CN111382451A - Security level identification method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN111382451A
Authority
CN
China
Prior art keywords
data packet
control information
original data
identification
security
Prior art date
Legal status
Pending
Application number
CN201911384420.3A
Other languages
Chinese (zh)
Inventor
黄华伟
林楠
颜亮
Current Assignee
Chengdu Westone Information Industry Inc
Original Assignee
Chengdu Westone Information Industry Inc
Priority date
Filing date
Publication date
Application filed by Chengdu Westone Information Industry Inc
Priority to CN201911384420.3A
Publication of CN111382451A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/606 Protecting data by securing the transmission between two devices or processes
    • G06F 21/602 Providing cryptographic facilities or services
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The present disclosure relates to a security level identification method, device, electronic device and computer-readable storage medium. The security level identification method comprises: receiving an original data packet sent by a client and a security level identification adding request for the original data packet; determining management and control information of the original data packet according to the security level identification adding request, wherein the management and control information comprises a data packet identification of the original data packet, the security level of the data packet and a session task identification of the session task to which the original data packet belongs; and generating a secret-label data packet by splicing the management and control information and the original data packet, so as to send the secret-label data packet to the receiving end corresponding to the session task. Security level identification is thus carried out per data packet during data transmission, which preserves the real-time performance of streaming data transmission while guaranteeing data security; the method and device are therefore suitable for both storage control and circulation control of streaming data, effectively improving applicability and user experience.

Description

Security level identification method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a security level identification method, apparatus, electronic device, and computer-readable storage medium.
Background
Today, with the rapid development of internet and information technology, a huge amount of data is generated, stored, processed or transmitted every day. Ensuring the security and controllability of that information is an important issue for the industry.
For this reason, the related art adopts a file-based security level identification method: according to the secrecy degree of a file, a corresponding mark is added to the file by some technical means, such as a file watermark or a file security level. The object of such a method is a file, so it is suited to storage control of files. For stream data such as video and short messages, however, the stream must first be written into a file and the security level identification then applied to that file, which raises the question of how to split a continuously transmitted stream into files, that is, how much data or how long a stretch of stream is written into one file. When the file generation rate is set low, the real-time performance of stream data transmission control is seriously reduced, and the method cannot serve applications with strict real-time requirements such as real-time video; when the file generation rate is raised, the number of files grows and the size of each file shrinks, which hampers file storage management and reduces the efficiency of storage control. It can be seen that such a file security level identification method is only suitable for storage control and not for circulation control of stream data during transmission. In view of this, providing a solution to the above technical problems is an important need for those skilled in the art.
Disclosure of Invention
The present disclosure provides a security level identification method, device, electronic device and computer-readable storage medium with high real-time performance, so as to be suitable for both storage control and circulation control of stream data, thereby effectively improving applicability and user experience.
In order to achieve the above object, the present disclosure provides a security level identification method, including:
receiving an original data packet sent by a client and a security level identification adding request for the original data packet;
determining management and control information of the original data packet according to the security level identification adding request, wherein the management and control information comprises a data packet identification of the original data packet, a data packet security level and a session task identification of the session task to which the original data packet belongs;
and generating a secret-label data packet by splicing the management and control information and the original data packet, so as to send the secret-label data packet to the receiving end corresponding to the session task.
Optionally, generating the secret-label data packet by splicing the management and control information and the original data packet includes:
performing a digest operation on the management and control information and the original data packet to obtain a data packet digest value;
and splicing the management and control information, the original data packet and the data packet digest value to generate the secret-label data packet, so that the receiving end verifies the data packet digest value after receiving the secret-label data packet to judge whether the secret-label data packet has been tampered with.
Optionally, generating the secret-label data packet by splicing the management and control information, the original data packet and the data packet digest value includes:
encrypting the data packet digest value with the private key of a key pair to generate an encrypted digest value;
and splicing the management and control information, the original data packet and the encrypted digest value to generate the secret-label data packet.
Optionally, splicing the management and control information, the original data packet and the encrypted digest value to generate the secret-label data packet includes:
encrypting the original data packet to generate an encrypted data packet;
and splicing the management and control information, the encrypted data packet and the encrypted digest value to generate the secret-label data packet.
Optionally, the method further comprises:
sending the public key of the key pair to the receiving end, so that the receiving end can decrypt the received encrypted digest value with the public key to obtain the data packet digest value, and verify the data packet digest value to judge whether the secret-label data packet has been tampered with.
Optionally, after performing the digest operation on the management and control information and the original data packet to obtain the data packet digest value, the method further includes:
storing the management and control information and the data packet digest value;
and in response to a digest query request from the receiving end, sending the data packet digest value to the receiving end, so that the receiving end can judge whether the data packet digest value obtained by decryption is consistent with the data packet digest value obtained by query; if the two are consistent, the receiving end judges that the received secret-label data packet has not been tampered with.
Optionally, the data packet security level specified by each security level identification adding request corresponding to each original data packet in the same session task is the same.
Optionally, generating the secret-label data packet by splicing the management and control information and the original data packet includes:
verifying the validity of the security level identification adding request according to the management and control information;
and if the verification passes, starting the step of generating the secret-label data packet from the management and control information and the original data packet.
Optionally, verifying the validity of the security level identification adding request according to the management and control information includes:
judging whether the session task is a session task that has already been audited;
if the session task has already been audited, acquiring the audit result;
and if the session task has not yet been audited, performing a validity audit of the security level identification adding request according to the management and control information to generate an audit result.
Optionally, the management and control information further includes a client identifier, a user identifier, a client security level and a user security level; performing the validity audit of the security level identification adding request according to the management and control information to generate an audit result includes:
judging whether the client identifier and the user identifier are both genuine and valid;
if the client identifier and the user identifier are both genuine and valid, judging that the security level identification adding request is authentic;
judging whether the client security level and the user security level are both not lower than the data packet security level;
and if the client security level and the user security level are both not lower than the data packet security level, judging that the security level identification adding request is legitimate.
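The validity audit described above (genuine client and user identifiers, client and user security levels not lower than the data packet security level, one audit result cached per session task) can be implemented as follows; this is an added example, not code from the patent or its assignee. The level names, the identifier registries and the AddRequest/LabelServer names are assumptions, and the check that a later packet in an already-audited session task does not change its security level is an added safeguard motivated by the rule that all packets of one session task share the same level.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Security levels in increasing order of secrecy. The names are constructed for
# this example; the patent lists non-secret, secret and absolute secret.
LEVEL_RANK: Dict[str, int] = {"non-secret": 0, "secret": 1, "absolute-secret": 2}


@dataclass(frozen=True)
class AddRequest:
    """Security level identification adding request together with the
    management and control information it carries (field names assumed)."""
    packet_id: int
    session_task_id: str
    packet_level: str
    client_id: str
    user_id: str
    client_level: str
    user_level: str


@dataclass(frozen=True)
class AuditResult:
    passed: bool
    reason: str


class LabelServer:
    """Server-side validity audit of adding requests (hypothetical class name)."""

    def __init__(self, known_clients: Set[str], known_users: Set[str]) -> None:
        self.known_clients = set(known_clients)        # genuine client identifiers
        self.known_users = set(known_users)            # genuine user identifiers
        self.audit_cache: Dict[str, AuditResult] = {}  # session task -> result
        self.session_level: Dict[str, str] = {}        # session task -> audited level

    def audit_request(self, req: AddRequest) -> AuditResult:
        """Return the audit result for a request, auditing each session task once."""
        # Added safeguard: a cached 'passed' result must not be reused for a
        # packet that claims a different level than the session was audited at.
        expected = self.session_level.get(req.session_task_id)
        if expected is not None and req.packet_level != expected:
            return AuditResult(False, "packet level differs from the audited session level")
        cached = self.audit_cache.get(req.session_task_id)
        if cached is not None:
            return cached  # session task already audited: reuse its result
        result = self._audit(req)
        self.audit_cache[req.session_task_id] = result
        self.session_level[req.session_task_id] = req.packet_level
        return result

    def _audit(self, req: AddRequest) -> AuditResult:
        """Authenticity check first, then legitimacy check, as in the claims."""
        if req.client_id not in self.known_clients or req.user_id not in self.known_users:
            return AuditResult(False, "client or user identifier is not genuine")
        if req.packet_level not in LEVEL_RANK:
            return AuditResult(False, "unknown data packet security level")
        needed = LEVEL_RANK[req.packet_level]
        for who, level in (("client", req.client_level), ("user", req.user_level)):
            # An unknown level ranks below everything, so it never clears a packet.
            if LEVEL_RANK.get(level, -1) < needed:
                return AuditResult(False, f"{who} security level is lower than the packet level")
        return AuditResult(True, "request is authentic and legitimate")


if __name__ == "__main__":
    # Constructed sample identifiers and requests.
    server = LabelServer(known_clients={"client-01"}, known_users={"user-alice"})
    first = AddRequest(1, "task-0042", "secret", "client-01", "user-alice",
                       "secret", "absolute-secret")
    print(server.audit_request(first))
    escalated = AddRequest(2, "task-0042", "absolute-secret", "client-01", "user-alice",
                           "absolute-secret", "absolute-secret")
    print(server.audit_request(escalated))  # rejected: level differs from audited session
```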
In order to achieve the above object, the present disclosure further provides a security level identification device, including:
a receiving module, configured to receive an original data packet sent by a client and a security level identification adding request for the original data packet;
a determining module, configured to determine, according to the security level identification adding request, management and control information of the original data packet, where the management and control information includes a data packet identifier of the original data packet, the security level of the data packet and a session task identifier of the session task to which the original data packet belongs;
and an identification module, configured to generate a secret-label data packet by splicing the management and control information and the original data packet, so as to send the secret-label data packet to the receiving end corresponding to the session task.
To achieve the above object, the present disclosure also provides an electronic device, including:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the security level identification method described above.
To achieve the above object, the present disclosure also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the security level identification method described above.
According to the above technical scheme, security level identification is carried out per data packet during data transmission: each original data packet sent by the client is forwarded immediately after it is marked, so the security level identification guarantees data security while the real-time performance of streaming data transmission is preserved, and the method and device are effectively suited to circulation control of streaming data. Meanwhile, storage management of the data can be realised based on the management and control information carried in the secret-label data packet. The method and device are therefore suitable for both storage control and circulation control of streaming data, effectively improving applicability and user experience.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. It is obvious that the drawings in the following description are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is an application scenario diagram of a security level identification method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a security level identification method according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of another security level identification method provided by an embodiment of the present disclosure;
Fig. 4 is a flowchart of another security level identification method provided by an embodiment of the present disclosure;
Fig. 5 is a flowchart of another security level identification method provided by an embodiment of the present disclosure;
Fig. 6 is a schematic process diagram of a security level identification method according to an embodiment of the present disclosure;
Fig. 7 is a flowchart of another security level identification method provided by an embodiment of the present disclosure;
Fig. 8 is a block diagram of a security level identification device provided in an embodiment of the present disclosure;
Fig. 9 is a detailed structural block diagram of an identification module according to an embodiment of the present disclosure;
Fig. 10 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The core of the application is to provide a security level identification method, device, electronic device and computer-readable storage medium with strong real-time performance, so that they are suitable for both storage control and circulation control of stream data, thereby effectively improving applicability and user experience.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Currently, in the related art, security level identification is carried out with the file as the unit. This file security level identification method has poor real-time performance: it is suitable for file storage control but not for circulation control of stream data. In view of this, the present disclosure provides a security level identification method that effectively improves real-time performance and is suitable for both storage control and circulation control of streaming data, thereby effectively improving applicability and user experience.
Referring to Fig. 1, the application scenario of the security level identification method provided by the embodiment of the present disclosure includes a client and a server. The client has an interactive interface that the user can operate to initiate session communication services such as real-time chat; the server provides the client with a communication relay service that includes security level identification, so that security level identification can be carried out on the streaming data of the session communication service. It should be noted that, to ensure communication security, the client may specifically be a security device that has been qualified in advance to communicate with the server; those skilled in the art can configure such a security device themselves.
Referring to Fig. 2, an embodiment of the present disclosure provides a security level identification method. The method can be applied to the server in the above application scenario and mainly comprises the following steps:
S101: receiving an original data packet sent by a client and a security level identification adding request for the original data packet.
It should be noted that the object of the security level identification method provided by the embodiment of the present disclosure is the data packet: a security level identification is added to each data packet, after the server receives the packet and before the server forwards it. After a user initiates and establishes a session task, the client sends the original data packets generated by the user's communication behaviour to the server. The client also generates a security level identification adding request corresponding to each original data packet and sends it to the server together with the original data packet, so that the server performs security level identification on the original data packet according to that request. The security level identification adding request carries information about the secrecy degree of the original data packet and serves as the basis on which the server marks the original data packet.
In one embodiment, the process of initiating and establishing a session task may be as follows: when the user enters the information for initiating a session task through the interactive interface of the client, the client sends a session task establishment request to the server, and the server responds by establishing the corresponding communication link. The session task establishment request may carry identification information for the two communicating parties, namely the client and the receiving end acting as the opposite communication end, together with a session task identifier that distinguishes different session tasks; the identification information of the two parties is the client identifier and the receiving end identifier. The session task identifier, client identifier and receiving end identifier therefore correspond to one another. Those skilled in the art may of course refer to other ways of initiating and establishing a session task in the related art, which are not further limited here.
S102: and determining the control information of the original data packet according to the security level identification adding request, wherein the control information comprises the data packet identification of the original data packet, the security level of the data packet and the session task identification of the session task to which the original data packet belongs.
It should be noted that the security level identifier adding request carries the security level of the data packet of the original data packet, and the server can obtain the security level of the data packet according to the security level identifier adding request, so as to perform the security level identifier on the original data packet according to the security level of the data packet in the subsequent steps. The security level of the data packet may be determined by the client according to the input information of the user, or may be determined by the client according to a security level option set by default, which may be selected and set by a person skilled in the art, and this disclosure does not limit this.
According to the relevant standards made by the relevant national departments, and according to the increasing order of the secret degree, common secret grades comprise non-secret (secret-related and public), secret and absolute secret, and then the data packet secret grade can be one of the four secret grades.
In addition, it should be noted that, in the secret level identification method provided in the embodiment of the present disclosure, since the original data packet in the session task is used as a unit, and a secret level identification is performed on each original data packet, the secret level identification addition request also carries a data packet identification of the original data packet and a session task identification of a session task to which the original data packet belongs, so as to distinguish different original data packets in different session tasks or in the same session task. The server obtains relevant information related to the security level identifier from the security level identifier adding request, wherein the relevant information includes a data packet security level, a data packet identifier and a session task identifier, which can be collectively referred to as management and control information.
It should be noted that the management and control information may include other relevant information besides the above-mentioned packet security level, packet identifier, and session task identifier. For example, the regulatory information may further include the marking time, the expiration date, and the knowledge range of the security level identifier according to related standards established by the relevant national departments. Marking time is the time of marking the security level identification; the expiration date specifies the time frame for which the security seal identifier will function as an identifier, and when the expiration date is exceeded, the security seal identifier will expire. The selection and arrangement may be made by one skilled in the art and are not limited thereto by the embodiments of the present disclosure.
It is easy to understand that the addition of the management and control information gives data traceability: based on specific information such as session task identification, client identification, marking time and the like, fault tracing can be quickly and conveniently carried out when a problem occurs, a problem link is determined, and responsibility division is carried out.
S103: and generating a cipher label data packet based on the management and control information and the original data packet splicing so as to send the cipher label data packet to a receiving end corresponding to the session task.
As described above, the security classification identification method provided by the embodiment of the present disclosure is to perform security classification identification on each original data packet in a session task. For a certain original data packet, after acquiring corresponding control information from a corresponding security level identifier adding request, the server may mark the original data packet with the corresponding control information including the security level of the data packet before forwarding, that is, generate a security level data packet by splicing the corresponding control information and the original data packet, thereby writing the security level of the data packet into the security level data packet, completing the security level identifier of the original data packet, and sending the security level data packet. It should be added that the cryptographic data packet is generated based on the management and control information and the original data packet, and as for the relative position when the two are spliced, the disclosure is not limited, and a person skilled in the art can select and set the cryptographic data packet by himself.
Since the security classification identification method provided by the embodiment of the disclosure performs security classification identification by taking the data packet as a unit in the transmission control process of the streaming data, the security classification data packet can be sent to the receiving end after the original data packet is marked to generate the security classification data packet, so that the method can meet the real-time requirement of streaming data and is completely applicable to streaming control in data transmission. Moreover, the storage of data can also be controlled by using the control information in the cipher label data packet, that is, the cipher identification method provided by the real-time example of the disclosure can be simultaneously applied to storage control and streaming control of streaming data.
The security level identification method provided by the embodiment of the present disclosure receives an original data packet sent by a client and a security level identification adding request for the original data packet; determines management and control information of the original data packet according to the security level identification adding request, wherein the management and control information comprises a data packet identification of the original data packet, the security level of the data packet and a session task identification of the session task to which the original data packet belongs; and generates a secret-label data packet by splicing the management and control information and the original data packet, so as to send the secret-label data packet to the receiving end corresponding to the session task.
Security level identification is thus carried out per data packet during data transmission: each original data packet sent by the client is forwarded immediately after it is marked, so the security level identification guarantees data security while the real-time performance of streaming data transmission is preserved, and the method and device are effectively suited to circulation control of streaming data. Meanwhile, storage management of the data can be realised based on the management and control information in the secret-label data packet. The method and device are therefore suitable for both storage control and circulation control of streaming data, effectively improving applicability and user experience.
Referring to Fig. 3, another security level identification method according to an embodiment of the present disclosure includes:
S201: receiving an original data packet sent by a client and a security level identification adding request for the original data packet.
S202: determining management and control information of the original data packet according to the security level identification adding request, wherein the management and control information comprises the data packet identifier of the original data packet, the security level of the data packet and the session task identifier of the session task to which the original data packet belongs.
S203: performing a digest operation on the management and control information and the original data packet to obtain a data packet digest value.
S204: splicing the management and control information, the original data packet and the data packet digest value to generate a secret-label data packet, so as to send the secret-label data packet to the receiving end corresponding to the session task.
It should be noted that, in the security level identification method provided by this embodiment, the secret-label data packet generated by marking the original data packet contains not only the management and control information and the original data packet but also the data packet digest value. The data packet digest value is produced by a digest operation over the management and control information and the original data packet and is used to verify the security of the transmission. That is, after receiving the secret-label data packet, the receiving end can verify the data packet digest value to judge whether the secret-label data packet has been tampered with: if the data packet digest value fails verification, the secret-label data packet is judged to have been tampered with and the security level identification it carries is not credible; if the data packet digest value passes verification, the secret-label data packet is judged not to have been tampered with and the security level identification it carries is credible.
It is easy to see that protecting the data with the data packet digest value further improves the security of the transmission process: verification of the data packet digest value effectively identifies illegal tampering with the data packet, thereby protecting the integrity of the data packet.
Performing a digest operation on the management and control information and the original data packet to obtain the data packet digest value includes: running the SHA-1 algorithm over the management and control information and the original data packet to obtain a hash value, or running the MD5 algorithm over them to obtain an MD5 value. The SHA-1 algorithm is also called a hash algorithm, and the MD5 algorithm belongs to the digest operation algorithms. Those skilled in the art can select an appropriate digest algorithm according to the actual application requirements, and the disclosure is not limited thereto.
Similarly, when the secret-label data packet is generated by splicing, the relative positions of the management and control information, the original data packet and the data packet digest value are not limited by the embodiment of the present disclosure and can be chosen by those skilled in the art.
Referring to fig. 4, another security classification identification method according to an embodiment of the present disclosure includes:
S301: receiving an original data packet sent by a client and a security level identification adding request for the original data packet.
S302: determining the management and control information of the original data packet according to the security level identification adding request, where the management and control information includes the data packet identifier of the original data packet, the data packet security level, and the session task identifier of the session task to which the original data packet belongs.
S303: performing a digest operation on the management and control information and the original data packet to obtain a data packet digest value.
S304: storing the management and control information and the data packet digest value.
It should be noted that, to facilitate later data tracing, querying and management, the server may locally store the management and control information and the data packet digest value of each security label data packet as a backup.
S305: the data packet digest value is encrypted based on a private key of a key pair to generate an encrypted digest value.
It should be noted that, to further ensure the security of data transmission, in this embodiment the data packet digest value may be added to the security label data packet in ciphertext form. Asymmetric encryption can be used to encrypt the data packet digest value, and the key pair used for this can be obtained from a key management center or the like. The key pair comprises a public key and a private key; the private key is stored and used by the server, and the public key is made available to the receiving end so that the receiving end can verify the security label data packet based on the data packet digest value.
Therefore, further, the server may send the public key of the key pair to the receiving end, so that the receiving end decrypts the received encrypted digest value based on the public key to obtain the data packet digest value, and verifies the data packet digest value to determine whether the security label data packet has been tampered with. The server may send the public key to the receiving end by mail or message, and may send it in advance so that the receiving end stores the public key beforehand.
S306: the original data packet is encrypted to generate an encrypted data packet.
Similarly, to further ensure the security of data transmission, in this embodiment the original data packet may also be transmitted in ciphertext form, that is, it is encrypted to obtain an encrypted data packet, and the security label data packet is generated based on the encrypted data packet.
Of course, a person skilled in the art can select one of the digest value of the data packet and the original data packet to perform the encryption process, and other embodiments extended in this way are also within the scope of the present disclosure.
S307: splicing the management and control information, the encrypted data packet and the encrypted digest value to generate a security label data packet, so as to send the security label data packet to the receiving end corresponding to the session task.
As before, when the security label data packet is generated by splicing, this embodiment of the present disclosure does not limit the relative splicing order of the management and control information, the encrypted data packet and the encrypted digest value.
It should be further noted that, when the receiving end receives the security label data packet and verifies the data packet digest value in it, a query-and-verify method may be adopted: the receiving end sends a digest query to the server; the server responds to the digest query request and sends the stored data packet digest value to the receiving end; the receiving end then judges whether the data packet digest value obtained by decryption based on the public key is consistent with the data packet digest value obtained from the server. If the two are consistent, the verification passes and the received security label data packet can be judged not to have been tampered with; if they are inconsistent, the verification fails and the received security label data packet can be judged to have been tampered with.
Of course, it is easily understood that the receiving end may also adopt a self-check mode: the receiving end itself performs the digest operation on the received security label data packet, and compares the data packet digest value it computed with the data packet digest value obtained by decrypting the encrypted digest value based on the public key; if the two are inconsistent, the verification fails and the received security label data packet can be judged to have been tampered with.
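The digest-protected labelling of S203 and S204 and the signed, encrypted variant of S303 to S307 with both receiver checks described above, as an added Go example that is not code from the patent. It assumes a fixed field layout for the management and control information, AES-GCM for the packet encryption (the page names no cipher), an Ed25519 signature over the digest in place of "encrypting the digest value with the private key", and SHA-256 in place of the SHA-1 or MD5 the page names, since both of those are collision-broken.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// ControlInfo is the management and control information of one original data
// packet. The page lists these three fields; the fixed big-endian layout and
// the level encoding are assumptions of this example.
type ControlInfo struct {
	PacketID      uint32
	SecurityLevel uint8 // 0 = non-secret, 1 = secret, 2 = top secret (assumed)
	SessionTaskID uint32
}

const ciLen = 9 // encoded ControlInfo length

func (c ControlInfo) Bytes() []byte {
	b := make([]byte, ciLen)
	binary.BigEndian.PutUint32(b[0:4], c.PacketID)
	b[4] = c.SecurityLevel
	binary.BigEndian.PutUint32(b[5:9], c.SessionTaskID)
	return b
}

func parseControlInfo(b []byte) ControlInfo {
	return ControlInfo{binary.BigEndian.Uint32(b[0:4]), b[4], binary.BigEndian.Uint32(b[5:9])}
}

// PacketDigest is step S203/S303: a digest over control info || original packet.
// The page names SHA-1 or MD5; SHA-256 is used instead because both of those
// are collision-broken and unsuitable as an integrity tag.
func PacketDigest(ci ControlInfo, original []byte) []byte {
	h := sha256.New()
	h.Write(ci.Bytes())
	h.Write(original)
	return h.Sum(nil)
}

// NewAEAD builds the AES-GCM cipher assumed here for S306 (the page does not
// name the packet cipher); server and receiving end hold the same key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Label is S304 to S307 for one packet on the server: store the digest, sign it
// with the private key (the page's "encrypted digest value"), encrypt the
// original packet and splice control info || nonce || ciphertext || signature.
func Label(priv ed25519.PrivateKey, aead cipher.AEAD, stored map[uint32][]byte,
	ci ControlInfo, original []byte) ([]byte, error) {
	digest := PacketDigest(ci, original)
	stored[ci.PacketID] = digest // S304: kept to answer digest queries
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Control info is bound as GCM additional data so it cannot be moved onto
	// a different ciphertext without detection.
	enc := aead.Seal(nonce, nonce, original, ci.Bytes())
	sig := ed25519.Sign(priv, digest) // S305
	return append(append(ci.Bytes(), enc...), sig...), nil
}

// Verify is the receiving end's check. Self-check mode: decrypt, recompute the
// digest and verify the signature with the public key. If queried is non-nil
// (query mode), the digest must also equal the copy obtained from the server.
func Verify(pub ed25519.PublicKey, aead cipher.AEAD, labelled, queried []byte) (ControlInfo, []byte, error) {
	if len(labelled) < ciLen+aead.NonceSize()+ed25519.SignatureSize {
		return ControlInfo{}, nil, errors.New("truncated label packet")
	}
	ci := parseControlInfo(labelled[:ciLen])
	sigAt := len(labelled) - ed25519.SignatureSize
	enc, sig := labelled[ciLen:sigAt], labelled[sigAt:]
	original, err := aead.Open(nil, enc[:aead.NonceSize()], enc[aead.NonceSize():], ci.Bytes())
	if err != nil {
		return ci, nil, errors.New("decryption failed: packet tampered")
	}
	digest := PacketDigest(ci, original)
	if !ed25519.Verify(pub, digest, sig) {
		return ci, nil, errors.New("digest signature invalid: packet tampered")
	}
	if queried != nil && !bytes.Equal(queried, digest) {
		return ci, nil, errors.New("digest differs from server record: packet tampered")
	}
	return ci, original, nil
}
```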
Referring to fig. 5, another security classification identification method according to an embodiment of the present disclosure includes:
S401: receiving an original data packet sent by a client and a security level identification adding request for the original data packet.
S402: determining the management and control information of the original data packet according to the security level identification adding request, where the management and control information includes the data packet identifier of the original data packet, the data packet security level, the session task identifier of the session task to which the original data packet belongs, the client identifier, the user identifier, the client security level and the user security level.
Here, it is easily understood that the client identifier and the user identifier identify the client and the user respectively. It should be noted that this embodiment also assigns a security level to the client and to the user. As before, the security level may be any of the levels from non-secret up to top secret.
Referring to fig. 6, fig. 6 is a schematic process diagram of a security level identification method according to an embodiment of the present disclosure and illustrates the structure of a security label data packet. As shown in fig. 6, to facilitate later tracing of the security level identification process of the data, the server may also write the server identifier, the labelling time, the validity period, the need-to-know scope and the like of the security level identification into the security label data packet as management and control information.
S403: judging whether the session task is an audited session task; if yes, entering S404; if not, the process proceeds to S405.
It should be noted that, to ensure the validity of data transmission, this embodiment of the present disclosure further performs a validity audit on the security level identification adding request submitted by the client.
However, because the number of data packets in real-time communication is large, to improve auditing efficiency this embodiment of the present disclosure may perform the validity audit only once per session task: only the security level identification adding request of the first original data packet in a session task is audited, and the security level identification adding requests of the subsequent original data packets in the same session task reuse the result of that first validity audit.
S404: obtaining an audit result, and judging whether the audit is passed; if yes, entering S407; if not, the process proceeds to S411.
S405: judging whether the client identification and the user identification are real and effective; if yes, go to S406; if not, the process proceeds to S411.
The validity audit may include an audit of true validity (authenticity) and/or an audit of legal validity, and may also include other conventional audit operations and combinations thereof. In this embodiment, the detailed validity audit process is explained by taking an audit of both the true validity and the legal validity of the security level identification adding request as an example, and a person skilled in the art can derive various other embodiments from it.
The following description takes the case of checking true validity first as an example; of course, those skilled in the art can adjust the order of the audit items as required. The client identifier and the user identifier are unique identifiers of the client and the user respectively, and whether they are real and valid can be judged by checking whether they conform to a preset identifier specification.
If both the client identifier and the user identifier are real and valid, the security level identification adding request can be judged to have true validity, and the legal validity audit can then continue. If either the client identifier or the user identifier is not real and valid, it can be determined that the audit is not passed.
S406: judging whether the client security level and the user security level are not lower than the data packet security level; if yes, entering S407; if not, the process proceeds to S411.
It should be noted that in this embodiment a security level is also assigned to the client and to the user, so that the client security level and the user security level can be used for the legal validity audit of the security level identification adding request: the request is considered legally valid when neither the client security level nor the user security level is lower than the data packet security level requested for the identification. In this way, a user with low security clearance is prevented from performing a security level identification operation that does not match that clearance, and high-classification data is prevented from flowing to low-classification parties.
It should be further noted that, to improve auditing efficiency, in this embodiment the security level identification adding requests of the original data packets belonging to the same session task are audited only once; correspondingly, the data packet security levels specified by the security level identification adding requests of the original data packets in the same session task may be made the same, so that the audit result based on the request of the first original data packet also applies to the requests of the other original data packets in that session task.
S407: performing a digest operation on the management and control information and the original data packet to obtain a data packet digest value.
S408: storing the management and control information and the data packet digest value.
S409: the data packet digest value is encrypted based on a private key of the key pair to generate an encrypted digest value, and the original data packet is encrypted to generate an encrypted data packet.
S410: splicing the management and control information, the encrypted data packet and the encrypted digest value to generate a security label data packet, so as to send the security label data packet to the receiving end corresponding to the session task.
S411: and judging that the audit is not passed.
And when the verification is judged to be not passed, the server can terminate the security level identification operation on the original data packet, can send response information that the verification is not passed to the client, and can further generate alarm information, logs and the like.
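The session-level audit of S403 to S411, as an added Go example that is not part of the patent; the identifier specification (one letter and six digits), the level encoding and the field names are assumptions. Going one step beyond the page, it also records the data packet security level a session task was audited for and rejects a later packet of the same session that requests a different level, so the same-level condition stated above is enforced rather than only assumed.

```go
package main

import (
	"errors"
	"regexp"
)

// Level is the data packet, client or user security level. The ordering is
// what S406 compares; the encoding is an assumption of this example.
type Level uint8

const (
	NonSecret Level = iota
	Secret
	TopSecret
)

// Request carries the security level identification adding request together
// with the management and control information fields the audit reads (S402).
type Request struct {
	SessionTaskID uint32
	ClientID      string
	UserID        string
	PacketLevel   Level
	ClientLevel   Level
	UserLevel     Level
}

var (
	ErrIdentity     = errors.New("client or user identifier is not real and valid")
	ErrLevel        = errors.New("client or user security level is lower than the data packet security level")
	ErrSessionLevel = errors.New("data packet security level differs from the level audited for this session task")
)

// Assumed preset identifier specification used by S405: one letter, six digits.
var (
	clientIDSpec = regexp.MustCompile(`^C[0-9]{6}$`)
	userIDSpec   = regexp.MustCompile(`^U[0-9]{6}$`)
)

// auditRecord is the cached result of the first audit of a session task.
type auditRecord struct {
	err   error // nil when the audit passed
	level Level // data packet security level the session was audited for
}

// Auditor keeps one audit result per session task (S403, S404).
type Auditor struct {
	results map[uint32]auditRecord
}

func NewAuditor() *Auditor { return &Auditor{results: map[uint32]auditRecord{}} }

// Audit reports whether a cached result was reused, and returns nil when the
// request passes or the reason the audit is not passed (S411).
func (a *Auditor) Audit(r Request) (reused bool, err error) {
	if rec, ok := a.results[r.SessionTaskID]; ok { // S403: audited session task
		// The page makes all packets of a session carry the same level; this
		// check enforces it so a cached pass cannot cover a higher level.
		if rec.err == nil && rec.level != r.PacketLevel {
			return true, ErrSessionLevel
		}
		return true, rec.err // S404: reuse the stored result
	}
	err = freshAudit(r)
	a.results[r.SessionTaskID] = auditRecord{err: err, level: r.PacketLevel}
	return false, err
}

// freshAudit is S405 (true validity) followed by S406 (legal validity).
func freshAudit(r Request) error {
	if !clientIDSpec.MatchString(r.ClientID) || !userIDSpec.MatchString(r.UserID) {
		return ErrIdentity
	}
	if r.ClientLevel < r.PacketLevel || r.UserLevel < r.PacketLevel {
		return ErrLevel
	}
	return nil
}
```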
Referring to fig. 7, a further security classification identification method provided in the embodiments of the present disclosure is applied to a communication system including a client and a server, and mainly includes the following steps:
S501: the client sends the original data packet and a security level identification adding request for the original data packet to the server.
S502: the server determines the management and control information of the original data packet according to the security level identification adding request, where the management and control information includes the data packet identifier of the original data packet, the data packet security level, and the session task identifier of the session task to which the original data packet belongs.
S503: the server generates a security label data packet by splicing based on the management and control information and the original data packet, so as to send the security label data packet to the receiving end corresponding to the session task.
For the related details, those skilled in the art can refer to the corresponding contents in the foregoing embodiments, and the details are not repeated herein.
Referring to fig. 8, an embodiment of the present disclosure provides a security classification identification apparatus, including:
a receiving module 100, configured to receive an original data packet sent by a client and a security level identification adding request for the original data packet;
a determining module 200, configured to determine, according to the security level identification adding request, management and control information of the original data packet, where the management and control information includes the data packet identifier of the original data packet, the data packet security level, and the session task identifier of the session task to which the original data packet belongs;
and an identification module 300, configured to generate a security label data packet based on the management and control information and the original data packet, so as to send the security label data packet to the receiving end corresponding to the session task.
Therefore, the security identification is carried out by taking the data packet as a unit in the data transmission process, namely, each original data packet sent by the client is sent immediately after marking, so that the security of data is guaranteed by using the security identification, and the transmission real-time performance of streaming data is ensured at the same time, thereby being effectively suitable for streaming control of streaming data. Meanwhile, based on the control information in the secret mark data packet, the storage management of the data information can be realized. Therefore, the method and the device are suitable for storage control and streaming data circulation control, and therefore applicability and user experience are effectively improved.
As shown in fig. 9, the identification module 300 may include:
a digest operation submodule, configured to perform a digest operation on the management and control information and the original data packet to obtain a data packet digest value;
and a security level identification submodule, configured to splice the management and control information, the original data packet and the data packet digest value to generate the security label data packet, so as to send the security label data packet to the receiving end corresponding to the session task, where the receiving end verifies the data packet digest value after receiving the security label data packet to judge whether the security label data packet has been tampered with.
Further, the security level identification submodule may include:
a digest encryption unit, configured to encrypt the data packet digest value based on the private key of a key pair to generate an encrypted digest value;
and a security level identification unit, configured to splice the management and control information, the original data packet and the encrypted digest value to generate the security label data packet, so as to send the security label data packet to the receiving end corresponding to the session task.
Further, the security classification identification unit may include:
a data packet encryption subunit, configured to encrypt the original data packet to generate an encrypted data packet;
and a security level identification subunit, configured to splice the management and control information, the encrypted data packet and the encrypted digest value to generate the security label data packet.
Further, the security classification identification device may further include:
and a sending module, configured to send the public key of the key pair to the receiving end, so that the receiving end can decrypt the received encrypted digest value based on the public key to obtain the data packet digest value and verify it to judge whether the security label data packet has been tampered with.
Further, the security classification identification device may further include:
the storage module is used for storing the management and control information and the data packet abstract value;
and a response module, configured to respond to a digest query request of the receiving end by sending the data packet digest value to the receiving end, so that the receiving end judges whether the data packet digest value obtained by decryption is consistent with the queried data packet digest value, and if so, judges that the received security label data packet has not been tampered with.
Further, the identification module 300 may further include:
an audit submodule, configured to perform a validity audit on the security level identification adding request according to the management and control information before the security label data packet is generated by splicing based on the management and control information and the original data packet; if the audit passes, the identification module 300 generates the security label data packet based on the management and control information and the original data packet.
Where the data packet security levels specified by the security level identification adding requests of the original data packets in the same session task are the same, the audit submodule may include:
the judging unit is used for judging whether the session task is an audited session task;
the obtaining unit is used for obtaining an auditing result when the session task is an audited session task;
and an audit unit, configured to perform the validity audit on the security level identification adding request according to the management and control information and generate an audit result when the session task is an unaudited session task.
Wherein, the auditing unit may include:
the first audit subunit is used for judging whether the client identifier and the user identifier are both real and effective; if the client identification and the user identification are both true and valid, judging that the secret level identification adding request has true validity;
the second audit subunit is used for judging whether the client security level and the user security level are not lower than the data packet security level; and if the client security level and the user security level are not lower than the data packet security level, judging that the security level identification adding request has legal validity.
Referring to fig. 10, fig. 10 is a block diagram illustrating an electronic device 400 in accordance with an exemplary embodiment. As shown in fig. 10, the electronic device 400 may include: a processor 401 and a memory 402. The electronic device 400 may also include one or more of a multimedia component 403, an information input/information output (I/O) interface 404, and a communication component 405.
The processor 401 is configured to control the overall operation of the electronic device 400 so as to complete all or part of the steps of the data transmission method applied to the electronic device; the memory 402 is used to store various types of data to support operation of the electronic device 400, such as instructions for any application or method operating on the electronic device 400 and application-related data such as contact data, transmitted and received messages, pictures, audio, video and so forth. The memory 402 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk.
The multimedia component 403 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals; the received audio signal may further be stored in the memory 402 or transmitted through the communication component 405. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 404 provides an interface between the processor 401 and other interface modules, such as a keyboard, mouse or buttons; these buttons may be virtual buttons or physical buttons. The communication component 405 is used for wired or wireless communication between the electronic device 400 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so that the corresponding communication component 405 may include a Wi-Fi module, a Bluetooth module and an NFC module.
In an exemplary embodiment, the electronic Device 400 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for performing the data transmission methods set forth above.
In another exemplary embodiment, a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the above-described data transmission method is also provided. For example, the computer readable storage medium may be the memory 402 storing program instructions executable by the processor 401 of the electronic device 400 to perform the security classification identification method described above.

Claims (13)

1. A security level identification method, comprising:
receiving an original data packet sent by a client and a security level identification adding request for the original data packet;
determining management and control information of the original data packet according to the security level identification adding request, wherein the management and control information comprises a data packet identifier of the original data packet, a data packet security level and a session task identifier of a session task to which the original data packet belongs;
and generating a security label data packet by splicing based on the management and control information and the original data packet, so as to send the security label data packet to a receiving end corresponding to the session task.
2. The security level identification method according to claim 1, wherein the generating a security label data packet by splicing based on the management and control information and the original data packet comprises:
performing a digest operation on the management and control information and the original data packet to obtain a data packet digest value;
and splicing the management and control information, the original data packet and the data packet digest value to generate the security label data packet, so that the receiving end verifies the data packet digest value after receiving the security label data packet to judge whether the security label data packet has been tampered with.
3. The security level identification method according to claim 2, wherein the splicing the management and control information, the original data packet and the data packet digest value to generate the security label data packet comprises:
encrypting the data packet digest value based on a private key of a key pair to generate an encrypted digest value;
and splicing the management and control information, the original data packet and the encrypted digest value to generate the security label data packet.
4. The security level identification method according to claim 3, wherein the splicing the management and control information, the original data packet and the encrypted digest value to generate the security label data packet comprises:
encrypting the original data packet to generate an encrypted data packet;
and splicing the management and control information, the encrypted data packet and the encrypted digest value to generate the security label data packet.
5. The security level identification method according to claim 4, further comprising:
sending the public key of the key pair to the receiving end, so that the receiving end decrypts the received encrypted digest value based on the public key to obtain the data packet digest value and verifies the data packet digest value to judge whether the security label data packet has been tampered with.
6. The security level identification method according to claim 5, further comprising, after the digest operation is performed on the management and control information and the original data packet to obtain the data packet digest value:
storing the management and control information and the data packet digest value;
and responding to a digest query request of the receiving end by sending the data packet digest value to the receiving end, so that the receiving end judges whether the data packet digest value obtained by decryption is consistent with the queried data packet digest value, and if so, judges that the received security label data packet has not been tampered with.
7. The security level identification method according to any one of claims 1 to 6, wherein the data packet security levels specified by the security level identification adding requests of the original data packets in the same session task are the same.
8. The security level identification method according to claim 7, wherein the generating a security label data packet by splicing based on the management and control information and the original data packet comprises:
verifying the validity of the security level identifier adding request according to the management and control information;
and if the verification is passed, starting the step of generating the cipher mark data packet based on the management and control information and the original data packet.
9. The secret level identification method according to claim 8, wherein the performing validity check on the secret level identification adding request according to the management and control information includes:
judging whether the session task is an audited session task;
if the session task is an audited session task, acquiring an audit result;
and if the session task is an unchecked session task, performing validity check on the security level identification adding request according to the management and control information to generate a check result.
10. The security classification identification method according to claim 8, wherein the management and control information further includes a client identifier, a user identifier, a client security classification and a user security classification; the performing validity audit on the security level identifier adding request according to the management and control information to generate an audit result includes:
judging whether the client identification and the user identification are both real and effective;
if the client identification and the user identification are both true and valid, judging that the secret level identification adding request has true validity;
judging whether the client security level and the user security level are not lower than the data packet security level;
and if the client security level and the user security level are not lower than the data packet security level, judging that the security level identification adding request has legal validity.
11. A security classification identification apparatus, comprising:
a receiving module, configured to receive an original data packet sent by a client and a security level identification adding request for the original data packet;
a determining module, configured to determine, according to the security level identification adding request, management and control information of the original data packet, wherein the management and control information comprises a data packet identifier of the original data packet, a data packet security level and a session task identifier of a session task to which the original data packet belongs;
and an identification module, configured to generate a security label data packet by splicing based on the management and control information and the original data packet, so as to send the security label data packet to a receiving end corresponding to the session task.
12. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to carry out the steps of the security level identification method according to any one of claims 1 to 10.
13. A computer-readable storage medium, in which a computer program is stored which, when executed by a processor, carries out the steps of the security level identification method according to any one of claims 1 to 10.
Application CN201911384420.3A, priority date 2019-12-28, filing date 2019-12-28: Security level identification method and device, electronic equipment and storage medium. Status: Pending. Publication: CN111382451A (en).

Publications (1)

Publication Number Publication Date
CN111382451A true CN111382451A (en) 2020-07-07

Family

ID=71218554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911384420.3A Pending CN111382451A (en) 2019-12-28 2019-12-28 Security level identification method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111382451A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050226419A1 (en) * 2004-04-12 2005-10-13 Smathers Kevin L Method and system for cryptographically secure hashed end marker of streaming data
CN102006302A (en) * 2010-12-03 2011-04-06 中国软件与技术服务股份有限公司 Method for identifying security classification of electronic file
CN102930225A (en) * 2012-10-25 2013-02-13 中国航天科工集团第二研究院七〇六所 Electronic document access control method based on confidential identifier
CN106790160A (en) * 2016-12-29 2017-05-31 成都三零盛安信息系统有限公司 Security level identification and method of calibration and device
CN110012260A (en) * 2019-03-18 2019-07-12 苏州科达科技股份有限公司 A kind of video conference content guard method, device, equipment and system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112287246A (en) * 2020-12-29 2021-01-29 视联动力信息技术股份有限公司 Method and device for realizing access control and information filtering based on protocol identification
CN112989288A (en) * 2021-04-16 2021-06-18 成都飞机工业(集团)有限责任公司 System and method for calibrating security level of electronic documents in batch
CN112989288B (en) * 2021-04-16 2021-09-03 成都飞机工业(集团)有限责任公司 System and method for calibrating security level of electronic documents in batch

Similar Documents

Publication Publication Date Title
CN110855671B (en) Trusted computing method and system
US11533297B2 (en) Secure communication channel with token renewal mechanism
CN110492990B (en) Private key management method, device and system under block chain scene
US8379857B1 (en) Secure key distribution for private communication in an unsecured communication channel
EP3324572B1 (en) Information transmission method and mobile device
US8527769B2 (en) Secure messaging with read-undeniability and deletion-verifiability
JP2020528224A (en) Secure execution of smart contract operations in a reliable execution environment
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN110401677B (en) Method and device for acquiring digital copyright key, storage medium and electronic equipment
EP3340559A1 (en) Method and system for facilitating secure communication between two or more devices
CN110611657A (en) File stream processing method, device and system based on block chain
WO2017096887A1 (en) Anti-leeching method and device
KR101648364B1 (en) Method for improving encryption/decryption speed by complexly applying for symmetric key encryption and asymmetric key double encryption
CN112073467A (en) Block chain-based data transmission method and device, storage medium and electronic equipment
CN112788001B (en) Data encryption-based data processing service processing method, device and equipment
US20230132485A1 (en) System for Thin Client Devices in Hybrid Edge Cloud Systems
CN113422679B (en) Key generation method, device and system, encryption method, electronic device and computer readable storage medium
CN114244508A (en) Data encryption method, device, equipment and storage medium
CN111382451A (en) Security level identification method and device, electronic equipment and storage medium
CN111741268A (en) Video transmission method, device, server, equipment and medium
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN113868684A (en) Signature method, device, server, medium and signature system
CN113243093A (en) System and method for message transmission and retrieval using blockchains
CN110708155A (en) Copyright information protection method, copyright information protection system, copyright confirming method, copyright confirming device, copyright confirming equipment and copyright confirming medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200707