CN112152992A - End-to-end data secure transmission network communication method and device - Google Patents


Info

Publication number
CN112152992A
Authority
CN
China
Prior art keywords
data
sender
network
port
receiver
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010707091.8A
Other languages
Chinese (zh)
Inventor
袁斌
李会鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Tiandingxing Intelligent Information Technology Co ltd
Original Assignee
Beijing Tiandingxing Intelligent Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Tiandingxing Intelligent Information Technology Co ltd
Priority to CN202010707091.8A
Publication of CN112152992A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/256 NAT traversal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/104 Peer-to-peer [P2P] networks
    • H04L 67/1044 Group management mechanisms
    • H04L 67/1046 Joining mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/164 Adaptation or special uses of UDP protocol

Abstract

The application discloses a method and a device for end-to-end secure data transmission over a network. The method comprises: establishing a point-to-point virtual data transmission channel between a terminal and a network attached storage (NAS) device using NAT (network address translation) traversal, and transmitting data in a proprietary packet format carried over UDP (User Datagram Protocol); during transmission, the data sender encrypts the original data under an encryption key with a preset symmetric encryption algorithm to obtain a ciphertext, and sends the ciphertext to the corresponding data receiver. With this method, end-to-end data can be transmitted securely, efficiently and stably, the operating systems of a variety of terminals are supported, the implementation is portable across platforms, and the user experience is greatly improved.

Description

End-to-end data secure transmission network communication method and device
Technical Field
The embodiment of the invention relates to the technical field of data communication, in particular to a method and a device for end-to-end data secure transmission network communication, and further relates to electronic equipment and a computer readable storage medium.
Background
In recent years, with the rapid development of computer information technology, various electronic devices are gradually popularized, the application scale is rapidly enlarged, the generated data is explosively increased, and the rapid and effective access and management of various data are important in the research in the field.
At present, hardware products for private home storage generally provide multi-terminal data backup, download and browsing functions. A user can conveniently back up pictures, videos and other data from terminals such as mobile phones, computers and digital cameras to a remote hardware storage product (for example a network attached storage device, NAS), and this copy is often the only backup of the data. It is therefore necessary for the user to be able to access the hardware storage device remotely and efficiently, and retrieve the data, from any location and in any network environment. The remote data access channel commonly used in the prior art adopts a client-server (C-S) architecture, that is, end-to-end traffic is proxied and forwarded through a relay server.
However, the network environment in which the user is actually located is complex: it may be a home intranet, a mobile network or any other network. To solve the problem of efficiently accessing hardware storage products in a complex network environment, how to provide the user terminal with an efficient, secure and stable remote data access channel has become a technical problem that urgently needs to be solved.
Disclosure of Invention
Therefore, the embodiments of the invention provide an end-to-end secure data transmission network communication method, so as to solve the problems in the prior art that a user terminal accesses a remote hardware storage product unstably, that data transmission efficiency is low, and that user requirements are not well met.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides an end-to-end secure data transmission network communication method, including: establishing a point-to-point virtual data transmission channel between the terminal and the network attached storage device using NAT (network address translation) traversal, and transmitting data in a proprietary packet format carried over UDP (User Datagram Protocol); during transmission, the data sender encrypts the original data under an encryption key with a preset symmetric encryption algorithm to obtain a ciphertext, and sends the ciphertext to the corresponding data receiver.
Further, when the data sender is the terminal, the data receiver is the network attached storage device, and when the data sender is the network attached storage device, the data receiver is the terminal.
Further, establishing the point-to-point virtual data transmission channel between the terminal and the network attached storage device using NAT traversal specifically includes the following, for the case in which both the data sender and the data receiver are behind port-restricted NAT: before the channel is established, the data sender and the data receiver each obtain the other's external (public) IP address and port from the corresponding server; the data sender actively sends a probe packet to the external IP address and port of the data receiver, which records an entry for the data receiver in the NAT table of the data sender's router; the data sender sends a first request message for connecting to the data receiver to the server, and the server forwards it to the data receiver; after the data receiver has received the first notification message forwarded by the server, it sends a probe packet directly to the external IP address and port of the data sender, and if a target packet returned directly by the data sender is received within a preset time threshold, the channel between the port-restricted data sender and the port-restricted data receiver has been established successfully.
Further, establishing the point-to-point virtual data transmission channel between the terminal and the network attached storage device using NAT traversal specifically includes the following, for the case in which the data sender has a public IP address and the data receiver is behind port-restricted NAT: the data sender first sends a second request message for connecting to the data receiver to the server, and the server forwards the second request message to the data receiver; after the data receiver has received the second notification message forwarded by the server, it sends a probe packet directly to the external IP address and port of the data sender, and if a target packet returned directly by the data sender is received within a preset time threshold, the channel between the data sender and the data receiver has been established successfully.
Further, establishing the point-to-point virtual data transmission channel between the terminal and the network attached storage device using NAT traversal specifically includes the following, for the case in which the data sender (in a port-restricted environment) connects to a data receiver that uses a public IP address: the data sender actively sends a third request message directly to the data receiver, and if a target packet returned directly by the data receiver is received within a preset time threshold, the channel between the data sender and the data receiver has been established successfully.
Further, establishing the point-to-point virtual data transmission channel between the terminal and the network attached storage device using NAT traversal specifically includes the following, for the case in which the data sender is behind port-restricted NAT and the data receiver is behind a symmetric NAT router: the data sender first sends a fourth request message, which the server forwards to the data receiver; after receiving the fourth notification message, the data receiver sends port-type probe packets to a tracker server cluster, which comprises several servers with different IP addresses and ports; the receiver sends a packet to each of them, collects the returned packets and analyses how its external port changes between them to obtain the allocation pattern: if the external port increases or decreases by a regular step, the procedure continues; if the ports are allocated randomly with no usable pattern, establishment of the connection is terminated. In the incrementing or decrementing case, the data receiver first sends a probe packet to the data sender, which records an entry for the data sender in the NAT table of the data receiver's router; the data receiver then sends a fifth request message to the server, which forwards it to the data sender; after receiving the sixth notification message forwarded by the server, the data sender sends a seventh request message directly to the data receiver, and if a seventh notification message returned by the data receiver is received within a preset time threshold, the channel between the data sender and the data receiver has been established successfully.
In a second aspect, an embodiment of the present invention further provides an end-to-end secure data transmission network communication apparatus, including: a channel establishing and data transmission unit, configured to establish a point-to-point virtual data transmission channel between a terminal and a network attached storage device using NAT (network address translation) traversal and to transmit data in a proprietary packet format carried over UDP (User Datagram Protocol); and a data transmission encryption unit, configured to encrypt, during transmission, the original data under an encryption key with a preset symmetric encryption algorithm at the data sender to obtain a ciphertext, and to send the ciphertext to the corresponding data receiver.
Further, when the data sender is the terminal, the data receiver is the network attached storage device, and when the data sender is the network attached storage device, the data receiver is the terminal.
In a third aspect, an embodiment of the present invention further provides an electronic device, including: a processor and a memory; the memory is used for storing a program of an end-to-end data secure transmission network communication method, and after the electronic equipment is powered on and runs the program of the end-to-end data secure transmission network communication method through the processor, the electronic equipment executes any one of the end-to-end data secure transmission network communication methods.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, where one or more program instructions are contained in the computer-readable storage medium, and the one or more program instructions are used for a processor to execute any one of the end-to-end secure data transmission network communication methods described above.
With the end-to-end secure data transmission network communication method, data is exchanged end to end in P2P mode, so no server relay is needed during data transmission and resource and cost overheads are reduced; packet-loss retransmission, a data window that expands and contracts, and a network congestion control strategy are supported, so end-to-end data can be transmitted securely, efficiently and stably; the operating systems of a variety of terminals are supported; the implementation is portable across platforms; and the user experience is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
Fig. 1 is a flowchart of an end-to-end data secure transport network communication method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an end-to-end data secure transmission network communication device according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an electronic device according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a point-to-point direct connection channel and a server forwarding channel in an end-to-end data secure transmission network communication method according to an embodiment of the present invention;
fig. 5 is a schematic diagram illustrating establishment of a first type of connection channel in an end-to-end data secure transport network communication method according to an embodiment of the present invention;
fig. 6 is a schematic diagram illustrating establishment of a second type of connection channel in an end-to-end data secure transport network communication method according to an embodiment of the present invention;
fig. 7 is a schematic diagram illustrating establishment of a third type connection channel in an end-to-end data secure transmission network communication method according to an embodiment of the present invention;
fig. 8 is a schematic diagram illustrating establishment of a fourth type connection channel in an end-to-end data secure transmission network communication method according to an embodiment of the present invention;
fig. 9 is a schematic diagram illustrating implementation of data uploading and downloading in an end-to-end secure data transmission network communication method according to an embodiment of the present invention;
fig. 10 is a complete flow chart of a method for end-to-end data secure transmission network communication according to an embodiment of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following describes an embodiment of an end-to-end data secure transmission network communication method according to the present invention in detail. As shown in fig. 1 and 10, which are flowcharts of an end-to-end data secure transmission network communication method provided by the embodiment of the present invention, a specific implementation process includes the following steps:
Step S101: establishing a point-to-point virtual data transmission channel between the terminal and the network attached storage device using NAT (network address translation) traversal, and transmitting data in a proprietary packet format carried over UDP (User Datagram Protocol).
The channel is a virtual data link for communication between the terminal and the network attached storage hardware. A point-to-point virtual data transmission channel is established through NAT traversal between the terminal and the hardware device sitting behind a router in NAT mode; this channel is a direct point-to-point connection. Over this channel, data is transmitted in a proprietary packet format using UDP. To improve the transmission efficiency and stability of the direct channel, a reliable transmission strategy is layered on UDP, providing packet-loss retransmission, a data window that expands and contracts, and a network congestion control strategy, so that data is transmitted efficiently while server bandwidth is saved and the operator's running costs are reduced.
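The page names retransmission, window expansion and contraction and congestion control but does not specify them further. The following Go program is an added illustration, not the applicant's code, of the kind of loop such a stack runs: a go-back-N sender whose window grows by one segment per fully acknowledged round and halves on loss, driven over a constructed lossy channel. The Segment fields, the round-based timeout and the assumption that ACKs are never lost are simplifications chosen for the example.

```go
package main

import "fmt"

// Segment is one data packet of the channel; the fields are assumed, since the
// page does not disclose its proprietary packet format.
type Segment struct {
	Seq     uint32
	Payload string
}

// lossyChannel is a constructed stand-in for the network: it drops the delivery
// attempts whose ordinal number (1-based) is listed in drop and delivers the rest.
type lossyChannel struct {
	attempt int
	drop    map[int]bool
}

func newLossyChannel(dropAttempts ...int) *lossyChannel {
	c := &lossyChannel{drop: map[int]bool{}}
	for _, a := range dropAttempts {
		c.drop[a] = true
	}
	return c
}

// deliver returns false when this attempt is lost.
func (c *lossyChannel) deliver() bool {
	c.attempt++
	return !c.drop[c.attempt]
}

// Receiver implements go-back-N: it accepts only the next expected sequence
// number, discards anything else, and its cumulative ACK is the next expected seq.
type Receiver struct {
	Expect  uint32
	Payload []string
}

func (r *Receiver) Recv(s Segment) uint32 {
	if s.Seq == r.Expect {
		r.Payload = append(r.Payload, s.Payload)
		r.Expect++
	}
	return r.Expect
}

// Stats summarises one transfer.
type Stats struct {
	Sent, Retransmitted, Timeouts, FinalWindow int
}

// SendGoBackN transmits data in rounds. Each round sends the segments in the
// current window; if the cumulative ACK covers the whole window the window
// grows by one (additive increase, capped at maxWindow), otherwise the round
// counts as a timeout, the window halves (multiplicative decrease) and sending
// resumes from the first unacknowledged segment. ACK loss is not modelled.
func SendGoBackN(data []string, maxWindow int, ch *lossyChannel) (*Receiver, Stats) {
	rx := &Receiver{}
	st := Stats{}
	sentOnce := make([]bool, len(data))
	base, cwnd := 0, 1
	for base < len(data) {
		end := base + cwnd
		if end > len(data) {
			end = len(data)
		}
		for i := base; i < end; i++ {
			st.Sent++
			if sentOnce[i] {
				st.Retransmitted++
			}
			sentOnce[i] = true
			if ch.deliver() {
				rx.Recv(Segment{Seq: uint32(i), Payload: data[i]})
			}
		}
		ack := int(rx.Expect)
		if ack == end {
			if cwnd < maxWindow {
				cwnd++
			}
		} else {
			st.Timeouts++
			cwnd /= 2
			if cwnd < 1 {
				cwnd = 1
			}
		}
		base = ack
	}
	st.FinalWindow = cwnd
	return rx, st
}

func main() {
	data := []string{"a", "b", "c", "d", "e", "f"}
	rx, st := SendGoBackN(data, 4, newLossyChannel(3)) // lose the third transmission
	fmt.Printf("received %v stats %+v\n", rx.Payload, st)
}
```

Dropping the third attempt costs one retransmission and one timeout, and the window recovers to its cap by the end of the six-segment transfer; the receiver's in-order rule is what makes a single cumulative ACK sufficient, at the price of re-sending segments that were in fact delivered after the lost one.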
In a concrete implementation, the purpose of establishing the virtual data transmission channel is to let two terminals in different local area networks set up a direct UDP connection; since the terminals sit behind NAT, NAT traversal is essential. Because UDP is stateless, current NAT implementations for UDP can be roughly classified as full cone, restricted cone, port restricted cone and symmetric NAT. A full cone NAT forwards inbound packets from any external host to a mapped port, which is the weakest filtering behaviour, so ordinary NAT routers generally do not provide it. The application is therefore preferably implemented with traversal logic for peers with a public IP address and for restricted cone, port restricted cone and symmetric NAT.
Further, as shown in fig. 4, in addition to the virtual data transmission channel, a server forwarding channel may also be provided. Because the network environments of users are complex, when a direct point-to-point connection cannot be established between the terminal and the network attached storage hardware, data can be relayed through the server instead. The server forwarding channel uses TCP, and the terminal and the hardware device each keep a long-lived connection to the server.
Step S102: during transmission, the data sender encrypts the original data under an encryption key with a preset symmetric encryption algorithm to obtain a ciphertext, and sends the ciphertext to the corresponding data receiver. The data sender may be a terminal (mobile terminal or PC) or a network attached storage device (NAS); likewise, the data receiver may be a terminal (mobile terminal or PC) or a NAS.
Specifically, the data encryption strategy adopts a symmetric encryption algorithm in both directions. In a symmetric algorithm, the data sender processes the plaintext (original data) together with the encryption key through the cipher, turning it into ciphertext that is then sent out. After receiving the ciphertext, the data receiver recovers the readable plaintext by decrypting with the same key that was used for encryption and the inverse of the same algorithm. Only one key is used: both sender and receiver use it to encrypt and decrypt, so the key must be shared between the two parties in advance over a channel the attacker cannot read; the description does not state how that key is distributed. The advantages are a small amount of computation, high encryption speed and high efficiency. Note that a symmetric cipher on its own provides confidentiality only; detecting a modified or replayed packet requires an authenticated mode of operation (an AEAD such as AES-GCM) or a separate message authentication code, and the description does not state which mode is used.
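The page describes symmetric encryption of each packet but not the mode of operation. As an added example, not the applicant's code, the following Go program seals one datagram of an assumed packet layout with AES-256-GCM, an authenticated mode: the clear header is bound as associated data, so a modified header, nonce, body or tag is rejected instead of being decrypted into garbage. The header fields, the nonce placement and the all-zero demo key are assumptions for the example; the pre-shared key is taken as already provisioned out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout (assumed; the page does not disclose its packet format):
//   header  9 bytes: type(1) | seq(4) | body length(4)   authenticated, sent in clear
//   nonce  12 bytes: fresh random value per packet
//   body           : AES-256-GCM ciphertext followed by the 16-byte tag
const (
	headerLen = 9
	nonceLen  = 12
)

// Packet is the plaintext view of one datagram.
type Packet struct {
	Type uint8
	Seq  uint32
	Body []byte
}

// Sealer holds the pre-shared symmetric key in AEAD form.
type Sealer struct{ aead cipher.AEAD }

// NewSealer accepts a 16-, 24- or 32-byte key shared out of band by both peers.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

func encodeHeader(p Packet) []byte {
	h := make([]byte, headerLen)
	h[0] = p.Type
	binary.BigEndian.PutUint32(h[1:5], p.Seq)
	binary.BigEndian.PutUint32(h[5:9], uint32(len(p.Body)))
	return h
}

// Seal encrypts the body and binds the clear header to it as associated data,
// so a relay or on-path attacker cannot change type, seq or length unnoticed.
func (s *Sealer) Seal(p Packet) ([]byte, error) {
	hdr := encodeHeader(p)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wire := make([]byte, 0, headerLen+nonceLen+len(p.Body)+s.aead.Overhead())
	wire = append(wire, hdr...)
	wire = append(wire, nonce...)
	return s.aead.Seal(wire, nonce, p.Body, hdr), nil
}

// Open verifies the tag over header and body before returning any plaintext;
// a single flipped bit anywhere in the datagram yields an error, not garbage.
func (s *Sealer) Open(wire []byte) (Packet, error) {
	if len(wire) < headerLen+nonceLen+s.aead.Overhead() {
		return Packet{}, errors.New("packet too short")
	}
	hdr := wire[:headerLen]
	nonce := wire[headerLen : headerLen+nonceLen]
	body, err := s.aead.Open(nil, nonce, wire[headerLen+nonceLen:], hdr)
	if err != nil {
		return Packet{}, fmt.Errorf("authentication failed: %w", err)
	}
	if uint32(len(body)) != binary.BigEndian.Uint32(hdr[5:9]) {
		return Packet{}, errors.New("length field does not match body")
	}
	return Packet{Type: hdr[0], Seq: binary.BigEndian.Uint32(hdr[1:5]), Body: body}, nil
}

func main() {
	key := make([]byte, 32) // demo key; in practice one provisioned out of band
	s, _ := NewSealer(key)
	wire, _ := s.Seal(Packet{Type: 1, Seq: 42, Body: []byte("chunk 0 of photo.jpg")})
	p, err := s.Open(wire)
	fmt.Printf("ok: seq=%d body=%q err=%v\n", p.Seq, p.Body, err)
	wire[len(wire)-1] ^= 0x80 // corrupt one bit of the tag
	_, err = s.Open(wire)
	fmt.Println("tampered:", err)
}
```

With random 96-bit nonces the same key should not seal more than about 2^32 packets, so a long-lived NAS session should derive a fresh key per channel, or use a per-session key with the sequence number as the nonce. The AEAD does not by itself reject a replayed datagram; the receiver must also discard a sequence number it has already accepted.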
In practice, the main application scenarios between the user terminal and the network attached storage device are file upload (backup) and download (browsing). As shown in fig. 9, upload and download run over an application-layer custom protocol stack on top of the data channel, whose purpose is to isolate the file read/write, multi-threaded upload, file chunking and hash verification policies that the service layer provides independently. HTTP proxy service: a local HTTP proxy program hosts all GET/POST requests from the terminal's service layer; the proxy extracts the body of each HTTP request and transmits it to the peer through the channel. The proxy service uses multithreading and a connection pool, so it can serve requests from the business logic layer concurrently.
In a concrete implementation, the network proxy has two parts: the proxy on the terminal and the proxy on the network attached storage device. When the data sender is the terminal, the data receiver is the network attached storage device, and when the data sender is the network attached storage device, the data receiver is the terminal.
As shown in fig. 5, when both the data sender and the data receiver are behind port-restricted NAT, the channel is established as follows: before the channel is established, the data sender (PeerA) and the data receiver (PeerB) each obtain the other's external IP address and port from the corresponding server; the data sender actively sends a probe packet to the external IP address and port of the data receiver, which records an entry for the data receiver in the NAT table of the data sender's router; the data sender sends a first request message (TRACKER_PENETNATE_REQUEST) for connecting to the data receiver to the server, which forwards it to the data receiver; after receiving the first notification message (TRACKER_PENETRATE_NOTIFY) forwarded by the server, the data receiver sends a probe packet directly to the external IP address and port of the data sender, and if the target packet (C2C_PENETRATE_RESPONSE) returned directly by the data sender is received within the preset time threshold, the channel between the two port-restricted peers has been established successfully.
As shown in fig. 6, when the data sender has a public IP address and the data receiver is behind port-restricted NAT, the channel is established as follows: the data sender (PeerA) first sends a second request message (TRACKER_PENETNATE_REQUEST) for connecting to the data receiver (PeerB) to the server, which forwards it to the data receiver; after receiving the second notification message (TRACKER_PENETRATE_NOTIFY) forwarded by the server, the data receiver sends a probe packet directly to the external IP address and port of the data sender, and if the target packet (C2C_PENETRATE_RESPONSE) returned directly by the data sender is received within the preset time threshold, the channel between the data sender and the data receiver has been established successfully.
As shown in fig. 7, when the data sender (in a port-restricted environment) connects to a data receiver that uses a public IP address, the channel is established as follows: the data sender (PeerA) actively sends a third request message (C2C_PENETRATE_REQUEST) directly to the data receiver (PeerB), and if the target packet (C2C_PENETRATE_RESPONSE) returned directly by the data receiver is received within the preset time threshold, the channel between the data sender and the data receiver has been established successfully.
As shown in fig. 8, when the data sender is behind port-restricted NAT and the data receiver is behind a symmetric NAT router, the channel is established as follows: the data sender (PeerA) first sends a fourth request message (TRACKER_PORT_PROBE_REQUEST) to the server, which forwards it to the data receiver (PeerB); after receiving the fourth notification message (TRACKER_PORT_PROBE_NOTIFY), the data receiver sends port-type probe packets to the tracker server cluster, which consists of several servers with different IP addresses and ports; the receiver sends a packet to each of them, collects the returned packets (each reporting the external port that server observed) and analyses how the external port changes between them to obtain the allocation pattern: if the external port increases or decreases by a regular step, the procedure continues; if the ports are allocated randomly with no usable pattern, establishment of the connection is terminated. In the incrementing or decrementing case, the data receiver first sends a probe packet to the data sender, which records an entry for the data sender in the NAT table of the data receiver's router; the data receiver then sends a fifth request message (TRACKER_SYMM2PORT_REQUEST) to the server, which forwards it to the data sender; after receiving the sixth notification message (TRACKER_SYMM2PORT_NOTIFY) forwarded by the server, the data sender sends a seventh request message (TRACKER_PORT2SYMM_REQUEST) directly to the data receiver, and if the seventh notification message (TRACKER_SYMM2PORT_NOTIFY) returned by the data receiver is received within the preset time threshold, the channel between the data sender and the data receiver has been established successfully.
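The port-pattern test in the symmetric-NAT scenario above is what decides whether the fourth channel type can be established at all, and the page does not say how the pattern is judged. The following Go program is an added example, not the applicant's code, that implements that decision and the sender's candidate-port search against a constructed symmetric-NAT model. It goes slightly beyond the text in that ClassifyPorts tolerates unrelated flows consuming ports between probes (it takes the smallest consistent delta as the step), which is the usual real-world wrinkle. The tracker names, port numbers and the maxStep bound are assumptions.

```go
package main

import "fmt"

// PortAllocation is the pattern a symmetric NAT follows when it assigns
// external ports to new (internal socket, destination) pairs.
type PortAllocation int

const (
	PortRandom PortAllocation = iota
	PortIncrementing
	PortDecrementing
)

// ClassifyPorts takes the external ports the tracker servers reported, in probe
// order, and decides whether they follow a predictable step. All deltas must
// point the same way and stay within maxStep; the smallest delta is taken as
// the NAT's base step, larger ones being blamed on unrelated flows in between.
func ClassifyPorts(ports []int, maxStep int) (PortAllocation, int) {
	if len(ports) < 3 {
		return PortRandom, 0 // too few samples to call it a pattern
	}
	step := 0
	for i := 1; i < len(ports); i++ {
		d := ports[i] - ports[i-1]
		if d == 0 || d > maxStep || d < -maxStep {
			return PortRandom, 0 // reused port or jump too large
		}
		if d*step < 0 {
			return PortRandom, 0 // direction changed: not monotonic
		}
		if step == 0 || d*d < step*step { // smaller magnitude, same sign
			step = d
		}
	}
	if step > 0 {
		return PortIncrementing, step
	}
	return PortDecrementing, step
}

// PredictPorts lists the n ports most likely to be allocated after last.
func PredictPorts(last, step, n int) []int {
	ports := make([]int, 0, n)
	for k := 1; k <= n; k++ {
		if p := last + step*k; p >= 1024 && p <= 65535 {
			ports = append(ports, p)
		}
	}
	return ports
}

// natSim is a constructed model of a symmetric NAT: each new destination gets
// the next external port in the sequence first, first+step, first+2*step, ...
type natSim struct {
	next, step int
	table      map[string]int // destination -> external port
}

func newNATSim(first, step int) *natSim {
	return &natSim{next: first, step: step, table: map[string]int{}}
}

// Send returns the external port used towards dst, allocating one on first use.
func (n *natSim) Send(dst string) int {
	if p, ok := n.table[dst]; ok {
		return p
	}
	p := n.next
	n.next += n.step
	n.table[dst] = p
	return p
}

// Inbound admits a packet only from the destination that created the mapping.
func (n *natSim) Inbound(src string, extPort int) bool {
	p, ok := n.table[src]
	return ok && p == extPort
}

// PunchSymmetric is the receiver side of the fourth scenario: probe the tracker
// cluster, classify the allocation, open a mapping towards the sender with a
// probe, and return the candidate ports the sender should try.
func PunchSymmetric(nat *natSim, trackers []string, sender string, maxStep, tries int) ([]int, error) {
	observed := make([]int, 0, len(trackers))
	for _, t := range trackers {
		observed = append(observed, nat.Send(t)) // each tracker reports the port it saw
	}
	alloc, step := ClassifyPorts(observed, maxStep)
	if alloc == PortRandom {
		return nil, fmt.Errorf("unpredictable port allocation %v: abort", observed)
	}
	nat.Send(sender) // receiver -> sender probe; the sender must hit this port
	return PredictPorts(observed[len(observed)-1], step, tries), nil
}

// SenderProbe is the sender side: try each candidate until one passes the NAT.
func SenderProbe(nat *natSim, sender string, candidates []int) (int, bool) {
	for _, p := range candidates {
		if nat.Inbound(sender, p) {
			return p, true
		}
	}
	return 0, false
}

func main() {
	nat := newNATSim(40000, 2)
	cands, err := PunchSymmetric(nat, []string{"t1", "t2", "t3"}, "peerA", 16, 8)
	port, ok := SenderProbe(nat, "peerA", cands)
	fmt.Println("candidates", cands, "hit", port, ok, err)
}
```

Port prediction is best effort: it fails whenever another flow on the same NAT consumes a port between the receiver's probe to the sender and the sender's candidate packets, so a client keeps the TCP server relay of fig. 4 as the fallback. The tracker cluster only ever sees the probe packets and the resulting external addresses, never payload, which is what makes the relay-free data path worthwhile.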
With the end-to-end secure data transmission network communication method, data is exchanged end to end in P2P mode, so no server relay is needed during data transmission and resource and cost overheads are reduced; packet-loss retransmission, a data window that expands and contracts, and a network congestion control strategy are supported, so end-to-end data can be transmitted securely, efficiently and stably; the operating systems of a variety of terminals are supported; the implementation is portable across platforms; and the user experience is greatly improved.
Corresponding to the end-to-end data secure transmission network communication method, the invention also provides an end-to-end data secure transmission network communication device. Since the embodiment of the device is similar to the above method embodiment, the description is relatively simple, and please refer to the description of the above method embodiment, and the embodiment of the end-to-end data secure transmission network communication device described below is only schematic. Fig. 2 is a schematic diagram of an end-to-end data secure transmission network communication device according to an embodiment of the present invention.
The invention relates to an end-to-end data security transmission network communication device, which comprises the following parts:
a channel establishing and data transmitting unit 201, configured to establish a peer-to-peer virtual data transmission connection channel between the terminal and the network attached storage device by using the NAT traversal technology, and perform data transmission in an autonomous data packet format based on the UDP protocol.
The data transmission encryption unit 202 is configured to, during transmission, perform encryption algorithm processing on the original data and the encryption key by using a preset symmetric encryption algorithm at a data sender to obtain an encrypted ciphertext, and send the encrypted ciphertext to a corresponding data receiver.
The end-to-end data secure transmission network communication device adopts a P2P end-to-end data communication mode, so no server relay is needed in the data transmission process, which reduces the expenditure of resources and cost; packet loss retransmission and data window expansion and contraction mechanisms are supported and a network congestion control strategy is adopted, so secure, efficient and stable end-to-end data transmission can be achieved; various systems adapted to various terminals are supported, giving good platform portability and greatly improving the user experience.
Corresponding to the end-to-end data secure transmission network communication method, the invention also provides electronic equipment. Since the embodiment of the electronic device is similar to the above method embodiment, the description is relatively simple, and please refer to the description of the above method embodiment, and the electronic device described below is only schematic. Fig. 3 is a schematic view of an electronic device according to an embodiment of the present invention. The electronic device specifically includes: a processor 301 and a memory 302; the memory 302 is configured to run one or more program instructions, and is configured to store a program of an end-to-end data secure transmission network communication method, and after the electronic device is powered on and runs the program of the end-to-end data secure transmission network communication method through the processor 301, the electronic device executes any one of the above end-to-end data secure transmission network communication methods.
In correspondence with the end-to-end data secure transmission network communication method provided above, the present invention also provides a computer readable storage medium containing one or more program instructions for executing, by a processor, any of the end-to-end data secure transmission network communication methods described above. Since the embodiment of the computer-readable storage medium is similar to the above-mentioned method embodiment, the description is simple, and for the relevant points, reference may be made to the description of the above-mentioned method embodiment, and the computer-readable storage medium described in this section is only an exemplary one.
In summary, it should be noted that, in the embodiment of the present invention, the processor or the processor module may be an integrated circuit chip having signal processing capability. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with the hardware.
The storage medium may be a memory, for example, which may be volatile memory or nonvolatile memory, or which may include both volatile and nonvolatile memory.
The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory.
The volatile memory may be a Random Access Memory (RAM) which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in connection with the embodiments of the invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that the functionality described in the present invention may be implemented in a combination of hardware and software in one or more of the examples described above. When software is used, the corresponding functionality may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The objects, technical solutions and advantages of the present invention have been described in further detail through the above embodiments. It should be understood that the above embodiments are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention shall be included in the scope of the present invention.

Claims (10)

1. An end-to-end data secure transmission network communication method is characterized by comprising the following steps:
establishing a point-to-point virtual data transmission connection channel between the terminal and the network attached storage equipment by using an NAT (Network Address Translation) traversal technology, and performing data transmission in a proprietary data packet format based on the UDP (User Datagram Protocol) protocol;
in the transmission process, a preset symmetric encryption algorithm is utilized to perform encryption algorithm processing on original data and an encryption key at a data sender to obtain an encrypted ciphertext, and the encrypted ciphertext is sent to a corresponding data receiver.
2. The end-to-end data security transmission network communication method according to claim 1, wherein when the data sender is the terminal, the data receiver is the network attached storage device, and when the data sender is the network attached storage device, the data receiver is the terminal.
3. The end-to-end data secure transmission network communication method according to claim 2, wherein the establishing a peer-to-peer virtual data transmission connection channel between the terminal and the network attached storage device by using the NAT traversal technology specifically includes:
when a connection channel is established between the data sender in the port-limited environment and the data receiver in the port-limited environment, acquiring an external network IP address and a port address from a corresponding server through the data sender and the data receiver in advance before the connection channel is established;
the data sender actively sends a detection packet to an external network IP address and a port address of the data receiver, and records record information of accessing the data receiver on an NAT mode router of the data sender;
sending a first request message for connecting a data receiver to the server through the data transmitter, and forwarding the first request message to the data receiver by the server;
after receiving the first notification message forwarded by the server through the data receiver, the data receiver directly sends a detection packet to an external network IP address and a port address of the data sender, and if a target data packet directly returned by the data sender is received within a preset time range threshold, the data sender in a port-limited environment and the data receiver in the port-limited environment establish a connection channel successfully.
4. The end-to-end data secure transmission network communication method according to claim 2, wherein the establishing a peer-to-peer virtual data transmission connection channel between the terminal and the network attached storage device by using the NAT traversal technology specifically includes:
when a connection channel is established between the data sender using the public network IP address and the data receiver under the port-limited environment, a second request message for connecting the data receiver is sent to a server through the data sender in advance, and the server is utilized to forward the second request message to the data receiver;
after receiving the second notification message forwarded by the server, the data receiver directly sends a detection packet to the external network IP address and the port address of the data sender, and if a target data packet directly responded by the data sender is received within a preset time range threshold, a connection channel is successfully established between the data sender and the data receiver.
5. The end-to-end data secure transmission network communication method according to claim 2, wherein the establishing a peer-to-peer virtual data transmission connection channel between the terminal and the network attached storage device by using the NAT traversal technology specifically includes:
when the data sender and the data receiver using the public network IP address are connected under the environment with limited ports, a third request message is actively and directly sent to the data receiver through the data sender, and if a target data packet directly responded by the data receiver is received within a preset time range threshold, a connection channel is successfully established between the data sender and the data receiver.
6. The end-to-end data secure transmission network communication method according to claim 2, wherein the establishing a peer-to-peer virtual data transmission connection channel between the terminal and the network attached storage device by using the NAT traversal technology specifically includes:
when the data sender under the port limited environment is connected with the data receiver under the symmetric router environment, a fourth request message is sent by the data sender in advance and forwarded to the data receiver through a server;
after the data receiver receives the fourth notification message, sending port type detection packets to a tracker server cluster, wherein the tracker server cluster comprises a plurality of servers, sending data packets to different IP addresses and port addresses respectively, receiving the returned data packets, analyzing the law of the external network port and obtaining the law characteristic of the external network port, and if the external network port increases or decreases progressively, going to the subsequent process, and if the external network port is distributed randomly without a law, terminating the establishment of the connection;
if the external network port of the data receiver increases or decreases progressively, the data receiver first sends a detection packet to the data sender, and records record information for accessing the data sender on an NAT router of the data receiver;
the data receiver transmits a fifth request message to the server, and the server then forwards the fifth request message to the data sender;
and after the data sender receives a sixth notification message forwarded by the server, the data sender directly sends a seventh request message to the data receiver, wherein if a seventh notification message returned by the data receiver is received within a preset time range threshold, a connection channel is successfully established between the data sender and the data receiver.
7. An end-to-end data secure transport network communication device, comprising:
a channel establishing and data transmission unit, used for establishing a point-to-point virtual data transmission connection channel between a terminal and a network attached storage device by using an NAT (Network Address Translation) traversal technology and carrying out data transmission in a proprietary data packet format based on the UDP (User Datagram Protocol) protocol;
and the data transmission encryption unit is used for carrying out encryption algorithm processing on the original data and the encryption key by using a preset symmetric encryption algorithm at a data sender in the transmission process to obtain an encrypted ciphertext and sending the encrypted ciphertext to a corresponding data receiver.
8. The end-to-end data security transmission network communication apparatus according to claim 7, wherein when the data sender is the terminal, the data receiver is the network attached storage device, and when the data sender is the network attached storage device, the data receiver is the terminal.
9. An electronic device, comprising:
a processor; and
a memory for storing a program of an end-to-end data secure transmission network communication method, wherein the electronic device executes the end-to-end data secure transmission network communication method according to any one of claims 1 to 6 after being powered on and running the program of the end-to-end data secure transmission network communication method through the processor.
10. A computer readable storage medium having one or more program instructions embodied therein for execution by a processor to perform the end-to-end data secure transport network communication method of any of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010707091.8A CN112152992A (en) 2020-07-21 2020-07-21 End-to-end data secure transmission network communication method and device

Publications (1)

Publication Number Publication Date
CN112152992A true CN112152992A (en) 2020-12-29

Family

ID=73888384

Country Status (1)

Country Link
CN (1) CN112152992A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113709163A (en) * 2021-08-30 2021-11-26 高维亮 Method and system for realizing remote operation of computer based on wireless terminal

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231761A (en) * 2011-08-12 2011-11-02 乐视网信息技术(北京)股份有限公司 Peer-to-Peer (P2P) data interaction method
CN103795819A (en) * 2014-01-27 2014-05-14 杭州顺浪信息技术有限公司 Inter-terminal data transmission method based on NAT in P2P application
CN107071039A (en) * 2017-04-24 2017-08-18 深圳至上移动科技有限公司 A kind of private data cloud storage system and private data cloud storage method
CN108063816A (en) * 2017-04-24 2018-05-22 深圳至上移动科技有限公司 A kind of private data cloud storage penetration access method
WO2019004942A1 (en) * 2017-06-30 2019-01-03 Sitechexport Pte. Ltd. Algorithms for peer-to-peer messaging system
CN109660637A (en) * 2018-11-16 2019-04-19 深圳市网心科技有限公司 P2P burrows transmission method and system, electronic device and computer readable storage medium
CN109600449A (en) * 2018-12-24 2019-04-09 深圳市网心科技有限公司 A kind of P2P penetrating method, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201229