption gateway and a second link encryption gateway, respectively, and the device includes: a registration information receiving module, configured to receive first registration information sent by the first link encryption gateway; a key information sending module, configured to send, to the first link encryption gateway, first key information used for communication between the first link encryption gateway and the terminal after the first registration information is verified; the registration information receiving module is further configured to receive second registration information sent by the second link encryption gateway; the key information sending module is further configured to send, to the second link encryption gateway, second key information used for communication between the second link encryption gateway and the server side after the second registration information is verified.
In the implementation mode, the controller issues the key information to the link encryption gateway to realize the secure tunnel communication, so that the standard property and the uniformity of the secure communication are improved, the communication standard from a plurality of terminals to the first link encryption gateway and the communication standard from the first link encryption gateway and the second link encryption gateway can be uniformly carried out, an independent link encryption gateway is not required to be arranged for each terminal, the hardware cost is reduced, and the data transmission security is improved.
An embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores program instructions, and the processor executes steps in any one of the above implementation manners when reading and executing the program instructions.
An embodiment of the present application further provides a storage medium, where computer program instructions are stored in the storage medium, and when the computer program instructions are read and executed by a processor, the steps in any one of the above implementation manners are performed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 is a schematic diagram illustrating a branch-and-head networking architecture in the prior art;
FIG. 2 is a block diagram illustrating a branch-and-head networking architecture of a prior art link encryption scheme;
FIG. 3 is a schematic structural diagram of a data secure transmission system according to an embodiment of the present application;
FIG. 4 is a schematic flowchart illustrating network configuration steps of a secure data transmission system according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a packet according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of authentication information provided in an embodiment of the present application;
FIG. 7 is a schematic flowchart of a data secure transmission method applied to a first link encryption gateway according to an embodiment of the present application;
FIG. 8 is a schematic flowchart of a data secure transmission method applied to a second link encryption gateway according to an embodiment of the present application;
FIG. 9 is a schematic block diagram of a data security transmission apparatus applied to a first link encryption gateway according to an embodiment of the present application;
FIG. 10 is a schematic block diagram of a data security transmission apparatus applied to a second link encryption gateway according to an embodiment of the present application;
FIG. 11 is a block diagram of a data security transmission apparatus applied to a controller according to an embodiment of the present disclosure.
Reference numerals: 10-a data secure transmission system; 11-a first link encryption gateway; 12-a second link encryption gateway; 13-a controller; 50-a data secure transmission device; 51-a first receiving module; 52-a first authentication module; 53-a first decryption module; 54-a first encryption module; 55-a first sending module; 60-a data secure transmission device; 61-a second receiving module; 62-a second authentication module; 63-a second decryption module; 64-a second sending module; 70-a data secure transmission device; 71-a registration information receiving module; 72-a key information sending module.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The applicant's research found that, under the existing branch-headquarters networking architecture, secure data transmission between a branch and headquarters is achieved by placing an independent link encryption gateway at each terminal taking part in data exchange, which makes hardware cost high; alternatively, secure transmission is provided directly by software on the terminal without a link encryption gateway connected to the terminal, which leaves security problems and is unsuitable for data transmission scenarios with high security requirements.
To solve the above problems, an embodiment of the present invention provides a data secure transmission system 10, please refer to fig. 3, and fig. 3 is a schematic structural diagram of the data secure transmission system according to the embodiment of the present invention.
The data secure transmission system 10 includes a first link encryption gateway 11, a second link encryption gateway 12, and a controller 13. The data secure transmission system 10 is configured to perform data transmission between a branch and a head office in a branch-and-head office networking architecture, where the branch-and-head office networking architecture generally includes a plurality of terminal devices such as a terminal device PC (Personal Computer) 1 and a terminal device PC2, a switch, a first router, a second router, and a head office server, and in the branch-and-head office networking architecture, the PC1 and the PC2 sequentially pass through the switch and the first router, are connected to the second router based on the internet, and are then connected to the head office server in a communication manner through the second router. The first link encryption gateway 11 in the data secure transmission system 10 is communicatively connected to a plurality of terminals such as a PC1 and a PC2, respectively, and is also communicatively connected to the second link encryption gateway 12, the controller 13 is communicatively connected to the first link encryption gateway 11 and the second link encryption gateway 12, and a plurality of terminals such as a PC1 and a PC2, respectively, and the second link encryption gateway 12 is also communicatively connected to a service terminal such as a headquarters service terminal.
It should be understood that the terminal device may be an electronic device such as a smartphone, a processor, or the like, in addition to a general personal computer. The first link encryption gateway 11 and the second link encryption gateway 12 may be link gateways of applicable types and brands, so that the terminal device may connect to internal network resources in a branch-and-head office network through the internet using an encrypted connection without configuring a virtual private network connection, while providing a point-to-point RDP (remote Desktop Protocol) instead of allowing a remote user to access all internal network resources, thereby improving network security. The controller 13 may be a server providing one or more functions of network system management, control, visualization, policy control, service orchestration, and the like, and is a platform for supporting a network system management control service by a user, for example, an Intelligent Control Center (ICC) of the applicant. The headquarters service can be a server capable of performing functions such as data transmission and arithmetic processing.
First, a terminal and a link encryption gateway need to complete registration on a controller 13, and issue related information for the terminal to perform secure data communication with a first link encryption gateway 11, and issue related information for the first link encryption gateway 11 to perform secure data communication with a second link encryption gateway 12, please refer to fig. 4, where fig. 4 is a schematic flow chart of network configuration steps of a data security transmission system provided in an embodiment of the present application, and the specific steps may include:
step S21: the controller statically configures access authentication information of all terminals and link encryption gateways of the whole network.
The terminal uses the link encryption software to automatically discover, through the controller 13, the address of the link encryption gateway nearest to it (the first link encryption gateway 11 in this embodiment), establishes an end-to-end tunnel with that gateway through the link encryption software, and uses the tunnel for secure data transmission. The link encryption gateway therefore only adds an encryption information header to the message; it does not add a tunnel endpoint header and does not change the source and destination addresses of the original message, which reduces bandwidth consumption. The encapsulation of data sent by the terminal is consistent with that of a conventional link encryption gateway: the original message header is not modified, a message carrying the encryption information header can still pass through a firewall, no new security risk is introduced, and data transmission from the terminal to the hardware link encryption gateway is also protected.
The access authentication information may include a software version number of the link encryption, a Media Access Control (MAC) Address of the terminal, and the like.
Step S22: the controller opens the access service port and waits for the access of the terminal and the link encryption gateway.
Step S23: and the terminal, the first link encryption gateway and the second link encryption gateway respectively send registration information to the controller.
The registration information of the terminal, the first link encryption gateway 11, and the second link encryption gateway 12 generally corresponds to the access authentication information, and may include an IP (Internet Protocol) address, port information, and a device MAC address of the above device, and may also include hardware information such as a memory and a hard disk, and version information of the own link encryption software.
Step S24: the controller verifies the registration information against the access authentication information. After the registration information passes verification, it sends verification-passed information to the terminal, the first link encryption gateway and the second link encryption gateway; sends the terminal the network address of the link encryption gateway closest to it (the first link encryption gateway) together with the first key information; sends the first key information and the second key information to the first link encryption gateway; and sends the second key information to the second link encryption gateway, so that the first link encryption gateway and the terminal communicate based on the first key information, and the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
It should be noted that there may be a plurality of first key information and second key information sent by the controller.
The link encryption gateway closest to the terminal is generally the one with the fewest hops to the terminal or the shortest message delivery time; it may be determined, for example but not exclusively, by the link encryption software from a learned and stored network topology map together with PING response-time tests.
The first key information includes a first encryption algorithm, a first encryption key, a first authentication algorithm, a first authentication key, and the like, and the second key information includes a second encryption algorithm, a second encryption key, a second authentication algorithm, a second authentication key, and the like. The terminal encrypts a message to be sent to the server side by using a first encryption algorithm and a first encryption key to obtain a first encrypted message, encrypts the first encrypted message by using a first authentication algorithm and a first authentication key to obtain first authentication information, and adds information of the first authentication algorithm and the first authentication information in first security control information of the first encrypted message.
The first link encryption gateway 11 determines the first authentication algorithm from the first security control information, locally determines the first authentication key corresponding to that algorithm, authenticates the first encrypted message using the first authentication algorithm and the first authentication key, decrypts the first encrypted message using the first encryption algorithm and the first encryption key to obtain a first decrypted message, encrypts the first decrypted message using the second encryption algorithm and the second encryption key to obtain a second encrypted message, computes second authentication information over the second encrypted message using the second authentication algorithm and the second authentication key, adds the second authentication algorithm and the second authentication information to the second security control information of the second encrypted message, and sends the second encrypted message to the second link encryption gateway 12.
The second link encryption gateway 12 locally determines a second authentication key corresponding to the second authentication algorithm based on the second authentication algorithm in the second security control information, authenticates the second encrypted message by using the second authentication algorithm and the second authentication key, decrypts the second encrypted message by using the second encryption algorithm and the second encryption key to obtain a second decrypted message, and sends the second decrypted message to the server.
It should be understood that the first key information issued by the controller 13 may include multiple sets of authentication algorithms and authentication keys, which may be, but are not limited to, authentication algorithms and authentication keys based on algorithms such as SHA1, SHA2, SHA256, or MD5, and the terminal selects an appropriate authentication algorithm and authentication key according to its own computing capability to sign the first encrypted message to obtain the first authentication information, and puts the first authentication information into the header of the first encrypted message. The second key information is the same as the first key information, and is not described herein again.
Alternatively, the data transmission between the first link encryption gateway 11 and the terminal and the data transmission between the first link encryption gateway 11 and the second link encryption gateway 12 in this embodiment may be based on a tunneling technique, which is a manner of transferring data between networks by using the infrastructure of the internet, and the data (or payload) transferred by using the tunneling may be data frames or packets of different protocols. The tunneling protocol re-encapsulates the data frames or packets of these other protocols in a new header for transmission. The new header provides routing information to enable the encapsulated payload data to be delivered over the internet.
After the network configuration of the data security transmission system 10 is completed according to the above steps, when the terminal needs to perform data transmission through the data security transmission system 10, the message is encrypted and encapsulated, and then the obtained first encrypted message is sent to the first link encryption gateway 11.
Referring to fig. 5, fig. 5 is a schematic diagram of a structure of a message according to an embodiment of the present application.
The source address of the message is the address of the terminal and the destination address is the address of the head office server; both remain unchanged after encapsulation. The encapsulated message consists of an Ethernet encapsulation header, an IP encapsulation header, a TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) encapsulation header, an SEC (Security Certificate) encapsulation header, and the TCP/UDP payload, that is, the fields of a normal message plus the SEC encapsulation header.
In this embodiment the SEC encapsulation header may be the first encapsulation header. It includes first authentication information (SEC Signature) and first security control information (SEC Control Information). The first authentication information is obtained by the terminal signing the entire encrypted packet with a first authentication algorithm and first authentication key, chosen according to its own computing capability from those specified in the first key information sent by the controller 13, and it is used to verify whether the packet was tampered with during transmission; the first security control information is used by the first link encryption gateway 11 for packet authentication, decryption and the like.
Specifically, please refer to fig. 6, where fig. 6 is a schematic structural diagram of an authentication information according to an embodiment of the present application.
Referring to table 1, table 1 shows an information composition of the first security control information.
After receiving the first encrypted message sent by the terminal, the first link encryption gateway 11 authenticates, decrypts and re-encrypts it, and then sends the result to the second link encryption gateway 12. Referring to fig. 7, fig. 7 is a schematic flowchart of the data security transmission method applied to the first link encryption gateway 11 according to an embodiment of the present application. The data security transmission method comprises the following specific steps:
step S31: the first link encryption gateway receives a first encryption message sent by a terminal.
Step S32: the first link encryption gateway determines that the first encrypted message is authenticated.
The first security control information includes the data used for security authentication, such as the authentication algorithm and the verification word length. A specific verification process may be as follows: the first link encryption gateway 11 determines, according to the first authentication algorithm in the first security control information of the first encrypted message, the first authentication key corresponding to that algorithm from the one or more authentication keys in the first key information obtained from the controller 13, computes authentication information (such as a security signature) over the first encrypted message using the first authentication key and the first authentication algorithm, and if this authentication information is the same as the first authentication information in the first security control information, the first encrypted message is determined to be authenticated; otherwise authentication fails.
Step S33: and the first link encryption gateway decrypts the first encrypted message to obtain a first decrypted message.
The above steps are to decrypt the TCP/UDP payload of the first encrypted message, and the specific decryption process is common knowledge in the encryption field, which is not described in detail in this embodiment.
Step S34: and the first link encryption gateway encrypts the first decryption message based on an encryption mode agreed with the second link encryption gateway to obtain a second encryption message.
Specifically, a first decrypted message (payload) is encrypted by using a second encryption algorithm and a second encryption key in second key information, then, based on the computing capability, a proper second authentication algorithm and a proper second authentication key are selected from the second key information to perform security authentication (such as security signature) on the whole encrypted message, and the security authentication information is supplemented into a second encapsulation header as second authentication information to obtain a second encrypted message.
Step S35: and the first link encryption gateway sends the second encrypted message to a second link encryption gateway so that the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message and sends the second decrypted message to the server.
The first link encryption gateway 11 sends the second encrypted message out of the device, and routes the second encrypted message to the second link encryption gateway 12, and the routing information planning belongs to a common technology in the communication field, which is not described in detail in this embodiment.
After receiving the second encrypted message, the second link encryption gateway 12 authenticates and decrypts it (the specific authentication and decryption steps are similar to those for the first encrypted message) and then sends the second decrypted message to the server. Referring to fig. 8, fig. 8 is a schematic flowchart of the data security transmission method applied to the second link encryption gateway according to an embodiment of the present application. The data security transmission method comprises the following specific steps:
step S41: and the second link encryption gateway receives a second encryption message sent by the first link encryption gateway.
Step S42: and the second link encryption gateway determines that the second encrypted message passes the authentication.
The second security control information includes data for performing security authentication, such as a second authentication algorithm, a verification word length, and the like, and a specific authentication process of the second security control information is the same as that of the first encryption message, which is not described herein again.
Step S43: and the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message.
The above steps are to decrypt the TCP/UDP payload of the second encrypted message, and the specific decryption process is common knowledge in the encryption field, which is not described in detail in this embodiment.
Step S44: and the second link encryption gateway sends the second decryption message to the server side.
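The registration and key issuance steps S21 to S24 and the gateway processing steps S31 to S44 above, as an added Python simulation that is not part of the patent or of the applicant's product: the SEC header layout, the algorithm identifiers, the HMAC-based stand-in payload cipher, and the sample MAC addresses and keys are all assumptions of this example. It models encrypt-then-sign on the sender, verify-before-decrypt on each gateway, and the source and destination addresses that stay unchanged end to end.

```python
import hashlib
import hmac
import os
import struct

# Assumed algorithm identifiers carried in the SEC control information; the
# page lists MD5/SHA1/SHA2 as candidate authentication algorithms.
AUTH_ALGS = {1: "md5", 2: "sha1", 3: "sha256"}

def make_key_info():
    """One 'key information' set: an encryption key plus one authentication
    key per offered algorithm (constructed random sample keys)."""
    return {"enc_key": os.urandom(32),
            "auth_keys": {alg_id: os.urandom(32) for alg_id in AUTH_ALGS}}

FIRST_KEY_INFO = make_key_info()    # terminal <-> first link encryption gateway
SECOND_KEY_INFO = make_key_info()   # first <-> second link encryption gateway

# Step S21: statically configured access authentication information
# (constructed MAC addresses and link encryption software version numbers).
ACCESS_TABLE = {
    "aa:bb:cc:00:00:01": ("terminal", "1.2"),
    "aa:bb:cc:00:00:11": ("first_gateway", "1.2"),
    "aa:bb:cc:00:00:12": ("second_gateway", "1.2"),
}
ISSUED = {"terminal": [FIRST_KEY_INFO],
          "first_gateway": [FIRST_KEY_INFO, SECOND_KEY_INFO],
          "second_gateway": [SECOND_KEY_INFO]}

def controller_register(registration):
    """Steps S23-S24: verify registration info against the static table and
    issue the key information for that role; returns None when rejected."""
    entry = ACCESS_TABLE.get(registration["mac"])
    if entry is None or entry[1] != registration["version"]:
        return None
    return ISSUED[entry[0]]

def keystream_xor(key, nonce, data):
    """Stand-in payload cipher (assumption: the page names no encryption
    algorithm): HMAC-SHA256 in counter mode used as a keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

# Assumed SEC header layout: control info = alg_id(1) | tag_len(1) | nonce(12),
# followed by the signature of tag_len bytes. It sits between the TCP/UDP
# header and the payload; the outer addresses are never rewritten.
CTRL_FMT = ">BB12s"
CTRL_LEN = struct.calcsize(CTRL_FMT)

def _outer(packet):
    return (packet["src"] + "|" + packet["dst"]).encode()

def encapsulate(key_info, alg_id, packet):
    """Sender side: encrypt the payload, then sign the whole encrypted
    message (encrypt-then-MAC) with the chosen authentication algorithm."""
    nonce = os.urandom(12)
    enc_payload = keystream_xor(key_info["enc_key"], nonce, packet["payload"])
    tag_len = hashlib.new(AUTH_ALGS[alg_id]).digest_size
    ctrl = struct.pack(CTRL_FMT, alg_id, tag_len, nonce)
    signed = _outer(packet) + ctrl + enc_payload
    tag = hmac.new(key_info["auth_keys"][alg_id], signed, AUTH_ALGS[alg_id]).digest()
    return {"src": packet["src"], "dst": packet["dst"],
            "sec": ctrl + tag, "payload": enc_payload}

def decapsulate(key_info, packet):
    """Receiver side (steps S32-S33 / S42-S43): look up the authentication key
    named by the control info, verify first, and only then decrypt."""
    sec = packet["sec"]
    if len(sec) < CTRL_LEN:
        raise ValueError("truncated SEC header")
    alg_id, tag_len, nonce = struct.unpack(CTRL_FMT, sec[:CTRL_LEN])
    if alg_id not in AUTH_ALGS or tag_len != hashlib.new(AUTH_ALGS[alg_id]).digest_size:
        raise ValueError("unknown authentication algorithm or bad tag length")
    ctrl, tag = sec[:CTRL_LEN], sec[CTRL_LEN:CTRL_LEN + tag_len]
    signed = _outer(packet) + ctrl + packet["payload"]
    expected = hmac.new(key_info["auth_keys"][alg_id], signed, AUTH_ALGS[alg_id]).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed; message dropped")
    plain = keystream_xor(key_info["enc_key"], nonce, packet["payload"])
    return {"src": packet["src"], "dst": packet["dst"], "payload": plain}

def first_gateway(packet):
    """Steps S31-S35: authenticate and decrypt with the first key info, then
    re-encrypt and re-sign with the second key info for the second gateway."""
    return encapsulate(SECOND_KEY_INFO, 3, decapsulate(FIRST_KEY_INFO, packet))

def second_gateway(packet):
    """Steps S41-S44: authenticate and decrypt, hand the plaintext to the server."""
    return decapsulate(SECOND_KEY_INFO, packet)

def run_path(plain_packet, terminal_alg=2):
    """Terminal -> first gateway -> second gateway -> server."""
    return second_gateway(first_gateway(encapsulate(FIRST_KEY_INFO, terminal_alg, plain_packet)))
```

A packet whose SEC signature does not verify is rejected before any decryption is attempted, and a packet signed under the first key information is rejected by the second gateway, which only holds the second key information.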
Optionally, in other embodiments, to secure data transmission between the second link encryption gateway 12 and the server, that transmission may be handled in the same way as the transmission between the first link encryption gateway 11 and the second link encryption gateway 12: the second link encryption gateway 12 re-encrypts the second decrypted packet before transmitting it to the server, and the server decrypts it to obtain the payload content.
As an optional implementation manner, as a manufacturer of link encryption equipment such as a link encryption gateway, a plurality of hardware link gateways may be further established on a network to form a secure link ring, different link encryption software of a plurality of customers may perform secure data transmission with the same hardware link encryption gateway, which is equivalent to that the cost of one link encryption gateway is distributed to a plurality of users, so that the cost can be further reduced.
In order to cooperate with the above-mentioned data security transmission method applied to the first link encryption gateway 11, the embodiment of the present application further provides a data security transmission device 50 applied to the first link encryption gateway.
Referring to fig. 9, fig. 9 is a block diagram illustrating a data security transmission apparatus applied to a first link encryption gateway according to an embodiment of the present disclosure.
The data security transmission device 50 includes:
a first receiving module 51, configured to receive a first encrypted message sent by a terminal;
a first authentication module 52, configured to determine that the first encrypted message passes authentication;
the first decryption module 53 is configured to decrypt the first encrypted message to obtain a first decrypted message;
the first encryption module 54 is configured to encrypt the first decrypted packet based on an agreed encryption mode with the second link encryption gateway to obtain a second encrypted packet;
the first sending module 55 is configured to send the second encrypted message to the second link encryption gateway, so that the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message, and sends the second decrypted message to the server.
Optionally, the data security transmission device 50 further includes: the first registration module is used for sending first registration information to the controller; receiving first key information and second key information which are sent by a controller when a first link encryption gateway is allowed to access; so that the first link encryption gateway and the terminal communicate based on the first key information, and the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
Optionally, the first key information includes a first authentication algorithm and a first authentication key, the first encrypted packet includes a first encapsulation header, the first encapsulation header includes first security control information and first authentication information obtained by encrypting, by the terminal, the first encrypted packet based on the first authentication algorithm and the first authentication key, and the first authentication module 52 is specifically configured to: and determining that the first encrypted message passes the authentication based on the first authentication information and the first security control information.
Optionally, the first key information includes a first encryption algorithm and a first encryption key, and the first decryption module 53 is specifically configured to: and acquiring the first encryption algorithm corresponding to the first encryption message based on the first safety control information, and decrypting the first encryption message by adopting the first encryption algorithm according to the local first encryption key to obtain a first decrypted message.
Optionally, the second key information includes a second encryption algorithm and a second encryption key, and the first encryption module 54 is specifically configured to: and based on the second encryption key, encrypting the first decryption message by adopting a second encryption algorithm to obtain a second encryption message.
In order to cooperate with the above-mentioned data security transmission method applied to the second link encryption gateway 12, the embodiment of the present application further provides a data security transmission device 60 applied to the second link encryption gateway.
Referring to fig. 10, fig. 10 is a block diagram illustrating a data security transmission apparatus applied to a second link encryption gateway according to an embodiment of the present disclosure.
The data security transmission device 60 includes:
a second receiving module 61, configured to receive a second encrypted message sent by the first link encryption gateway;
a second authentication module 62, configured to determine that the second encrypted message passes authentication;
the second decryption module 63 is configured to decrypt the second encrypted message to obtain a second decrypted message;
and a second sending module 64, configured to send the second decrypted message to the server.
Optionally, the data security transmission device 60 further includes: a second registration module, configured to send second registration information to the controller, and to receive the second key information sent by the controller when the second link encryption gateway is allowed to access, so that the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
Optionally, the second key information includes a second authentication algorithm and a second authentication key, the second encrypted packet includes a second encapsulation header, the second encapsulation header includes second security control information and second authentication information obtained by the first link encryption gateway encrypting the second encrypted packet based on the second authentication algorithm and the second authentication key, and the second authentication module 62 is specifically configured to: and determining that the second encrypted message passes the authentication based on the second authentication information and the second security control information.
In order to cooperate with the above-mentioned data security transmission method applied to the controller 13, the embodiment of the present application further provides a data security transmission device 70 applied to the controller.
Referring to fig. 11, fig. 11 is a block diagram illustrating a data security transmission apparatus applied to a controller according to an embodiment of the present disclosure.
The data security transmission device 70 includes:
a registration information receiving module 71, configured to receive first registration information sent by the first link encryption gateway;
a key information sending module 72, configured to send, to the first link encryption gateway, first key information used for communication between the first link encryption gateway and the terminal after the first registration information is verified;
the registration information receiving module 71 is further configured to receive second registration information sent by the second link encryption gateway;
the key information sending module 72 is further configured to send, to the second link encryption gateway, second key information for establishing communication between the second link encryption gateway and the server side after the second registration information is verified.
The embodiment of the present application further provides a storage medium, where the storage medium stores computer program instructions, and the computer program instructions are read and executed by a processor to perform steps in the data secure transmission method.
To sum up, the embodiment of the present application provides a method, a system, an apparatus and a storage medium for data secure transmission, which are applied to a first link encryption gateway in communication connection with one or more terminals, where the first link encryption gateway is further in communication connection with a second link encryption gateway, and the second link encryption gateway is in communication connection with a server, where the method includes: receiving a first encrypted message sent by the terminal; determining that the first encrypted message passes authentication; decrypting the first encrypted message to obtain a first decrypted message; encrypting the first decryption message based on an encryption mode agreed with the second link encryption gateway to obtain a second encryption message; and sending the second encrypted message to the second link encryption gateway, so that the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message, and sends the second decrypted message to a server.
In the implementation mode, the first link encryption gateway can be connected with a plurality of terminals, an independent link encryption gateway does not need to be arranged for each terminal, the hardware cost is reduced, meanwhile, the data transmission between the terminal and the first link encryption gateway is also guaranteed safely, and the data transmission safety is further improved.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (15)

1. A data security transmission method is applied to a first link encryption gateway which is in communication connection with one or more terminals, the first link encryption gateway is also in communication connection with a second link encryption gateway, and the second link encryption gateway is in communication connection with a server side, and the method comprises the following steps:
receiving a first encrypted message sent by the terminal;
determining that the first encrypted message passes authentication;
decrypting the first encrypted message to obtain a first decrypted message;
encrypting the first decrypted message based on an encryption mode agreed with the second link encryption gateway to obtain a second encrypted message;
and sending the second encrypted message to the second link encryption gateway, so that the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message, and sends the second decrypted message to a server.
2. The method according to claim 1, wherein the first link encryption gateway is further communicatively coupled to a controller, and wherein before the receiving the first encrypted message sent by the terminal, the method further comprises:
sending first registration information to the controller;
and receiving first key information and second key information which are sent by the controller when the first link encryption gateway is allowed to access, so that the first link encryption gateway and the terminal communicate based on the first key information, and the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
3. The method according to claim 2, wherein the first key information includes a first authentication algorithm and a first authentication key, the first encrypted message includes a first encapsulation header, the first encapsulation header includes first security control information and first authentication information obtained by the terminal by processing the first encrypted message with the first authentication algorithm and the first authentication key, and the determining that the first encrypted message passes authentication comprises:
and determining, based on the first authentication information and the first security control information, that the first encrypted message passes authentication.
4. The method according to claim 3, wherein the first key information further includes a first encryption algorithm and a first encryption key, and the decrypting the first encrypted message to obtain a first decrypted message includes:
and acquiring, based on the first security control information, the first encryption algorithm corresponding to the first encrypted message, and decrypting the first encrypted message with the first encryption algorithm and the locally held first encryption key to obtain the first decrypted message.
5. The method according to any one of claims 2 to 3, wherein the second key information includes a second encryption algorithm and a second encryption key, and the encrypting the first decrypted message based on the encryption mode agreed with the second link encryption gateway to obtain a second encrypted message includes:
and encrypting the first decrypted message with the second encryption algorithm and the second encryption key to obtain the second encrypted message.
6. A data security transmission method is applied to a second link encryption gateway which is in communication connection with a server side, and the second link encryption gateway is also in communication connection with a first link encryption gateway, and the method comprises the following steps:
receiving a second encrypted message sent by the first link encryption gateway;
determining that the second encrypted message passes authentication;
decrypting the second encrypted message to obtain a second decrypted message;
and sending the second decryption message to the server.
7. The method of claim 6, wherein the second link encryption gateway is further communicatively coupled to a controller, and wherein prior to said receiving the second encrypted message sent by the first link encryption gateway, the method further comprises:
sending second registration information to the controller;
and receiving second key information sent by the controller when the second link encryption gateway is allowed to access, so that the second link encryption gateway and the first link encryption gateway communicate based on the second key information.
8. The method of claim 7, wherein the second key information comprises a second authentication algorithm and a second authentication key, wherein the second encrypted message comprises a second encapsulation header, wherein the second encapsulation header comprises second security control information and second authentication information obtained by the first link encryption gateway by processing the second encrypted message with the second authentication algorithm and the second authentication key, and wherein the determining that the second encrypted message passes authentication comprises:
and determining, based on the second authentication information and the second security control information, that the second encrypted message passes authentication.
9. A data security transmission method is applied to a controller which is respectively in communication connection with a terminal, a first link encryption gateway and a second link encryption gateway, and the method comprises the following steps:
receiving first registration information sent by the first link encryption gateway;
after the first registration information is verified, sending first key information used for communication between the first link encryption gateway and the terminal to the first link encryption gateway;
receiving second registration information sent by the second link encryption gateway;
and after the second registration information passes the verification, sending second key information used for communication between the second link encryption gateway and a server side to the second link encryption gateway.
10. The method according to claim 9, wherein before said sending the first key information for communication between the first link encryption gateway and the terminal to the first link encryption gateway, the method further comprises:
receiving terminal registration information sent by the terminal;
and after the terminal registration information passes the verification, sending to the terminal the network address of the link encryption gateway closest to the terminal, which serves as the first link encryption gateway, together with the first key information for communicating with that first link encryption gateway.
11. A data security transmission system is characterized by comprising a first link encryption gateway, a second link encryption gateway and a controller, wherein the first link encryption gateway is in communication connection with one or more terminals, the second link encryption gateway is in communication connection with the first link encryption gateway and a server side, and the controller is in communication connection with the first link encryption gateway, the second link encryption gateway and the one or more terminals;
the first link encryption gateway is used for executing the data security transmission method of any one of claims 1 to 5;
the second link encryption gateway is used for executing the data security transmission method of any one of claims 6 to 8;
the controller is used for executing the data security transmission method of any one of claims 9-10.
12. A data security transmission apparatus, applied to a first link encryption gateway communicatively connected to one or more terminals, the first link encryption gateway further communicatively connected to a second link encryption gateway, the second link encryption gateway communicatively connected to a server, the apparatus comprising:
the first receiving module is used for receiving a first encrypted message sent by the terminal;
the first authentication module is used for determining that the first encrypted message passes authentication;
the first decryption module is used for decrypting the first encrypted message to obtain a first decrypted message;
the first encryption module is used for encrypting the first decrypted message based on an encryption mode agreed with the second link encryption gateway to obtain a second encrypted message;
and the first sending module is used for sending the second encrypted message to the second link encryption gateway, so that the second link encryption gateway decrypts the second encrypted message to obtain a second decrypted message and sends it to a server.
13. A data security transmission apparatus, applied to a second link encryption gateway in communication connection with a server, the second link encryption gateway being further in communication connection with a first link encryption gateway, the apparatus comprising:
a second receiving module, configured to receive a second encrypted packet sent by the first link encryption gateway;
the second authentication module is used for determining that the second encrypted message passes the authentication;
the second decryption module is used for decrypting the second encrypted message to obtain a second decrypted message;
and the second sending module is used for sending the second decrypted message to the server.
14. A secure data transmission apparatus, for use in a controller communicatively coupled to a terminal, a first link encryption gateway, and a second link encryption gateway, respectively, the apparatus comprising:
a registration information receiving module, configured to receive first registration information sent by the first link encryption gateway;
a key information sending module, configured to send, to the first link encryption gateway, first key information used for communication between the first link encryption gateway and the terminal after the first registration information is verified;
the registration information receiving module is further configured to receive second registration information sent by the second link encryption gateway;
the key information sending module is further configured to send, to the second link encryption gateway, second key information used for communication between the second link encryption gateway and the server side after the second registration information is verified.
15. A storage medium having stored thereon computer program instructions which, when executed by a processor, perform the steps of the method according to any one of claims 1 to 10.
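The claims above give the relay procedure step by step. What follows is an added example, written for this page and not code from the patent or from Maipu Communication Technology, that carries the whole procedure of claims 1 to 10 in Python: the controller verifies registration information and issues key information per link, the terminal builds a first encrypted message whose encapsulation header carries security control information and authentication information, the first link encryption gateway authenticates and decrypts it and re-encrypts it with the second key information, and the second link encryption gateway authenticates, decrypts and delivers the plaintext to the server. The header layout, the registration tokens, the link names and the toy HMAC-SHA256 counter keystream standing in for the agreed cipher are all assumptions of the example; the payload is constructed.

```python
"""Two-hop link-encryption relay modelled on claims 1 to 10 of CN111371798A.

Added example, not the patent's or Maipu's code. Assumed here: the layout of
the encapsulation header (security control info + authentication tag), the
pre-provisioned registration tokens the controller checks, the link names,
and a toy HMAC-SHA256 counter keystream used in place of the agreed cipher.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ALG_HMAC_CTR = 1       # encryption algorithm id in the header (assumed value)
AUTH_HMAC_SHA256 = 1   # authentication algorithm id in the header (assumed value)
HEADER = struct.Struct("!BBH12s")  # security control info: enc_alg, auth_alg, key_id, nonce
TAG_LEN = 32           # authentication information: HMAC-SHA256 tag

@dataclass(frozen=True)
class KeyInfo:
    """Key information for one link, as issued by the controller."""
    key_id: int
    enc_alg: int
    enc_key: bytes
    auth_alg: int
    auth_key: bytes

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream; a deployment would use the agreed cipher instead.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(ki: KeyInfo, plaintext: bytes) -> bytes:
    """Encapsulation header + ciphertext + tag; the tag covers header and ciphertext."""
    nonce = os.urandom(12)
    hdr = HEADER.pack(ki.enc_alg, ki.auth_alg, ki.key_id, nonce)
    ct = _xor(plaintext, _keystream(ki.enc_key, nonce, len(plaintext)))
    tag = hmac.new(ki.auth_key, hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag

def unprotect(ki: KeyInfo, packet: bytes) -> bytes:
    """Check the security control info against local key info, authenticate, then decrypt."""
    if len(packet) < HEADER.size + TAG_LEN:
        raise ValueError("packet too short")
    hdr, ct, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
    enc_alg, auth_alg, key_id, nonce = HEADER.unpack(hdr)
    if (enc_alg, auth_alg, key_id) != (ki.enc_alg, ki.auth_alg, ki.key_id):
        raise ValueError("security control information does not match local key information")
    expected = hmac.new(ki.auth_key, hdr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(ki.enc_key, nonce, len(ct)))

class Controller:
    """Verifies registration information and issues key information per link."""

    def __init__(self, tokens: dict):
        self._tokens = tokens   # name -> registration token provisioned out of band (assumed)
        self._links = {}        # link name -> KeyInfo, generated on first request

    def register(self, name: str, token: bytes, links: tuple) -> dict:
        if not hmac.compare_digest(self._tokens.get(name, b""), token):
            raise PermissionError(f"registration of {name} rejected")
        for link in links:
            if link not in self._links:
                self._links[link] = KeyInfo(len(self._links) + 1, ALG_HMAC_CTR, os.urandom(32),
                                            AUTH_HMAC_SHA256, os.urandom(32))
        return {link: self._links[link] for link in links}

def run_demo(tamper: bool = False) -> bytes:
    """Terminal -> first gateway -> second gateway -> server; returns what the server gets."""
    ctrl = Controller({"gw1": b"tok-gw1", "gw2": b"tok-gw2", "term": b"tok-term"})
    gw1 = ctrl.register("gw1", b"tok-gw1", ("term-gw1", "gw1-gw2"))  # first + second key info
    gw2 = ctrl.register("gw2", b"tok-gw2", ("gw1-gw2",))            # second key info only
    term = ctrl.register("term", b"tok-term", ("term-gw1",))         # first key info only
    first_encrypted = protect(term["term-gw1"], b"GET /sensor HTTP/1.1")  # constructed payload
    if tamper:  # flip one bit of the tag while the message is on the wire
        first_encrypted = first_encrypted[:-1] + bytes([first_encrypted[-1] ^ 1])
    # First link encryption gateway: authenticate, decrypt, re-encrypt for the second gateway.
    first_decrypted = unprotect(gw1["term-gw1"], first_encrypted)
    second_encrypted = protect(gw1["gw1-gw2"], first_decrypted)
    # Second link encryption gateway: authenticate, decrypt, deliver plaintext to the server.
    return unprotect(gw2["gw1-gw2"], second_encrypted)

def tamper_detected() -> bool:
    """True when a modified first encrypted message is rejected before decryption."""
    try:
        run_demo(tamper=True)
    except ValueError:
        return True
    return False
```

`run_demo()` returns the plaintext the server receives, and `tamper_detected()` shows a first encrypted message altered in transit being rejected at the first gateway by the authentication check before any decryption is attempted. Two properties of the claimed design are visible here: at each hop the authentication check precedes decryption, and the first link encryption gateway holds the plaintext between the two hops, so the integrity of that gateway bounds the security of the whole path.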
CN202010173296.2A 2020-02-24 2020-03-12 Data security transmission method, system, device and storage medium Pending CN111371798A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010114233 2020-02-24
CN202010114233X 2020-02-24

Publications (1)

Publication Number Publication Date
CN111371798A true CN111371798A (en) 2020-07-03

Family

ID=71212545

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010173296.2A Pending CN111371798A (en) 2020-02-24 2020-03-12 Data security transmission method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN111371798A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159988A (en) * 2007-11-15 2008-04-09 中兴通讯股份有限公司 Method and system of implementing different security level voice encryption
US7406595B1 (en) * 2004-05-05 2008-07-29 The United States Of America As Represented By The Director, National Security Agency Method of packet encryption that allows for pipelining
US20140223538A1 (en) * 2011-06-08 2014-08-07 Alcatel Lucent Method and apparatus for providing network access to a user entity
CN104680630A (en) * 2014-12-29 2015-06-03 深圳市进林科技有限公司 Method and system for controlling door locks
CN106375992A (en) * 2015-07-20 2017-02-01 中兴通讯股份有限公司 Method for realizing access layer security, user equipment, and node
CN106506354A (en) * 2016-10-31 2017-03-15 杭州华三通信技术有限公司 A kind of message transmitting method and device
CN106789834A (en) * 2015-11-20 2017-05-31 中国电信股份有限公司 Method, gateway, PCRF network elements and system for identifying user identity

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
蔡建 (Cai Jian): "Network Security Technology and Security Management Mechanisms" (网络安全技术与安全管理机制), 贵州工业大学学报 (自然科学版) (Journal of Guizhou University of Technology, Natural Science Edition), no. 01, 25 February 1999 (1999-02-25) *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112087440A (en) * 2020-09-02 2020-12-15 上海英恒电子有限公司 Message transmission method and device, electronic equipment and storage medium
CN113765900A (en) * 2021-08-24 2021-12-07 深圳融安网络科技有限公司 Protocol interaction information output transmission method, adapter device and storage medium
CN113765900B (en) * 2021-08-24 2023-09-26 深圳融安网络科技有限公司 Protocol interaction information output transmission method, adapter device and storage medium
CN113794704A (en) * 2021-08-31 2021-12-14 山石网科通信技术股份有限公司 Feature library file updating method and device, storage medium and processor
CN113794704B (en) * 2021-08-31 2023-09-26 山石网科通信技术股份有限公司 Feature library file updating method and device, storage medium and processor
CN114125027A (en) * 2021-11-24 2022-03-01 上海派拉软件股份有限公司 Communication establishing method and device, electronic equipment and storage medium
CN114125027B (en) * 2021-11-24 2024-04-05 上海派拉软件股份有限公司 Communication establishment method and device, electronic equipment and storage medium
CN114363024A (en) * 2021-12-22 2022-04-15 北京六方云信息技术有限公司 Data encryption transmission method and device, terminal equipment and storage medium
CN115473729A (en) * 2022-09-09 2022-12-13 中国联合网络通信集团有限公司 Data transmission method, gateway, SDN controller and storage medium
CN115473729B (en) * 2022-09-09 2024-05-28 中国联合网络通信集团有限公司 Data transmission method, gateway, SDN controller and storage medium

Similar Documents

Publication Publication Date Title
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
CN111371798A (en) Data security transmission method, system, device and storage medium
US9461975B2 (en) Method and system for traffic engineering in secured networks
JP4407452B2 (en) Server, VPN client, VPN system, and software
US8713305B2 (en) Packet transmission method, apparatus, and network system
US7055027B1 (en) System and method for trusted inspection of a data stream
WO2017181894A1 (en) Method and system for connecting virtual private network by terminal, and related device
EP1635502B1 (en) Session control server and communication system
US8104082B2 (en) Virtual security interface
EP1396979A2 (en) System and method for secure group communications
US20040161110A1 (en) Server apparatus, key management apparatus, and encrypted communication method
US11736304B2 (en) Secure authentication of remote equipment
US20170201382A1 (en) Secure Endpoint Devices
US20080141360A1 (en) Wireless Linked Computer Communications
US20170126623A1 (en) Protected Subnet Interconnect
US20080072033A1 (en) Re-encrypting policy enforcement point
WO2009082950A1 (en) Key distribution method, device and system
CN110519259B (en) Method and device for configuring communication encryption between cloud platform objects and readable storage medium
JP2011176395A (en) IPsec COMMUNICATION METHOD AND IPsec COMMUNICATION SYSTEM
US8046820B2 (en) Transporting keys between security protocols
WO2016134631A1 (en) Processing method for openflow message, and network element
JPWO2003096613A1 (en) Centralized management system for encryption
WO2008042318A2 (en) Systems and methods for management of secured networks with distributed keys
CN112235318B (en) Metropolitan area network system for realizing quantum security encryption
WO2005057842A1 (en) A wireless lan system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination